author | PiBa-NL <pba_2k3@yahoo.com> | 2013-03-08 00:32:12 +0100 |
---|---|---|
committer | PiBa-NL <pba_2k3@yahoo.com> | 2013-03-08 00:32:12 +0100 |
commit | 923ed523e8088bdb494ca8f72fa1fe1caa2a4e6a (patch) | |
tree | b1fcaa364f937bed90ad8d5c6db2f4cb3a819a7e | |
parent | 00240df580c59b9a54dafafcbf5524d266f1616e (diff) | |
haproxy-devel, ssl backend support, X-Forwarded-Proto, server states active/backup/disabled/inactive, certificate purpose show 'server certs' only.
-rw-r--r-- | config/haproxy-devel/haproxy.inc | 40 | ||||
-rw-r--r-- | config/haproxy-devel/haproxy_listeners_edit.php | 61 | ||||
-rw-r--r-- | config/haproxy-devel/haproxy_pool_edit.php | 52 |
3 files changed, 90 insertions, 63 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index fce05008..cd440eb0 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -322,7 +322,7 @@ function haproxy_find_acl($name) { } function write_backend($fd, $name, $pool, $frontend) { - if(!is_array($pool['ha_servers']['item'])) + if(!is_array($pool['ha_servers']['item']) && !$pool['stats_enabled']=='yes') return; fwrite ($fd, "backend " . $name . "\n"); @@ -408,15 +408,21 @@ function write_backend($fd, $name, $pool, $frontend) { $checkinter = ""; $a_servers = &$pool['ha_servers']['item']; - foreach($a_servers as $be) { - if (!$be['name']) - $be['name'] = $be['address']; - if($be['backup']) { - $isbackup = "backup"; - } else { - $isbackup = ""; + if (is_array($a_servers)) + { + foreach($a_servers as $be) { + if (!$be['status'] == "inactive") + continue; + + if (!$be['name']) + $be['name'] = $be['address']; + if(!$be['status'] || $be['status'] != 'active') { + $isbackup = $be['status']; + } else { + $isbackup = ""; + } + fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); } - fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); } fwrite ($fd, "\n"); } @@ -524,7 +530,7 @@ function haproxy_writeconf() { $a_pendingpl = array(); - // Construct and write out configuration file + // Construct and write out configuration for each "frontend" if(is_array($a_bind)) { foreach ($a_bind as $bind) { if (count($bind['config']) > 1) 
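Review bot: In write_backend's early return, `!$pool['stats_enabled']=='yes'` parses as `(!$pool['stats_enabled']) == 'yes'`, so a boolean is loosely compared with a string and the condition only produces the intended result because PHP coerces `true == 'yes'` to true. Spell the intent out, `if(!is_array($pool['ha_servers']['item']) && $pool['stats_enabled'] != 'yes')`, so it survives any later move to strict comparisons. The body of write_backend continues outside the hunk.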
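Review bot: The skip test `if (!$be['status'] == "inactive")` has the same precedence problem as the earlier hunk and here it inverts the behaviour: it evaluates as `(!$be['status']) == "inactive"`, which is true exactly when status is empty, so servers without a status (every entry saved before this commit, which stored `backup` rather than `status`) are silently dropped from the backend, while a server marked inactive falls through and is emitted with `$isbackup = "inactive"`, which as far as I know is not a keyword HAProxy accepts on a server line and would stop the generated configuration from loading. Change it to `if ($be['status'] == "inactive") continue;` and map the legacy flag before the status is used, e.g. `if (!$be['status'] && $be['backup'] == 'yes') $be['status'] = 'backup';`. Because `$isbackup` is written verbatim into the server line, it is also worth restricting it to the values the form offers (backup, disabled) rather than whatever happens to be stored. The loop closes inside the hunk but write_backend's header is outside it.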
@@ -576,8 +582,10 @@ function haproxy_writeconf() { if($bind['httpclose']) fwrite ($fd, "\toption\t\t\thttpclose\n"); - if($bind['forwardfor']) + if($bind['forwardfor']) { fwrite ($fd, "\toption\t\t\tforwardfor\n"); + fwrite ($fd, "\treqadd X-Forwarded-Proto:\ https\tif { ssl_fc }\n"); + } if($bind['max_connections']) fwrite ($fd, "\tmaxconn\t\t\t" . $bind['max_connections'] . "\n"); @@ -614,6 +622,15 @@ function haproxy_writeconf() { $a_pendingpl[$poolname]['frontend'] = $bconfig; } + if ($bconfig['ssloffload'] && $bconfig['ssloffloadacl']) { + $aclname = "SNI_" . $poolname; + $cert_cn = cert_get_cn($bconfig['ssloffloadcert'] ,true); + //$expr = "req_ssl_sni -i $cert_cn"; + $expr = "hdr(host) -i $cert_cn"; + fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"); + fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n"); + } + foreach ($a_acl as $entry) { $acl = haproxy_find_acl($entry['expression']); if (!$acl) @@ -638,6 +655,7 @@ function haproxy_writeconf() { fwrite ($fd, "\n"); } } + // Construct and write out configuration for each "backend" if (is_array($a_pendingpl) && is_array($a_pools)) { foreach ($a_pendingpl as $pending) { foreach ($a_pools as $pool) { diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index 32cf0020..c61954ac 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -64,6 +64,10 @@ function get_certificates_server($get_includeWebCert=false) { { if ($get_ca == false && is_webgui_cert($cert['refid'])) continue; + + $purpose = cert_get_purpose($cert['crt']); + if ($purpose['server'] != 'Yes') + continue; $selected = ""; $caname = ""; 
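Review bot: The new `reqadd X-Forwarded-Proto:\ https if { ssl_fc }` appends the header without removing one the client may already have sent, so on a plain-HTTP frontend a client-supplied `X-Forwarded-Proto: https` reaches the backend unchanged and an application that trusts the header to decide on secure cookies or HTTPS redirects can be misled. Delete the inbound header first, `fwrite ($fd, "\treqidel ^X-Forwarded-Proto:.*\n");`, and consider emitting `X-Forwarded-Proto:\ http` for the non-TLS case so the backend always sees a value set by the proxy. `ssl_fc` is only meaningful on a frontend that terminates TLS, so the line is redundant on plain listeners; tying it to the ssloffload setting rather than to forwardfor would make that explicit. haproxy_writeconf continues outside the hunk.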
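Review bot: `$cert_cn` is interpolated straight into the acl line `hdr(host) -i $cert_cn`; a CommonName containing whitespace, `#` or other characters HAProxy tokenises would break or alter the generated frontend, and a wildcard CN such as `*.example.com` never matches because `-i` is an exact string compare (a Host header carrying a port does not match either). Validate the CN against the same character class the package already uses for server names before writing it, and for wildcard certificates use a suffix match (`hdr_end(host)` on the part after the `*`) or skip the ACL. The commented-out `req_ssl_sni` line should be removed rather than left as dead code. The enclosing frontend loop starts and ends outside the hunk.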
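Review bot: The new purpose filter drops every certificate whose `server` purpose is not 'Yes' from the select list, including one a frontend was already saved with; when that frontend is re-edited the stored `ssloffloadcert` presumably no longer matches any option, and saving the form would silently switch it to whatever the browser submits first. Either keep the currently selected refid in the list regardless of purpose, or show it marked as unsuitable, so the change is visible to the admin. get_certificates_server starts outside the hunk.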
@@ -126,6 +130,9 @@ if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; +global $simplefields; +$simplefields = array('name','desc','status','secondary','type','forwardfor','httpclose','extaddr','backend_serverpool', + 'max_connections','client_timeout','port','ssloffloadcert','dcertadv','ssloffload','ssloffloadacl'); if (isset($_POST['id'])) $id = $_POST['id']; @@ -136,27 +143,11 @@ if (isset($_GET['dup'])) $id = $_GET['dup']; if (isset($id) && $a_backend[$id]) { - $pconfig['name'] = $a_backend[$id]['name']; - $pconfig['desc'] = $a_backend[$id]['desc']; - $pconfig['status'] = $a_backend[$id]['status']; - $pconfig['secondary'] = $a_backend[$id]['secondary']; - - $pconfig['type'] = $a_backend[$id]['type']; - - $pconfig['forwardfor'] = $a_backend[$id]['forwardfor']; - $pconfig['httpclose'] = $a_backend[$id]['httpclose']; - - $pconfig['type'] = $a_backend[$id]['type']; - $pconfig['extaddr'] = $a_backend[$id]['extaddr']; - $pconfig['backend_serverpool'] = $a_backend[$id]['backend_serverpool']; - $pconfig['max_connections'] = $a_backend[$id]['max_connections']; - $pconfig['client_timeout'] = $a_backend[$id]['client_timeout']; - $pconfig['port'] = $a_backend[$id]['port']; $pconfig['a_acl']=&$a_backend[$id]['ha_acls']['item']; $pconfig['advanced'] = base64_decode($a_backend[$id]['advanced']); - $pconfig['ssloffloadcert'] = $a_backend[$id]['ssloffloadcert']; - $pconfig['dcertadv'] = $a_backend[$id]['dcertadv']; - $pconfig['ssloffload'] = $a_backend[$id]['ssloffload']; + + foreach($simplefields as $stat) + $pconfig[$stat] = $a_backend[$id][$stat]; } if (isset($_GET['dup'])) 
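Review bot: `global $simplefields;` at file scope is a no-op, since the assignment that follows is already global; the keyword only matters inside a function body. As this list is now the single place that decides which fields are loaded and saved (see the loops in the next hunks), it deserves a comment: `// Fields copied 1:1 between $_POST, $pconfig and the stored frontend; a field missing here is silently ignored on save.`. Entries saved before this commit have no `ssloffloadacl` key, so the load loop in the second hunk will raise an undefined-index notice for them unless the copy is guarded with `isset`.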
@@ -237,25 +228,11 @@ if ($_POST) { if($backend['name'] != "") $changedesc .= " modified '{$backend['name']}' pool:"; + foreach($simplefields as $stat) + update_if_changed($stat, $backend[$stat], $_POST[$stat]); - update_if_changed("name", $backend['name'], $_POST['name']); - update_if_changed("description", $backend['desc'], $_POST['desc']); - update_if_changed("status", $backend['status'], $_POST['status']); - update_if_changed("secondary", $backend['secondary'], $_POST['secondary']); - update_if_changed("type", $backend['type'], $_POST['type']); - update_if_changed("cookie_name", $backend['cookie_name'], $_POST['cookie_name']); - update_if_changed("forwardfor", $backend['forwardfor'], $_POST['forwardfor']); - update_if_changed("httpclose", $backend['httpclose'], $_POST['httpclose']); - update_if_changed("type", $backend['type'], $_POST['type']); - update_if_changed("port", $backend['port'], $_POST['port']); - update_if_changed("extaddr", $backend['extaddr'], $_POST['extaddr']); - update_if_changed("backend_serverpool", $backend['backend_serverpool'], $_POST['backend_serverpool']); - update_if_changed("max_connections", $backend['max_connections'], $_POST['max_connections']); - update_if_changed("client_timeout", $backend['client_timeout'], $_POST['client_timeout']); + update_if_changed("advanced", $backend['advanced'], base64_encode($_POST['advanced'])); - update_if_changed("ssloffloadcert", $backend['ssloffloadcert'], $_POST['ssloffloadcert']); - update_if_changed("dcertadv", $backend['dcertadv'], $_POST['dcertadv']); - update_if_changed("ssloffload", $backend['ssloffload'], $_POST['ssloffload']); $backend['ha_acls']['item'] = $a_acl; if (isset($id) && $a_backend[$id]) { @@ -278,6 +255,12 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); if(strstr($pfSversion, "1.2")) $one_two = true; +if (!$id) +{ + //default value for new items. + $pconfig['ssloffloadacl'] = "yes"; +} + $pgtitle = "HAProxy: Frontend: Edit"; include("head.inc"); 
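Review bot: The loop over `$simplefields` replaces the explicit `update_if_changed` calls, but `cookie_name`, which the removed lines did save, is not in `$simplefields`, so if the form still posts it the value is now silently discarded; either add it to the list or remove the field from the form. The loop also changes the change-log labels (`"description"` becomes `desc`), which is fine but should be a deliberate choice. The enclosing `if ($_POST)` block starts and ends outside the hunk.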
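Review bot: `if (!$id)` is also true when `$id` is 0, the first frontend in the list, so editing that entry overrides its stored `ssloffloadacl` with "yes" because this block runs after `$pconfig` has been filled; use `if (!isset($id))`. Defaulting the ACL to on also means every new TLS frontend routes on the certificate's CN without the admin opting in; if that is intended, say so in place of the current comment, `// New frontends get the CN-based routing ACL by default; existing entries keep their saved value.`.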
@@ -721,6 +704,12 @@ include("head.inc"); </td> </tr> <tr class="haproxy_ssloffloading_enabled" align="left"> + <td width="22%" valign="top" class="vncell">ACL for certificate CN</td> + <td width="78%" class="vtable" colspan="2"> + <input id="ssloffloadacl" name="ssloffloadacl" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacl']=='yes') echo "checked";?> onclick="updatevisibility();">Add ACL for certificate CommonName.</input> + </td> + </tr> + <tr class="haproxy_ssloffloading_enabled" align="left"> <td width="22%" valign="top" class="vncell">Advanced ssl options</td> <td width="78%" class="vtable" colspan="2"> <input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo "value=\"{$pconfig['dcertadv']}\"";?> size="10" maxlength="64"> diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php index 09474f02..5fb43b49 100644 --- a/config/haproxy-devel/haproxy_pool_edit.php +++ b/config/haproxy-devel/haproxy_pool_edit.php @@ -113,8 +113,9 @@ if ($_POST) { $server_name=$_POST['server_name'.$x]; $server_address=$_POST['server_address'.$x]; $server_port=$_POST['server_port'.$x]; + $server_ssl=$_POST['server_ssl'.$x]; $server_weight=$_POST['server_weight'.$x]; - $server_backup=$_POST['server_backup'.$x]; + $server_status=$_POST['server_status'.$x]; if ($server_address) { @@ -122,8 +123,9 @@ if ($_POST) { $server['name']=$server_name; $server['address']=$server_address; $server['port']=$server_port; + $server['ssl']=$server_ssl; $server['weight']=$server_weight; - $server['backup']=$server_backup; + $server['status']=$server_status; $a_servers[]=$server; if (preg_match("/[^a-zA-Z0-9\.\-_]/", $server_name)) 
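Review bot: `server_status` and `server_ssl` are read from `$_POST` and stored as-is with no validation, although `$be['status']` is later written verbatim as a keyword on the generated `server` line in haproxy.inc; a value outside the four the select offers would break or alter the HAProxy configuration. Whitelist it next to the existing name check, `if (!in_array($server_status, array('active','backup','disabled','inactive'), true)) $input_errors[] = "Invalid status for server {$server_name}";`, and store `ssl` only as 'yes' or empty. Nothing in the hunks shown reads `$server['ssl']` when writing the config, so either the backend `ssl` option still needs wiring up or the field should wait until it does. The enclosing `if ($_POST)` block and the server loop start outside the hunk.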
@@ -257,12 +259,15 @@ row_helper(); rowname[2] = "server_port"; rowtype[2] = "textbox"; rowsize[2] = "5"; - rowname[3] = "server_weight"; - rowtype[3] = "textbox"; + rowname[3] = "server_ssl"; + rowtype[3] = "checkbox"; rowsize[3] = "5"; - rowname[4] = "server_backup"; - rowtype[4] = "checkbox"; + rowname[4] = "server_weight"; + rowtype[4] = "textbox"; rowsize[4] = "5"; + rowname[5] = "server_status"; + rowtype[5] = "select"; + rowsize[5] = "1"; </script> <?php include("fbegin.inc"); ?> <?php if ($input_errors) print_input_errors($input_errors); ?> @@ -295,16 +300,15 @@ row_helper(); </td> </tr> <tr align="left"> - <td class="vncellreq" colspan="3">Server list</td> - </tr> - <tr> - <td width="78%" class="vtable" colspan="2" valign="top"> + <td class="vncell" colspan="3"><strong>Server list</strong> + <table class="" width="100%" cellpadding="0" cellspacing="0" id='servertable'> <tr> <td width="30%" class="listhdrr">Name</td> <td width="30%" class="listhdrr">Address</td> <td width="18%" class="listhdrr">Port</td> - <td width="18%" class="listhdrr">Weight</td> + <td width="5%" class="listhdrr">SSL</td> + <td width="8%" class="listhdrr">Weight</td> <td width="5%" class="listhdr">Backup</td> <td width="4%" class=""></td> </tr> @@ -322,8 +326,9 @@ row_helper(); <td class="vtable listlr"><?=$server['name']; ?></td> <td class="vtable listr"><?=$server['address']; ?></td> <td class="vtable listr"><?=$server['port']; ?></td> + <td class="vtable listr"><?=$server['ssl']; ?></td> <td class="vtable listr"><?=$server['weight']; ?></td> - <td class="vtable listr"><?=$server['backup']; ?></td> + <td class="vtable listr"><?=$server['status']; ?></td> <td class="list"> <table border="0" cellspacing="0" cellpadding="1"><tr> <td valign="middle"> 
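Review bot: The list header still reads "Backup" although the column under it now shows `$server['status']` (third hunk), so the table mislabels the data; change the cell to `<td width="5%" class="listhdr">Status</td>`. The new `SSL` column prints the raw stored value, which is consistent with the other cells but reads oddly next to a checkbox input. The surrounding table markup begins outside the hunk.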
@@ -345,9 +350,17 @@ row_helper(); <td class="vtable"> <input name="server_port<?=$counter;?>" id="server_port<?=$counter;?>" type="text" value="<?=$server['port']; ?>" size="5"/></td> <td class="vtable"> + <input name="server_ssl<?=$counter;?>" id="server_ssl<?=$counter;?>" type="checkbox" value="<?=$server['ssl']; ?>" size="5"/></td> + <td class="vtable"> <input name="server_weight<?=$counter;?>" id="server_weight<?=$counter;?>" type="text" value="<?=$server['weight']; ?>" size="5"/></td> <td class="vtable"> - <input name="server_backup<?=$counter;?>" id="server_backup<?=$counter;?>" type="checkbox" value="yes" <?php if ($server['backup']=='yes') echo "checked"; ?>/></td> + <select name="server_status<?=$counter;?>" id="server_status<?=$counter;?>"> + <option value="active" <?php if($server['status']=='active') echo "SELECTED";?>>active</option> + <option value="backup" <?php if($server['status']=='backup') echo "SELECTED";?>>backup</option> + <option value="disabled" <?php if($server['status']=='disabled') echo "SELECTED";?>>disabled</option> + <option value="inactive" <?php if($server['status']=='inactive') echo "SELECTED";?>>inactive</option> + </select> + </td> <td class="list"> <table border="0" cellspacing="0" cellpadding="1"><tr> <td valign="middle"> 
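Review bot: The new SSL checkbox uses `value="<?=$server['ssl']; ?>"`, so for a server that is not yet flagged the box submits an empty string when ticked and `$server['ssl']` can never become set through the form; the replaced backup checkbox had this right with a fixed value and a conditional `checked`. Use `<input name="server_ssl<?=$counter;?>" id="server_ssl<?=$counter;?>" type="checkbox" value="yes" <?php if ($server['ssl']=='yes') echo "checked"; ?>/>`. The enclosing foreach over the servers starts and ends outside the hunk.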
@@ -473,14 +486,14 @@ row_helper(); <td colspan="2" valign="top" class="listtopic">Advanced settings</td> </tr> <tr align="left"> - <td width="22%" valign="top" class="vncellreq">Connection timeout</td> + <td width="22%" valign="top" class="vncell">Connection timeout</td> <td width="78%" class="vtable" colspan="2"> <input name="connection_timeout" type="text" <?if(isset($pconfig['connection_timeout'])) echo "value=\"{$pconfig['connection_timeout']}\"";?> size="64"> <div>the time (in milliseconds) we give up if the connection does not complete within (default 30000).</div> </td> </tr> <tr align="left"> - <td width="22%" valign="top" class="vncellreq">Server timeout</td> + <td width="22%" valign="top" class="vncell">Server timeout</td> <td width="78%" class="vtable" colspan="2"> <input name="server_timeout" type="text" <?if(isset($pconfig['server_timeout'])) echo "value=\"{$pconfig['server_timeout']}\"";?> size="64"> <div>the time (in milliseconds) we accept to wait for data from the server, or for the server to accept data (default 30000).</div> @@ -582,7 +595,7 @@ set by the 'retries' parameter.</div> <br> <?php include("fend.inc"); ?> <script type="text/javascript"> - field_counter_js = 5; + field_counter_js = 6; rows = 1; totalrows = <?php echo $counter; ?>; loaded = <?php echo $counter; ?>; @@ -594,6 +607,13 @@ set by the 'retries' parameter.</div> <?php function row_helper() { + $options = <<<EOD + <option value='active' SELECTED>active</option>"+ +" <option value='backup'>backup</option>"+ +" <option value='disabled'>disabled</option>"+ +" <option value='inactive'>inactive</option> +EOD; + echo <<<EOF <script type="text/javascript"> // Global Variables |
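Review bot: `$options` is built as a JavaScript string fragment (note the embedded `"+` line joins), but nothing in the hunk shows where it is interpolated, so the reader cannot tell whether the consuming `EOF` heredoc places it inside a double-quoted JS literal as the joins require. A one-line comment above it would remove the guesswork, e.g. `// JS string fragment spliced into the row template below; lines are joined with "+ because the heredoc keeps its newlines`. The rest of row_helper is outside the hunk.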