authorPiBa-NL <pba_2k3@yahoo.com>2014-09-14 16:47:39 +0200
committerPiBa-NL <pba_2k3@yahoo.com>2014-09-14 16:47:39 +0200
commitf052b1e4fcec837f819fe05dbd38a0ed87e39333 (patch)
treec0de072d591bb926411914da96f6cc686edcb1c3 /config/haproxy-devel/haproxy_utils.inc
parent83e6b603975839d981294f8c19e06dbbe21c7d05 (diff)
downloadpfsense-packages-f052b1e4fcec837f819fe05dbd38a0ed87e39333.tar.gz
pfsense-packages-f052b1e4fcec837f819fe05dbd38a0ed87e39333.tar.bz2
pfsense-packages-f052b1e4fcec837f819fe05dbd38a0ed87e39333.zip
haproxy-devel improvements
-server certificate check options -client-certificate support -logging options -unix sockets for faster backend>frontend communication
Diffstat (limited to 'config/haproxy-devel/haproxy_utils.inc')
-rw-r--r--config/haproxy-devel/haproxy_utils.inc110
1 files changed, 65 insertions, 45 deletions
diff --git a/config/haproxy-devel/haproxy_utils.inc b/config/haproxy-devel/haproxy_utils.inc
index 03bd434f..a5fb7c64 100644
--- a/config/haproxy-devel/haproxy_utils.inc
+++ b/config/haproxy-devel/haproxy_utils.inc
@@ -33,6 +33,10 @@
require_once("config.inc");
+function haproxy_compareByName($a, $b) {
+ return strcasecmp($a['name'], $b['name']);
+}
+
function haproxy_interface_ip($interfacebindname,$userfriendly=false){
$list = haproxy_get_bindable_interfaces();
$item = $list[$interfacebindname];
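Review bot: The new comparator haproxy_compareByName carries no documentation, so its contract (a uasort() callback ordering two `['name' => ...]` entries case-insensitively by that key) is only visible from its body; a comment such as `// uasort() callback: orders two ['name' => ...] entries case-insensitively by name; pass as the string 'haproxy_compareByName'` above the function would make that clear. Later in this commit (in haproxy_get_certificates and haproxy_get_crls) it is handed to uasort() as the bare word haproxy_compareByName rather than a quoted string; PHP reads that as an undefined constant, which on the PHP versions of the day degrades to the string value with a notice but is a fatal Error on PHP 8. Passing `'haproxy_compareByName'` at those two call sites removes the notice and the forward-compatibility break.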
@@ -203,20 +207,11 @@ function haproxy_cert_signed_by($cert, $signedbycert) {
return $authoritykeyid == $subjectid;
}
-function haproxy_get_certificates(){
- global $config;
- $allcerts = array();
- foreach($config['cert'] as &$cert)
- $allcerts[] = &$cert;
- foreach($config['ca'] as &$cert)
- $allcerts[] = &$cert;
- return $allcerts;
-}
function haproxy_recalculate_certifcate_chain(){
// and set "selfsigned" for certificates that where used to sign themselves
// recalculate the "caref" for all certificates where it is currently unkown.
- $allcertificates = haproxy_get_certificates();
+ $allcertificates = haproxy_get_certificates('ca,server,user',true);
$items_recalculated = 0;
foreach($allcertificates as &$cert){
$recalculate=false;
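Review bot: The new call `haproxy_get_certificates('ca,server,user',true)` changes what haproxy_recalculate_certifcate_chain iterates over: the removed helper returned references to the raw `$config['cert']` and `$config['ca']` entries, while the replacement added later in this commit returns an array keyed by refid whose elements hold only a `'name'` string. The `foreach($allcertificates as &$cert)` loop that follows therefore no longer sees fields such as `caref` or `crt`, and any write-back the comment above describes (setting `selfsigned`, recalculating `caref`) cannot reach the config; the loop body lies outside this hunk, so the exact impact should be confirmed against it. Keeping a reference-returning helper for this caller, for example under the name haproxy_get_config_certificates(), restores the previous behaviour while the display-oriented haproxy_get_certificates() keeps its new contract.
```php
// Returns references to the raw certificate and CA entries in $config so callers can update them in place.
function haproxy_get_config_certificates() {
	global $config;
	$allcerts = array();
	foreach($config['cert'] as &$cert)
		$allcerts[] = &$cert;
	foreach($config['ca'] as &$cert)
		$allcerts[] = &$cert;
	return $allcerts;
}
// … unchanged: haproxy_recalculate_certifcate_chain signature and leading comments …
	$allcertificates = haproxy_get_config_certificates();
```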
@@ -251,7 +246,7 @@ function get_certificat_usage($refid) {
$usage = array();
$cert = lookup_cert($refid);
if (is_cert_revoked($cert))
- $usage[] = "Revoked";
+ $usage[] = "*Revoked";
if (is_webgui_cert($refid))
$usage[] = "webConfigurator";
if (is_user_cert($refid))
@@ -260,56 +255,81 @@ function get_certificat_usage($refid) {
$usage[] = "OpenVPN Server";
if (is_openvpn_client_cert($refid))
$usage[] = "OpenVPN Client";
- if (is_ipsec_cert($cert['refid']))
+ if (is_ipsec_cert($refid))
$usage[] = "IPsec Tunnel";
if (function_exists("is_captiveportal_cert"))
if (is_captiveportal_cert($refid))
$usage[] = "Captive Portal";
-
return $usage;
}
-function get_certificates_server($get_includeWebCert=false) {
+
+function haproxy_get_certificate_descriptivename($cert) {
+ $usage = get_certificat_usage($cert['crt']);
+ foreach($usage as $use){
+ $usagestr .= " " . $use;
+ }
+ if ($usagestr != "")
+ $usagestr = " (".trim($usagestr).")";
+
+ $purpose = cert_get_purpose($cert['crt']);
+ $certserverpurpose = $purpose['server'] == 'Yes' ? " [Server cert]" : "";
+
+ $caname = "";
+ $ca = lookup_ca($cert['caref']);
+ if ($ca)
+ $caname = " (CA: {$ca['descr']})";
+
+ return $cert['descr'] . $caname . $certserverpurpose . $usagestr;
+}
+
+function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=false) {
+ // $type one or multiple of these separated by a comma: ca,server,user
+ // $get_includeWebCert if the webgui certificate may be included.
+
// This function (is intended to) provide a uniform way to retrieve a list of server certificates
global $config;
- $certificates=array();
- $a_cert = &$config['cert'];
- foreach ($a_cert as $cert)
- {
- if ($get_ca == false && is_webgui_cert($cert['refid']))
- continue;
-
- $purpose = cert_get_purpose($cert['crt']);
- //$certserverpurpose = $purpose['server'] == 'Yes' ? " [Server certificate]" : "";
- $certserverpurpose = "";
+ $type = ",$type,";
+ $certificates = array();
+ if (strpos($type,',server,') !== false || strpos($type,',user,') !== false ) {
+ $a_cert = &$config['cert'];
+ foreach ($a_cert as $cert) {
+ $purpose = cert_get_purpose($cert['crt']);
+
+ $ok = false;
+ $ok |= stristr($type,',server,') && $purpose['server'] == 'Yes';
+ $ok |= stristr($type,',user,') && $purpose['server'] != 'Yes';
+ if (!$ok)
+ continue;
+ if ($get_includeWebCert == false && is_webgui_cert($cert['refid']))
+ continue;
+ $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ }
+ }
+ if (strpos($type,',ca,') !== false) {
+ $a_cert = &$config['ca'];
+ foreach ($a_cert as $cert) {
+ $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ }
+ }
+ uasort($certificates, haproxy_compareByName);
+ return $certificates;
+}
- $selected = "";
+function haproxy_get_crls() {
+ global $config;
+ $certificates=array();
+ foreach ($config['crl'] as $crl) {
$caname = "";
- $inuse = "";
- $revoked = "";
- $ca = lookup_ca($cert['caref']);
+ $ca = lookup_ca($crl['caref']);
if ($ca)
$caname = " (CA: {$ca['descr']})";
- if ($pconfig['certref'] == $cert['refid'])
- $selected = "selected";
- if (cert_in_use($cert['refid']))
- $inuse = " *In Use";
- if (is_cert_revoked($cert))
- $revoked = " *Revoked";
-
- $usagestr="";
- $usage = get_certificat_usage($cert['refid']);
- foreach($usage as $use){
- $usagestr .= " " . $use;
- }
- if ($usagestr != "")
- $usagestr = " (".trim($usagestr).")";
-
- $certificates[$cert['refid']]['name'] = $cert['descr'] . $caname . $certserverpurpose . $inuse . $revoked . $usagestr;
+
+ $certificates[$crl['refid']]['name'] = $crl['descr'] . $caname;
}
+ uasort($certificates, haproxy_compareByName);
return $certificates;
}
-
function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName, $includeitems) {
$offset = str_repeat(' ',$nestID);
$itemName = "item$nestID";