[arch-commits] Commit in pound/trunk (5 files)
David Runge
dvzrv at archlinux.org
Fri Nov 6 14:46:59 UTC 2020
Date: Friday, November 6, 2020 @ 14:46:59
Author: dvzrv
Revision: 744354
upgpkg: pound 3.0-1: Upgrade to 3.0.
Replace old .cfg configuration with new default .yaml configuration.
Add patch to set the runtime dir to /run/pound.
Switch to https for upstream url.
Apply all available hardening options to the service file.
Added:
pound/trunk/pound-3.0-runtime_dir.patch
pound/trunk/pound.yaml
Modified:
pound/trunk/PKGBUILD
pound/trunk/pound.service
Deleted:
pound/trunk/pound.cfg
-----------------------------+
PKGBUILD | 71 +++++++++---------
pound-3.0-runtime_dir.patch | 66 +++++++++++++++++
pound.cfg | 85 ----------------------
pound.service | 28 ++++++-
pound.yaml | 161 ++++++++++++++++++++++++++++++++++++++++++
5 files changed, 287 insertions(+), 124 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2020-11-06 14:30:34 UTC (rev 744353)
+++ PKGBUILD 2020-11-06 14:46:59 UTC (rev 744354)
@@ -5,63 +5,66 @@
_name=Pound
pkgname=pound
-pkgver=2.8
-pkgrel=3
+pkgver=3.0
+pkgrel=1
pkgdesc="A reverse proxy, load balancer, and SSL wrapper"
arch=('x86_64')
-url="http://www.apsis.ch/pound/index_html"
+url="https://www.apsis.ch/pound.html"
license=('GPL3')
-depends=('gcc-libs' 'glibc' 'pcre' 'openssl-1.0')
-makedepends=('gperftools')
-backup=('etc/pound/pound.cfg')
-# switch to https://github.com/graygnuorg/pound for openssl
+depends=('gcc-libs' 'glibc' 'libyaml' 'nanomsg' 'pcre')
+makedepends=('cmake' 'gperftools' 'mbedtls' 'uthash')
+backup=("etc/${pkgname}/${pkgname}.yaml")
source=("http://www.apsis.ch/${pkgname}/${_name}-${pkgver}.tgz"
"${_name}-${pkgver}.tgz.asc::http://www.apsis.ch/${pkgname}/${_name}-${pkgver}.asc"
+ "${pkgname}-3.0-runtime_dir.patch"
"${pkgname}.service"
- "${pkgname}.cfg")
-sha512sums=('cf0b865b17d3628e273626e07733f1320e4768702c0f64c8ef0f78d46667f770b223bdc7dca88016a95e5ebd23ae646f95a9b2f4a54a5a80001a10047f07eacc'
+ "${pkgname}.yaml")
+sha512sums=('28426fa2d66efa310fce43fc57b87b6cd9d646573161ab880b139feec856710306002af623f023907bb77f8b37979cf2332dc3e16cde48c6d349d813c6ac47e2'
'SKIP'
- 'c4b47825e3f394db9e8e784f6342d7912081c7de94638e51d27c6a7de0b13fd9665f5540412c8ddaf3157040f9b83d234e01d93ad3a61be45955aaf3afc6f543'
- '32d33474a115dfc9d5ccc094ffdb3c367108a48976cf3e58442642dab08167cd0a1808eefa1879e3c38b607d2a6a1cd28142dbd690244368760daba1f95526f6')
-b2sums=('2e4526fb78bb8bf1206a60318fef23925f2eb3b2d72c56895e6cc839e944ad8a58820be8c6c54ff2f12cd8e34ee8500dc8f7555c968fe4cd42ae7cc51ef6feec'
+ '25db5c13750c2770ae5a91d850f2f00e888474a05b2464c6f03ebe4dc628c86edf8df640daa96e9dcb7240de43537a731671376f20e0dfb599ef5fc2eaf6c053'
+ '887ebace94fb6974b34e096c3f9d85e7e45186f816f8a0b4218ffecf2bf041702bc5d40547ca5883691e1d5f959e28b8ce3aac0f12c877760c0e80d8319f57e9'
+ '329fb0064f9720cc41332894d3e96e098ffd789d13bcb3b35d67dd9f7b4c0667d1b4cf1d93df9427b4e867d5f0b5857be412ae8d34abed5aa3c2774a499b3292')
+b2sums=('8834d2d57c81bf792d803bc2aef7ad5d17243539ea3fddab777ab3dbd7f903a2f771762ee8d4818c63b7c6380c253dc7c7465e10225f884c2bb968af3dfab831'
'SKIP'
- '41fade7a7dc90d4de479b95748f272be4d4ed1e0226539b1dacb20caeef20b30f66b62afc401b4e5fb43b9cbfe107d22dad88a772469f4963ecb564357cd4f2a'
- '1dc6854854fcc1e0ce32249f6dbfe89b9ccb5ebe614bc700252090a1bb1e072d763859f42bdc1e3a8aa5ddded271cecb5d4c82ef0a90ed98c113ca019cbb255b')
+ 'eba66845b02eff8cea9353f1617f9fcbce040609ea22a1061d98a69c109fed1aaaf6fb338cde1c969153df383def7ae5e3231f281140d32702acfb8c628fa0e4'
+ '886e7218d0098f86edfde32b0d8ccdf47f7a8d6a3417144bbd9279cac14d51065fe72b312844ff6a24be6d16183a3b4a44b0d012c1d08808d07ea96d660ff69f'
+ 'a7ebb7714abf8bc7c2c0f627f6fdcc226a293277a98455bd52340536754ef3a5aef75340b8535402c78a9a754f78d4793c1d7b0c15b0b8d393fd3760a6398858')
validpgpkeys=('8BB562A0F1DB703FB7EB1E95AB72C62A8691DD02') # Robert Segall <roseg at apsis.ch>
prepare() {
mv -v "${_name}-${pkgver}" "${pkgname}-${pkgver}"
cd "${pkgname}-${pkgver}"
- # use openssl-1.0 to generate dhparam
- sed -e 's/openssl/openssl-1.0/' -i Makefile.in
+ # set runtime dir to /run/pound
+ patch -Np1 -i "../${pkgname}-3.0-runtime_dir.patch"
+ # remove vendored uthash so we build with the packaged version
+ rm -v include/ut{hash,array}.h
}
build() {
cd "${pkgname}-${pkgver}"
- # use openssl-1.0
- CPPFLAGS+=" -I/usr/include/openssl-1.0" \
- LDFLAGS+=" -L/usr/lib/openssl-1.0" \
- ./configure --prefix=/usr \
- --sysconfdir=/etc/pound \
- --bindir=/usr/bin \
- --sbindir=/usr/bin \
- --with-ssl='/usr/lib/openssl-1.0' \
- --with-owner=root \
- --with-group=root
- make
+ cmake -DCMAKE_INSTALL_PREFIX=/usr \
+ -DCMAKE_BUILD_TYPE='None' \
+ -Wno-dev \
+ -B build \
+ -S .
+ make VERBOSE=1 -C build
}
package() {
- depends+=('libtcmalloc.so')
+ depends+=('libmbedtls.so' 'libmbedcrypto.so' 'libmbedx509.so'
+ 'libtcmalloc.so')
+
cd "${pkgname}-${pkgver}"
- make DESTDIR="$pkgdir" install
+ # cmake setup has no install target :(
+ install -vDm 755 build/"${pkgname}" -t "${pkgdir}/usr/bin/"
# configuration
- install -vDm 644 "${srcdir}/${pkgname}.cfg" \
- "${pkgdir}/etc/${pkgname}/${pkgname}.cfg"
+ install -vDm 644 "../${pkgname}.yaml" -t "${pkgdir}/etc/${pkgname}/"
# systemd service
- install -vDm 644 "$srcdir/${pkgname}.service" \
- "${pkgdir}/usr/lib/systemd/system/${pkgname}.service"
+ install -vDm 644 "../${pkgname}.service" \
+ -t "${pkgdir}/usr/lib/systemd/system/"
+ # man page
+ install -vDm 644 man/${pkgname}.8 -t "${pkgdir}/usr/share/man/man8/"
# docs
- install -vDm 644 {CHANGELOG,FAQ,README} \
+ install -vDm 644 README.md \
-t "${pkgdir}/usr/share/doc/${pkgname}/"
}
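Review bot: The `source=` entries on the two lines starting `source=("http://www.apsis.ch/…` still fetch the tarball and its signature over plain http, even though `url=` was moved to https in this same hunk; the `.asc` check against `validpgpkeys` protects integrity, so this is cheap hardening rather than a hole, but switching both fetches to `https://www.apsis.ch/${pkgname}/…` is worth doing if the host serves the same paths over TLS (not verifiable from here). A small style point in package(): `install -vDm 644 man/${pkgname}.8 -t …` is the only unquoted expansion in the function, `"man/${pkgname}.8"` would match the rest.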
Added: pound-3.0-runtime_dir.patch
===================================================================
--- pound-3.0-runtime_dir.patch (rev 0)
+++ pound-3.0-runtime_dir.patch 2020-11-06 14:46:59 UTC (rev 744354)
@@ -0,0 +1,66 @@
+diff -ruN a/include/pound.h.in b/include/pound.h.in
+--- a/include/pound.h.in 2020-11-03 11:53:10.000000000 +0100
++++ b/include/pound.h.in 2020-11-06 11:27:38.356394898 +0100
+@@ -103,7 +103,7 @@
+ #include "hpack.h"
+
+ #define F_CONF "/etc/pound/pound.yaml"
+-#define F_PID "/var/run/pound.pid"
++#define F_PID "/run/pound/pound.pid"
+
+ #ifndef NI_MAXHOST
+ #define NI_MAXHOST 1025
+@@ -203,4 +203,4 @@
+ extern void *thr_http(void *);
+
+ /* http2.c */
+-extern void do_http2(HTTP_LISTENER *, FILE *, char *, char *, int);
+\ No newline at end of file
++extern void do_http2(HTTP_LISTENER *, FILE *, char *, char *, int);
+diff -ruN a/man/pound.8 b/man/pound.8
+--- a/man/pound.8 2020-11-03 11:53:10.000000000 +0100
++++ b/man/pound.8 2020-11-06 11:28:20.249080056 +0100
+@@ -131,7 +131,7 @@
+ will write its own pid into this file. Normally this is used for shell
+ scripts that control starting and stopping of the daemon.
+ Default:
+-.I /var/run/pound.pid
++.I /run/pound/pound.pid
+ .PP
+ One (or more) copies of
+ .B Pound
+@@ -481,7 +481,7 @@
+ .RE
+ .SH FILES
+ .TP
+-\fI/var/run/pound.pid\fR
++\fI/run/pound/pound.pid\fR
+ this is where
+ .B Pound
+ will attempt to record its process id.
+@@ -496,4 +496,4 @@
+ Copyright \(co 2002-2020 Apsis GmbH.
+ .br
+ This is free software; see the source for copying conditions. There is NO
+-warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+\ No newline at end of file
++warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+diff -ruN a/src/config.c b/src/config.c
+--- a/src/config.c 2020-11-03 11:53:10.000000000 +0100
++++ b/src/config.c 2020-11-06 11:28:00.302721953 +0100
+@@ -612,7 +612,7 @@
+
+ memset(&global, '\0', sizeof(global));
+ opterr = 0;
+- global.pid = "/var/run/pound.pid";
++ global.pid = "/run/pound/pound.pid";
+ global.log_level = 0;
+ while((c_opt = getopt(argc, argv, "f:cvd:p:")) > 0)
+ switch(c_opt) {
+@@ -710,4 +710,4 @@
+ if(o_check)
+ exit(0);
+ return;
+-}
+\ No newline at end of file
++}
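Review bot: The getopt string kept as context in the src/config.c hunk still contains `p:`, and the previous unit passed `-p /run/pound/pound.pid` explicitly, so if that option still overrides the pid path the same result may be reachable from ExecStart without carrying a source patch; worth confirming before committing to maintaining this patch across releases. If the patch stays, the three `\ No newline at end of file` hunks in pound.h.in, pound.8 and config.c are unrelated to the runtime dir change and only add churn that can make the patch stop applying on the next upstream tarball, so dropping them keeps it minimal. The path is now also spelled in three places; `global.pid = F_PID;` in config.c would leave the header macro as the single source, assuming pound.h is included there.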
Deleted: pound.cfg
===================================================================
--- pound.cfg 2020-11-06 14:30:34 UTC (rev 744353)
+++ pound.cfg 2020-11-06 14:46:59 UTC (rev 744354)
@@ -1,85 +0,0 @@
-###############################################################################
-## Pound configration file
-###############################################################################
-##
-##
-## GLOBAL SETTINGS
-##
-## Specify the user and group Pound will run as.
-#User "pound"
-#Group "pound"
-##
-## Specify the directory that Pound will chroot to at runtime.
-#RootJail "/"
-##
-## Have Pound run in the foreground (if 0) or as a daemon (if 1).
-#Daemon 1
-##
-## Specify the log facility to use.
-#LogFacility daemon
-##
-## Specify the logging level.
-#LogLevel 1
-##
-## Ignore case when matching URLs.
-#IgnoreCase 0
-##
-## Enable or disable the dynamic rescaling code.
-#DynScale 0
-##
-## Specify how often Pound will check for resurected back-end hosts.
-#Alive 30
-##
-## Specify for how long Pound will wait for a client request.
-#Client 10
-##
-## How long should Pound wait for a response from the back-end.
-#TimeOut 15
-##
-## How long should Pound wait for a connection to the back-end.
-#ConnTO 15
-##
-## How long should Pound continue to answer interrupted connections.
-#Grace 30
-##
-## Use an OpenSSL hardware acceleration card.
-#SSLEngine "name"
-##
-## Set the control socket path.
-Control "/run/pound/poundctl.socket"
-##
-##
-## LISTENERS
-##
-## Configure services and backends for the HTTP reverse proxy.
-#ListenHTTP
-# Address 10.0.0.1
-# Port 80
-# Service
-# BackEnd
-# Address 127.0.0.1
-# Port 8080
-# End
-# BackEnd
-# Address 127.0.0.1
-# Port 8081
-# End
-# End
-#End
-##
-## Configure services and backends for the HTTPS reverse proxy.
-#ListenHTTPS
-# Address 10.0.0.1
-# Port 443
-# Cert "/etc/ssl/certs/pound.pem"
-# Service
-# BackEnd
-# Address 127.0.0.1
-# Port 8080
-# End
-# BackEnd
-# Address 127.0.0.1
-# Port 8081
-# End
-# End
-#End
Modified: pound.service
===================================================================
--- pound.service 2020-11-06 14:30:34 UTC (rev 744353)
+++ pound.service 2020-11-06 14:46:59 UTC (rev 744354)
@@ -5,15 +5,33 @@
Wants=network-online.target
[Service]
-Type=forking
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+DeviceAllow=
DynamicUser=yes
-RuntimeDirectory=pound
-ExecStart=/usr/bin/pound -f /etc/pound/pound.cfg -p /run/pound/pound.pid
+ExecStart=/usr/bin/pound
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
PIDFile=/run/pound/pound.pid
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
ProtectKernelModules=yes
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+ProtectKernelTunables=yes
+RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RuntimeDirectory=pound
+StateDirectory=pound
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+Type=forking
+UMask=177
[Install]
WantedBy=multi-user.target
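Review bot: `RestrictAddressFamilies=~AF_PACKET AF_NETLINK AF_UNIX` denies AF_UNIX, which the C library's syslog(3) uses to reach /dev/log and which local IPC through the new nanomsg dependency may use as well, so logging from the hardened unit is likely to stop working without any error; the shipped pound.yaml itself notes that Pound may need syslog access. An allow-list is also easier to audit than a deny-list: `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`. Minor style point: `PrivateTmp=true` is the only boolean in the block spelled `true`, the rest use `yes`.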
Added: pound.yaml
===================================================================
--- pound.yaml (rev 0)
+++ pound.yaml 2020-11-06 14:46:59 UTC (rev 744354)
@@ -0,0 +1,161 @@
+---
+# Pound configuration file. See man 8 pound for further examples.
+#
+# Global Directives
+#
+# Specify the user Pound will run as (must be defined in /etc/passwd).
+# User: "pound"
+
+# Specify the group Pound will run as (must be defined in /etc/group).
+# Group: "pound"
+
+# Specify the directory that Pound will chroot to at runtime. Please note that
+# SSL may require access to /dev/urandom, so make sure you create a device by
+# that name, accessible from the root jail directory. Pound may also require
+# access to /dev/syslog or similar.
+# RootJail: "/"
+
+# Specify a path to an HTML file to be returned in case of a 404 error.
+# Err404: "/path/to/file"
+
+# Specify a path to an HTML file to be returned in case of a 405 error.
+# Err405: "/path/to/file"
+
+# Specify a path to an HTML file to be returned in case of a 500 error.
+# Err500: "/path/to/file"
+
+# Backends
+#
+# A back-end is a definition of a single back-end server Pound will use to
+# reply to incoming requests. Each backend must be marked with an anchor (&).
+Backends:
+ - &default_backend
+ # The address that Pound will connect to. This can be a numeric IP address,
+ # or a symbolic host name that must be resolvable at run-time. This is a
+ # mandatory parameter.
+ Address: localhost
+
+ # The port number that Pound will connect to. This is a mandatory parameter.
+ Port: 8080
+
+ # How long to wait for a backend (server) to complete and operation.
+ # Default: 15 (seconds).
+ Timeout:
+
+ # How many threads will be used to service requests to this backend. See
+ # also below for remarks on performance tuning. Default: 8 (threads).
+ Threads:
+
+ # A header to add to each reply received from this backend. The header is a
+ # string.
+ # HeadAdd:
+
+# HTTPListeners
+#
+# An HTTP listener defines an address and port that Pound will listen on for
+# HTTP requests.
+HTTPListeners:
+ -
+ # The address that Pound will listen on. This can be a numeric IP address,
+ # or a symbolic host name that must be resolvable at run-time. This is a
+ # mandatory parameter. The address 0.0.0.0 may be used as an alias for 'all
+ # available addresses on this machine', but this practice is strongly
+ # discouraged.
+ Address: localhost
+
+ # The port number that Pound will listen on. This is a mandatory parameter.
+ Port: 80
+
+ # Define how long Pound will wait for client activity. Default: 5 (seconds).
+ Client:
+
+ # Define how many threads Pound will use to service client requests.
+ # Default: 8 (threads).
+ Threads:
+
+ # This defines a service. This service will be used only by this listener.
+ Services:
+
+ -
+ # The service will only be used if the request URL matches the given
+ # pattern.
+ URL:
+
+ # Use the service only if any of the request headers matches the given
+ # pattern.
+ HeadRequire:
+
+ # Use the service only if none of the request headers matches the given
+ # pattern.
+ HeadDeny:
+
+ # How long to keep the client sessions (in seconds). Sessions are a
+ # long term association between a client IP address and a specific
+ # backend in this service. A value of 0 seconds means no sessions are
+ # kept. Default: 0.
+ Session:
+
+ # A list of references to previously defined backends.
+ BackEnds:
+ - *default_backend
+
+# HTTPSListeners
+#
+# An HTTP listener defines an address and port that Pound will listen on for
+# HTTP requests.
+HTTPSListeners:
+ # -
+ # The address that Pound will listen on. This can be a numeric IP address,
+ # or a symbolic host name that must be resolvable at run-time. This is a
+ # mandatory parameter. The address 0.0.0.0 may be used as an alias for 'all
+ # available addresses on this machine', but this practice is strongly
+ # discouraged.
+ # Address: localhost
+
+ # The port number that Pound will listen on. This is a mandatory parameter.
+ # Port: 443
+
+ # Define how long Pound will wait for client activity. Default: 5 (seconds).
+ # Client:
+
+ # Define how many threads Pound will use to service client requests.
+ # Default: 8 (threads).
+ # Threads:
+
+ # A file name or a list of file names. Each file must contain a certificate,
+ # optionally additional chained certificates up to a known certificate
+ # authority, and the private key corresponding to the certificate.
+ # Note: the private key should probably not be password-protected, as Pound
+ # normally starts as a daemon and cannot ask for the password at start-up
+ # time.
+ # Certificates:
+
+ # A list of acceptable cipher names for this listener. The negotiation with
+ # the client will result in one of these ciphers being used, or the
+ # hand-shake will fail.
+ # Ciphers:
+
+ # This defines a service. This service will be used only by this listener.
+ # Services:
+ # -
+ # The service will only be used if the request URL matches the given
+ # pattern.
+ # URL:
+
+ # Use the service only if any of the request headers matches the given
+ # pattern.
+ # HeadRequire:
+
+ # Use the service only if none of the request headers matches the given
+ # pattern.
+ # HeadDeny:
+
+ # How long to keep the client sessions (in seconds). Sessions are a
+ # long term association between a client IP address and a specific
+ # backend in this service. A value of 0 seconds means no sessions are
+ # kept. Default: 0.
+ # Session:
+
+ # A list of references to previously defined backends.
+ # BackEnds:
+ # - *default_backend
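Review bot: In the active Backends and HTTPListeners entries, `Timeout:`, `Threads:`, `Client:`, `URL:`, `HeadRequire:`, `HeadDeny:` and `Session:` are left with empty values, which YAML parses as null rather than as an omitted key; unless pound's loader is known to treat null as "use the default", these should be commented out the way `# HeadAdd:` and the whole HTTPSListeners block are, otherwise the shipped default may fail validation or match an empty URL pattern. The header comment above HTTPSListeners reads `# An HTTP listener defines an address and port that Pound will listen on for` / `# HTTP requests.` and should say HTTPS. The Timeout comment also has a typo, `complete and operation` → `complete an operation`.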