diff options
author | PiBa-NL <pba_2k3@yahoo.com> | 2014-09-14 16:47:39 +0200 |
---|---|---|
committer | PiBa-NL <pba_2k3@yahoo.com> | 2014-09-14 16:47:39 +0200 |
commit | f052b1e4fcec837f819fe05dbd38a0ed87e39333 (patch) | |
tree | c0de072d591bb926411914da96f6cc686edcb1c3 /config/haproxy-devel/haproxy_utils.inc | |
parent | 83e6b603975839d981294f8c19e06dbbe21c7d05 (diff) | |
download | pfsense-packages-f052b1e4fcec837f819fe05dbd38a0ed87e39333.tar.gz pfsense-packages-f052b1e4fcec837f819fe05dbd38a0ed87e39333.tar.bz2 pfsense-packages-f052b1e4fcec837f819fe05dbd38a0ed87e39333.zip |
haproxy-devel improvements
-server certificate check options
-client-certificate support
-logging options
-unix sockets for faster backend>frontend communication
Diffstat (limited to 'config/haproxy-devel/haproxy_utils.inc')
-rw-r--r-- | config/haproxy-devel/haproxy_utils.inc | 110 |
1 files changed, 65 insertions, 45 deletions
diff --git a/config/haproxy-devel/haproxy_utils.inc b/config/haproxy-devel/haproxy_utils.inc index 03bd434f..a5fb7c64 100644 --- a/config/haproxy-devel/haproxy_utils.inc +++ b/config/haproxy-devel/haproxy_utils.inc @@ -33,6 +33,10 @@ require_once("config.inc"); +function haproxy_compareByName($a, $b) { + return strcasecmp($a['name'], $b['name']); +} + function haproxy_interface_ip($interfacebindname,$userfriendly=false){ $list = haproxy_get_bindable_interfaces(); $item = $list[$interfacebindname]; @@ -203,20 +207,11 @@ function haproxy_cert_signed_by($cert, $signedbycert) { return $authoritykeyid == $subjectid; } -function haproxy_get_certificates(){ - global $config; - $allcerts = array(); - foreach($config['cert'] as &$cert) - $allcerts[] = &$cert; - foreach($config['ca'] as &$cert) - $allcerts[] = &$cert; - return $allcerts; -} function haproxy_recalculate_certifcate_chain(){ // and set "selfsigned" for certificates that where used to sign themselves // recalculate the "caref" for all certificates where it is currently unkown. - $allcertificates = haproxy_get_certificates(); + $allcertificates = haproxy_get_certificates('ca,server,user',true); $items_recalculated = 0; foreach($allcertificates as &$cert){ $recalculate=false; @@ -251,7 +246,7 @@ function get_certificat_usage($refid) { $usage = array(); $cert = lookup_cert($refid); if (is_cert_revoked($cert)) - $usage[] = "Revoked"; + $usage[] = "*Revoked"; if (is_webgui_cert($refid)) $usage[] = "webConfigurator"; if (is_user_cert($refid)) @@ -260,56 +255,81 @@ function get_certificat_usage($refid) { $usage[] = "OpenVPN Server"; if (is_openvpn_client_cert($refid)) $usage[] = "OpenVPN Client"; - if (is_ipsec_cert($cert['refid'])) + if (is_ipsec_cert($refid)) $usage[] = "IPsec Tunnel"; if (function_exists("is_captiveportal_cert")) if (is_captiveportal_cert($refid)) $usage[] = "Captive Portal"; - return $usage; } -function get_certificates_server($get_includeWebCert=false) { + +function haproxy_get_certificate_descriptivename($cert) { + $usage = get_certificat_usage($cert['crt']); + foreach($usage as $use){ + $usagestr .= " " . $use; + } + if ($usagestr != "") + $usagestr = " (".trim($usagestr).")"; + + $purpose = cert_get_purpose($cert['crt']); + $certserverpurpose = $purpose['server'] == 'Yes' ? " [Server cert]" : ""; + + $caname = ""; + $ca = lookup_ca($cert['caref']); + if ($ca) + $caname = " (CA: {$ca['descr']})"; + + return $cert['descr'] . $caname . $certserverpurpose . $usagestr; +} + +function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=false) { + // $type one or multiple of these separated by a comma: ca,server,user + // $get_includeWebCert if the webgui certificate may be included. + // This function (is intended to) provide a uniform way to retrieve a list of server certificates global $config; - $certificates=array(); - $a_cert = &$config['cert']; - foreach ($a_cert as $cert) - { - if ($get_ca == false && is_webgui_cert($cert['refid'])) - continue; - - $purpose = cert_get_purpose($cert['crt']); - //$certserverpurpose = $purpose['server'] == 'Yes' ? " [Server certificate]" : ""; - $certserverpurpose = ""; + $type = ",$type,"; + $certificates = array(); + if (strpos($type,',server,') !== false || strpos($type,',user,') !== false ) { + $a_cert = &$config['cert']; + foreach ($a_cert as $cert) { + $purpose = cert_get_purpose($cert['crt']); + + $ok = false; + $ok |= stristr($type,',server,') && $purpose['server'] == 'Yes'; + $ok |= stristr($type,',user,') && $purpose['server'] != 'Yes'; + if (!$ok) + continue; + if ($get_includeWebCert == false && is_webgui_cert($cert['refid'])) + continue; + $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert); + } + } + if (strpos($type,',ca,') !== false) { + $a_cert = &$config['ca']; + foreach ($a_cert as $cert) { + $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert); + } + } + uasort($certificates, haproxy_compareByName); + return $certificates; +} - $selected = ""; +function haproxy_get_crls() { + global $config; + $certificates=array(); + foreach ($config['crl'] as $crl) { $caname = ""; - $inuse = ""; - $revoked = ""; - $ca = lookup_ca($cert['caref']); + $ca = lookup_ca($crl['caref']); if ($ca) $caname = " (CA: {$ca['descr']})"; - if ($pconfig['certref'] == $cert['refid']) - $selected = "selected"; - if (cert_in_use($cert['refid'])) - $inuse = " *In Use"; - if (is_cert_revoked($cert)) - $revoked = " *Revoked"; - - $usagestr=""; - $usage = get_certificat_usage($cert['refid']); - foreach($usage as $use){ - $usagestr .= " " . $use; - } - if ($usagestr != "") - $usagestr = " (".trim($usagestr).")"; - - $certificates[$cert['refid']]['name'] = $cert['descr'] . $caname . $certserverpurpose . $inuse . $revoked . $usagestr; + + $certificates[$crl['refid']]['name'] = $crl['descr'] . $caname; } + uasort($certificates, haproxy_compareByName); return $certificates; } - function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName, $includeitems) { $offset = str_repeat(' ',$nestID); $itemName = "item$nestID"; |