path: root/config/haproxy-devel/haproxy.inc
authorPiBa-NL <pba_2k3@yahoo.com>2015-02-07 17:50:48 +0100
committerPiBa-NL <pba_2k3@yahoo.com>2015-02-07 17:50:48 +0100
commit75372116092d861ab829d52f3d245325696cee66 (patch)
tree06d1e740adf25515c92315dc34d496b73f1a56ae /config/haproxy-devel/haproxy.inc
parente28f3357fa41438060791f4b339ab079721d64d6 (diff)
downloadpfsense-packages-75372116092d861ab829d52f3d245325696cee66.tar.gz
pfsense-packages-75372116092d861ab829d52f3d245325696cee66.tar.bz2
pfsense-packages-75372116092d861ab829d52f3d245325696cee66.zip
haproxy-devel, 0.17, acl's are merged when duplicates exist, better client certificate handling, checkbox options for allowing no/invalid client certs instead of the 'none'-ca which wasn't 'user friendly'.
Diffstat (limited to 'config/haproxy-devel/haproxy.inc')
-rw-r--r--config/haproxy-devel/haproxy.inc106
1 files changed, 68 insertions, 38 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index e9b0f9e3..a7394cf3 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -68,12 +68,12 @@ $a_acltypes["path_regex"] = array('name' => 'Path regex:',
$a_acltypes["path_contains"] = array('name' => 'Path contains:',
'mode' => 'http', 'syntax' => 'path_dir -i %1$s');
$a_acltypes["ssl_c_verify_code"] = array('name' => 'SSL Client certificate verify error result:',
- 'mode' => 'http', 'syntax' => 'ssl_fc_has_crt ssl_c_verify %1$s');
+ 'mode' => 'http', 'syntax' => 'ssl_c_verify %1$s', 'require_client_cert' => '1');
// ssl_c_verify result codes: https://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS
$a_acltypes["ssl_c_verify"] = array('name' => 'SSL Client certificate valid.',
- 'mode' => 'http', 'syntax' => 'ssl_fc_has_crt ssl_c_verify 0 ');
+ 'mode' => 'http', 'syntax' => 'ssl_c_verify 0', 'novalue' => '1', 'require_client_cert' => '1');
$a_acltypes["ssl_c_ca_commonname"] = array('name' => 'SSL Client issued by CA common-name:',
- 'mode' => 'http', 'syntax' => 'ssl_c_i_dn(CN) %1$s');
+ 'mode' => 'http', 'syntax' => 'ssl_c_i_dn(CN) %1$s', 'require_client_cert' => '1');
$a_acltypes["source_ip"] = array('name' => 'Source IP matches IP or Alias:',
'mode' => '', 'syntax' => 'src %1$s');
$a_acltypes["backendservercount"] = array('name' => 'Minimum count usable servers:',
@@ -151,9 +151,13 @@ $a_closetypes['forceclose'] = array('name' => 'forceclose', 'syntax' => 'forcecl
global $a_servermodes;
$a_servermodes = array();
$a_servermodes["active"]['name'] = "active";
+$a_servermodes["active"]['sign'] = "";
$a_servermodes["backup"]['name'] = "backup";
+$a_servermodes["backup"]['sign'] = "*";
$a_servermodes["disabled"]['name'] = "disabled";
+$a_servermodes["disabled"]['sign'] = "?";
$a_servermodes["inactive"]['name'] = "inactive";
+$a_servermodes["inactive"]['sign'] = "-";
// http://www.exceliance.fr/sites/default/files/biblio/aloha_load_balancer_haproxy_cookie_persistence_methods_memo.pdf
global $a_cookiemode;
@@ -1036,7 +1040,6 @@ function haproxy_writeconf($configpath) {
fwrite ($fd, "{$frontendinfo}");
- $allow_none = false;
$advancedextra = array();
$ca_file = "";
$first = true;
@@ -1046,10 +1049,9 @@ function haproxy_writeconf($configpath) {
if (!empty($ca['cert_ca'])){
haproxy_write_certificate_crt($filename, $ca['cert_ca'], false, !$first);
$first = false;
- } else
- $allow_none = true;
+ }
}
- $verify = $allow_none ? "verify optional" : "verify required";
+ $verify = $bind['sslclientcert-none'] == 'yes' ? "verify optional" : "verify required";
$ca_file = " ca-file $filename $verify";
}
$crl_file = "";
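Review bot: The new `$verify` line tests `$bind['sslclientcert-none'] == 'yes'` directly, so a bind saved before this option existed (key absent) raises an undefined-index notice on every config write; the outcome still falls to `"verify required"`, which is the safe default, but the test should be explicit: `$verify = (isset($bind['sslclientcert-none']) && $bind['sslclientcert-none'] == 'yes') ? "verify optional" : "verify required";`. With `$allow_none` gone, the `else` path of the `cert_ca` loop no longer has any effect, so a CA entry without a certificate is now silently skipped rather than loosening verification; a one-line comment such as `// empty CA entries are skipped; optional verification is now a per-bind setting` would make that intentional. haproxy_writeconf starts and ends outside this hunk.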
@@ -1062,15 +1064,11 @@ function haproxy_writeconf($configpath) {
}
$crl_file = " crl-file $filename";
}
-
- if($bind['type'] == "http") {
- // ssl offloading is only possible in http mode.
- $ssl_info = $bind['ssl_info'].$ca_file.$crl_file;
- $advanced_bind = $bind['advanced_bind'];
- } else {
- $ssl_info = "";
- $advanced_bind = "";
- }
+ $advanced_bind = $bind['advanced_bind'];
+ $ssl_info = $bind['ssl_info'];
+ $ssl_info .= $ca_file . $crl_file;
+ if ($bind['sslclientcert-invalid'])
+ $ssl_info .= " crt-ignore-err all";
$useipv4 = false;
$useipv6 = false;
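Review bot: `if ($bind['sslclientcert-invalid'])` is a bare truthiness test on a key that is absent when the checkbox is unchecked, which raises a notice and is inconsistent with the `== 'yes'` comparison used for `sslclientcert-none` in the previous hunk; `if (isset($bind['sslclientcert-invalid']) && $bind['sslclientcert-invalid'] == 'yes')` keeps the two options on the same footing. Because `crt-ignore-err all` tells HAProxy to complete the handshake for any client certificate that fails verification, the generated frontend then relies entirely on the `ssl_c_verify` ACLs to keep such clients away from backends, and that dependency deserves a comment on the line, e.g. `// accept certs failing verification; backend access must then be gated by ssl_c_verify ACLs`. haproxy_writeconf starts and ends outside this hunk.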
@@ -1165,6 +1163,8 @@ function haproxy_writeconf($configpath) {
$inspectdelay = 0;
$i = 0;
+ $acllist = array();
+ $acl_newid = 0;
foreach ($bind['config'] as $frontend) {
$a_acl = get_frontend_acls($frontend);
@@ -1187,12 +1187,27 @@ function haproxy_writeconf($configpath) {
$a_acl_combine = array();
foreach ($a_acl as $entry) {
$name = $entry['ref']['name'];
- $a_acl_combine[$name][] = $entry['ref'];
+
+ $acl = array();
+ $acl['ref'] = $entry['ref'];
+ $acltype = haproxy_find_acl($entry['ref']['expression']);
+ $acl['acltype'] = $acltype;
+ if (!isset($acltype))
+ continue;
+ $a_acl_combine[$name][] = $acl;
+
+ if (isset($acltype['require_client_cert'])){
+ $acl = array();
+ $acl['ref']['expression'] = "ssl_c_used";
+ $acl['acltype']['syntax'] = "ssl_c_used";
+ $acl['acltype']['novalue'] = 1;
+ $a_acl_combine[$name][] = $acl;
+ }
}
+ $certacl = "";
$y = 0;
foreach($ipv as $ipversion => $ipversionoptions) {
- $certacls = array();
$useracls = array();
$poolname = $frontend['backend_serverpool'] . "_" . strtolower($bind['type'])."_".$ipversion;
if (!isset($a_pendingpl[$poolname])) {
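Review bot: `if (!isset($acltype)) continue;` only skips a `null` result, but the code it replaces (the `if (!$acl) continue;` removed in the next hunk) suggests haproxy_find_acl may return `false` for an unknown expression, in which case a false acltype now survives into `$a_acl_combine` and is indexed as an array further down; `if (!$acltype) continue;` covers both cases, and the `$acl['acltype'] = $acltype;` assignment belongs below the check. The synthesized `ssl_c_used` entry carries only `expression` in its `ref` and only `syntax`/`novalue` in its `acltype`, so the loop in the following hunks reads `$entry['not']`, `$entry['certacl']`, `$acl['mode']`, `$acl['inspect-delay']` and `$acl['advancedoptions']` from missing keys; seeding them (`$acl['ref']['not'] = ''; $acl['acltype']['mode'] = 'http';`) avoids the notices and states explicitly that the guard applies to http-mode frontends only, which I infer from the three `require_client_cert` acltypes in the first hunk all carrying `'mode' => 'http'`. haproxy_writeconf starts and ends outside this hunk.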
@@ -1210,10 +1225,9 @@ function haproxy_writeconf($configpath) {
foreach ($a_acl_combine as $a_usebackend) {
$aclnames = "";
- foreach ($a_usebackend as $entry) {
- $acl = haproxy_find_acl($entry['expression']);
- if (!$acl)
- continue;
+ foreach ($a_usebackend as $entry2) {
+ $entry = $entry2['ref'];
+ $acl = $entry2['acltype'];
// Filter out acls for different modes
if ($acl['mode'] != '' && $acl['mode'] != strtolower($bind['type']))
@@ -1231,33 +1245,49 @@ function haproxy_writeconf($configpath) {
$not = $entry['not'] == "yes" ? "!" : "";
- $aclname = $i . "_" . $entry['name'];
- if ($entry['certacl'])
- $certacls[] = $aclname . " ";
- else
+ unset($aclkey);
+ foreach($acllist as $aclid => $aclitem) {
+ if ($aclitem['expr'] == $expr) {
+ $aclkey = $aclid;
+ }
+ }
+ if (isset($aclkey)) {
+ $aclname = $acllist[$aclkey]['aclname'];
+ } else {
+ $aclkey = $acl_newid++;
+ if ($entry['certacl']) {
+ $aclname = "aclcrt_".$frontend['name'];
+ $certacl = $aclname;
+ } else {
+ $aclname = "aclusr_{$entry['expression']}";
+ if (!isset($acl['novalue']))
+ $aclname .= "_{$entry['value']}";
+ $aclname = haproxy_escape_acl_name($aclname);
+ $i++;
+ }
+ $acllist[$aclkey]['aclname'] = $aclname;
+ $acllist[$aclkey]['expr'] = $expr;
+ $config_acls .= "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n";
+ }
+ if (!isset($entry['certacl']))
$useracls[$y] .= $not . $aclname . " ";
- $config_acls .= "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n";
-
if ($acl['inspect-delay'] != '')
$inspectdelay = $acl['inspect-delay'];
if ($acl['advancedoptions'] != '')
$advancedextra[$acl['syntax']] = $acl['advancedoptions']."\n";
- $i++;
}
$y++;
}
- if (count($certacls) == 0) $certacls[] = ""; // add empty item to enter foreach loop at least once.
if (count($useracls) == 0) $useracls[] = ""; // add empty item to enter foreach loop at least once.
- $backendacl = "";
- foreach($useracls as $useracl)
- foreach($certacls as $certacl)
- $backendacl .= "|| {$useracl}{$certacl}{$ipversionoptions['acl']}";
- $backendacl = substr($backendacl, 3);
- $config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
- //$config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
+ foreach($useracls as $useracl) {
+ $backendacl = "";
+ $backendacl .= "|| {$useracl}{$certacl}{$ipversionoptions['acl']}";
+ $backendacl = substr($backendacl, 3);
+ $config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
+ }
}
}
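Review bot: The per-frontend `$certacl` is only assigned inside the "new acl" branch, so if a second frontend on the same bind produces a client-certificate ACL whose `$expr` already exists in the bind-wide `$acllist`, the dedup path at the top of the loop takes the existing `$aclname` but leaves `$certacl` as `""`, and because certacl entries are also kept out of `$useracls`, that frontend's `use_backend` line is written with no certificate condition at all. The assignment should follow the if/else regardless of which branch ran — `if ($entry['certacl']) $certacl = $aclname;` placed after the `$config_acls .= ...` block's closing brace, with the copy inside the branch removed. Two different tests are used for the same flag, `if ($entry['certacl'])` when naming and `if (!isset($entry['certacl']))` when building `$useracls`, so an entry with `certacl` present but empty gets a user-style name yet is never referenced; use one form for both. The linear scan of `$acllist` per ACL is fine at this size, but keying the array by `$expr` would turn the lookup into a single `isset`. haproxy_writeconf starts and ends outside this hunk.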
@@ -1842,7 +1872,7 @@ function get_frontend_acls($frontend) {
continue;
$not = $entry['not'] == "yes" ? "not " : "";
$acl_item = array();
- $acl_item['descr'] = $acl['name'] . ": " . $entry['value'];
+ $acl_item['descr'] = $acl['name'] . " " . (isset($acl['novalue']) ? "" : $entry['value']);
$acl_item['ref'] = $entry;
$result[] = $acl_item;