# Account and group the daemon runs under; the pre-install scriptlet creates
# both when they are missing.
%define haproxy_user    haproxy
%define haproxy_group   haproxy

# Request the distribution's hardened compiler/linker flags for this build.
%global _hardened_build 1

Name:           haproxy
Version:        2.6.6
Release:        8
Summary:        The Reliable, High Performance TCP/HTTP Load Balancer

License:        GPLv2+
URL:            https://www.haproxy.org/

# Upstream tarball plus the distribution-supplied unit, config, logrotate and
# sysconfig files.
Source0:        https://www.haproxy.org/download/2.6/src/%{name}-%{version}.tar.gz
Source1:        %{name}.service
Source2:        %{name}.cfg
Source3:        %{name}.logrotate
Source4:        %{name}.sysconfig

# Fixes carried on top of the 2.6.6 tarball: CVE patches and backported
# upstream bug fixes. Numbering is kept stable because patches are applied in
# this order.
Patch0:         CVE-2023-25725.patch
Patch1:         CVE-2023-0056.patch
Patch2:         CVE-2023-25950.patch
Patch3:         CVE-2023-40225.patch
Patch4:         backport-BUG-MINOR-stream-Perform-errors-handling-in-right-or.patch
Patch5:         backport-BUG-MINOR-http_ana-txn-don-t-re-initialize-txn-and-r.patch
Patch6:         backport-BUG-MEDIUM-connection-Clear-flags-when-a-conn-is-rem.patch
Patch7:         backport-BUG-MINOR-mworker-prevent-incorrect-values-in-uptime.patch
Patch8:         backport-BUG-MEDIUM-connection-Preserve-flags-when-a-conn-is-.patch
Patch9:         backport-BUG-MINOR-protocol-fix-minor-memory-leak-in-protocol.patch
Patch10:        backport-BUG-MEDIUM-stream-do-not-try-to-free-a-failed-stream.patch
Patch11:        backport-BUG-MINOR-server-inherit-from-netns-in-srv_settings_.patch
Patch12:        CVE-2023-0836.patch
# https://github.com/haproxy/haproxy/commit/2eab6d354322932cfec2ed54de261e4347eca9a6
Patch13:        CVE-2023-45539.patch

BuildRequires:  gcc
BuildRequires:  lua-devel
BuildRequires:  pcre2-devel
BuildRequires:  openssl-devel
BuildRequires:  systemd-devel
BuildRequires:  systemd
BuildRequires:  libatomic

# The next directive is read by the build service even though it is written as
# a comment; it only applies to sw_64 builds.
%ifarch sw_64
#!BuildIgnore: gcc_secure
%endif

# shadow-utils supplies groupadd/useradd for the pre-install scriptlet.
Requires(pre):  shadow-utils
%{?systemd_requires}

%package_help

%description
HAProxy is a free, very fast and reliable solution offering high availability,
load balancing, and proxying for TCP and HTTP-based applications. It is
particularly suited for very high traffic web sites and powers quite a number
of the world's most visited ones.
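%prep
# Unpack the tarball and apply every PatchN in numeric order with -p1.
%autosetup -n %{name}-%{version} -p1

%build
# Main daemon. ADDINC/ADDLIB hand the distribution compiler and linker flags
# to the upstream Makefile.
%make_build CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE2=1 USE_SLZ=1 \
    USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 DEFINE=-DMAX_SESS_STKCTR=12 \
    ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"

# Log analysis helper, built with the same flags.
%make_build admin/halog/halog ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"

# iprange / ip6range helpers have their own Makefile and variable names.
pushd admin/iprange
%make_build OPTIMIZE="%{build_cflags}" LDFLAGS="%{build_ldflags}"
popd

%install
install -d %{buildroot}%{_sbindir}
# Mode spelled out; 0755 is also what install uses when no -m is given.
install -m 0755 haproxy %{buildroot}%{_sbindir}
install -d %{buildroot}%{_mandir}/man1
install -m 644 doc/haproxy.1 %{buildroot}%{_mandir}/man1

# Unit file, configuration and state directories, relative to the buildroot.
pushd %{buildroot}
install -p -D -m 0644 %{SOURCE1} .%{_unitdir}/%{name}.service
install -p -D -m 0644 %{SOURCE2} .%{_sysconfdir}/haproxy/%{name}.cfg
install -p -D -m 0644 %{SOURCE3} .%{_sysconfdir}/logrotate.d/%{name}
install -p -D -m 0644 %{SOURCE4} .%{_sysconfdir}/sysconfig/%{name}
install -d -m 0755 .%{_bindir}
install -d -m 0755 .%{_localstatedir}/lib/haproxy
install -d -m 0755 .%{_sysconfdir}/haproxy/conf.d
install -d -m 0755 .%{_datadir}/haproxy
popd

install -p -m 0755 ./admin/halog/halog %{buildroot}%{_bindir}/halog
install -p -m 0755 ./admin/iprange/iprange %{buildroot}%{_bindir}/iprange
install -p -m 0755 ./admin/iprange/ip6range %{buildroot}%{_bindir}/ip6range

# Error pages. The glob covers the top level of errorfiles/; the find pass
# also reaches files in subdirectories. Paths are passed by find as single
# arguments instead of being word-split from a command substitution.
install -p -m 0644 ./examples/errorfiles/* %{buildroot}%{_datadir}/haproxy
find ./examples/errorfiles/ -type f \
    -exec install -p -m 0644 "{}" %{buildroot}%{_datadir}/haproxy \;
%{__rm} -rf ./examples/errorfiles/

# Keep only the sample .cfg files under examples/ for the doc payload.
find ./examples/* -type f ! -name "*.cfg" -exec %{__rm} -f "{}" \;

# Re-encode the shipped .txt files from ISO8859-1 to UTF-8. find passes the
# paths to the inner shell as arguments, so names containing whitespace or
# glob characters are neither split nor expanded; -e keeps the stop-on-error
# behaviour the surrounding build script relies on.
find ./ -type f -name '*.txt' -exec sh -e -c '
    for textfile in "$@"; do
        %{__mv} "$textfile" "$textfile.old"
        iconv --from-code ISO8859-1 --to-code UTF-8 --output "$textfile" "$textfile.old"
        %{__rm} -f "$textfile.old"
    done
' sh {} +

%pre
# Create the service group and account only when they do not exist yet. The
# account gets no login shell. The primary group now comes from the group
# macro; it used to be taken from the user macro, which only worked because
# both expand to the same name.
getent group %{haproxy_group} >/dev/null || groupadd -r %{haproxy_group}
getent passwd %{haproxy_user} >/dev/null || useradd -r -g %{haproxy_group} -d \
    %{_localstatedir}/lib/haproxy -s /sbin/nologin -c "haproxy" %{haproxy_user}
# Always report success, so a failed groupadd/useradd does not abort the
# transaction. NOTE(review): confirm the service handles a missing account.
exit 0

%post
%systemd_post %{name}.service

%preun
%systemd_preun %{name}.service

%postun
%systemd_postun_with_restart %{name}.service

%files
%defattr(-,root,root)
%license LICENSE
%dir %{_sysconfdir}/haproxy
# Local edits to these files survive package upgrades.
%config(noreplace) %{_sysconfdir}/haproxy/%{name}.cfg
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_bindir}/halog
%{_bindir}/iprange
%{_bindir}/ip6range
%{_sbindir}/%{name}
%{_unitdir}/%{name}.service
%dir %{_sysconfdir}/haproxy/conf.d
%dir %{_localstatedir}/lib/haproxy
%dir %{_datadir}/haproxy
%{_datadir}/haproxy/*

%files help
%defattr(-,root,root)
%doc doc/* examples/* CHANGELOG README VERSION
%{_mandir}/man1/*

%changelog
* Wed Dec 06 2023 yaoxin - 2.6.6-8
- Fix CVE-2023-45539

* Fri Dec 1 2023 liningjie - 2.6.6-7
- Fix CVE-2023-0836

* Wed Sep 27 2023 xinghe - 2.6.6-6
- Type:bugfix
- CVE:NA
- SUG:restart
- DESC:connection: Clear flags when a conn is removed
       connection: Preserve flags when a conn is removed
       stream: do not try to free a failed stream-conn
       http_ana/txn: don't re-initialize txn and req var
       mworker: prevent incorrect values in uptime
       protocol: fix minor memory leak in protocol_bind_all()
       stream: Perform errors handling in right order in stream_new()

* Fri Aug 25 2023 panchenbo - 2.6.6-5
- fix sw_64 build error

* Mon Aug 21 2023 wangkai - 2.6.6-4
- Fix CVE-2023-40225

* Thu Apr 20 2023 yaoxin - 2.6.6-3
- Fix CVE-2023-25950

* Sat Feb 25 2023 yaoxin - 2.6.6-2
- Fix CVE-2023-25725 and CVE-2023-0056

* Sat Oct 22 2022 xinghe - 2.6.6-1
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:upgrade to 2.6.6

* Fri Mar 11 2022 yaoxin - 2.4.8-2
- Fix CVE-2022-0711

* Tue Dec 07 2021 yanglu - 2.4.8-1
- update haproxy to 2.4.8

* Sat Sep 18 2021 yaoxin - 2.2.16-2
- Fix CVE-2021-40346

* Mon Aug 30 2021 yaoxin - 2.2.16-1
- Upgrade 2.2.16 to fix CVE-2021-39240

* Thu Aug 26 2021 liwu - 2.2.1-2
- fix CVE-2021-39241,CVE-2021-39242

* Thu Jul 1 2021 huanghaitao - 2.2.1-1
- update to 2.2.1

* Tue Sep 15 2020 Ge Wang - 2.0.17-1
- update to 2.0.17 and modify source0 url

* Wed Aug 05 2020 lingsheng - 2.0.14-2
- Add support for the Lua 5.4

* Wed Jul 22 2020 hanzhijun - 2.0.14-1
- update to 2.0.14

* Thu May 7 2020 cuibaobao - 1.8.14-5
- Type:cves
- ID: CVE-2020-11100
- SUG:restart
- DESC: fix CVE-2020-11100

* Wed Dec 4 2019 openEuler Buildteam - 1.8.14-4
- Package init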