aboutsummaryrefslogtreecommitdiffstats
path: root/config/haproxy-devel/haproxy.inc
diff options
context:
space:
mode:
authorPiBa-NL <pba_2k3@yahoo.com>2013-03-02 21:57:23 +0100
committerPiBa-NL <pba_2k3@yahoo.com>2013-03-02 21:57:23 +0100
commitfea3c94f99d40325bfb17a3861b55866a216ed1f (patch)
tree857d5c95be463b6f8759d3bb11ac70dd83f642df /config/haproxy-devel/haproxy.inc
parentbad003299aeb2038d0c9a2531263392455d2941c (diff)
downloadpfsense-packages-fea3c94f99d40325bfb17a3861b55866a216ed1f.tar.gz
pfsense-packages-fea3c94f99d40325bfb17a3861b55866a216ed1f.tar.bz2
pfsense-packages-fea3c94f99d40325bfb17a3861b55866a216ed1f.zip
haproxy-devel, make it work and include the possibility for both SNI checking and/or SSL offloading.
Diffstat (limited to 'config/haproxy-devel/haproxy.inc')
-rw-r--r--config/haproxy-devel/haproxy.inc642
1 files changed, 511 insertions, 131 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index 9fbb606d..ab56f34c 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -32,12 +32,49 @@ require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("notices.inc");
+
+global $haproxy_sni_ssloffloading;
+$haproxy_sni_ssloffloading=true;// can only be used with recent 1.5-dev17 builds.
+
$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty";
+$a_acltypes = array();
+$a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with',
+ 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i');
+$a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with',
+ 'mode' =>'http', 'syntax' => 'hdr_end(host) -i');
+$a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches',
+ 'mode' =>'http', 'syntax' => 'hdr(host) -i');
+$a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex',
+ 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i');
+$a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains',
+ 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i');
+$a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with',
+ 'mode' => 'http', 'syntax' => 'path_beg -i');
+$a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with',
+ 'mode' => 'http', 'syntax' => 'path_end -i');
+$a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches',
+ 'mode' => 'http', 'syntax' => 'path -i');
+$a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex',
+ 'mode' => 'http', 'syntax' => 'path_reg -i');
+$a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains',
+ 'mode' => 'http', 'syntax' => 'path_dir -i');
+$a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP',
+ 'mode' => '', 'syntax' => 'src');
+if ($haproxy_sni_ssloffloading)
+{
+ $a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches',
+ 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\r\ntcp-request content accept if { req_ssl_hello_type 1 }");
+}
+
function haproxy_custom_php_deinstall_command() {
- exec("rm /usr/local/sbin/haproxy");
+ exec("cd /var/db/pkg && pkg_delete `ls | grep haproxy`");
exec("rm /usr/local/pkg/haproxy.inc");
exec("rm /usr/local/www/haproxy*");
+ exec("rm /usr/local/etc/rc.d/haproxy.sh");
+ exec("rm /etc/devd/haproxy.conf");
+ exec("/etc/rc.d/devd restart");
+ haproxy_install_cron(false);
}
function haproxy_custom_php_install_command() {
@@ -60,6 +97,8 @@ haproxy_enable=\${haproxy-"YES"}
start_cmd="haproxy_start"
stop_postcmd="haproxy_stop"
+check_cmd="haproxy_check"
+extra_commands="check"
load_rc_config \$name
@@ -77,6 +116,20 @@ haproxy_start () {
ENDOFF
}
+haproxy_check () {
+ echo "Checking haproxy."
+ /usr/bin/env \
+ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
+ /usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDOFF
+ <?php
+ require_once("globals.inc");
+ require_once("functions.inc");
+ require_once("haproxy.inc");
+ haproxy_check_run(0);
+ ?>
+ENDOFF
+}
+
haproxy_stop () {
echo "Stopping haproxy."
killall haproxy
@@ -91,18 +144,292 @@ EOD;
fclose($fd);
exec("chmod a+rx /usr/local/etc/rc.d/haproxy.sh");
+ $devd = <<<EOD
+notify 0 {
+ match "system" "IFNET";
+ match "subsystem" "carp[0-9]+";
+ match "type" "LINK_UP";
+ action "/usr/local/etc/rc.d/haproxy.sh check";
+};
+notify 0 {
+ match "system" "IFNET";
+ match "subsystem" "carp[0-9]+";
+ match "type" "LINK_DOWN";
+ action "/usr/local/etc/rc.d/haproxy.sh check";
+};
+
+EOD;
+ exec("mkdir -p /etc/devd");
+ $fd = fopen("/etc/devd/haproxy.conf", "w");
+ fwrite($fd, $devd);
+ fclose($fd);
+ exec("/etc/rc.d/devd restart");
+
+ /* Do XML upgrade from haproxy 0.31 to haproxy-dev */
+ if (is_array($config['installedpackages']['haproxy']['ha_servers'])) {
+ /* We have an old config */
+ $config['installedpackages']['haproxy']['ha_pools']['item'] = array();
+ $a_global = &$config['installedpackages']['haproxy'];
+ $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+ $a_oldservers = &$config['installedpackages']['haproxy']['ha_servers']['item'];
+ $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item'];
+
+ foreach ($a_backends as $id => $be) {
+ $a_backends[$id]['status'] = 'active';
+ }
+ $id = 0;
+ foreach ($a_oldservers as $oldserver) {
+ $pool=$oldserver;
+ /* make server sub array */
+ $server=array();
+ $server['name'] = $oldserver['name'];
+ $server['address'] = $oldserver['address'];
+ $server['port'] = $oldserver['port'];
+ $server['weight'] = $oldserver['weight'];
+ $a_servers=array();
+ $a_servers[]=$server;
+ /* set new pool */
+ $pool['name'] = "pool$id";
+ $id++;
+ $pool['ha_servers']['item']=$a_servers;
+ /* link to frontend */
+ foreach ($a_backends as $id => $be) {
+ if ($a_backends[$id]['name'] == $oldserver['backend']) {
+ $a_backends[$id]['backend_serverpool'] = $pool['name'];
+ $pool['monitor_uri'] = $be['monitor_uri'];
+ unset($a_backends[$id]['monitor_uri']);
+ break;
+ }
+ }
+ unset($pool['backend']);
+ unset($pool['address']);
+ unset($pool['port']);
+ unset($pool['weight']);
+ $a_pools[] = $pool;
+ }
+ unset($config['installedpackages']['haproxy']['ha_servers']);
+ write_config();
+ }
+
+ /* XML update to: pkg v1.3 and 'pool' changed to 'backend_serverpool' because 'pool' was added to listtags() in xmlparse.inc */
+ if (is_array($config['installedpackages']['haproxy']['ha_backends']['item'][0]['pool']))
+ {
+ foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend)
+ {
+ $backend_serverpool = $frontend['pool'][0];
+ $frontend['backend_serverpool'] = $backend_serverpool;
+ unset($frontend['pool']);
+ }
+ write_config();
+ }
+ //also move setting for existing 2.0 installations as only the new variable is used
+ if (isset($config['installedpackages']['haproxy']['ha_backends']['item'][0]['pool']))
+ {
+ foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend)
+ {
+ $backend_serverpool = $frontend['pool'];
+ $frontend['backend_serverpool'] = $backend_serverpool;
+ unset($frontend['pool']);
+ }
+ write_config();
+ }
+
conf_mount_ro();
exec("/usr/local/etc/rc.d/haproxy.sh start");
}
+function haproxy_install_cron($should_install) {
+ global $config, $g;
+ if($g['booting']==true)
+ return;
+ $is_installed = false;
+ if(!$config['cron']['item'])
+ return;
+ $x=0;
+ foreach($config['cron']['item'] as $item) {
+ if(strstr($item['command'], "/usr/local/etc/rc.d/haproxy.sh")) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+ switch($should_install) {
+ case true:
+ if(!$is_installed) {
+ $cron_item = array();
+ $cron_item['minute'] = "*/2";
+ $cron_item['hour'] = "*";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/local/etc/rc.d/haproxy.sh check";
+ $config['cron']['item'][] = $cron_item;
+ parse_config(true);
+ write_config();
+ configure_cron();
+ }
+ break;
+ case false:
+ if($is_installed == true) {
+ if($x > 0) {
+ unset($config['cron']['item'][$x]);
+ parse_config(true);
+ write_config();
+ }
+ configure_cron();
+ }
+ break;
+ }
+}
+
+function haproxy_find_acl($name) {
+ global $a_acltypes;
+
+ /* XXX why is this broken from xmlsync? */
+ if (!$a_acltypes) {
+ $a_acltypes = array();
+ $a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with',
+ 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i');
+ $a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with',
+ 'mode' =>'http', 'syntax' => 'hdr_end(host) -i');
+ $a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches',
+ 'mode' =>'http', 'syntax' => 'hdr(host) -i');
+ $a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex',
+ 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i');
+ $a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains',
+ 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i');
+ $a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with',
+ 'mode' => 'http', 'syntax' => 'path_beg -i');
+ $a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with',
+ 'mode' => 'http', 'syntax' => 'path_end -i');
+ $a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches',
+ 'mode' => 'http', 'syntax' => 'path -i');
+ $a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex',
+ 'mode' => 'http', 'syntax' => 'path_reg -i');
+ $a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains',
+ 'mode' => 'http', 'syntax' => 'path_dir -i');
+ $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP',
+ 'mode' => '', 'syntax' => 'src');
+ }
+
+ if($a_acltypes) {
+ foreach ($a_acltypes as $acl) {
+ if ($acl['name'] == $name)
+ return $acl;
+ }
+ }
+}
+
+function write_backend($fd, $name, $pool, $frontend) {
+ if(!is_array($pool['ha_servers']['item']))
+ return;
+
+ fwrite ($fd, "backend " . $name . "\n");
+ if($pool['cookie_name'] && strtolower($frontend['type']) == "http")
+ fwrite ($fd, "\tcookie\t\t\t" . $pool['cookie_name'] . " insert indirect\n");
+
+ // https is an alias for tcp for clarity purpouses
+ if(strtolower($frontend['type']) == "https") {
+ $backend_type = "tcp";
+ $httpchk = "ssl-hello-chk";
+ } else {
+ $backend_type = $frontend['type'];
+ $httpchk = "httpchk";
+ }
+
+ fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n");
+
+ if($frontend['balance'])
+ fwrite ($fd, "\tbalance\t\t\t" . $frontend['balance'] . "\n");
+
+ if($frontend['connection_timeout'])
+ fwrite ($fd, "\tcontimeout\t\t" . $frontend['connection_timeout'] . "\n");
+
+ if($frontend['server_timeout'])
+ fwrite ($fd, "\tsrvtimeout\t\t" . $frontend['server_timeout'] . "\n");
+
+ if($frontend['retries'])
+ fwrite ($fd, "\tretries\t\t\t" . $frontend['retries'] . "\n");
+
+ if($frontend['stats_enabled']=='yes') {
+ fwrite ($fd, "\tstats\t\t\tenable\n");
+ if($frontend['stats_uri'])
+ fwrite ($fd, "\tstats\t\t\turi ".$frontend['stats_uri']."\n");
+ if($frontend['stats_realm'])
+ fwrite ($fd, "\tstats\t\t\trealm " . $frontend['stats_realm'] . "\n");
+ else
+ fwrite ($fd, "\tstats\t\t\trealm .\n");
+ fwrite ($fd, "\tstats\t\t\tauth " . $frontend['stats_username'].":". $frontend['stats_password']."\n");
+
+ if($frontend['stats_node_enabled']=='yes')
+ fwrite ($fd, "\tstats\t\t\tshow-node " . $frontend['stats_node'] . "\n");
+ if($frontend['stats_desc'])
+ fwrite ($fd, "\tstats\t\t\tshow-desc " . $frontend['stats_desc'] . "\n");
+ if($frontend['stats_refresh'])
+ fwrite ($fd, "\tstats\t\t\trefresh " . $frontend['stats_refresh'] . "\n");
+ }
+
+ $uri = $pool['monitor_uri'];
+ if ($pool['monitor_uri'])
+ $uri = $pool['monitor_uri'];
+ else
+ $uri = "/";
+ fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n");
+
+ if($pool['cookie'] && strtolower($frontend['type']) == "http")
+ $cookie = " cookie {$pool['cookie']} ";
+ else
+ $cookie = "";
+ if($pool['advanced']) {
+ $advanced = base64_decode($pool['advanced']);
+ $advanced_txt = " " . $advanced;
+ } else {
+ $advanced_txt = "";
+ }
+ if($pool['checkinter'])
+ $checkinter = "check inter {$pool['checkinter']}";
+ else if (strtolower($frontend['type']) != "tcp")
+ $checkinter = "check inter 1000";
+ else
+ $checkinter = "";
+
+ $a_servers = &$pool['ha_servers']['item'];
+ foreach($a_servers as $be) {
+ if(!$be['port']) {
+ // the listener can specify a default port
+ $be['port'] = $frontend['svrport'];
+ }
+ if(!$be['port']) {
+ // last resort, use the frontend port
+ $ports = split(",", "{$frontend['port']},");
+ $be['port'] = $ports[0];
+ }
+ if (!$be['name'])
+ $be['name'] = $be['address'];
+ if($be['backup']) {
+ $isbackup = "backup";
+ } else {
+ $isbackup = "";
+ }
+ fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n");
+ }
+ fwrite ($fd, "\n");
+}
+
function haproxy_configure() {
+ // reload haproxy
+ haproxy_writeconf();
+ return haproxy_check_run(1);
+}
+
+function haproxy_writeconf() {
global $config, $g;
$a_global = &$config['installedpackages']['haproxy'];
$a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
- $a_frontends = &$config['installedpackages']['haproxy']['ha_frontends']['item'];
- $a_servers = &$config['installedpackages']['haproxy']['ha_servers']['item'];
+ $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item'];
$fd = fopen("{$g['varetc_path']}/haproxy.cfg", "w");
@@ -112,7 +439,7 @@ function haproxy_configure() {
fwrite ($fd, "\t" . base64_decode($a_global['advanced']) . "\n");
fwrite ($fd, "\tmaxconn\t\t\t".$a_global['maxconn']."\n");
if($a_global['remotesyslog'])
- fwrite ($fd, "\tlog\t\t\t{$a_global['remotesyslog']}\tlocal0\n");
+ fwrite ($fd, "\tlog\t\t\t{$a_global['remotesyslog']}\t{$a_global['logfacility']}\t{$a_global['loglevel']}\n");
fwrite ($fd, "\tuid\t\t\t80\n");
fwrite ($fd, "\tgid\t\t\t80\n");
// Set numprocs if defined or use system default (#cores)
@@ -126,9 +453,21 @@ function haproxy_configure() {
fwrite ($fd, "\n");
}
- // Construct and write out configuration file
+ // Try and get a unique array for address:port as frontends can duplicate
+ $a_bind = array();
if(is_array($a_backends)) {
foreach ($a_backends as $backend) {
+ if($backend['status'] != 'active')
+ {
+ unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt");
+ continue;
+ }
+ if(!$backend['backend_serverpool'])
+ {
+ unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt");
+ continue;
+ }
+
//check ssl info
if ($backend['ssloffload']){
//ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem
@@ -138,189 +477,230 @@ function haproxy_configure() {
$ssl_info="";
unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt");
}
- // Define our backend name
- $backendinfo = "listen {$backend['name']}\n";
+
+ $bname = $backend['extaddr'] . ":" . $backend['port'];
+ if (!is_array($a_bind[$bname])) {
+ $a_bind[$bname] = array();
+ $a_bind[$bname]['config'] = array();
+ // Settings which are constant for a merged frontend
+ $a_bind[$bname]['name'] = $backend['name'];
+ $a_bind[$bname]['extaddr'] = $backend['extaddr'];
+ $a_bind[$bname]['port'] = $backend['port'];
+ }
+ $b = &$a_bind[$bname];
+
+ // Overwrite ?
+ $b['type'] = $backend['type'];
+ $b['forwardfor'] = $backend['forwardfor'];
+ $b['httpclose'] = $backend['httpclose'];
+ $b['max_connections'] = $backend['max_connections'];
+ $b['client_timeout'] = $backend['client_timeout'];
+ $b['advanced'] = $backend['advanced'];
+ $b['ssl_info'] = $ssl_info;
+
+ // pointer to each backend
+ $b['config'][] = $backend;
+ }
+ }
+
+ $a_pendingpl = array();
+
+ // Construct and write out configuration file
+ if(is_array($a_bind)) {
+ foreach ($a_bind as $bind) {
+ if (count($bind['config']) > 1)
+ $frontendinfo = "frontend {$bind['name']}-merged\n";
+ else
+ $frontendinfo = "frontend {$bind['name']}\n";
// Prepare ports for processing by splitting
- $portss = "{$backend['port']},";
+ $portss = "{$bind['port']},";
$ports = split(",", $portss);
-
+ $ssl_info = $bind['ssl_info'];
// Initialize variable
$listenip = "";
// Process and add bind directives for ports
foreach($ports as $port) {
if($port) {
- if($backend['extaddr'] == "any")
+ if($bind['extaddr'] == "any")
$listenip .= "\tbind\t\t\t0.0.0.0:{$port} {$ssl_info}\n";
- elseif($backend['extaddr'])
- $listenip .= "\tbind\t\t\t{$backend['extaddr']}:{$port} {$ssl_info}\n";
- else
+ elseif($bind['extaddr'])
+ $listenip .= "\tbind\t\t\t{$bind['extaddr']}:{$port} {$ssl_info}\n";
+ else
$listenip .= "\tbind\t\t\t" . get_current_wan_address('wan') . ":{$port} {$ssl_info}\n";
}
}
- fwrite ($fd, "{$backendinfo}");
+ fwrite ($fd, "{$frontendinfo}");
fwrite ($fd, "{$listenip}");
// Advanced pass thru
- if($backend['advanced']) {
- $advanced = base64_decode($backend['advanced']);
+ if($bind['advanced']) {
+ $advanced = base64_decode($bind['advanced']);
fwrite($fd, "\t" . $advanced . "\n");
}
// https is an alias for tcp for clarity purpouses
- if(strtolower($backend['type']) == "https") {
+ if(strtolower($bind['type']) == "https") {
$backend_type = "tcp";
$httpchk = "ssl-hello-chk";
} else {
- $backend_type = $backend['type'];
+ $backend_type = $bind['type'];
$httpchk = "httpchk";
}
- fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n");
+ fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n");
fwrite ($fd, "\tlog\t\t\tglobal\n");
fwrite ($fd, "\toption\t\t\tdontlognull\n");
- if($backend['httpclose'])
+ if($bind['httpclose'])
fwrite ($fd, "\toption\t\t\thttpclose\n");
- if($backend['forwardfor'])
+ if($bind['forwardfor'])
fwrite ($fd, "\toption\t\t\tforwardfor\n");
- if($backend['max_connections'])
- fwrite ($fd, "\tmaxconn\t\t\t" . $backend['max_connections'] . "\n");
-
- if($backend['client_timeout'])
- fwrite ($fd, "\tclitimeout\t\t" . $backend['client_timeout'] . "\n");
-
- if($backend['balance'])
- fwrite ($fd, "\tbalance\t\t\t" . $backend['balance'] . "\n");
-
- if($backend['connection_timeout'])
- fwrite ($fd, "\tcontimeout\t\t" . $backend['connection_timeout'] . "\n");
-
- if($backend['server_timeout'])
- fwrite ($fd, "\tsrvtimeout\t\t" . $backend['server_timeout'] . "\n");
-
- if($backend['retries'])
- fwrite ($fd, "\tretries\t\t\t" . $backend['retries'] . "\n");
-
- if($backend['cookie_name'])
- fwrite ($fd, "\tcookie\t\t\t" . $backend['cookie_name'] . " insert indirect\n");
-
- if($backend['monitor_uri'])
- fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $backend['monitor_uri'] . " HTTP/1.0\n");
-
- if($backend['stats_enabled']=='yes') {
- fwrite ($fd, "\tstats\t\t\tenable\n");
- if($backend['stats_uri'])
- fwrite ($fd, "\tstats\t\t\turi ".$backend['stats_uri']."\n");
- if($backend['stats_realm'])
- fwrite ($fd, "\tstats\t\t\trealm " . $backend['stats_realm'] . "\n");
- else
- fwrite ($fd, "\tstats\t\t\trealm .\n");
- fwrite ($fd, "\tstats\t\t\tauth " . $backend['stats_username'].":". $backend['stats_password']."\n");
- if($backend['stats_node_enabled']=='yes')
- fwrite ($fd, "\tstats\t\t\tshow-node " . $backend['stats_node'] . "\n");
- if($backend['stats_desc'])
- fwrite ($fd, "\tstats\t\t\tshow-desc " . $backend['stats_desc'] . "\n");
- if($backend['stats_refresh'])
- fwrite ($fd, "\tstats\t\t\trefresh " . $backend['stats_refresh'] . "\n");
- }
+ if($bind['max_connections'])
+ fwrite ($fd, "\tmaxconn\t\t\t" . $bind['max_connections'] . "\n");
- $a_acl=&$frontend['ha_acls']['item'];
- if(!is_array($a_acl))
- $a_acl=array();
+ if($bind['client_timeout'])
+ fwrite ($fd, "\tclitimeout\t\t" . $bind['client_timeout'] . "\n");
+
+
+ // Combine the rest of the listener configs
+ $default_once = 0;
+ $i = 0;
+ foreach ($bind['config'] as $bconfig) {
+ $a_acl=&$bconfig['ha_acls']['item'];
+ if(!is_array($a_acl))
+ $a_acl=array();
- foreach ($a_acl as $acl)
- fwrite ($fd, "\tacl\t\t\t".$acl['name']."\t\t".$acl['expression']."\n");
-
- $server['backend'] .= " ";
- if(is_array($a_servers)) {
- foreach ($a_servers as $server) {
- $backends_to_process = split(" ", $server['backend']);
- foreach($backends_to_process as $backends) {
- if($backends == "")
- continue;
- if($backends == $backend['name']) {
- $server_ports = array();
- if($server['status'] != 'inactive') {
- if($server['cookie'])
- $cookie = " cookie {$server['cookie']} ";
- else
- $cookie = "";
- if(!$server['port']) {
- foreach($ports as $port) {
- if($port)
- $server_ports[] = $port;
- }
- } else {
- $server_ports[] = $server['port'];
- }
- if($server['advanced']) {
- $advanced = base64_decode($server['advanced']);
- $advanced_txt = " " . $advanced;
- } else {
- $advanced_txt = "";
- }
- if($server['status'] != 'active') {
- $status = " " . $server['status'];
- } else {
- $status = "";
- }
- if($server['checkinter'])
- $checkinter = "check inter {$server['checkinter']}";
- else
- $checkinter = "check inter 1000";
- foreach($server_ports as $pport)
- fwrite ($fd, "\tserver\t\t\t" . $server['name'] . " " . $server['address'].":" . $pport . " $cookie " . " $checkinter weight " . $server['weight'] . $status . "{$advanced_txt}\n");
- }
- }
- }
+ $poolname = $bconfig['backend_serverpool'] . "_" . strtolower($bconfig['type']);
+
+ // Create different pools if the svrport is set
+ if ($bconfig['svrport'] > 0)
+ $poolname .= "_" . $bconfig['svrport'];
+
+ // Write this out once, and must be before any backend config text
+ if ($default_once == 0) {
+ fwrite ($fd, "\tdefault_backend\t\t" . $poolname . "\n");
+ $default_once++;
+ }
+
+ if (!isset($a_pendingpl[$poolname])) {
+ $a_pendingpl[$poolname] = array();
+ $a_pendingpl[$poolname]['name'] = $poolname;
+ $a_pendingpl[$poolname]['frontend'] = $bconfig;
+ }
+
+ foreach ($a_acl as $entry) {
+ $acl = haproxy_find_acl($entry['expression']);
+ if (!$acl)
+ continue;
+
+ // Filter out acls for different modes
+ if ($acl['mode'] != '' && $acl['mode'] != strtolower($bind['type']))
+ continue;
+
+ if ($acl['syntax'] != '')
+ $expr = $acl['syntax'] . " " . $entry['value'];
+ else
+ $expr = $entry['expression'] . " " . $entry['value'];
+
+ $aclname = $i . "_" . $entry['name'];
+ fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n");
+ fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n");
+ $i++;
}
+
}
fwrite ($fd, "\n");
}
- // Sync HAProxy configuration (if enabled)
- if(isset($config['installedpackages']['haproxy']['enablesync'])) {
- if($config['installedpackages']['haproxy']['synchost1']) {
- haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost1'],
- $config['installedpackages']['haproxy']['syncpassword']);
- }
- if($config['installedpackages']['haproxy']['synchost2']) {
- haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost2'],
- $config['installedpackages']['haproxy']['syncpassword']);
- }
- if($config['installedpackages']['haproxy']['synchost3']) {
- haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost3'],
- $config['installedpackages']['haproxy']['syncpassword']);
+ }
+ if (is_array($a_pendingpl) && is_array($a_pools)) {
+ foreach ($a_pendingpl as $pending) {
+ foreach ($a_pools as $pool) {
+ if ($pending['frontend']['backend_serverpool'] == $pool['name']) {
+ write_backend($fd, $pending['name'], $pool, $pending['frontend']);
+ }
}
}
}
+ fwrite ($fd, "\n");
+
+ // Sync HAProxy configuration (if enabled)
+ if(isset($config['installedpackages']['haproxy']['enablesync'])) {
+ if($config['installedpackages']['haproxy']['synchost1']) {
+ haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost1'],
+ $config['installedpackages']['haproxy']['syncpassword']);
+ }
+ if($config['installedpackages']['haproxy']['synchost2']) {
+ haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost2'],
+ $config['installedpackages']['haproxy']['syncpassword']);
+ }
+ if($config['installedpackages']['haproxy']['synchost3']) {
+ haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost3'],
+ $config['installedpackages']['haproxy']['syncpassword']);
+ }
+ }
// create config file
fclose($fd);
+ if (isset($a_global['carpdev']))
+ haproxy_install_cron(true);
+ else
+ haproxy_install_cron(false);
+
$freebsd_version = substr(trim(`uname -r`), 0, 1);
if(!file_exists("/usr/bin/limits")) {
exec("fetch -q -o /usr/bin/limits http://files.pfsense.org/extras/{$freebsd_version}/limits");
exec("chmod a+rx /usr/bin/limits");
}
+}
+
+function haproxy_is_running() {
+ $running = (shell_exec("/bin/pgrep -x haproxy") != '');
+ return $running;
+}
+
+function haproxy_check_run($reload) {
+ global $config, $g;
+
+ $a_global = &$config['installedpackages']['haproxy'];
exec("/usr/bin/limits -n 300014");
- // reload haproxy
if(isset($a_global['enable'])) {
- if(is_process_running('haproxy')) {
+ if (isset($a_global['carpdev'])) {
+ $status = get_carp_interface_status($a_global['carpdev']);
+ if ($status != "MASTER") {
+ if (haproxy_is_running()) {
+ log_error("Stopping haproxy on CARP backup.");
+ exec("/bin/pkill -F /var/run/haproxy.pid haproxy");
+ }
+ return (0);
+ } else if (haproxy_is_running() && $reload == 0) {
+ return (0);
+ }
+ log_error("Starting haproxy on CARP master.");
+ /* fallthrough */
+ } else if ($reload == 0)
+ return (0);
+
+ if (haproxy_is_running()) {
exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -st `cat /var/run/haproxy.pid`");
} else {
exec("/usr/local/sbin/haproxy -f /var/etc/haproxy.cfg -p /var/run/haproxy.pid -D");
}
return (0);
} else {
+ if ($reload && haproxy_is_running()) {
+ exec("/bin/pkill -F /var/run/haproxy.pid haproxy");
+ }
return (1);
}
+
}
function haproxy_do_xmlrpc_sync($sync_to_ip, $password) {
@@ -370,11 +750,11 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) {
$xml['haproxy'] = $config['installedpackages']['haproxy'];
// Prevent sync loops
- unset($xml['haproxy']['synchost1']);
- unset($xml['haproxy']['synchost2']);
- unset($xml['haproxy']['synchost3']);
- unset($xml['haproxy']['syncpassword']);
-
+ unset($xml['synchost1']);
+ unset($xml['synchost2']);
+ unset($xml['synchost3']);
+ unset($xml['syncpassword']);
+
/* assemble xmlrpc payload */
$params = array(
XML_RPC_encode($password),
@@ -423,7 +803,7 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) {
$cli->setCredentials('admin', $password);
$resp = $cli->send($msg, "250");
if(!$resp) {
- $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port} (exec_php).";
log_error($error);
file_notice("sync_settings", $error, "HAProxy Settings Reload", "");
} elseif($resp->faultCode()) {
@@ -433,7 +813,7 @@ function haproxy_do_xmlrpc_sync($sync_to_ip, $password) {
log_error($error);
file_notice("sync_settings", $error, "HAProxy Settings Sync", "");
} else {
- log_error("HAProxy XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("HAProxy XMLRPC reload data success with {$url}:{$port} (exec_php).");
}
}