authorErmal Luçi <eri@pfsense.org>2014-03-19 16:29:57 +0100
committerErmal Luçi <eri@pfsense.org>2014-03-19 16:29:57 +0100
commit6e77b1d72ae1097ea39defc80361db0a8c7fdebd (patch)
tree3d59cf568ef8191a3d669c06626ad770abbb8752
parentd50c07fd00ac203332e57a45532a265759922993 (diff)
parent1bdd51eeb54147d989ebf288f6c2a1df3e49db6c (diff)
Merge pull request #594 from PiBa-NL/hap_acl_checks
haproxy-devel, use same checks to show if acl's are used and for writing the configuration file
-rw-r--r--config/haproxy-devel/haproxy.inc72
-rw-r--r--config/haproxy-devel/haproxy_listeners.php4
2 files changed, 41 insertions, 35 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index 1dd3332e..3a0ca782 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -896,10 +896,8 @@ function haproxy_writeconf($configpath) {
$default_backend = "";
$i = 0;
foreach ($bind['config'] as $frontend) {
- $a_acl=&$frontend['ha_acls']['item'];
- if(!is_array($a_acl))
- $a_acl=array();
-
+ $a_acl = get_frontend_acls($frontend);
+
$poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']);
// Create different pools if the svrport is set
@@ -911,31 +909,6 @@ function haproxy_writeconf($configpath) {
$a_pendingpl[$poolname]['name'] = $poolname;
$a_pendingpl[$poolname]['frontend'] = $frontend;
}
-
- if (strtolower($bind['type']) == "http" && $frontend['ssloffload']) {
- $aclname = "SNI_" . $poolname;
- if ($frontend['ssloffloadacl']){
- $cert = lookup_cert($frontend['ssloffloadcert']);
- $cert_cn = cert_get_cn($cert['crt']);
- $descr = haproxy_escape_acl_name($cert['descr']);
- $a_acl[] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn);
- unset($cert);
- }
- if ($frontend['ssloffloadacladditional']){
- $certs = $frontend['ha_certificates']['item'];
- if (is_array($certs)){
- if (count($certs) > 0){
- foreach($certs as $certref){
- $cert = lookup_cert($certref['ssl_certificate']);
- $cert_cn = cert_get_cn($cert['crt']);
- $descr = haproxy_escape_acl_name($cert['descr']);
- $a_acl[] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn);
- unset($cert);
- }
- }
- }
- }
- }
// Write this out once, and must be before any backend config text
if (($default_backend == "" || $frontend['secondary'] != 'yes') && count($a_acl) == 0 ) {
@@ -945,8 +918,8 @@ function haproxy_writeconf($configpath) {
// combine acl's with same name to allow for 'combined checks' to check for example hostname and fileextension together..
$a_acl_combine = array();
foreach ($a_acl as $entry) {
- $name = $entry['name'];
- $a_acl_combine[$name][] = $entry;
+ $name = $entry['ref']['name'];
+ $a_acl_combine[$name][] = $entry['ref'];
}
foreach ($a_acl_combine as $a_usebackend) {
@@ -1354,6 +1327,43 @@ function get_frontend_acls($frontend) {
$result[] = $acl_item;
}
}
+
+ $mainfrontend = get_primaryfrontend($frontend);
+ if (strtolower($mainfrontend['type']) == "http" && $mainfrontend['ssloffload']) {
+ $a_acl = &$frontend['ha_acls']['item'];
+ if(!is_array($a_acl))
+ $a_acl=array();
+
+ $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']);
+ $aclname = "SNI_" . $poolname;
+ if ($frontend['ssloffloadacl']){
+ $cert = lookup_cert($frontend['ssloffloadcert']);
+ $cert_cn = cert_get_cn($cert['crt']);
+ $descr = haproxy_escape_acl_name($cert['descr']);
+ unset($cert);
+ $acl_item = array();
+ $acl_item['descr'] = "Certificate ACL ".$cert_cn;
+ $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn);
+ $result[] = $acl_item;
+ }
+ if ($frontend['ssloffloadacladditional']){
+ $certs = $frontend['ha_certificates']['item'];
+ if (is_array($certs)){
+ if (count($certs) > 0){
+ foreach($certs as $certref){
+ $cert = lookup_cert($certref['ssl_certificate']);
+ $cert_cn = cert_get_cn($cert['crt']);
+ $descr = haproxy_escape_acl_name($cert['descr']);
+ unset($cert);
+ $acl_item = array();
+ $acl_item['descr'] = "Additional certificate ACLs: ".$cert_cn;
+ $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn);
+ $result[] = $acl_item;
+ }
+ }
+ }
+ }
+ }
return $result;
}
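Review bot: The certificate CN is concatenated into `$acl_item['descr']` in both added branches without any encoding, and the context lines of the haproxy_listeners.php hunk append `$acl['descr']` straight into a double-quoted `title` attribute. If that list is the one returned here (likely, but the call is outside the visible lines), a CN containing `"` or `<` would end up unescaped in the page; encoding at the output site, `$isaclset .= "&#10;" . htmlspecialchars($acl['descr']);`, covers these entries and any other description. Neither branch checks that `lookup_cert()` actually found a certificate, so a stale `ssloffloadcert` or `ssl_certificate` reference would presumably produce an ACL with an empty `value`; skipping the entry when `$cert` or `$cert_cn` is empty would keep that rule out of the written configuration. The `$a_acl = &$frontend['ha_acls']['item']` assignment at the top of the added block is not read again in the visible lines and looks like a leftover from the moved code. get_frontend_acls begins above this hunk, so the earlier part of its body was not reviewed.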
diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php
index fe5e1a8b..a9630b2d 100644
--- a/config/haproxy-devel/haproxy_listeners.php
+++ b/config/haproxy-devel/haproxy_listeners.php
@@ -169,10 +169,6 @@ include("head.inc");
foreach ($acls as $acl) {
$isaclset .= "&#10;" . $acl['descr'];
}
- if ($frontend['ssloffloadacl'])
- $isaclset .= "&#10;" . "Certificate ACL";
- if ($frontend['ssloffloadacladditional'])
- $isaclset .= "&#10;" . "Additional certificate ACLs";
if ($isaclset)
echo "<img src=\"$img_acl\" title=\"" . gettext("acl's used") . ": {$isaclset}\" border=\"0\" />";