authorPiBa-NL <pba_2k3@yahoo.com>2013-03-09 01:06:56 +0100
committerPiBa-NL <pba_2k3@yahoo.com>2013-03-09 01:06:56 +0100
commite1a963c1f543873630b104d244151ed70c0b9da7 (patch)
treea44b8db726e44fe4bc8f4cee117052bc224cb601 /config/haproxy-devel/haproxy.inc
parent923ed523e8088bdb494ca8f72fa1fe1caa2a4e6a (diff)
haproxy-devel, small bugfixes: maintain ssl checkbox selection, don't use httpcheck for ssl backends, use req_ssl_hello_type for https with SNI ACLs.
Diffstat (limited to 'config/haproxy-devel/haproxy.inc')
-rw-r--r--config/haproxy-devel/haproxy.inc39
1 files changed, 32 insertions, 7 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index cd440eb0..e246b8e0 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -63,7 +63,7 @@ $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP',
'mode' => '', 'syntax' => 'src');
if ($haproxy_sni_ssloffloading) {
$a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches',
- 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\r\ntcp-request content accept if { req_ssl_hello_type 1 }");
+ 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\n\ttcp-request content accept if { req_ssl_hello_type 1 }");
}
function haproxy_custom_php_deinstall_command() {
@@ -324,7 +324,20 @@ function haproxy_find_acl($name) {
function write_backend($fd, $name, $pool, $frontend) {
if(!is_array($pool['ha_servers']['item']) && !$pool['stats_enabled']=='yes')
return;
+
+ $a_servers = &$pool['ha_servers']['item'];
+ unset($sslserverpresent);
+ if (is_array($a_servers))
+ {
+ foreach($a_servers as $be) {
+ if (!$be['status'] == "inactive")
+ continue;
+ if ($be['ssl'])
+ $sslserverpresent = true;
+ }
+ }
+
fwrite ($fd, "backend " . $name . "\n");
if($pool['cookie_name'] && strtolower($frontend['type']) == "http")
fwrite ($fd, "\tcookie\t\t\t" . $pool['cookie_name'] . " insert indirect\n");
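Review bot: The guard `if (!$be['status'] == "inactive")` in the new server scan never skips an inactive server, because `!` binds tighter than `==` and `false == "inactive"` is always false; what it does skip is any server whose status is empty. An inactive server with ssl set therefore still marks the backend as SSL and suppresses its health check; write the guard as `if ($be['status'] == "inactive") continue;`. `unset($sslserverpresent)` also leaves the variable undefined when no server has ssl, so the later `!$sslserverpresent` test raises an undefined-variable notice; initialise it with `$sslserverpresent = false;` instead. write_backend continues outside this hunk.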
@@ -333,7 +346,7 @@ function write_backend($fd, $name, $pool, $frontend) {
if(strtolower($frontend['type']) == "https") {
$backend_type = "tcp";
$httpchk = "ssl-hello-chk";
- } else {
+ } else {
$backend_type = $frontend['type'];
$httpchk = "httpchk";
}
@@ -378,7 +391,9 @@ function write_backend($fd, $name, $pool, $frontend) {
$uri = $pool['monitor_uri'];
else
$uri = "/";
- fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n");
+
+ if (!$sslserverpresent)
+ fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n");
if ($pool['advanced_backend']) {
$adv_be = explode("\n", base64_decode($pool['advanced_backend']));
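Review bot: The new `if (!$sslserverpresent)` drops the `option {$httpchk}` line for the whole backend as soon as a single server has ssl, so a backend mixing plain and SSL servers is left with no health check at all, and for an https frontend the suppressed line is the `ssl-hello-chk` one rather than an HTTP check. If the bundled haproxy accepts `check-ssl` on the server line (the `ssl` server keyword used in a later hunk suggests a 1.5-dev build), the check could be kept and the server flagged instead; confirm against the haproxy version this package ships. At minimum the condition needs a why-comment, e.g. `// presumably the HTTP check would run in plaintext against an SSL server, so skip it when any server has ssl — confirm`. write_backend continues outside this hunk.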
@@ -407,7 +422,6 @@ function write_backend($fd, $name, $pool, $frontend) {
else
$checkinter = "";
- $a_servers = &$pool['ha_servers']['item'];
if (is_array($a_servers))
{
foreach($a_servers as $be) {
@@ -421,7 +435,8 @@ function write_backend($fd, $name, $pool, $frontend) {
} else {
$isbackup = "";
}
- fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n");
+ $ssl = ($backend_type == "http" && $be['ssl'] == 'yes') ? ' ssl' : "";
+ fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . "$ssl $cookie $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n");
}
}
fwrite ($fd, "\n");
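Review bot: The new `$ssl` test uses `$be['ssl'] == 'yes'` while the scan added earlier in write_backend (the `@@ -324` hunk) treats any truthy `$be['ssl']` as an SSL server; if the stored checkbox value is ever something other than 'yes' (for example 'on'), the health check is suppressed yet no `ssl` keyword is emitted on the server line. Use the same test in both places, e.g. `if ($be['ssl'] == 'yes')` in the scan, or `===` once the value the form saves is confirmed. The enclosing foreach and write_backend continue outside this hunk.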
@@ -486,7 +501,7 @@ function haproxy_writeconf() {
}
//check ssl info
- if ($backend['ssloffload']){
+ if (strtolower($backend['type']) == "http" && $backend['ssloffload']){
//ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem
$ssl_crt=" crt /var/etc/{$backend['name']}.{$backend['port']}.crt";
$cert = lookup_cert($backend['ssloffloadcert']);
@@ -497,6 +512,9 @@ function haproxy_writeconf() {
$ssl_crt="";
unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt");
}
+
+ if ($backend['extaddr']=='localhost')
+ $backend['extaddr'] = "127.0.0.1";
$bname = $backend['extaddr'] . ":" . $backend['port'];
if (!is_array($a_bind[$bname])) {
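Review bot: The `unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt")` in the else branch directly above the new localhost rewrite uses a relative path, while the previous hunk writes the certificate to `/var/etc/...`, so the cleanup that now also runs for every non-http backend never removes the real file unless the process's working directory happens to be `/`. Change it to `unlink_if_exists("/var/etc/{$backend['name']}.{$backend['port']}.crt");`. The new `$backend['extaddr']=='localhost'` check is a loose comparison on a config string; `===` is safer, and `strtolower()` would also catch `Localhost` if that spelling can be saved. haproxy_writeconf continues outside this hunk.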
@@ -538,6 +556,8 @@ function haproxy_writeconf() {
else
$frontendinfo = "frontend {$bind['name']}\n";
+ $advancedextra = array();
+
// Prepare ports for processing by splitting
$portss = "{$bind['port']},";
$ports = split(",", $portss);
@@ -622,7 +642,7 @@ function haproxy_writeconf() {
$a_pendingpl[$poolname]['frontend'] = $bconfig;
}
- if ($bconfig['ssloffload'] && $bconfig['ssloffloadacl']) {
+ if (strtolower($bind['type']) == "http" && $bconfig['ssloffload'] && $bconfig['ssloffloadacl']) {
$aclname = "SNI_" . $poolname;
$cert_cn = cert_get_cn($bconfig['ssloffloadcert'] ,true);
//$expr = "req_ssl_sni -i $cert_cn";
@@ -648,10 +668,15 @@ function haproxy_writeconf() {
$aclname = $i . "_" . $entry['name'];
fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n");
fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n");
+
+ if ($acl['advancedoptions'] != '')
+ $advancedextra[$acl['syntax']] = $acl['advancedoptions']."\n";
$i++;
}
}
+ foreach($advancedextra as $extra)
+ fwrite ($fd, "\t".$extra."\n");
fwrite ($fd, "\n");
}
}
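Review bot: `$advancedextra[$acl['syntax']] = $acl['advancedoptions']."\n"` appends a newline and the writer loop adds another (`"\t".$extra."\n"`), so every extra block is followed by a blank line; drop one of the two. The indentation of the second `tcp-request` line comes from the `\n\t` baked into the ACL table string in the first hunk while the writer only indents the first line — a comment on the writer such as `// advancedoptions strings carry their own indentation for continuation lines` would make that coupling visible, or the writer could split on "\n" and indent each line itself. `$acl['advancedoptions'] != ''` raises a notice for ACL types that lack the key; `!empty($acl['advancedoptions'])` is the safer test. Where `$acl` is assigned lies outside this hunk, and haproxy_writeconf continues outside it as well.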