%define haproxy_user      haproxy
%define haproxy_group     haproxy

%global _hardened_build   1

Name:             haproxy
Version:          3.0.11
Release:          4
Summary:          The Reliable, High Performance TCP/HTTP Load Balancer

License:          GPL-2.0-or-later
URL:              https://www.haproxy.org/
Source0:          https://www.haproxy.org/download/3.0/src/%{name}-%{version}.tar.gz
Source1:          %{name}.service
Source2:          %{name}.cfg
Source3:          %{name}.logrotate
Source4:          %{name}.sysconfig

Patch1:           backport-CVE-2025-11230.patch
Patch2:           backport-0001-CVE-2026-33555.patch
Patch3:           backport-0002-CVE-2026-33555.patch
Patch4:           backport-CVE-2026-55203.patch
Patch5:           backport-CVE-2026-55204.patch

BuildRequires:    gcc lua-devel pcre2-devel openssl-devel systemd-devel systemd libatomic libxcrypt-devel
Requires(pre):    shadow-utils
%{?systemd_requires}

%package_help
%description
HAProxy is a free, very fast and reliable solution offering high availability, load balancing,
and proxying for TCP and HTTP-based applications. It is particularly suited for very high traffic
web sites and powers quite a number of the world's most visited ones. 

%prep
%autosetup -n %{name}-%{version} -p1

%build
%make_build CC="%{__cc}" CXX="%{__cxx}" CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE2=1 USE_SLZ=1 \
    USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 DEFINE=-DMAX_SESS_STKCTR=12 \
    CFLAGS="%{build_cflags}" ARCH_FLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}"

%make_build CC="%{__cc}" CXX="%{__cxx}" admin/halog/halog ARCH_FLAGS="%{build_cflags}" LDFLAGS="%{build_ldflags}"

pushd admin/iprange
%make_build CC="%{__cc}" OPTIMIZE="%{build_cflags}" LDFLAGS="%{build_ldflags}"
popd

%install
install -d %{buildroot}%{_sbindir}
install haproxy  %{buildroot}%{_sbindir}
install -d %{buildroot}%{_mandir}/man1
install -m 644 doc/haproxy.1 %{buildroot}%{_mandir}/man1

pushd %{buildroot}
install -p -D -m 0644 %{SOURCE1} .%{_unitdir}/%{name}.service
install -p -D -m 0644 %{SOURCE2} .%{_sysconfdir}/haproxy/%{name}.cfg
install -p -D -m 0644 %{SOURCE3} .%{_sysconfdir}/logrotate.d/%{name}
install -p -D -m 0644 %{SOURCE4} .%{_sysconfdir}/sysconfig/%{name}
install -d -m 0755 .%{_bindir}
install -d -m 0755 .%{_localstatedir}/lib/haproxy
install -d -m 0755 .%{_sysconfdir}/haproxy/conf.d
install -d -m 0755 .%{_datadir}/haproxy
popd

install -p -m 0755 ./admin/halog/halog %{buildroot}%{_bindir}/halog
install -p -m 0755 ./admin/iprange/iprange %{buildroot}%{_bindir}/iprange
install -p -m 0755 ./admin/iprange/ip6range %{buildroot}%{_bindir}/ip6range
install -p -m 0644 ./examples/errorfiles/* %{buildroot}%{_datadir}/haproxy

for httpfile in $(find ./examples/errorfiles/ -type f) 
do
    install -p -m 0644 $httpfile %{buildroot}%{_datadir}/haproxy
done

%{__rm} -rf ./examples/errorfiles/
find ./examples/* -type f ! -name "*.cfg" -exec %{__rm} -f "{}" \;

textfiles=$(find ./ -type f -name '*.txt')
for textfile in ${textfiles}
do
    %{__mv} ${textfile} ${textfile}.old
    iconv --from-code ISO8859-1 --to-code UTF-8 --output ${textfile} ${textfile}.old
    %{__rm} -f ${textfile}.old
done

%pre
getent group %{haproxy_group} >/dev/null || groupadd -r %{haproxy_group}
getent passwd %{haproxy_user} >/dev/null || useradd -r -g %{haproxy_user} -d \
    %{_localstatedir}/lib/haproxy -s /sbin/nologin -c "haproxy" %{haproxy_user}
exit 0

%post
%systemd_post %{name}.service

%preun
%systemd_preun %{name}.service

%postun
%systemd_postun_with_restart %{name}.service

%files
%license LICENSE
%dir %{_sysconfdir}/haproxy
%config(noreplace) %{_sysconfdir}/haproxy/%{name}.cfg
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
%{_bindir}/halog
%{_bindir}/iprange
%{_bindir}/ip6range
%{_sbindir}/%{name}
%{_unitdir}/%{name}.service
%dir %{_sysconfdir}/haproxy/conf.d
%dir %{_localstatedir}/lib/haproxy
%dir %{_datadir}/haproxy
%{_datadir}/haproxy/*

%files help
%doc doc/* examples/* CHANGELOG README VERSION
%{_mandir}/man1/*

%changelog
* Mon Jun 22 2026 xinghe <xingheyd@163.com> - 3.0.11-4
- Type:cves
- CVE:CVE-2026-55203 CVE-2026-55204
- SUG:NA
- DESC:fix CVE-2026-55203 CVE-2026-55204

* Wed Apr 15 2026 xinghe <xingheyd@163.com> - 3.0.11-3
- Type:cves
- CVE:CVE-2026-33555
- SUG:NA
- DESC:fix CVE-2026-33555

* Thu Oct 09 2025 xinghe <xinghe2@h-partners.com> - 3.0.11-2
- Type:cves
- CVE:CVE-2025-11230
- SUG:NA
- DESC:fix CVE-2025-11230

* Fri Aug 01 2025 xinghe <xinghe2@h-partners.com> - 3.0.11-1
- Type:requirement
- ID:NA
- SUG:NA
- DESC:Update to 3.0.11

* Tue Apr 29 2025 xinghe <xinghe2@h-partners.com> - 3.0.7-3
- Type:cves
- CVE:CVE-2025-32464
- SUG:NA
- DESC:fix CVE-2025-32464

* Wed Mar 19 2025 yanglu <yanglu72@h-partners.com> - 3.0.7-2
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:queues:Do not use pendconn_grab_from_px
       queues:Make sure we call process_srv_queue when leaving
       queue:Make process_srv_queue return the number of streams

* Thu Jan 02 2025 Funda Wang <fundawang@yeah.net> - 3.0.7-1
- Update to 3.0.7

* Mon Nov 04 2024 xu_ping <707078654@qq.com> - 3.0.5-1
- Upgrade version to 3.0.5

* Mon Oct 14 2024 yaoxin <yao_xin001@hoperun.com> - 2.9.9-3
- Fix CVE-2024-49214

* Wed Sep 04 2024 yinyongkang <yinyongkang@kylinos.cn> - 2.9.9-2
- Type:CVE
- CVE:CVE-2024-45506
- SUG:NA
- DESC: Fix CVE-2024-45506

* Mon Jun 24 2024 zouzhimin <zouzhimin@kylinos.cn> - 2.9.9-1
- update to version 2.9.9
- BUG/MINOR: quic: fix computed length of emitted STREAM frames

* Fri Apr 12 2024 zouzhimin <zouzhimin@kylinos.cn> - 2.9.7-1
- update to version 2.9.7

* Thu Feb 22 2024 luofng <luofeng13@huawei.com> - 2.9.6-2
- Type: enhencement
- CVE:NA
- SUG:NA
- DESC:support for building with clang

* Mon Mar 04 2024 xuhe <xuhe@kylinos.cn> - 2.9.6-1
- update to version 2.9.6

* Mon Feb 19 2024 liweigang <izmirvii@gmail.com> - 2.9.5-1
- update to version 2.9.5

* Wed Oct 11 2023 yaoxin <yao_xin001@hoperun.com> - 2.6.15-1
- Upgrade to 2.6.15

* Wed Sep 27 2023 xinghe <xinghe2@h-partners.com> - 2.6.6-6
- Type:bugfix
- CVE:NA
- SUG:restart
- DESC:backport to fix potential coredump:
       errors: handle malloc failure in usermsgs_put
       ssl_sock: add check for ha_meth
       thread: add a check for pthread_creat
       
* Fri Sep 22 2023 leeffo <liweiganga@uniontech.com> - 2.6.6-5
- backport update stream

* Mon Aug 21 2023 wangkai <wang_kai001@hoperun.com> - 2.6.6-4
- Fix CVE-2023-40225

* Thu Apr 20 2023 yaoxin <yao_xin001@hoperun.com> - 2.6.6-3
- Fix CVE-2023-25950

* Sat Feb 25 2023 yaoxin <yaoxin30@h-partners.com> - 2.6.6-2
- Fix CVE-2023-25725 and CVE-2023-0056

* Sat Oct 22 2022 xinghe <xinghe2@h-partners.com> - 2.6.6-1
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:upgrade to 2.6.6

* Wed Mar 23 2022 xihaochen <xihaochen@h-partners.com> - 2.4.8-1
- update haproxy to 2.4.8

* Fri Mar 11 2022 yaoxin <yaoxin30@huawei.com> - 2.2.16-3
- Fix CVE-2022-0711

* Sat Sep 18 2021 yaoxin <yaoxin30@huawei.com> - 2.2.16-2
- Fix CVE-2021-40346

* Mon Aug 30 2021 yaoxin <yaoxin30@huawei.com> - 2.2.16-1
- Upgrade 2.2.16 to fix CVE-2021-39240

* Thu Aug 26 2021 liwu <liwu13@huawei.com> - 2.2.1-2
- fix CVE-2021-39241,CVE-2021-39242

* Thu Jul 1 2021 huanghaitao <huanghaitao8@huawei.com> - 2.2.1-1
- update to 2.2.1

* Tue Sep 15 2020 Ge Wang <wangge20@huawei.com> - 2.0.17-1
- update to 2.0.17 and modify source0 url

* Wed Aug 05 2020 lingsheng <lingsheng@huawei.com> - 2.0.14-2
- Add support for the Lua 5.4

* Wed Jul 22 2020 hanzhijun <hanzhijun1@huawei.com> - 2.0.14-1
- update to 2.0.14

* Thu May 7 2020 cuibaobao <cuibaobao1@huawei.com> - 1.8.14-5
- Type:cves
- ID: CVE-2020-11100
- SUG:restart
- DESC: fix CVE-2020-11100

* Wed Dec 4 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.14-4
- Package init