pkgsrc-Bugs archive
PR/60114 CVS commit: pkgsrc/www/pound
The following reply was made to PR pkg/60114; it has been noted by GNATS.
From: "David H. Gutteridge" <gutteridge%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc:
Subject: PR/60114 CVS commit: pkgsrc/www/pound
Date: Sat, 13 Jun 2026 02:10:06 +0000
Module Name: pkgsrc
Committed By: gutteridge
Date: Sat Jun 13 02:10:06 UTC 2026
Modified Files:
pkgsrc/www/pound: Makefile distinfo
Removed Files:
pkgsrc/www/pound/patches: patch-src_mem.h
Log Message:
pound: update to 4.23
Addresses PR pkg/60114 from Eirik Øverby.
Version 4.23, 2026-05-26
* Important bugfix
A bug in "SendFile" allowed for reading files outside of the
configured directory. This is fixed.
* Compilation
The early pthread_cancel probe hack is no longer used. Consequently, the
"--disable-pthread-cancel-probe" configure option is gone.
* Handling of errors during service selection
In previous versions, if service selection failed due to an error
(e.g. because a non-existing backreference was used, a run-time error
in a Lua function occurred, or the like), that service would be skipped
as if its conditions returned false, and the next one would be tried.
This could lead to selecting an improper service in case of error.
Starting from this version, any error occurring during service
selection causes pound to return internal server error (500).
* File descriptor usage
At startup, pound closes all inherited file descriptors numerically
greater than 2. If this is undesirable for some reason, use the
-Wno-close-extra-fds command line option.
Capacity of the incoming connection queue (used when all workers
become busy) is computed so as to prevent the program from running out
of file descriptors. It can also be set explicitly, using the
"ConnectionQueueSize" configuration file statement.
* Configuration constants
The "Constant" statement defines a configuration constant for use in
string expansions and Lua code. A constant is a string value
identified by a unique name. The "Constant" statement can appear in
top-level, listener, and service scopes. The syntax is:
Constant "NAME" "VALUE"
or
Constant "NAME" OPTIONS
where OPTIONS are:
-file FILE
Read constant value from the file FILE at startup.
-filewatch FILE
Read constant value from the file FILE, and monitor it during
the runtime for changes.
-trim
Trim off the trailing whitespace from the obtained value.
Constants can be used in string expansions (using the "%[const NAME]"
accessor), and in Lua code (using the "http:const(NAME)" method).
Refer to the documentation, section "Constants", for a detailed
discussion with examples.
* Tunnels
A tunnel passes an opaque stream of bytes between the client and backend.
It is defined in configuration file using the following construct:
Tunnel [ "ID" ]
Address IPADDR
Port PORT
Backend
Address IPADDR
Port PORT
End
End
Naturally, only one backend is allowed. Similarly to other listeners,
the Address/Port pair in the Tunnel section can be replaced with a
single SocketFrom statement. The following statements are allowed in
Backend subsection: Timeout, ConnTO, Disabled.
* Runtime log level control
The "poundctl" command can be used to inspect log level settings or to
change them without restarting pound.
- poundctl log [/]
Show global log level.
- poundctl log /L
Show log level for the listener L.
- poundctl log /[L] F
Set log level F. If argument is "/", global log level is
set. Otherwise, log level for the listener L is set.
- poundctl log -d /L
Clears log level setting for the listener L. As a result, the
listener will use global log level.
- poundctl log -d [/]
Set global log level to "null".
* Lua: access to the originator IP
Two new fields are available in the "http" table:
* http.rmt_ip
Request originator IP address (as string).
* http.fwd_ip
Request originator IP address (as string), determined using the
X-Forwarded-For (or similar) header. If the request bears no such
header or if the TrustedIP list is not declared, this is
equivalent to http.rmt_ip.
Version 4.22, 2026-03-29
* Remove spurious log messages.
* Metric backend: close connection after response.
* Support IPv4 mapped to IPv6 in ACLs.
It is no longer necessary to use ::ffff:<IP4> notation in ACLs to
match mapped IPv4 addresses. Using <IP4> is enough.
* Support for split Header and Host conditions is rewritten
A split "Header" condition is
Header "NAME" [OPTIONS] "PATTERN"
In previous versions, this construct was internally translated to a
"Header -re ..." statement, and that introduced several inconsistencies.
In particular, when using the "-re" option, "PATTERN" was treated as
anchored, i.e. as if it started with a "^". Besides, -exact and -prefix
were treated as equivalent. This is now fixed. The new implementation
strictly follows the logic of the statement: it compares each header whose
name is "NAME" with "PATTERN" in accordance with the given OPTIONS.
This applies also to "Host" condition, which is equivalent to
Header "Host" [OPTIONS] "PATTERN"
* Bugfixes
** Fix durations on 32-bit architectures.
** Fix recognition of truncated request capture.
Version 4.21, 2026-03-14
* Changes in Lua API
** http.balancer
Balancer group of the currently selected backend. Setting this field
to a numeric value instructs pound to re-send the request to a backend
from the balancer group with the weight greater than or equal to the
value supplied.
** http.resendcount
Keeps the number of resending attempts undergone by the current request.
** http.service.name
Name of the currently selected service. Assigning to this variable
instructs pound to send the current request to the named service.
Assigning nil also causes service selection to be rerun from the
beginning.
** http.service.locus
Location of the currently selected service in the configuration file.
* Setting ciphersuites for TLSv3
The syntax of the "Ciphers" statement (ListenHTTPs and Backend
sections) has been extended to allow for specifying ciphersuites for
TLSv3 protocol. The new syntax is:
Ciphers [typeopt] "cipherlist" ...
where optional typeopt option defines how to interpret the cipherlist
argument that follows it. Its possible values are:
-cipherlist
Sets the list of ciphers that affects only TLSv2 and prior protocols.
This is the default.
-ciphersuites
Sets the list of TLSv3 ciphersuites. It will be combined
with any TLSv1.2 and below cipher lists that may have been configured.
Notice that a single "Ciphers" statement can set both TLSv2 and TLSv3
ciphersuites:
Ciphers "HIGH:@STRENGTH:!RSA" -ciphersuites "TLS_AES_256_GCM_SHA384"
* New configuration setting: WorkerStackSize
Sets worker thread stack size, in bytes.
* Lua compile-time check
The compile-time check for Lua no longer depends on pkg-config.
Version 4.20, 2026-02-06
* New selection statement: Method
This conditional statement evaluates to true, if the request method
matches the supplied pattern, e.g.:
Service
Method "POST"
...
End
* New internal backend: Success
Always returns a 200 response code. This is intended mainly for
handling special requests. For example, the service definition
below replies to the OPTIONS requests:
Service
Method "OPTIONS"
Rewrite response
SetHeader "Access-Control-Allow-Origin: example.com"
SetHeader "Access-Control-Allow-Methods: GET,POST,PUT"
SetHeader "Access-Control-Max-Age: 1800"
End
Success
End
* Changes in Lua API
** http.req.body
This field contains the captured content of the incoming request. For
it to be available, content capturing must be explicitly enabled for
the service on whose behalf the Lua code is called. Content capturing
is enabled by the following new configuration statement:
ContentCapture SIZE
where SIZE sets the upper limit on the captured content size. If the
actual content length is greater than this value, saved material is
discarded and http.req.body is set to nil.
** http.resend
Lua functions invoked in "Rewrite response" can set this variable to
'true' to have pound resend the modified request to backend. To avoid
dead loops, pound limits the number of such resends to 4 per request.
Version 4.19, 2025-12-11
* Support for Lua
Functions written in Lua can be used to implement complex request
matching conditions, modify requests and/or responses, and implement
new backends. You will need Lua version 5.3 or newer. By default,
configure will enable Lua support if it finds the necessary headers
and libraries. This can be controlled using --disable-lua and
--enable-lua options.
At runtime, Lua sources are loaded using Load statement in the Lua
global section of the configuration file:
Lua
Load "impl.lua"
End
A function returning boolean value can be used as a conditional:
LuaMatch "myfun" "arg"
Any number of arguments (all of string type) can be provided.
Arguments undergo usual expansions prior to being passed to the
function.
Two more similar statements are added:
LuaModify - Applies a Lua function to modify the request (or
response). It can be used in ListenHTTP,
ListenHTTPS, Service, Match and Rewrite statements.
LuaBackend - Calls a Lua function that implements a backend.
* Detached conditions
Detached condition is a set of conditional statements not associated
with any service, which is assigned a unique symbolic name. Detached
conditions are defined using the Condition statement in the global
scope of pound configuration file, e.g.:
Condition "protected"
Path -beg "/admin"
ACL -file "internal.acl"
BasicAuth "htpasswd"
End
Detached conditions can be invoked using the "Eval" statement, which
is allowed anyplace where the normal conditional is allowed. Result
of evaluation is cached and reused in subsequent Eval statements
referring to the same condition. E.g.:
Service
Eval "protected"
...
End
Detached conditions provide a convenient way to define conditional
statements which are used repeatedly in multiple Service statements.
* New request modification statement: DeleteQuery
Removes query part of the request URL.
* One-argument form of SetQueryParam
When used with one argument (name of a query parameter), SetQueryParam
causes removal of that query parameter.
* Percent encoding and decoding
The Path and QueryParam conditional statements accept new option
-decode. When given this option, the value will undergo
percent-decoding prior to comparison. E.g.:
QueryParam "t" -decode "?"
Similarly, SetPath and SetQueryParam statements accept new option
-encode. When given this option, the value will be percent-encoded
prior to setting it.
* Relative pathname in SendFile statement.
If the argument to SendFile statement is not an absolute file name, it
is resolved relative to pound include directory.
* Turning PID file off.
To disable PID file creation, use PIDFile "-".
Version 4.18, 2025-10-29
* Emacs mode for editing pound configuration files
Major mode for editing pound configuration files in GNU Emacs is
implemented in file src/pound-mode.el. Its installation and usage is
covered by Chapter 11 of the Pound Manual, entitled "Emacs Major Mode".
* Include statement accepts globbing patterns
If the argument to "Include" configuration statement is a shell
globbing pattern, all regular files matching that pattern will be
included, in lexicographical order.
* New configuration statement: LineBufferSize
Sets the line buffer size. Line buffer is used when reading request
line, backend response status line, and header fields in both requests
and responses. Thus, this value limits the maximum length allowed for
these parts of HTTP messages. By default, it is set to the internal
buffer size (4096), which is also its minimum allowed value.
This statement can be used in global scope and within ListenHTTP
(ListenHTTPS) sections.
* TBF statement
This conditional statement implements token bucket filter. Its
arguments are: the ID of the bucket (a string, subject to
backreference expansion and request accessor interpretation), maximum
allowed rate (requests per second) and a burst size (number of
requests). The statement evaluates to true if the token bucket accepts
the request and to false otherwise.
See Pound Manual, Section 4.6 "Rate-limiting", for a detailed
discussion.
* New request accessor: remoteip
%[remoteip 0] expands to the real originator IP;
%[remoteip 1] expands to the IP determined from the X-Forwarded-For
(or similar) header.
* Originator IP for ACL matching
By default, ACLs are applied to the IP address from which the request
was received. It is now possible to use the IP obtained from X-Forwarded-For
header, instead. To do so, use the -forwarded option keyword, e.g.:
ACL -forwarded -file "acl.lst"
* Changes in log format specifications
** Expansion of %v changed
The %v specifier now expands to the host name used in the request, as
obtained from the "Host" header, with port specification removed.
If you want the old expansion (name of the listener that served the
request), use "%{listener}N".
** Support for new specifiers
. %l Reserved for future use. Expands to single dash.
. %p Port number of the listener that served the request.
** Built-in formats changed accordingly:
3, "vhost_combined"
"%v:%p %a %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\""
4, "combined"
"%a %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\""
5, "detailed"
"%v:%p %a %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"
(%{service}N -> %{backend}N) %{f}T sec"
* poundctl core
This command shows core pound statistics: server time, daemon version,
pid, and uptime, as well as worker threads configuration and
statistics.
* Openmetrics output
Metrics describing listeners and services are labeled by the listener
and service names, as well as by their ordinal numbers in the
configuration.
* Testsuite: optionally use multi-process model
If Perl is built without ithreads, testsuite harness switches to
multi-process model.
Version 4.17, 2025-07-29
* Tagging conditional statements
All conditional statements that match against a pattern can be tagged
using the following option:
-tag "T"
where T is an arbitrary string. This tag can then be used to refer to
a subexpression obtained as a result of matching, for example:
Path -tag "dir" -re "^/static(/.*)"
Header -tag "type" "Content-Type:([^/]+)/([^;]+)"
SetPath "/assets/$1(type).$2(type)$1(dir)"
* Changes to the "ACL" statements
Two new forms of the ACL statements are provided:
- ACL -file "NAME"
Reads ACL from the file NAME. The file shall contain a list of
CIDRs, one per input line. CIDRs need not be quoted. Empty lines
and comments are allowed.
The file is read once, at program startup.
- ACL -filewatch "NAME"
Same as above, but the file will be monitored for changes during
the runtime. If a change is detected, the file will be rescanned
and the ACL updated. To ensure file changes are noticed
immediately, pound relies on filesystem monitoring API provided by
the operating system - inotify on GNU/Linux systems and kqueue on
BSD. On systems not supporting either interface, the file will be
checked periodically. The interval between two successive checks is
defined by the WatcherTTL global directive.
The corresponding new forms are implemented for all ACL statements,
i.e.:
- Named ACLs:
ACL "name" -file "filename"
ACL "name" -filewatch "filename"
- Trusted IP lists:
TrustedIP -file "filename"
TrustedIP -filewatch "filename"
* Use of "-filewatch" with request matching directives
In addition to ACL, the -filewatch flag discussed above can be used with
the following request matching directives: Header, Path, Query, QueryParam,
StringMatch, URL.
* Changes to the "BasicAuth" statement
The statement takes an option: -filewatch or -file. The option
-filewatch is the default (see above). The -file option can be used
to disable file change monitoring.
* Changes to the "Header" statement
New statement form is introduced:
Header "FIELD" [OPTIONS] "VALUE"
In this form, pattern modification options apply to header value only,
e.g.
Header "Content-Type" -beg "text/"
* New special backend "SendFile"
This backend treats the path part of the request as local file name
and sends back the contents of that file, if it exists. Default
content type is "text/plain". Both parameters can be changed using
request (for file name), and response (for content type) rewriting.
The syntax is:
SendFile DIR
where DIR specifies the directory from which to serve files.
* Error file contents
Error file supplied with "Error", "ErrorFile", or any "ErrNNN"
directive, can begin with HTTP headers. If so, these will be
sent along with the response, and the actual response contents will
begin after the empty line that terminates the headers.
* Error response rewriting
When a regular backend responds with an error, the content (body)
of that response can be replaced with an arbitrary custom page. For
this to work, the listener must define a custom page for the
status code in question using the ErrorFile statement, and error
response rewriting must be explicitly enabled. The latter is done
with the following statement:
RewriteErrors on
The statement can be used both in ListenHTTP (ListenHTTPS) and in
Service blocks, the latter overriding the former.
* Bugfixes
** Improper pattern handling in patterns read from file
When using -file with one of the following pattern types: -exact, -beg,
-end, -contain, only first pattern from the file was compiled using the
requested pattern type. Remaining ones were treated as POSIX regular
expressions.
To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 pkgsrc/www/pound/Makefile
cvs rdiff -u -r1.15 -r1.16 pkgsrc/www/pound/distinfo
cvs rdiff -u -r1.4 -r0 pkgsrc/www/pound/patches/patch-src_mem.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
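The 4.23 notes above record that "SendFile" could read files outside the configured directory. The C function below is an added example of the kind of confinement check such a backend needs; it is not pound's code and does not claim to be the fix that shipped. It assumes a directory DIR (the SendFile argument) and the already percent-decoded path part of the request, normalises the path lexically (dropping empty and "." segments, letting ".." pop one segment and refusing it when there is nothing left to pop) and only then joins it onto DIR. The function and its signature are hypothetical names chosen for this illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Map the path part of a request onto a file under DIR, refusing any
 * path that would escape DIR. Added example, not pound's implementation.
 *
 * REQPATH must already be percent-decoded so that the check sees the
 * same bytes the later open() will see. Returns 0 and fills OUT on
 * success, -1 when the path is refused or does not fit.
 *
 * Symbolic links inside DIR are not handled by a lexical check; a real
 * server must also verify the opened file (realpath(3) or O_NOFOLLOW).
 */
int
sendfile_resolve(const char *dir, const char *reqpath, char *out, size_t outlen)
{
    const char *segs[64];     /* surviving path segments, in order */
    size_t seglen[64];
    size_t nseg = 0;
    const char *p = reqpath;

    if (strchr(reqpath, '\\') != NULL)      /* keep the grammar simple: '/' only */
        return -1;

    while (*p) {
        while (*p == '/')                   /* collapse repeated slashes */
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;                       /* "." changes nothing */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (nseg == 0)
                return -1;                  /* would climb above DIR */
            nseg--;
            continue;
        }
        if (nseg == sizeof segs / sizeof segs[0])
            return -1;                      /* absurdly deep path */
        segs[nseg] = start;
        seglen[nseg] = len;
        nseg++;
    }

    /* Join DIR and the normalised segments into OUT. */
    size_t used = strlen(dir);
    if (used >= outlen)
        return -1;
    memcpy(out, dir, used);
    for (size_t i = 0; i < nseg; i++) {
        if (used + 1 + seglen[i] >= outlen)
            return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 0;
}
```

A request for "/a/../../outside.txt" is refused before any file is touched, while "/a/./b//c" resolves to DIR/a/b/c. Because the check is purely lexical, it should be paired with a filesystem-level check on the file actually opened, as the comment notes.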
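The 4.22 notes describe the rewritten split "Header" condition: each header named NAME is compared with PATTERN under the given option, and "-re" patterns are no longer implicitly anchored, while "-exact" and "-beg" (prefix) are distinct. The C code below is an added example of those semantics, not pound's implementation. It assumes raw header lines of the form "Name: value", a hypothetical enum of option names (HM_EXACT, HM_BEG, HM_END, HM_CONTAIN, HM_RE) and POSIX extended regular expressions from regex.h for the "-re" case.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/*
 * Matching for the split form   Header "NAME" [OPTIONS] "PATTERN".
 * Added example, not pound's code. Header names compare case-insensitively
 * (as HTTP requires); the option decides how the value is compared.
 */
enum hm_mode { HM_EXACT, HM_BEG, HM_END, HM_CONTAIN, HM_RE };

/* Compare one header value with PATTERN. Returns 1 on match, 0 otherwise. */
static int
value_match(const char *value, enum hm_mode mode, const char *pattern)
{
    size_t vl = strlen(value), pl = strlen(pattern);
    regex_t re;
    int rc;

    switch (mode) {
    case HM_EXACT:
        return strcmp(value, pattern) == 0;
    case HM_BEG:                            /* prefix, unlike HM_EXACT */
        return strncmp(value, pattern, pl) == 0;
    case HM_END:
        return vl >= pl && strcmp(value + vl - pl, pattern) == 0;
    case HM_CONTAIN:
        return strstr(value, pattern) != NULL;
    case HM_RE:
        /* Not anchored: PATTERN may match anywhere in the value unless
           it carries its own "^" or "$". */
        if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
            return 0;
        rc = regexec(&re, value, 0, NULL, 0);
        regfree(&re);
        return rc == 0;
    }
    return 0;
}

/*
 * HDRS holds N raw header lines. Returns 1 if any line whose field name
 * is NAME has a value matching PATTERN under MODE, else 0.
 */
int
headers_match(const char *const hdrs[], size_t n, const char *name,
              enum hm_mode mode, const char *pattern)
{
    size_t nl = strlen(name);

    for (size_t i = 0; i < n; i++) {
        const char *line = hdrs[i];
        const char *colon = strchr(line, ':');
        if (colon == NULL || (size_t)(colon - line) != nl)
            continue;
        if (strncasecmp(line, name, nl) != 0)
            continue;                       /* different header */
        const char *value = colon + 1;
        while (*value == ' ' || *value == '\t')
            value++;                        /* skip optional whitespace */
        if (value_match(value, mode, pattern))
            return 1;
    }
    return 0;
}
```

The difference the release notes call out is visible in the regex case: the pattern "text/" used with HM_RE also matches a value such as "pretext/plain", whereas "^text/" or the HM_BEG option only accepts values that start with it. A rule that relies on a prefix should therefore say so explicitly rather than depend on implicit anchoring.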
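The 4.18 notes introduce the "TBF" condition: a token bucket identified by an expanded ID string, with a maximum rate in requests per second and a burst size, that evaluates to true while the bucket still has tokens. The C code below is an added example of that algorithm, not pound's implementation. It keeps a small table of buckets keyed by ID (so that, for instance, an ID expanded from "%[remoteip 0]" gives each client its own bucket), takes the current time as a parameter rather than reading the clock so it can be exercised deterministically, and uses hypothetical names (tbf_accept, tbf_lookup, TBF_MAX).

```c
#include <string.h>

/* Token bucket filter: added example, not pound's code. */
struct tbf {
    char   id[64];   /* bucket ID, e.g. the expanded %[remoteip 0] */
    double rate;     /* tokens (requests) added per second */
    double burst;    /* bucket capacity, i.e. the allowed burst size */
    double tokens;   /* current fill level */
    double last;     /* time of last refill, in seconds */
};

#define TBF_MAX 64
static struct tbf tbf_table[TBF_MAX];
static size_t tbf_count;

/* Find the bucket for ID, creating a full one if it does not exist yet.
   Returns NULL when the table is full or the ID is too long. */
static struct tbf *
tbf_lookup(const char *id, double rate, double burst, double now)
{
    for (size_t i = 0; i < tbf_count; i++)
        if (strcmp(tbf_table[i].id, id) == 0)
            return &tbf_table[i];
    if (tbf_count == TBF_MAX || strlen(id) >= sizeof tbf_table[0].id)
        return NULL;
    struct tbf *b = &tbf_table[tbf_count++];
    strcpy(b->id, id);
    b->rate = rate;
    b->burst = burst;
    b->tokens = burst;                      /* a new bucket starts full */
    b->last = now;
    return b;
}

/* Evaluate the condition for a request at time NOW: 1 if accepted (the
   statement is "true"), 0 if the request is rate-limited or no bucket
   could be allocated. */
int
tbf_accept(const char *id, double rate, double burst, double now)
{
    struct tbf *b = tbf_lookup(id, rate, burst, now);
    if (b == NULL)
        return 0;
    if (now > b->last) {
        b->tokens += (now - b->last) * b->rate;   /* refill since last visit */
        if (b->tokens > b->burst)
            b->tokens = b->burst;
        b->last = now;
    }
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;                   /* spend one token on this request */
        return 1;
    }
    return 0;
}
```

With rate 2 and burst 3, a client may send three requests at once, is refused on the fourth, regains one token after half a second, and is back to a full bucket after a long pause; a second client ID is unaffected because it owns a separate bucket. Refusing when the table is full is the conservative choice for a rate limiter; a production implementation would instead expire idle buckets.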