author | PiBa-NL <pba_2k3@yahoo.com> | 2013-03-09 01:06:56 +0100 |
committer | PiBa-NL <pba_2k3@yahoo.com> | 2013-03-09 01:06:56 +0100 |
commit | e1a963c1f543873630b104d244151ed70c0b9da7 (patch) | |
tree | a44b8db726e44fe4bc8f4cee117052bc224cb601 /config/haproxy-devel/haproxy.inc | |
parent | 923ed523e8088bdb494ca8f72fa1fe1caa2a4e6a (diff) | |
haproxy-devel, small bugfixes: maintain ssl checkbox selection, don't use httpcheck for ssl backends, use req_ssl_hello_type for https with SNI ACLs.
Diffstat (limited to 'config/haproxy-devel/haproxy.inc')
-rw-r--r-- | config/haproxy-devel/haproxy.inc | 39 |
1 files changed, 32 insertions, 7 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index cd440eb0..e246b8e0 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -63,7 +63,7 @@ $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', 'mode' => '', 'syntax' => 'src'); if ($haproxy_sni_ssloffloading) { $a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches', - 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\r\ntcp-request content accept if { req_ssl_hello_type 1 }"); + 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\n\ttcp-request content accept if { req_ssl_hello_type 1 }"); } function haproxy_custom_php_deinstall_command() { @@ -324,7 +324,20 @@ function haproxy_find_acl($name) { function write_backend($fd, $name, $pool, $frontend) { if(!is_array($pool['ha_servers']['item']) && !$pool['stats_enabled']=='yes') return; + + $a_servers = &$pool['ha_servers']['item']; + unset($sslserverpresent); + if (is_array($a_servers)) + { + foreach($a_servers as $be) { + if (!$be['status'] == "inactive") + continue; + if ($be['ssl']) + $sslserverpresent = true; + } + } + fwrite ($fd, "backend " . $name . "\n"); if($pool['cookie_name'] && strtolower($frontend['type']) == "http") fwrite ($fd, "\tcookie\t\t\t" . $pool['cookie_name'] . " insert indirect\n"); @@ -333,7 +346,7 @@ function write_backend($fd, $name, $pool, $frontend) { if(strtolower($frontend['type']) == "https") { $backend_type = "tcp"; $httpchk = "ssl-hello-chk"; - } else { + } else { $backend_type = $frontend['type']; $httpchk = "httpchk"; } 
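Review bot: `if (!$be['status'] == "inactive") continue;` in the new server scan at the top of write_backend applies `!` to `$be['status']` before the comparison, so the test is true only for an empty status and every server with a non-empty status, inactive ones included, is counted; an inactive server flagged ssl then suppresses the backend's HTTP health check in the later `if (!$sslserverpresent)` hunk. The intended guard is `if ($be['status'] == "inactive") continue;`. The same scan tests `if ($be['ssl'])` while the server-line hunk later in this commit uses `$be['ssl'] == 'yes'`; the two should agree, e.g. `if ($be['ssl'] == 'yes')`. Because the flag is cleared with `unset($sslserverpresent)`, reading it with `!$sslserverpresent` raises an undefined-variable notice whenever no server is ssl; `$sslserverpresent = false;` avoids that. The rest of write_backend lies outside this hunk.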
@@ -378,7 +391,9 @@ function write_backend($fd, $name, $pool, $frontend) { $uri = $pool['monitor_uri']; else $uri = "/"; - fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n"); + + if (!$sslserverpresent) + fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n"); if ($pool['advanced_backend']) { $adv_be = explode("\n", base64_decode($pool['advanced_backend'])); @@ -407,7 +422,6 @@ function write_backend($fd, $name, $pool, $frontend) { else $checkinter = ""; - $a_servers = &$pool['ha_servers']['item']; if (is_array($a_servers)) { foreach($a_servers as $be) { @@ -421,7 +435,8 @@ function write_backend($fd, $name, $pool, $frontend) { } else { $isbackup = ""; } - fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); + $ssl = ($backend_type == "http" && $be['ssl'] == 'yes') ? ' ssl' : ""; + fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . "$ssl $cookie $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); } } fwrite ($fd, "\n"); @@ -486,7 +501,7 @@ function haproxy_writeconf() { } //check ssl info - if ($backend['ssloffload']){ + if (strtolower($backend['type']) == "http" && $backend['ssloffload']){ //ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem $ssl_crt=" crt /var/etc/{$backend['name']}.{$backend['port']}.crt"; $cert = lookup_cert($backend['ssloffloadcert']); @@ -497,6 +512,9 @@ function haproxy_writeconf() { $ssl_crt=""; unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); } + + if ($backend['extaddr']=='localhost') + $backend['extaddr'] = "127.0.0.1"; $bname = $backend['extaddr'] . ":" . $backend['port']; if (!is_array($a_bind[$bname])) { 
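Review bot: The guard `if (!$sslserverpresent)` in front of the health-check option drops the line for any backend containing an ssl server, including the `$backend_type == "tcp"` case where `$httpchk` is `ssl-hello-chk`, while the `ssl` server keyword added later in this commit is only emitted when `$backend_type == "http"`. If the intent is to skip only the HTTP check, the guard should mirror that condition, `if (!($sslserverpresent && $backend_type == "http"))`, so TLS backends behind an https frontend keep their ssl-hello-chk. The flag is computed at the top of write_backend, outside this hunk.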
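Review bot: The new `$ssl` suffix on the server line turns on TLS towards the backend server but no `verify` or `ca-file` keyword accompanies it, so whether the server certificate is checked depends on the HAProxy build's default (in the 1.5-dev series of that time, as far as this reviewer recalls, it was not checked unless `verify required` was given). A comment on that line, `// 'ssl' alone: backend certificate verification is left to the daemon default (no verify/ca-file emitted)`, would make that visible to whoever reads the generated config, and a per-server verify option in the form would close the gap. The surrounding server loop starts outside this hunk.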
@@ -538,6 +556,8 @@ function haproxy_writeconf() { else $frontendinfo = "frontend {$bind['name']}\n"; + $advancedextra = array(); + // Prepare ports for processing by splitting $portss = "{$bind['port']},"; $ports = split(",", $portss); @@ -622,7 +642,7 @@ function haproxy_writeconf() { $a_pendingpl[$poolname]['frontend'] = $bconfig; } - if ($bconfig['ssloffload'] && $bconfig['ssloffloadacl']) { + if (strtolower($bind['type']) == "http" && $bconfig['ssloffload'] && $bconfig['ssloffloadacl']) { $aclname = "SNI_" . $poolname; $cert_cn = cert_get_cn($bconfig['ssloffloadcert'] ,true); //$expr = "req_ssl_sni -i $cert_cn"; @@ -648,10 +668,15 @@ function haproxy_writeconf() { $aclname = $i . "_" . $entry['name']; fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"); fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n"); + + if ($acl['advancedoptions'] != '') + $advancedextra[$acl['syntax']] = $acl['advancedoptions']."\n"; $i++; } } + foreach($advancedextra as $extra) + fwrite ($fd, "\t".$extra."\n"); fwrite ($fd, "\n"); } } |
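Review bot: `if ($acl['advancedoptions'] != '')` reads a key that not every entry of `$a_acltypes` defines (the `source_ip` entry in the first hunk has none), so a missing key produces an undefined-index notice before the comparison; `if (!empty($acl['advancedoptions']))` covers both cases. Each stored value already ends with `"\n"` and the writer appends another in `fwrite ($fd, "\t".$extra."\n")`, so every extra block is followed by a blank line; dropping one of the two keeps the output tidy. Where `$acl` is assigned is outside this hunk, so this assumes it is the matching `$a_acltypes` entry for the current ACL.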