diff options
| author | Ermal Luçi <eri@pfsense.org> | 2014-03-19 16:29:57 +0100 |
|---|---|---|
| committer | Ermal Luçi <eri@pfsense.org> | 2014-03-19 16:29:57 +0100 |
| commit | 6e77b1d72ae1097ea39defc80361db0a8c7fdebd (patch) | |
| tree | 3d59cf568ef8191a3d669c06626ad770abbb8752 /config/haproxy-devel | |
| parent | d50c07fd00ac203332e57a45532a265759922993 (diff) | |
| parent | 1bdd51eeb54147d989ebf288f6c2a1df3e49db6c (diff) | |
| download | pfsense-packages-6e77b1d72ae1097ea39defc80361db0a8c7fdebd.tar.gz pfsense-packages-6e77b1d72ae1097ea39defc80361db0a8c7fdebd.tar.bz2 pfsense-packages-6e77b1d72ae1097ea39defc80361db0a8c7fdebd.zip | |
Merge pull request #594 from PiBa-NL/hap_acl_checks
haproxy-devel, use same checks to show if acl's are used and for writing the configuration file
Diffstat (limited to 'config/haproxy-devel')
| -rw-r--r-- | config/haproxy-devel/haproxy.inc | 72 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_listeners.php | 4 |
2 files changed, 41 insertions, 35 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index 1dd3332e..3a0ca782 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -896,10 +896,8 @@ function haproxy_writeconf($configpath) { $default_backend = ""; $i = 0; foreach ($bind['config'] as $frontend) { - $a_acl=&$frontend['ha_acls']['item']; - if(!is_array($a_acl)) - $a_acl=array(); - + $a_acl = get_frontend_acls($frontend); + $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']); // Create different pools if the svrport is set @@ -911,31 +909,6 @@ function haproxy_writeconf($configpath) { $a_pendingpl[$poolname]['name'] = $poolname; $a_pendingpl[$poolname]['frontend'] = $frontend; } - - if (strtolower($bind['type']) == "http" && $frontend['ssloffload']) { - $aclname = "SNI_" . $poolname; - if ($frontend['ssloffloadacl']){ - $cert = lookup_cert($frontend['ssloffloadcert']); - $cert_cn = cert_get_cn($cert['crt']); - $descr = haproxy_escape_acl_name($cert['descr']); - $a_acl[] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); - unset($cert); - } - if ($frontend['ssloffloadacladditional']){ - $certs = $frontend['ha_certificates']['item']; - if (is_array($certs)){ - if (count($certs) > 0){ - foreach($certs as $certref){ - $cert = lookup_cert($certref['ssl_certificate']); - $cert_cn = cert_get_cn($cert['crt']); - $descr = haproxy_escape_acl_name($cert['descr']); - $a_acl[] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); - unset($cert); - } - } - } - } - } // Write this out once, and must be before any backend config text if (($default_backend == "" || $frontend['secondary'] != 'yes') && count($a_acl) == 0 ) { @@ -945,8 +918,8 @@ function haproxy_writeconf($configpath) { // combine acl's with same name to allow for 'combined checks' to check for example hostname and fileextension together.. $a_acl_combine = array(); foreach ($a_acl as $entry) { - $name = $entry['name']; - $a_acl_combine[$name][] = $entry; + $name = $entry['ref']['name']; + $a_acl_combine[$name][] = $entry['ref']; } foreach ($a_acl_combine as $a_usebackend) { @@ -1354,6 +1327,43 @@ function get_frontend_acls($frontend) { $result[] = $acl_item; } } + + $mainfrontend = get_primaryfrontend($frontend); + if (strtolower($mainfrontend['type']) == "http" && $mainfrontend['ssloffload']) { + $a_acl = &$frontend['ha_acls']['item']; + if(!is_array($a_acl)) + $a_acl=array(); + + $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']); + $aclname = "SNI_" . $poolname; + if ($frontend['ssloffloadacl']){ + $cert = lookup_cert($frontend['ssloffloadcert']); + $cert_cn = cert_get_cn($cert['crt']); + $descr = haproxy_escape_acl_name($cert['descr']); + unset($cert); + $acl_item = array(); + $acl_item['descr'] = "Certificate ACL ".$cert_cn; + $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); + $result[] = $acl_item; + } + if ($frontend['ssloffloadacladditional']){ + $certs = $frontend['ha_certificates']['item']; + if (is_array($certs)){ + if (count($certs) > 0){ + foreach($certs as $certref){ + $cert = lookup_cert($certref['ssl_certificate']); + $cert_cn = cert_get_cn($cert['crt']); + $descr = haproxy_escape_acl_name($cert['descr']); + unset($cert); + $acl_item = array(); + $acl_item['descr'] = "Additional certificate ACLs: ".$cert_cn; + $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); + $result[] = $acl_item; + } + } + } + } + } return $result; } diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php index fe5e1a8b..a9630b2d 100644 --- a/config/haproxy-devel/haproxy_listeners.php +++ b/config/haproxy-devel/haproxy_listeners.php @@ -169,10 +169,6 @@ include("head.inc"); foreach ($acls as $acl) { $isaclset .= " " . $acl['descr']; } - if ($frontend['ssloffloadacl']) - $isaclset .= " " . "Certificate ACL"; - if ($frontend['ssloffloadacladditional']) - $isaclset .= " " . "Additional certificate ACLs"; if ($isaclset) echo "<img src=\"$img_acl\" title=\"" . gettext("acl's used") . ": {$isaclset}\" border=\"0\" />"; |