author | PiBa-NL <pba_2k3@yahoo.com> | 2015-02-07 17:50:48 +0100 |
committer | PiBa-NL <pba_2k3@yahoo.com> | 2015-02-07 17:50:48 +0100 |
commit | 75372116092d861ab829d52f3d245325696cee66 (patch) | |
tree | 06d1e740adf25515c92315dc34d496b73f1a56ae /config/haproxy-devel/haproxy.inc | |
parent | e28f3357fa41438060791f4b339ab079721d64d6 (diff) | |
haproxy-devel, 0.17, acl's are merged when duplicates exist, better client certificate handling, checkbox options for allowing no/invalid client certs instead of the 'none'-ca which wasn't 'user friendly'.
Diffstat (limited to 'config/haproxy-devel/haproxy.inc')
-rw-r--r-- | config/haproxy-devel/haproxy.inc | 106 |
1 files changed, 68 insertions, 38 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index e9b0f9e3..a7394cf3 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -68,12 +68,12 @@ $a_acltypes["path_regex"] = array('name' => 'Path regex:',
 $a_acltypes["path_contains"] = array('name' => 'Path contains:',
 'mode' => 'http', 'syntax' => 'path_dir -i %1$s');
 $a_acltypes["ssl_c_verify_code"] = array('name' => 'SSL Client certificate verify error result:',
- 'mode' => 'http', 'syntax' => 'ssl_fc_has_crt ssl_c_verify %1$s');
+ 'mode' => 'http', 'syntax' => 'ssl_c_verify %1$s', 'require_client_cert' => '1');
 // ssl_c_verify result codes: https://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS
 $a_acltypes["ssl_c_verify"] = array('name' => 'SSL Client certificate valid.',
- 'mode' => 'http', 'syntax' => 'ssl_fc_has_crt ssl_c_verify 0 ');
+ 'mode' => 'http', 'syntax' => 'ssl_c_verify 0', 'novalue' => '1', 'require_client_cert' => '1');
 $a_acltypes["ssl_c_ca_commonname"] = array('name' => 'SSL Client issued by CA common-name:',
- 'mode' => 'http', 'syntax' => 'ssl_c_i_dn(CN) %1$s');
+ 'mode' => 'http', 'syntax' => 'ssl_c_i_dn(CN) %1$s', 'require_client_cert' => '1');
 $a_acltypes["source_ip"] = array('name' => 'Source IP matches IP or Alias:',
 'mode' => '', 'syntax' => 'src %1$s');
 $a_acltypes["backendservercount"] = array('name' => 'Minimum count usable servers:',
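Review bot: The new `require_client_cert` flag on the three `ssl_c_*` entries is not explained where it is declared, and its effect lives elsewhere in the file (the hunk at 1187 appends an `ssl_c_used` ACL for every entry that carries it), so a reader of this table cannot tell what the key does. A one-line comment above `ssl_c_verify_code` would save that search: `// require_client_cert: the expression is only meaningful when a client certificate was presented; haproxy_writeconf pairs such ACLs with an ssl_c_used ACL`. Also, `novalue` is stored as the string `'1'` here but as the integer `1` in the synthesised entry at 1187; both are only tested with isset() so it is harmless, but one form would be cleaner.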
@@ -151,9 +151,13 @@ $a_closetypes['forceclose'] = array('name' => 'forceclose', 'syntax' => 'forcecl
 global $a_servermodes;
 $a_servermodes = array();
 $a_servermodes["active"]['name'] = "active";
+$a_servermodes["active"]['sign'] = "";
 $a_servermodes["backup"]['name'] = "backup";
+$a_servermodes["backup"]['sign'] = "*";
 $a_servermodes["disabled"]['name'] = "disabled";
+$a_servermodes["disabled"]['sign'] = "?";
 $a_servermodes["inactive"]['name'] = "inactive";
+$a_servermodes["inactive"]['sign'] = "-";
 // http://www.exceliance.fr/sites/default/files/biblio/aloha_load_balancer_haproxy_cookie_persistence_methods_memo.pdf
 global $a_cookiemode;
@@ -1036,7 +1040,6 @@ function haproxy_writeconf($configpath) {
 fwrite ($fd, "{$frontendinfo}");
- $allow_none = false;
 $advancedextra = array();
 $ca_file = "";
 $first = true;
@@ -1046,10 +1049,9 @@ function haproxy_writeconf($configpath) {
 if (!empty($ca['cert_ca'])){
 haproxy_write_certificate_crt($filename, $ca['cert_ca'], false, !$first);
 $first = false;
- } else
- $allow_none = true;
+ }
 }
- $verify = $allow_none ? "verify optional" : "verify required";
+ $verify = $bind['sslclientcert-none'] == 'yes' ? "verify optional" : "verify required";
 $ca_file = " ca-file $filename $verify";
 }
 $crl_file = "";
@@ -1062,15 +1064,11 @@ function haproxy_writeconf($configpath) {
 }
 $crl_file = " crl-file $filename";
 }
-
- if($bind['type'] == "http") {
- // ssl offloading is only possible in http mode.
- $ssl_info = $bind['ssl_info'].$ca_file.$crl_file;
- $advanced_bind = $bind['advanced_bind'];
- } else {
- $ssl_info = "";
- $advanced_bind = "";
- }
+ $advanced_bind = $bind['advanced_bind'];
+ $ssl_info = $bind['ssl_info'];
+ $ssl_info .= $ca_file . $crl_file;
+ if ($bind['sslclientcert-invalid'])
+ $ssl_info .= " crt-ignore-err all";
 $useipv4 = false;
 $useipv6 = false;
@@ -1165,6 +1163,8 @@ function haproxy_writeconf($configpath) {
 $inspectdelay = 0;
 $i = 0;
+ $acllist = array();
+ $acl_newid = 0;
 foreach ($bind['config'] as $frontend) {
 $a_acl = get_frontend_acls($frontend);
@@ -1187,12 +1187,27 @@ function haproxy_writeconf($configpath) {
 $a_acl_combine = array();
 foreach ($a_acl as $entry) {
 $name = $entry['ref']['name'];
- $a_acl_combine[$name][] = $entry['ref'];
+
+ $acl = array();
+ $acl['ref'] = $entry['ref'];
+ $acltype = haproxy_find_acl($entry['ref']['expression']);
+ $acl['acltype'] = $acltype;
+ if (!isset($acltype))
+ continue;
+ $a_acl_combine[$name][] = $acl;
+
+ if (isset($acltype['require_client_cert'])){
+ $acl = array();
+ $acl['ref']['expression'] = "ssl_c_used";
+ $acl['acltype']['syntax'] = "ssl_c_used";
+ $acl['acltype']['novalue'] = 1;
+ $a_acl_combine[$name][] = $acl;
+ }
 }
+ $certacl = "";
 $y = 0;
 foreach($ipv as $ipversion => $ipversionoptions) {
- $certacls = array();
 $useracls = array();
 $poolname = $frontend['backend_serverpool'] . "_" . strtolower($bind['type'])."_".$ipversion;
 if (!isset($a_pendingpl[$poolname])) {
@@ -1210,10 +1225,9 @@ function haproxy_writeconf($configpath) {
 foreach ($a_acl_combine as $a_usebackend) {
 $aclnames = "";
- foreach ($a_usebackend as $entry) {
- $acl = haproxy_find_acl($entry['expression']);
- if (!$acl)
- continue;
+ foreach ($a_usebackend as $entry2) {
+ $entry = $entry2['ref'];
+ $acl = $entry2['acltype'];
 // Filter out acls for different modes
 if ($acl['mode'] != '' && $acl['mode'] != strtolower($bind['type']))
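Review bot: The synthesised `ssl_c_used` entry carries only `syntax` and `novalue`, yet the consumer loop in the hunk at 1225 reads `$acl['mode']`, `$acl['inspect-delay']` and `$acl['advancedoptions']` from `acltype`, so every such entry emits undefined-index notices and is filtered only by accident of `'' != ''` being false. Seed the missing keys from the parent type when building it: `$acl['acltype']['mode'] = $acltype['mode']; $acl['acltype']['inspect-delay'] = ''; $acl['acltype']['advancedoptions'] = '';`. The `require_client_cert` branch also deserves a comment, since the pairing is the security point of the change: `// ssl_c_verify yields 0 (OK) when no certificate was presented at all, so with 'verify optional' or crt-ignore-err the certificate ACLs must additionally require ssl_c_used`. The frontend loop this code sits in starts and ends outside the hunk.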
@@ -1231,33 +1245,49 @@ function haproxy_writeconf($configpath) {
 $not = $entry['not'] == "yes" ? "!" : "";
- $aclname = $i . "_" . $entry['name'];
- if ($entry['certacl'])
- $certacls[] = $aclname . " ";
- else
+ unset($aclkey);
+ foreach($acllist as $aclid => $aclitem) {
+ if ($aclitem['expr'] == $expr) {
+ $aclkey = $aclid;
+ }
+ }
+ if (isset($aclkey)) {
+ $aclname = $acllist[$aclkey]['aclname'];
+ } else {
+ $aclkey = $acl_newid++;
+ if ($entry['certacl']) {
+ $aclname = "aclcrt_".$frontend['name'];
+ $certacl = $aclname;
+ } else {
+ $aclname = "aclusr_{$entry['expression']}";
+ if (!isset($acl['novalue']))
+ $aclname .= "_{$entry['value']}";
+ $aclname = haproxy_escape_acl_name($aclname);
+ $i++;
+ }
+ $acllist[$aclkey]['aclname'] = $aclname;
+ $acllist[$aclkey]['expr'] = $expr;
+ $config_acls .= "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n";
+ }
+ if (!isset($entry['certacl']))
 $useracls[$y] .= $not . $aclname . " ";
- $config_acls .= "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n";
-
 if ($acl['inspect-delay'] != '')
 $inspectdelay = $acl['inspect-delay'];
 if ($acl['advancedoptions'] != '')
 $advancedextra[$acl['syntax']] = $acl['advancedoptions']."\n";
- $i++;
 }
 $y++;
 }
- if (count($certacls) == 0) $certacls[] = ""; // add empty item to enter foreach loop at least once.
 if (count($useracls) == 0) $useracls[] = ""; // add empty item to enter foreach loop at least once.
- $backendacl = "";
- foreach($useracls as $useracl)
- foreach($certacls as $certacl)
- $backendacl .= "|| {$useracl}{$certacl}{$ipversionoptions['acl']}";
- $backendacl = substr($backendacl, 3);
- $config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
- //$config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
+ foreach($useracls as $useracl) {
+ $backendacl = "";
+ $backendacl .= "|| {$useracl}{$certacl}{$ipversionoptions['acl']}";
+ $backendacl = substr($backendacl, 3);
+ $config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
+ }
 }
 }
@@ -1842,7 +1872,7 @@ function get_frontend_acls($frontend) {
 continue;
 $not = $entry['not'] == "yes" ? "not " : "";
 $acl_item = array();
- $acl_item['descr'] = $acl['name'] . ": " . $entry['value'];
+ $acl_item['descr'] = $acl['name'] . " " . (isset($acl['novalue']) ? "" : $entry['value']);
 $acl_item['ref'] = $entry;
 $result[] = $acl_item; |
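Review bot: When the dedupe lookup hits (`if (isset($aclkey))`) only `$aclname` is restored; `$certacl` is assigned solely in the miss branch, while `$certacl` is reset to `""` per frontend (hunk at 1187) and `$acllist` lives for the whole bind (hunk at 1163). So a second frontend on the same bind whose certificate ACL produces the same `$expr` as an earlier frontend's gets its `use_backend` line emitted with an empty `{$certacl}` — the client-certificate condition silently disappears for that frontend, and requests reach the backend without it. Move the assignment out of the miss branch so it runs on both paths, immediately after the if/else: `if ($entry['certacl']) $certacl = $aclname;`. The expression comparison should also be strict, `if ($aclitem['expr'] === $expr)`, since `==` on strings that look numeric can merge unrelated ACLs. haproxy_writeconf begins and ends outside the hunk.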
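Review bot: For types with `novalue` set the new descr ends in a trailing space (`$acl['name'] . " "` followed by `""`), which will show in the UI listing. Build it conditionally instead: `$acl_item['descr'] = isset($acl['novalue']) ? $acl['name'] : $acl['name'] . " " . $entry['value'];`. get_frontend_acls starts and ends outside the hunk.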