diff options
author | PiBa-NL <pba_2k3@yahoo.com> | 2013-03-02 21:57:23 +0100 |
---|---|---|
committer | PiBa-NL <pba_2k3@yahoo.com> | 2013-03-02 21:57:23 +0100 |
commit | fea3c94f99d40325bfb17a3861b55866a216ed1f (patch) | |
tree | 857d5c95be463b6f8759d3bb11ac70dd83f642df /config/haproxy-devel/haproxy.inc | |
parent | bad003299aeb2038d0c9a2531263392455d2941c (diff) | |
download | pfsense-packages-fea3c94f99d40325bfb17a3861b55866a216ed1f.tar.gz pfsense-packages-fea3c94f99d40325bfb17a3861b55866a216ed1f.tar.bz2 pfsense-packages-fea3c94f99d40325bfb17a3861b55866a216ed1f.zip |
haproxy-devel, make it work and include the possibility for both SNI checking and/or SSL offloading.
Diffstat (limited to 'config/haproxy-devel/haproxy.inc')
-rw-r--r-- | config/haproxy-devel/haproxy.inc | 642 |
1 files changed, 511 insertions, 131 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index 9fbb606d..ab56f34c 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -32,12 +32,49 @@ require_once("functions.inc"); require_once("pkg-utils.inc"); require_once("notices.inc"); + +global $haproxy_sni_ssloffloading; +$haproxy_sni_ssloffloading=true;// can only be used with recent 1.5-dev17 builds. + $d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; +$a_acltypes = array(); +$a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with', + 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i'); +$a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with', + 'mode' =>'http', 'syntax' => 'hdr_end(host) -i'); +$a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches', + 'mode' =>'http', 'syntax' => 'hdr(host) -i'); +$a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex', + 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i'); +$a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains', + 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i'); +$a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with', + 'mode' => 'http', 'syntax' => 'path_beg -i'); +$a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with', + 'mode' => 'http', 'syntax' => 'path_end -i'); +$a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches', + 'mode' => 'http', 'syntax' => 'path -i'); +$a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex', + 'mode' => 'http', 'syntax' => 'path_reg -i'); +$a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', + 'mode' => 'http', 'syntax' => 'path_dir -i'); +$a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', + 'mode' => '', 'syntax' => 'src'); +if ($haproxy_sni_ssloffloading) +{ + $a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches', + 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\r\ntcp-request content accept if { req_ssl_hello_type 1 }"); +} + function haproxy_custom_php_deinstall_command() { - exec("rm /usr/local/sbin/haproxy"); + exec("cd /var/db/pkg && pkg_delete `ls | grep haproxy`"); exec("rm /usr/local/pkg/haproxy.inc"); exec("rm /usr/local/www/haproxy*"); + exec("rm /usr/local/etc/rc.d/haproxy.sh"); + exec("rm /etc/devd/haproxy.conf"); + exec("/etc/rc.d/devd restart"); + haproxy_install_cron(false); } function haproxy_custom_php_install_command() { @@ -60,6 +97,8 @@ haproxy_enable=\${haproxy-"YES"} start_cmd="haproxy_start" stop_postcmd="haproxy_stop" +check_cmd="haproxy_check" +extra_commands="check" load_rc_config \$name @@ -77,6 +116,20 @@ haproxy_start () { ENDOFF } +haproxy_check () { + echo "Checking haproxy." + /usr/bin/env \ + PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \ + /usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDOFF + <?php + require_once("globals.inc"); + require_once("functions.inc"); + require_once("haproxy.inc"); + haproxy_check_run(0); + ?> +ENDOFF +} + haproxy_stop () { echo "Stopping haproxy." killall haproxy @@ -91,18 +144,292 @@ EOD; fclose($fd); exec("chmod a+rx /usr/local/etc/rc.d/haproxy.sh"); + $devd = <<<EOD +notify 0 { + match "system" "IFNET"; + match "subsystem" "carp[0-9]+"; + match "type" "LINK_UP"; + action "/usr/local/etc/rc.d/haproxy.sh check"; +}; +notify 0 { + match "system" "IFNET"; + match "subsystem" "carp[0-9]+"; + match "type" "LINK_DOWN"; + action "/usr/local/etc/rc.d/haproxy.sh check"; +}; + +EOD; + exec("mkdir -p /etc/devd"); + $fd = fopen("/etc/devd/haproxy.conf", "w"); + fwrite($fd, $devd); + fclose($fd); + exec("/etc/rc.d/devd restart"); + + /* Do XML upgrade from haproxy 0.31 to haproxy-dev */ + if (is_array($config['installedpackages']['haproxy']['ha_servers'])) { + /* We have an old config */ + $config['installedpackages']['haproxy']['ha_pools']['item'] = array(); + $a_global = &$config['installedpackages']['haproxy']; + $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + $a_oldservers = &$config['installedpackages']['haproxy']['ha_servers']['item']; + $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; + + foreach ($a_backends as $id => $be) { + $a_backends[$id]['status'] = 'active'; + } + $id = 0; + foreach ($a_oldservers as $oldserver) { + $pool=$oldserver; + /* make server sub array */ + $server=array(); + $server['name'] = $oldserver['name']; + $server['address'] = $oldserver['address']; + $server['port'] = $oldserver['port']; + $server['weight'] = $oldserver['weight']; + $a_servers=array(); + $a_servers[]=$server; + /* set new pool */ + $pool['name'] = "pool$id"; + $id++; + $pool['ha_servers']['item']=$a_servers; + /* link to frontend */ + foreach ($a_backends as $id => $be) { + if ($a_backends[$id]['name'] == $oldserver['backend']) { + $a_backends[$id]['backend_serverpool'] = $pool['name']; + $pool['monitor_uri'] = $be['monitor_uri']; + unset($a_backends[$id]['monitor_uri']); + break; + } + } + unset($pool['backend']); + unset($pool['address']); + unset($pool['port']); + unset($pool['weight']); + $a_pools[] = $pool; + } + unset($config['installedpackages']['haproxy']['ha_servers']); + write_config(); + } + + /* XML update to: pkg v1.3 and 'pool' changed to 'backend_serverpool' because 'pool' was added to listtags() in xmlparse.inc */ + if (is_array($config['installedpackages']['haproxy']['ha_backends']['item'][0]['pool'])) + { + foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend) + { + $backend_serverpool = $frontend['pool'][0]; + $frontend['backend_serverpool'] = $backend_serverpool; + unset($frontend['pool']); + } + write_config(); + } + //also move setting for existing 2.0 installations as only the new variable is used + if (isset($config['installedpackages']['haproxy']['ha_backends']['item'][0]['pool'])) + { + foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend) + { + $backend_serverpool = $frontend['pool']; + $frontend['backend_serverpool'] = $backend_serverpool; + unset($frontend['pool']); + } + write_config(); + } + conf_mount_ro(); exec("/usr/local/etc/rc.d/haproxy.sh start"); } +function haproxy_install_cron($should_install) { + global $config, $g; + if($g['booting']==true) + return; + $is_installed = false; + if(!$config['cron']['item']) + return; + $x=0; + foreach($config['cron']['item'] as $item) { + if(strstr($item['command'], "/usr/local/etc/rc.d/haproxy.sh")) { + $is_installed = true; + break; + } + $x++; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "*/2"; + $cron_item['hour'] = "*"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/local/etc/rc.d/haproxy.sh check"; + $config['cron']['item'][] = $cron_item; + parse_config(true); + write_config(); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + parse_config(true); + write_config(); + } + configure_cron(); + } + break; + } +} + +function haproxy_find_acl($name) { + global $a_acltypes; + + /* XXX why is this broken from xmlsync? */ + if (!$a_acltypes) { + $a_acltypes = array(); + $a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with', + 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i'); + $a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with', + 'mode' =>'http', 'syntax' => 'hdr_end(host) -i'); + $a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches', + 'mode' =>'http', 'syntax' => 'hdr(host) -i'); + $a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex', + 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i'); + $a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains', + 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i'); + $a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with', + 'mode' => 'http', 'syntax' => 'path_beg -i'); + $a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with', + 'mode' => 'http', 'syntax' => 'path_end -i'); + $a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches', + 'mode' => 'http', 'syntax' => 'path -i'); + $a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex', + 'mode' => 'http', 'syntax' => 'path_reg -i'); + $a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', + 'mode' => 'http', 'syntax' => 'path_dir -i'); + $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', + 'mode' => '', 'syntax' => 'src'); + } + + if($a_acltypes) { + foreach ($a_acltypes as $acl) { + if ($acl['name'] == $name) + return $acl; + } + } +} + +function write_backend($fd, $name, $pool, $frontend) { + if(!is_array($pool['ha_servers']['item'])) + return; + + fwrite ($fd, "backend " . $name . "\n"); + if($pool['cookie_name'] && strtolower($frontend['type']) == "http") + fwrite ($fd, "\tcookie\t\t\t" . $pool['cookie_name'] . " insert indirect\n"); + + // https is an alias for tcp for clarity purpouses + if(strtolower($frontend['type']) == "https") { + $backend_type = "tcp"; + $httpchk = "ssl-hello-chk"; + } else { + $backend_type = $frontend['type']; + $httpchk = "httpchk"; + } + + fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n"); + + if($frontend['balance']) + fwrite ($fd, "\tbalance\t\t\t" . $frontend['balance'] . "\n"); + + if($frontend['connection_timeout']) + fwrite ($fd, "\tcontimeout\t\t" . $frontend['connection_timeout'] . "\n"); + + if($frontend['server_timeout']) + fwrite ($fd, "\tsrvtimeout\t\t" . $frontend['server_timeout'] . "\n"); + + if($frontend['retries']) + fwrite ($fd, "\tretries\t\t\t" . $frontend['retries'] . "\n"); + + if($frontend['stats_enabled']=='yes') { + fwrite ($fd, "\tstats\t\t\tenable\n"); + if($frontend['stats_uri']) + fwrite ($fd, "\tstats\t\t\turi ".$frontend['stats_uri']."\n"); + if($frontend['stats_realm']) + fwrite ($fd, "\tstats\t\t\trealm " . $frontend['stats_realm'] . "\n"); + else + fwrite ($fd, "\tstats\t\t\trealm .\n"); + fwrite ($fd, "\tstats\t\t\tauth " . $frontend['stats_username'].":". $frontend['stats_password']."\n"); + + if($frontend['stats_node_enabled']=='yes') + fwrite ($fd, "\tstats\t\t\tshow-node " . $frontend['stats_node'] . "\n"); + if($frontend['stats_desc']) + fwrite ($fd, "\tstats\t\t\tshow-desc " . $frontend['stats_desc'] . "\n"); + if($frontend['stats_refresh']) + fwrite ($fd, "\tstats\t\t\trefresh " . $frontend['stats_refresh'] . "\n"); + } + + $uri = $pool['monitor_uri']; + if ($pool['monitor_uri']) + $uri = $pool['monitor_uri']; + else + $uri = "/"; + fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n"); + + if($pool['cookie'] && strtolower($frontend['type']) == "http") + $cookie = " cookie {$pool['cookie']} "; + else + $cookie = ""; + if($pool['advanced']) { + $advanced = base64_decode($pool['advanced']); + $advanced_txt = " " . $advanced; + } else { + $advanced_txt = ""; + } + if($pool['checkinter']) + $checkinter = "check inter {$pool['checkinter']}"; + else if (strtolower($frontend['type']) != "tcp") + $checkinter = "check inter 1000"; + else + $checkinter = ""; + + $a_servers = &$pool['ha_servers']['item']; + foreach($a_servers as $be) { + if(!$be['port']) { + // the listener can specify a default port + $be['port'] = $frontend['svrport']; + } + if(!$be['port']) { + // last resort, use the frontend port + $ports = split(",", "{$frontend['port']},"); + $be['port'] = $ports[0]; + } + if (!$be['name']) + $be['name'] = $be['address']; + if($be['backup']) { + $isbackup = "backup"; + } else { + $isbackup = ""; + } + fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); + } + fwrite ($fd, "\n"); +} + function haproxy_configure() { + // reload haproxy + haproxy_writeconf(); + return haproxy_check_run(1); +} + +function haproxy_writeconf() { global $config, $g; $a_global = &$config['installedpackages']['haproxy']; $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item']; - $a_frontends = &$config['installedpackages']['haproxy']['ha_frontends']['item']; - $a_servers = &$config['installedpackages']['haproxy']['ha_servers']['item']; + $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; $fd = fopen("{$g['varetc_path']}/haproxy.cfg", "w"); @@ -112,7 +439,7 @@ function haproxy_configure() { fwrite ($fd, "\t" . base64_decode($a_global['advanced']) . "\n"); fwrite ($fd, "\tmaxconn\t\t\t".$a_global['maxconn']."\n"); if($a_global['remotesyslog']) - fwrite ($fd, "\tlog\t\t\t{$a_global['remotesyslog']}\tlocal0\n"); + fwrite ($fd, "\tlog\t\t\t{$a_global['remotesyslog']}\t{$a_global['logfacility']}\t{$a_global['loglevel']}\n"); fwrite ($fd, "\tuid\t\t\t80\n"); fwrite ($fd, "\tgid\t\t\t80\n"); // Set numprocs if defined or use system default (#cores) @@ -126,9 +453,21 @@ function haproxy_configure() { fwrite ($fd, "\n"); } - // Construct and write out configuration file + // Try and get a unique array for address:port as frontends can duplicate + $a_bind = array(); if(is_array($a_backends)) { foreach ($a_backends as $backend) { + if($backend['status'] != 'active') + { + unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); + continue; + } + if(!$backend['backend_serverpool']) + { + unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); + continue; + } + //check ssl info if ($backend['ssloffload']){ //ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem @@ -138,189 +477,230 @@ function haproxy_configure() { $ssl_info=""; unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); } - // Define our backend name - $backendinfo = "listen {$backend['name']}\n"; + + $bname = $backend['extaddr'] . ":" . $backend['port']; + if (!is_array($a_bind[$bname])) { + $a_bind[$bname] = array(); + $a_bind[$bname]['config'] = array(); + // Settings which are constant for a merged frontend + $a_bind[$bname]['name'] = $backend['name']; + $a_bind[$bname]['extaddr'] = $backend['extaddr']; + $a_bind[$bname]['port'] = $backend['port']; + } + $b = &$a_bind[$bname]; + + // Overwrite ? + $b['type'] = $backend['type']; + $b['forwardfor'] = $backend['forwardfor']; + $b['httpclose'] = $backend['httpclose']; + $b['max_connections'] = $backend['max_connections']; + $b['client_timeout'] = $backend['client_timeout']; + $b['advanced'] = $backend['advanced']; + $b['ssl_info'] = $ssl_info; + + // pointer to each backend + $b['config'][] = $backend; + } + } + + $a_pendingpl = array(); + + // Construct and write out configuration file + if(is_array($a_bind)) { + foreach ($a_bind as $bind) { + if (count($bind['config']) > 1) + $frontendinfo = "frontend {$bind['name']}-merged\n"; + else + $frontendinfo = "frontend {$bind['name']}\n"; // Prepare ports for processing by splitting - $portss = "{$backend['port']},"; + $portss = "{$bind['port']},"; $ports = split(",", $portss); - + $ssl_info = $bind['ssl_info']; // Initialize variable $listenip = ""; // Process and add bind directives for ports foreach($ports as $port) { if($port) { - if($backend['extaddr'] == "any") + if($bind['extaddr'] == "any") $listenip .= "\tbind\t\t\t0.0.0.0:{$port} {$ssl_info}\n"; - elseif($backend['extaddr']) - $listenip .= "\tbind\t\t\t{$backend['extaddr']}:{$port} {$ssl_info}\n"; - else + elseif($bind['extaddr']) + $listenip .= "\tbind\t\t\t{$bind['extaddr']}:{$port} {$ssl_info}\n"; + else $listenip .= "\tbind\t\t\t" . get_current_wan_address('wan') . ":{$port} {$ssl_info}\n"; } } - fwrite ($fd, "{$backendinfo}"); + fwrite ($fd, "{$frontendinfo}"); fwrite ($fd, "{$listenip}"); // Advanced pass thru - if($backend['advanced']) { - $advanced = base64_decode($backend['advanced']); + if($bind['advanced']) { + $advanced = base64_decode($bind['advanced']); fwrite($fd, "\t" . $advanced . "\n"); } // https is an alias for tcp for clarity purpouses - if(strtolower($backend['type']) == "https") { + if(strtolower($bind['type']) == "https") { $backend_type = "tcp"; $httpchk = "ssl-hello-chk"; } else { - $backend_type = $backend['type']; + $backend_type = $bind['type']; $httpchk = "httpchk"; } - fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n"); + fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n"); fwrite ($fd, "\tlog\t\t\tglobal\n"); fwrite ($fd, "\toption\t\t\tdontlognull\n"); - if($backend['httpclose']) + if($bind['httpclose']) fwrite ($fd, "\toption\t\t\thttpclose\n"); - if($backend['forwardfor']) + if($bind['forwardfor']) fwrite ($fd, "\toption\t\t\tforwardfor\n"); - if($backend['max_connections']) - fwrite ($fd, "\tmaxconn\t\t\t" . $backend['max_connections'] . "\n"); - - if($backend['client_timeout']) - fwrite ($fd, "\tclitimeout\t\t" . $backend['client_timeout'] . "\n"); - - if($backend['balance']) - fwrite ($fd, "\tbalance\t\t\t" . $backend['balance'] . "\n"); - - if($backend['connection_timeout']) - fwrite ($fd, "\tcontimeout\t\t" . $backend['connection_timeout'] . "\n"); - - if($backend['server_timeout']) - fwrite ($fd, "\tsrvtimeout\t\t" . $backend['server_timeout'] . "\n"); - - if($backend['retries']) - fwrite ($fd, "\tretries\t\t\t" . $backend['retries'] . "\n"); - - if($backend['cookie_name']) - fwrite ($fd, "\tcookie\t\t\t" . $backend['cookie_name'] . " insert indirect\n"); - - if($backend['monitor_uri']) - fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $backend['monitor_uri'] . " HTTP/1.0\n"); - - if($backend['stats_enabled']=='yes') { - fwrite ($fd, "\tstats\t\t\tenable\n"); - if($backend['stats_uri']) - fwrite ($fd, "\tstats\t\t\turi ".$backend['stats_uri']."\n"); - if($backend['stats_realm']) - fwrite ($fd, "\tstats\t\t\trealm " . $backend['stats_realm'] . "\n"); - else - fwrite ($fd, "\tstats\t\t\trealm .\n"); - fwrite ($fd, "\tstats\t\t\tauth " . $backend['stats_username'].":". $backend['stats_password']."\n"); - if($backend['stats_node_enabled']=='yes') - fwrite ($fd, "\tstats\t\t\tshow-node " . $backend['stats_node'] . "\n"); - if($backend['stats_desc']) - fwrite ($fd, "\tstats\t\t\tshow-desc " . $backend['stats_desc'] . "\n"); - if($backend['stats_refresh']) - fwrite ($fd, "\tstats\t\t\trefresh " . $backend['stats_refresh'] . "\n"); - } + if($bind['max_connections']) + fwrite ($fd, "\tmaxconn\t\t\t" . $bind['max_connections'] . "\n"); - $a_acl=&$frontend['ha_acls']['item']; - if(!is_array($a_acl)) - $a_acl=array(); + if($bind['client_timeout']) + fwrite ($fd, "\tclitimeout\t\t" . $bind['client_timeout'] . "\n"); + + + // Combine the rest of the listener configs + $default_once = 0; + $i = 0; + foreach ($bind['config'] as $bconfig) { + $a_acl=&$bconfig['ha_acls']['item']; + if(!is_array($a_acl)) + $a_acl=array(); - foreach ($a_acl as $acl) - fwrite ($fd, "\tacl\t\t\t".$acl['name']."\t\t".$acl['expression']."\n"); - - $server['backend'] .= " "; - if(is_array($a_servers)) { - foreach ($a_servers as $server) { - $backends_to_process = split(" ", $server['backend']); - foreach($backends_to_process as $backends) { - if($backends == "") - continue; - if($backends == $backend['name']) { - $server_ports = array(); - if($server['status'] != 'inactive') { - if($server['cookie']) - $cookie = " cookie {$server['cookie']} "; - else - $cookie = ""; - if(!$server['port']) { - foreach($ports as $port) { - if($port) - $server_ports[] = $port; - } - } else { - $server_ports[] = $server['port']; - } - if($server['advanced']) { - $advanced = base64_decode($server['advanced']); - $advanced_txt = " " . $advanced; - } else { - $advanced_txt = ""; - } - if($server['status'] != 'active') { - $status = " " . $server['status']; - } else { - $status = ""; - } - if($server['checkinter']) - $checkinter = "check inter {$server['checkinter']}"; - else - $checkinter = "check inter 1000"; - foreach($server_ports as $pport) - fwrite ($fd, "\tserver\t\t\t" . $server['name'] . " " . $server['address'].":" . $pport . " $cookie " . " $checkinter weight " . $server['weight'] . $status . "{$advanced_txt}\n"); - } - } - } + $poolname = $bconfig['backend_serverpool'] . "_" . strtolower($bconfig['type']); + + // Create different pools if the svrport is set + if ($bconfig['svrport'] > 0) + $poolname .= "_" . $bconfig['svrport']; + + // Write this out once, and must be before any backend config text + if ($default_once == 0) { + fwrite ($fd, "\tdefault_backend\t\t" . $poolname . "\n"); + $default_once++; + } + + if (!isset($a_pendingpl[$poolname])) { + $a_pendingpl[$poolname] = array(); + $a_pendingpl[$poolname]['name'] = $poolname; + $a_pendingpl[$poolname]['frontend'] = $bconfig; + } + + foreach ($a_acl as $entry) { + $acl = haproxy_find_acl($entry['expression']); + if (!$acl) + continue; + + // Filter out acls for different modes + if ($acl['mode'] != '' && $acl['mode'] != strtolower($bind['type'])) + continue; + + if ($acl['syntax'] != '') + $expr = $acl['syntax'] . " " . $entry['value']; + else + $expr = $entry['expression'] . " " . $entry['value']; + + $aclname = $i . "_" . $entry['name']; + fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"); + fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n"); + $i++; } + } fwrite ($fd, "\n"); } - // Sync HAProxy configuration (if enabled) - if(isset($config['installedpackages']['haproxy']['enablesync'])) { - if($config['installedpackages']['haproxy']['synchost1']) { - haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost1'], - $config['installedpackages']['haproxy']['syncpassword']); - } - if($config['installedpackages']['haproxy']['synchost2']) { - haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost2'], - $config['installedpackages']['haproxy']['syncpassword']); - } - if($config['installedpackages']['haproxy']['synchost3']) { - haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost3'], - $config['installedpackages']['haproxy']['syncpassword']); + } + if (is_array($a_pendingpl) && is_array($a_pools)) { + foreach ($a_pendingpl as $pending) { + foreach ($a_pools as $pool) { + if ($pending['frontend']['backend_serverpool'] == $pool['name']) { + write_backend($fd, $pending['name'], $pool, $pending['frontend']); + } } } } + fwrite ($fd, "\n"); + + // Sync HAProxy configuration (if enabled) + if(isset($config['installedpackages']['haproxy']['enablesync'])) { + if($config['installedpackages']['haproxy']['synchost1']) { + haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost1'], + $config['installedpackages']['haproxy']['syncpassword']); + } + if($config['installedpackages']['haproxy']['synchost2']) { + haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost2'], + $config['installedpackages']['haproxy']['syncpassword']); + } + if($config['installedpackages']['haproxy']['synchost3']) { + haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost3'], + $config['installedpackages']['haproxy']['syncpassword']); + } + } // create config file fclose($fd); + if (isset($a_global['carpdev'])) + haproxy_install_cron(true); + else + haproxy_install_cron(false); + $freebsd_version = substr(trim(`uname -r`), 0, 1); if(!file_exists("/usr/bin/limits")) { exec("fetch -q -o /usr/bin/limits http://files.pfsense.org/extras/{$freebsd_version}/limits"); exec("chmod a+rx /usr/bin/limits"); } +} + +function haproxy_is_running() { + $running = (shell_exec("/bin/pgrep -x haproxy") != ''); + return $running; +} + +function haproxy_check_run($reload) { + global $config, $g; + + $a_global = &$config['installedpackages']['haproxy']; exec("/usr/bin/limits -n 300014"); - // reload haproxy if(isset($a_global['enable'])) { - if(is_process_running('haproxy')) { + if (isset($a_global['carpdev'])) { + $status = get_carp_interface_status($a_global['carpdev']); + if ($status != "MASTER") { + if (haproxy_is_running()) { + log_error("Stopping haproxy on CARP backup."); + exec("/bin/pkill -F /var/run/haproxy.pid haproxy"); + } + return (0); + } else if (haproxy_is_running() && $reload == 0) { + return (0); + } + log_error("Starting haproxy on CARP master."); + /* fallthrough */ + } else if ($reload == 0) + return (0); + + if (haproxy_is_running()) { exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -st `cat /var/run/haproxy.pid`"); } else { exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D"); } return (0); } else { + if ($reload && haproxy_is_running()) { + exec("/bin/pkill -F /var/run/haproxy.pid haproxy"); + } return (1); } + } function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { @@ -370,11 +750,11 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { $xml['haproxy'] = $config['installedpackages']['haproxy']; // Prevent sync loops - unset($xml['haproxy']['synchost1']); - unset($xml['haproxy']['synchost2']); - unset($xml['haproxy']['synchost3']); - unset($xml['haproxy']['syncpassword']); - + unset($xml['synchost1']); + unset($xml['synchost2']); + unset($xml['synchost3']); + unset($xml['syncpassword']); + /* assemble xmlrpc payload */ $params = array( XML_RPC_encode($password), @@ -423,7 +803,7 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { $cli->setCredentials('admin', $password); $resp = $cli->send($msg, "250"); if(!$resp) { - $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port} (exec_php)."; log_error($error); file_notice("sync_settings", $error, "HAProxy Settings Reload", ""); } elseif($resp->faultCode()) { @@ -433,7 +813,7 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { log_error($error); file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); } else { - log_error("HAProxy XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + log_error("HAProxy XMLRPC reload data success with {$url}:{$port} (exec_php)."); } } |