aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPiBa-NL <pba_2k3@yahoo.com>2013-03-08 00:32:12 +0100
committerPiBa-NL <pba_2k3@yahoo.com>2013-03-08 00:32:12 +0100
commit923ed523e8088bdb494ca8f72fa1fe1caa2a4e6a (patch)
treeb1fcaa364f937bed90ad8d5c6db2f4cb3a819a7e
parent00240df580c59b9a54dafafcbf5524d266f1616e (diff)
downloadpfsense-packages-923ed523e8088bdb494ca8f72fa1fe1caa2a4e6a.tar.gz
pfsense-packages-923ed523e8088bdb494ca8f72fa1fe1caa2a4e6a.tar.bz2
pfsense-packages-923ed523e8088bdb494ca8f72fa1fe1caa2a4e6a.zip
haproxy-devel, ssl backend support, X-Forwarded-Proto, server states active/backup/disabled/inactive, certificate purpose show 'server certs' only.
-rw-r--r--config/haproxy-devel/haproxy.inc40
-rw-r--r--config/haproxy-devel/haproxy_listeners_edit.php61
-rw-r--r--config/haproxy-devel/haproxy_pool_edit.php52
3 files changed, 90 insertions, 63 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index fce05008..cd440eb0 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -322,7 +322,7 @@ function haproxy_find_acl($name) {
}
function write_backend($fd, $name, $pool, $frontend) {
- if(!is_array($pool['ha_servers']['item']))
+ if(!is_array($pool['ha_servers']['item']) && !$pool['stats_enabled']=='yes')
return;
fwrite ($fd, "backend " . $name . "\n");
@@ -408,15 +408,21 @@ function write_backend($fd, $name, $pool, $frontend) {
$checkinter = "";
$a_servers = &$pool['ha_servers']['item'];
- foreach($a_servers as $be) {
- if (!$be['name'])
- $be['name'] = $be['address'];
- if($be['backup']) {
- $isbackup = "backup";
- } else {
- $isbackup = "";
+ if (is_array($a_servers))
+ {
+ foreach($a_servers as $be) {
+ if (!$be['status'] == "inactive")
+ continue;
+
+ if (!$be['name'])
+ $be['name'] = $be['address'];
+ if(!$be['status'] || $be['status'] != 'active') {
+ $isbackup = $be['status'];
+ } else {
+ $isbackup = "";
+ }
+ fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n");
}
- fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n");
}
fwrite ($fd, "\n");
}
@@ -524,7 +530,7 @@ function haproxy_writeconf() {
$a_pendingpl = array();
- // Construct and write out configuration file
+ // Construct and write out configuration for each "frontend"
if(is_array($a_bind)) {
foreach ($a_bind as $bind) {
if (count($bind['config']) > 1)
@@ -576,8 +582,10 @@ function haproxy_writeconf() {
if($bind['httpclose'])
fwrite ($fd, "\toption\t\t\thttpclose\n");
- if($bind['forwardfor'])
+ if($bind['forwardfor']) {
fwrite ($fd, "\toption\t\t\tforwardfor\n");
+ fwrite ($fd, "\treqadd X-Forwarded-Proto:\ https\tif { ssl_fc }\n");
+ }
if($bind['max_connections'])
fwrite ($fd, "\tmaxconn\t\t\t" . $bind['max_connections'] . "\n");
@@ -614,6 +622,15 @@ function haproxy_writeconf() {
$a_pendingpl[$poolname]['frontend'] = $bconfig;
}
+ if ($bconfig['ssloffload'] && $bconfig['ssloffloadacl']) {
+ $aclname = "SNI_" . $poolname;
+ $cert_cn = cert_get_cn($bconfig['ssloffloadcert'] ,true);
+ //$expr = "req_ssl_sni -i $cert_cn";
+ $expr = "hdr(host) -i $cert_cn";
+ fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n");
+ fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n");
+ }
+
foreach ($a_acl as $entry) {
$acl = haproxy_find_acl($entry['expression']);
if (!$acl)
@@ -638,6 +655,7 @@ function haproxy_writeconf() {
fwrite ($fd, "\n");
}
}
+ // Construct and write out configuration for each "backend"
if (is_array($a_pendingpl) && is_array($a_pools)) {
foreach ($a_pendingpl as $pending) {
foreach ($a_pools as $pool) {
diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php
index 32cf0020..c61954ac 100644
--- a/config/haproxy-devel/haproxy_listeners_edit.php
+++ b/config/haproxy-devel/haproxy_listeners_edit.php
@@ -64,6 +64,10 @@ function get_certificates_server($get_includeWebCert=false) {
{
if ($get_ca == false && is_webgui_cert($cert['refid']))
continue;
+
+ $purpose = cert_get_purpose($cert['crt']);
+ if ($purpose['server'] != 'Yes')
+ continue;
$selected = "";
$caname = "";
@@ -126,6 +130,9 @@ if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) {
$a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item'];
$a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item'];
+global $simplefields;
+$simplefields = array('name','desc','status','secondary','type','forwardfor','httpclose','extaddr','backend_serverpool',
+ 'max_connections','client_timeout','port','ssloffloadcert','dcertadv','ssloffload','ssloffloadacl');
if (isset($_POST['id']))
$id = $_POST['id'];
@@ -136,27 +143,11 @@ if (isset($_GET['dup']))
$id = $_GET['dup'];
if (isset($id) && $a_backend[$id]) {
- $pconfig['name'] = $a_backend[$id]['name'];
- $pconfig['desc'] = $a_backend[$id]['desc'];
- $pconfig['status'] = $a_backend[$id]['status'];
- $pconfig['secondary'] = $a_backend[$id]['secondary'];
-
- $pconfig['type'] = $a_backend[$id]['type'];
-
- $pconfig['forwardfor'] = $a_backend[$id]['forwardfor'];
- $pconfig['httpclose'] = $a_backend[$id]['httpclose'];
-
- $pconfig['type'] = $a_backend[$id]['type'];
- $pconfig['extaddr'] = $a_backend[$id]['extaddr'];
- $pconfig['backend_serverpool'] = $a_backend[$id]['backend_serverpool'];
- $pconfig['max_connections'] = $a_backend[$id]['max_connections'];
- $pconfig['client_timeout'] = $a_backend[$id]['client_timeout'];
- $pconfig['port'] = $a_backend[$id]['port'];
$pconfig['a_acl']=&$a_backend[$id]['ha_acls']['item'];
$pconfig['advanced'] = base64_decode($a_backend[$id]['advanced']);
- $pconfig['ssloffloadcert'] = $a_backend[$id]['ssloffloadcert'];
- $pconfig['dcertadv'] = $a_backend[$id]['dcertadv'];
- $pconfig['ssloffload'] = $a_backend[$id]['ssloffload'];
+
+ foreach($simplefields as $stat)
+ $pconfig[$stat] = $a_backend[$id][$stat];
}
if (isset($_GET['dup']))
@@ -237,25 +228,11 @@ if ($_POST) {
if($backend['name'] != "")
$changedesc .= " modified '{$backend['name']}' pool:";
+ foreach($simplefields as $stat)
+ update_if_changed($stat, $backend[$stat], $_POST[$stat]);
- update_if_changed("name", $backend['name'], $_POST['name']);
- update_if_changed("description", $backend['desc'], $_POST['desc']);
- update_if_changed("status", $backend['status'], $_POST['status']);
- update_if_changed("secondary", $backend['secondary'], $_POST['secondary']);
- update_if_changed("type", $backend['type'], $_POST['type']);
- update_if_changed("cookie_name", $backend['cookie_name'], $_POST['cookie_name']);
- update_if_changed("forwardfor", $backend['forwardfor'], $_POST['forwardfor']);
- update_if_changed("httpclose", $backend['httpclose'], $_POST['httpclose']);
- update_if_changed("type", $backend['type'], $_POST['type']);
- update_if_changed("port", $backend['port'], $_POST['port']);
- update_if_changed("extaddr", $backend['extaddr'], $_POST['extaddr']);
- update_if_changed("backend_serverpool", $backend['backend_serverpool'], $_POST['backend_serverpool']);
- update_if_changed("max_connections", $backend['max_connections'], $_POST['max_connections']);
- update_if_changed("client_timeout", $backend['client_timeout'], $_POST['client_timeout']);
+
update_if_changed("advanced", $backend['advanced'], base64_encode($_POST['advanced']));
- update_if_changed("ssloffloadcert", $backend['ssloffloadcert'], $_POST['ssloffloadcert']);
- update_if_changed("dcertadv", $backend['dcertadv'], $_POST['dcertadv']);
- update_if_changed("ssloffload", $backend['ssloffload'], $_POST['ssloffload']);
$backend['ha_acls']['item'] = $a_acl;
if (isset($id) && $a_backend[$id]) {
@@ -278,6 +255,12 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
if(strstr($pfSversion, "1.2"))
$one_two = true;
+if (!$id)
+{
+ //default value for new items.
+ $pconfig['ssloffloadacl'] = "yes";
+}
+
$pgtitle = "HAProxy: Frontend: Edit";
include("head.inc");
@@ -721,6 +704,12 @@ include("head.inc");
</td>
</tr>
<tr class="haproxy_ssloffloading_enabled" align="left">
+ <td width="22%" valign="top" class="vncell">ACL for certificate CN</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="ssloffloadacl" name="ssloffloadacl" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacl']=='yes') echo "checked";?> onclick="updatevisibility();">Add ACL for certificate CommonName.</input>
+ </td>
+ </tr>
+ <tr class="haproxy_ssloffloading_enabled" align="left">
<td width="22%" valign="top" class="vncell">Advanced ssl options</td>
<td width="78%" class="vtable" colspan="2">
<input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo "value=\"{$pconfig['dcertadv']}\"";?> size="10" maxlength="64">
diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php
index 09474f02..5fb43b49 100644
--- a/config/haproxy-devel/haproxy_pool_edit.php
+++ b/config/haproxy-devel/haproxy_pool_edit.php
@@ -113,8 +113,9 @@ if ($_POST) {
$server_name=$_POST['server_name'.$x];
$server_address=$_POST['server_address'.$x];
$server_port=$_POST['server_port'.$x];
+ $server_ssl=$_POST['server_ssl'.$x];
$server_weight=$_POST['server_weight'.$x];
- $server_backup=$_POST['server_backup'.$x];
+ $server_status=$_POST['server_status'.$x];
if ($server_address) {
@@ -122,8 +123,9 @@ if ($_POST) {
$server['name']=$server_name;
$server['address']=$server_address;
$server['port']=$server_port;
+ $server['ssl']=$server_ssl;
$server['weight']=$server_weight;
- $server['backup']=$server_backup;
+ $server['status']=$server_status;
$a_servers[]=$server;
if (preg_match("/[^a-zA-Z0-9\.\-_]/", $server_name))
@@ -257,12 +259,15 @@ row_helper();
rowname[2] = "server_port";
rowtype[2] = "textbox";
rowsize[2] = "5";
- rowname[3] = "server_weight";
- rowtype[3] = "textbox";
+ rowname[3] = "server_ssl";
+ rowtype[3] = "checkbox";
rowsize[3] = "5";
- rowname[4] = "server_backup";
- rowtype[4] = "checkbox";
+ rowname[4] = "server_weight";
+ rowtype[4] = "textbox";
rowsize[4] = "5";
+ rowname[5] = "server_status";
+ rowtype[5] = "select";
+ rowsize[5] = "1";
</script>
<?php include("fbegin.inc"); ?>
<?php if ($input_errors) print_input_errors($input_errors); ?>
@@ -295,16 +300,15 @@ row_helper();
</td>
</tr>
<tr align="left">
- <td class="vncellreq" colspan="3">Server list</td>
- </tr>
- <tr>
- <td width="78%" class="vtable" colspan="2" valign="top">
+ <td class="vncell" colspan="3"><strong>Server list</strong>
+
<table class="" width="100%" cellpadding="0" cellspacing="0" id='servertable'>
<tr>
<td width="30%" class="listhdrr">Name</td>
<td width="30%" class="listhdrr">Address</td>
<td width="18%" class="listhdrr">Port</td>
- <td width="18%" class="listhdrr">Weight</td>
+ <td width="5%" class="listhdrr">SSL</td>
+ <td width="8%" class="listhdrr">Weight</td>
<td width="5%" class="listhdr">Backup</td>
<td width="4%" class=""></td>
</tr>
@@ -322,8 +326,9 @@ row_helper();
<td class="vtable listlr"><?=$server['name']; ?></td>
<td class="vtable listr"><?=$server['address']; ?></td>
<td class="vtable listr"><?=$server['port']; ?></td>
+ <td class="vtable listr"><?=$server['ssl']; ?></td>
<td class="vtable listr"><?=$server['weight']; ?></td>
- <td class="vtable listr"><?=$server['backup']; ?></td>
+ <td class="vtable listr"><?=$server['status']; ?></td>
<td class="list">
<table border="0" cellspacing="0" cellpadding="1"><tr>
<td valign="middle">
@@ -345,9 +350,17 @@ row_helper();
<td class="vtable">
<input name="server_port<?=$counter;?>" id="server_port<?=$counter;?>" type="text" value="<?=$server['port']; ?>" size="5"/></td>
<td class="vtable">
+ <input name="server_ssl<?=$counter;?>" id="server_ssl<?=$counter;?>" type="checkbox" value="<?=$server['ssl']; ?>" size="5"/></td>
+ <td class="vtable">
<input name="server_weight<?=$counter;?>" id="server_weight<?=$counter;?>" type="text" value="<?=$server['weight']; ?>" size="5"/></td>
<td class="vtable">
- <input name="server_backup<?=$counter;?>" id="server_backup<?=$counter;?>" type="checkbox" value="yes" <?php if ($server['backup']=='yes') echo "checked"; ?>/></td>
+ <select name="server_status<?=$counter;?>" id="server_status<?=$counter;?>">
+ <option value="active" <?php if($server['status']=='active') echo "SELECTED";?>>active</option>
+ <option value="backup" <?php if($server['status']=='backup') echo "SELECTED";?>>backup</option>
+ <option value="disabled" <?php if($server['status']=='disabled') echo "SELECTED";?>>disabled</option>
+ <option value="inactive" <?php if($server['status']=='inactive') echo "SELECTED";?>>inactive</option>
+ </select>
+ </td>
<td class="list">
<table border="0" cellspacing="0" cellpadding="1"><tr>
<td valign="middle">
@@ -473,14 +486,14 @@ row_helper();
<td colspan="2" valign="top" class="listtopic">Advanced settings</td>
</tr>
<tr align="left">
- <td width="22%" valign="top" class="vncellreq">Connection timeout</td>
+ <td width="22%" valign="top" class="vncell">Connection timeout</td>
<td width="78%" class="vtable" colspan="2">
<input name="connection_timeout" type="text" <?if(isset($pconfig['connection_timeout'])) echo "value=\"{$pconfig['connection_timeout']}\"";?> size="64">
<div>the time (in milliseconds) we give up if the connection does not complete within (default 30000).</div>
</td>
</tr>
<tr align="left">
- <td width="22%" valign="top" class="vncellreq">Server timeout</td>
+ <td width="22%" valign="top" class="vncell">Server timeout</td>
<td width="78%" class="vtable" colspan="2">
<input name="server_timeout" type="text" <?if(isset($pconfig['server_timeout'])) echo "value=\"{$pconfig['server_timeout']}\"";?> size="64">
<div>the time (in milliseconds) we accept to wait for data from the server, or for the server to accept data (default 30000).</div>
@@ -582,7 +595,7 @@ set by the 'retries' parameter.</div>
<br>
<?php include("fend.inc"); ?>
<script type="text/javascript">
- field_counter_js = 5;
+ field_counter_js = 6;
rows = 1;
totalrows = <?php echo $counter; ?>;
loaded = <?php echo $counter; ?>;
@@ -594,6 +607,13 @@ set by the 'retries' parameter.</div>
<?php
function row_helper() {
+ $options = <<<EOD
+ <option value='active' SELECTED>active</option>"+
+" <option value='backup'>backup</option>"+
+" <option value='disabled'>disabled</option>"+
+" <option value='inactive'>inactive</option>
+EOD;
+
echo <<<EOF
<script type="text/javascript">
// Global Variables