author | PiBa-NL <pba_2k3@yahoo.com> | 2013-04-14 00:41:54 +0200 |
---|---|---|
committer | PiBa-NL <pba_2k3@yahoo.com> | 2013-04-14 00:41:54 +0200 |
commit | c0d3652855ac7c735c7a90a1f68f3e953923654e (patch) | |
tree | 8537f37c0ed09f63fe093c252ddddc3cc51562c2 /config/haproxy-devel/haproxy.inc | |
parent | 9e8aef5dd920e25b8d0ffa808fbaa43979d8d76a (diff) | |
haproxy-devel, added support for combining ACLs
-Agent check (lb-agent-chk)
-binding multiple ports
-new try at including OpenSSL 1.0.1
-fix combining frontends
Diffstat (limited to 'config/haproxy-devel/haproxy.inc')
-rw-r--r-- | config/haproxy-devel/haproxy.inc | 118 |
1 files changed, 66 insertions, 52 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index 9a291f7a..89103ef8 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -39,30 +39,32 @@ $d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; $a_acltypes = array(); $a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with', - 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i'); + 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i %1$s'); $a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with', - 'mode' =>'http', 'syntax' => 'hdr_end(host) -i'); + 'mode' =>'http', 'syntax' => 'hdr_end(host) -i %1$s'); $a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches', - 'mode' =>'http', 'syntax' => 'hdr(host) -i'); + 'mode' =>'http', 'syntax' => 'hdr(host) -i %1$s'); $a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex', - 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i'); + 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i %1$s'); $a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains', - 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i'); + 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i %1$s'); $a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with', - 'mode' => 'http', 'syntax' => 'path_beg -i'); + 'mode' => 'http', 'syntax' => 'path_beg -i %1$s'); $a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with', - 'mode' => 'http', 'syntax' => 'path_end -i'); + 'mode' => 'http', 'syntax' => 'path_end -i %1$s'); $a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches', - 'mode' => 'http', 'syntax' => 'path -i'); + 'mode' => 'http', 'syntax' => 'path -i %1$s'); $a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex', - 'mode' => 'http', 'syntax' => 'path_reg -i'); + 'mode' => 'http', 'syntax' => 'path_reg -i %1$s'); $a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', - 'mode' => 'http', 'syntax' => 'path_dir -i'); + 'mode' => 'http', 'syntax' => 'path_dir -i %1$s'); $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', - 'mode' 
=> '', 'syntax' => 'src'); + 'mode' => '', 'syntax' => 'src %1$s'); +$a_acltypes[] = array('name' => 'backendservercount', 'descr' => 'Minimum count usable servers', + 'mode' => '', 'syntax' => 'nbsrv(%2$s) ge %1$d', 'parameters' => 'value,backendname'); if ($haproxy_sni_ssloffloading) { $a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches', - 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\n\ttcp-request content accept if { req_ssl_hello_type 1 }"); + 'mode' => 'https', 'syntax' => 'req_ssl_sni -i %1$s', 'advancedoptions' => "tcp-request inspect-delay 5s\n\ttcp-request content accept if { req_ssl_hello_type 1 }"); } $a_checktypes['none'] = array('name' => 'none', 'syntax' => '', @@ -71,10 +73,9 @@ $a_checktypes['Basic'] = array('name' => 'Basic', 'syntax' => '', 'descr' => 'Basic socket connection check'); $a_checktypes['HTTP'] = array('name' => 'HTTP', 'syntax' => 'httpchk', 'descr' => 'HTTP protocol to check on the servers health, can also be used for HTTPS servers(requirs checking the SSL box for the servers).', 'parameters' => "uri,method,version"); -/* seams this was added in HAProxy1.5dev18, haproxy-devel package is currently using 1.5dev17 +/* 'Agent' was added in HAProxy1.5dev18 */ $a_checktypes['Agent'] = array('name' => 'Agent', 'syntax' => 'lb-agent-chk', 'usedifferenport' => 'yes', 'descr' => 'Use a TCP connection to read an ASCII string of the form 100%,75%,drain,down (others in haproxy manual)'); -*/ $a_checktypes['LDAP'] = array('name' => 'LDAP', 'syntax' => 'ldap-check', 'descr' => 'Use LDAPv3 health checks for server testing'); $a_checktypes['MySQL'] = array('name' => 'MySQL', 'syntax' => 'mysql-check', @@ -384,6 +385,7 @@ function write_backend($fd, $name, $pool, $frontend) { fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n"); + unset($checkport); $check_type = $pool['check_type']; if ($check_type != 'none') { 
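Review bot: The new `backendservercount` ACL renders its value with `%1$d`, so a blank or non-numeric value stored for that ACL becomes `nbsrv(<pool>) ge 0`, which is always true and silently routes every request to that backend instead of failing the config. Either reject non-numeric values where the ACL is saved, or keep the literal and check it at the call site, e.g. `'syntax' => 'nbsrv(%2$s) ge %1$s'` guarded by `is_numeric()` before the `sprintf`. The `parameters` entry names a `backendname`, but the only caller visible in this diff passes `$poolname` as the second argument, so a comment such as `// %2$s is always the pool currently being written, not a user-supplied name` would stop a reader expecting a free-form backend reference. The `$a_acltypes` table is module-level and continues beyond the hunk.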
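Review bot: The re-enabled `Agent` entry carries the key `'usedifferenport'`, which reads as a misspelling of "use different port"; if the GUI code that decides whether to show the agent-port field tests the correctly spelled key, the field never appears and `monitor_agentport` stays empty. Please confirm the key against its consumer (not in this diff) and, if the spelling is deliberate, say so next to it: `// key name is checked verbatim by the GUI, keep spelling in sync`. The replacement comment could also tell the reader why the version matters, e.g. `/* 'Agent' (lb-agent-chk) needs HAProxy 1.5dev18 or newer; older builds reject the option */`.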
@@ -392,13 +394,15 @@ function write_backend($fd, $name, $pool, $frontend) { $optioncheck .= " user " . $pool['monitor_username']; if ($check_type == "SMTP" || $check_type == "ESMTP") $optioncheck .= " " . $pool['monitor_domain']; - if ($check_type == "HTTP") - { + if ($check_type == "HTTP") { $uri = $pool['monitor_uri']; if (!$uri) $uri = "/"; $optioncheck .= " {$pool['httpcheck_method']} {$uri} {$pool['monitor_httpversion']}"; } + if ($check_type == "Agent") { + $checkport = " port " . $pool['monitor_agentport']; + } } else { $optioncheck = "httpchk"; } @@ -451,7 +455,6 @@ function write_backend($fd, $name, $pool, $frontend) { if ($pool['advanced_backend']) { $adv_be = explode("\n", base64_decode($pool['advanced_backend'])); foreach($adv_be as $adv_line) { - $adv_line = trim($adv_line); if ($adv_line != "") { fwrite($fd, "\t" . $adv_line . "\n"); } @@ -495,7 +498,7 @@ function write_backend($fd, $name, $pool, $frontend) { { $ssl = $backend_type == "http" ? ' ssl' : ' check-ssl'; } - fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . "$ssl $cookie $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt} {$be['advanced']}\n"); + fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . "$ssl $cookie $checkinter$checkport $isbackup weight " . $be['weight'] . "{$advanced_txt} {$be['advanced']}\n"); } } fwrite ($fd, "\n"); @@ -537,6 +540,7 @@ function haproxy_writeconf() { fwrite ($fd, "\tmaxconn\t\t\t".$a_global['maxconn']."\n"); if($a_global['remotesyslog']) fwrite ($fd, "\tlog\t\t\t{$a_global['remotesyslog']}\t{$a_global['logfacility']}\t{$a_global['loglevel']}\n"); + fwrite ($fd, "\tstats socket /tmp/haproxy.socket level admin\n"); fwrite ($fd, "\tuid\t\t\t80\n"); fwrite ($fd, "\tgid\t\t\t80\n"); // Set numprocs if defined or use system default (#cores) 
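Review bot: The Agent branch emits `" port " . $pool['monitor_agentport']` without checking that a port was configured, so an empty or non-numeric `monitor_agentport` produces `... port ` at the end of the server line and HAProxy rejects the whole configuration at reload. Guard it at the point of use, e.g. `if ($check_type == "Agent" && is_numeric($pool['monitor_agentport'])) { $checkport = " port " . (int)$pool['monitor_agentport']; }`, or validate when the pool is saved and leave a comment here stating that the value is already validated. `write_backend()` continues on both sides of this hunk.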
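Review bot: Removing `trim()` from the advanced-backend loop means the emptiness test now only catches a truly empty string, so a line holding only spaces or a stray `\r` (CRLF pasted into the textarea) is written verbatim, and every directive keeps a trailing `\r`. If the intent is to preserve leading indentation, keep the untrimmed text but test the trimmed form and strip the carriage return: `if (trim($adv_line) != "") { fwrite($fd, "\t" . rtrim($adv_line, "\r") . "\n"); }`. The same shape of loop is added later in this commit for the frontend advanced pass-through, so a small shared helper would keep the two consistent. The enclosing `write_backend()` extends outside the hunk.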
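Review bot: `stats socket /tmp/haproxy.socket level admin` is written unconditionally with no `mode` or `user` restriction, and `level admin` lets anyone who can connect disable servers, change weights and kill sessions; HAProxy limits access only by the socket file's permissions, which here fall out of the process umask, and the path sits in a world-writable directory. Put it under the run directory the file already uses for its dirty flag and restrict it explicitly, e.g. `fwrite ($fd, "\tstats socket {$g['varrun_path']}/haproxy.socket mode 600 level admin\n");` (adding `global $g;` if it is not already in scope), and since the process drops to uid/gid 80 on the next two lines, pass `user`/`group` so the owner is whoever actually consumes the CLI. A comment naming that consumer would help, because nothing in this commit reads the socket.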
@@ -586,10 +590,11 @@ function haproxy_writeconf() { unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); } + $bname = get_frontend_ipport($backend); + if ($backend['extaddr']=='localhost') $backend['extaddr'] = "127.0.0.1"; - - $bname = $backend['extaddr'] . ":" . $backend['port']; + if (!is_array($a_bind[$bname])) { $a_bind[$bname] = array(); $a_bind[$bname]['config'] = array(); @@ -662,8 +667,12 @@ function haproxy_writeconf() { // Advanced pass thru if($bind['advanced']) { - $advanced = base64_decode($bind['advanced']); - fwrite($fd, "\t" . $advanced . "\n"); + $advanced = explode("\n", base64_decode($bind['advanced'])); + foreach($advanced as $adv_line) { + if ($adv_line != "") { + fwrite($fd, "\t" . $adv_line . "\n"); + } + } } // https is an alias for tcp for clarity purpouses 
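Review bot: `$bname` is now taken from `get_frontend_ipport($backend)` before `extaddr` is normalised from `localhost` to `127.0.0.1`, whereas the removed lines normalised first. If `get_frontend_ipport()` returns `extaddr` verbatim for non-WAN frontends (its start is outside this diff, only the WAN fallback is visible), frontends entered as `localhost` and `127.0.0.1` on the same port land in different `$a_bind` buckets and are written as two frontends binding the same address, which HAProxy refuses. Move the normalisation above the `$bname` assignment, or do it inside `get_frontend_ipport()` so every caller agrees. `haproxy_writeconf()` extends well beyond this hunk.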
@@ -729,33 +738,38 @@ function haproxy_writeconf() { if (strtolower($bind['type']) == "http" && $bconfig['ssloffload'] && $bconfig['ssloffloadacl']) { $aclname = "SNI_" . $poolname; $cert_cn = cert_get_cn($bconfig['ssloffloadcert'] ,true); - //$expr = "req_ssl_sni -i $cert_cn"; - $expr = "hdr(host) -i $cert_cn"; - fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"); - fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n"); + $a_acl[] = array('name' => $aclname,'expression' => 'host_matches', 'value' => $cert_cn); } + // combine acl's with same name to allow for 'combined checks' to check for example hostname and fileextension together.. + $a_acl_combine = array(); foreach ($a_acl as $entry) { - $acl = haproxy_find_acl($entry['expression']); - if (!$acl) - continue; - - // Filter out acls for different modes - if ($acl['mode'] != '' && $acl['mode'] != strtolower($bind['type'])) - continue; - - if ($acl['syntax'] != '') - $expr = $acl['syntax'] . " " . $entry['value']; - else - $expr = $entry['expression'] . " " . $entry['value']; - - $aclname = $i . "_" . $entry['name']; - fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"); - fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n"); - - if ($acl['advancedoptions'] != '') - $advancedextra[$acl['syntax']] = $acl['advancedoptions']."\n"; - $i++; + $name = $entry['name']; + $a_acl_combine[$name][] = $entry; + } + + foreach ($a_acl_combine as $a_usebackend) { + $aclnames = ""; + foreach ($a_usebackend as $entry) { + $acl = haproxy_find_acl($entry['expression']); + if (!$acl) + continue; + + // Filter out acls for different modes + if ($acl['mode'] != '' && $acl['mode'] != strtolower($bind['type'])) + continue; + + $expr = sprintf($acl['syntax'],$entry['value'],$poolname); + + $aclname = $i . "_" . $entry['name']; + $aclnames .= $aclname." "; + fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . 
"\n"); + + if ($acl['advancedoptions'] != '') + $advancedextra[$acl['syntax']] = $acl['advancedoptions']."\n"; + $i++; + } + fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclnames . "\n"); } } foreach($advancedextra as $extra) @@ -971,7 +985,8 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { } function get_frontend_id($name) { - global $a_backend; + global $config; + $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; $i = 0; foreach($a_backend as $backend) { @@ -983,7 +998,8 @@ function get_frontend_id($name) { } function get_frontend_ipport($fontend) { - global $a_backend; + global $config; + $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; if ($fontend['secondary'] == 'yes') $mainfontend = $a_backend[get_frontend_id($fontend['primary_frontend'])]; else @@ -995,7 +1011,6 @@ function get_frontend_ipport($fontend) { else $result = get_current_wan_address('wan'); return $result . ":" . $mainfontend['port']; - return 'abc'; } function haproxy_check_config() { @@ -1060,7 +1075,7 @@ function get_frontent_acls($frontend) { continue; $acl_item = array(); - $acl_item['descr'] = $acl['descr'] . " " . $entry['value']; + $acl_item['descr'] = $acl['descr'] . ": " . $entry['value']; $acl_item['ref'] = $entry; $result[] = $acl_item; @@ -1101,8 +1116,7 @@ function haproxy_escapestring($configurationsting) { return str_replace('#', '\\#', $result); } -function echo_html_select($name, $keyvaluelist, $selected, $listEmptyMessage="", $onchangeEvent="") -{ +function echo_html_select($name, $keyvaluelist, $selected, $listEmptyMessage="", $onchangeEvent="") { if (count($keyvaluelist)>0){ if ($onchangeEvent != "") $onchangeEvent .= " onchange=$onchangeEvent"; |
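Review bot: When every entry of a `$a_acl_combine` group is skipped — unknown expression, or an ACL whose `mode` does not match `$bind['type']` — `$aclnames` stays empty and the loop still writes `use_backend <pool> if ` with no condition, which HAProxy rejects; the old loop could not do this because it wrote `acl` and `use_backend` as a pair. Guard the write: `if ($aclnames != "") fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclnames . "\n");`. A comment on the grouping would also help, since space-separated ACL names are ANDed by HAProxy: `// entries sharing a name are ANDed: 'use_backend X if acl1 acl2'`. ACL values and `$cert_cn` are still interpolated into the config with no escaping, as before; the enclosing `foreach` over binds begins before this hunk.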
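Review bot: `$a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item'];` takes a reference, which creates the `item` key as null when no backends are configured, so the following `foreach` raises a warning and `$config` is left with a new empty key that may be persisted on the next write; the same applies to the identical line in `get_frontend_ipport()`. Read a copy and guard it instead: `$a_backend = $config['installedpackages']['haproxy']['ha_backends']['item']; if (!is_array($a_backend)) $a_backend = array();`. The rest of `get_frontend_id()` and the start of `get_frontend_ipport()` lie outside this hunk, so the not-found return value could not be checked here.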