diff options
| author | PiBa-NL <pba_2k3@yahoo.com> | 2015-07-19 17:14:03 +0200 |
|---|---|---|
| committer | PiBa-NL <pba_2k3@yahoo.com> | 2015-07-19 17:14:03 +0200 |
| commit | 6479eab976d425ae2f8d3eb988a4f79d701001a5 (patch) | |
| tree | 430897f649275330f0e36ea4a349a99e92a7ad38 /config/haproxy1_5 | |
| parent | 06a66c936672073525ea2626b85ccc42db104f16 (diff) | |
| download | pfsense-packages-6479eab976d425ae2f8d3eb988a4f79d701001a5.tar.gz pfsense-packages-6479eab976d425ae2f8d3eb988a4f79d701001a5.tar.bz2 pfsense-packages-6479eab976d425ae2f8d3eb988a4f79d701001a5.zip | |
haproxy-1_5, haproxy-devel, bump binary versions to 1.5.14 / 1.6-dev2.
Also copy fixes made -devel to the -1_5 package.
Diffstat (limited to 'config/haproxy1_5')
| -rw-r--r-- | config/haproxy1_5/pkg/haproxy.inc | 208 | ||||
| -rw-r--r-- | config/haproxy1_5/pkg/haproxy_utils.inc | 44 | ||||
| -rw-r--r-- | config/haproxy1_5/pkg/haproxy_utils.inc.bak | 460 | ||||
| -rw-r--r-- | config/haproxy1_5/www/haproxy_listeners_edit.php | 11 | ||||
| -rw-r--r-- | config/haproxy1_5/www/haproxy_pool_edit.php | 2 |
5 files changed, 234 insertions, 491 deletions
diff --git a/config/haproxy1_5/pkg/haproxy.inc b/config/haproxy1_5/pkg/haproxy.inc index 793c5c28..eceef783 100644 --- a/config/haproxy1_5/pkg/haproxy.inc +++ b/config/haproxy1_5/pkg/haproxy.inc @@ -345,10 +345,12 @@ function haproxy_custom_php_deinstall_command() { update_output_window($static_output); $static_output .= "HAProxy, deleting haproxy webgui\n"; update_output_window($static_output); - exec("rm /usr/local/etc/rc.d/haproxy.sh"); + unlink_if_exists("/usr/local/etc/rc.d/haproxy.sh"); + unlink_if_exists("/etc/rc.haproxy_ocsp.sh"); $static_output .= "HAProxy, installing cron job if needed\n"; update_output_window($static_output); haproxy_install_cron(false); + haproxy_install_cronjob(false, '/etc/rc.haproxy_ocsp.sh'); $static_output .= "HAProxy, running haproxy_custom_php_deinstall_command() DONE\n"; update_output_window($static_output); } @@ -362,6 +364,12 @@ function haproxy_custom_php_install_command() { update_output_window($static_output); conf_mount_rw(); + $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); + if ($pf_version == "2.1" || $pf_version == "2.2") + $haproxy_binary = "/usr/pbi/haproxy-devel-" . php_uname("m") . "/sbin/haproxy"; + else + $haproxy_binary = "/usr/local/sbin/haproxy"; + $static_output .= "HAProxy, create '/usr/local/etc/rc.d/haproxy.sh'\n"; update_output_window($static_output); $haproxy = <<<EOD @@ -375,7 +383,7 @@ function haproxy_custom_php_install_command() { name="haproxy" rcvar="\${name}_enable" -command="/usr/pbi/haproxy-devel-`uname -m`/sbin/haproxy" +command="{$haproxy_binary}" haproxy_enable=\${haproxy-"YES"} start_cmd="haproxy_start" @@ -425,7 +433,32 @@ EOD; $fd = fopen("/usr/local/etc/rc.d/haproxy.sh", "w"); fwrite($fd, $haproxy); fclose($fd); - exec("chmod a+rx /usr/local/etc/rc.d/haproxy.sh"); + chmod("/usr/local/etc/rc.d/haproxy.sh", 0755); + + $haproxy_ocsp = <<<EOD +#!/usr/local/bin/php -f + +<?php + +/* + Updates haproxy OCSP responses. +*/ + +require_once("globals.inc"); +require_once("functions.inc"); +require_once("haproxy.inc"); +require_once("haproxy_socketinfo.inc"); +haproxy_updateocsp(); + +?> + +EOD; + // removing the \r prevents the "No input file specified." error.. + $haproxy_ocsp = str_replace("\r\n","\n", $haproxy_ocsp); + $fd = fopen("/etc/rc.haproxy_ocsp.sh", "w"); + fwrite($fd, $haproxy_ocsp); + fclose($fd); + chmod("/etc/rc.haproxy_ocsp.sh", 0755); $static_output .= "HAProxy, update configuration\n"; update_output_window($static_output); @@ -447,6 +480,51 @@ EOD; update_output_window($static_output); } +function haproxy_install_cronjob($should_install, $script, $interval = 60, $parameters = "") { + global $config, $g; + if($g['booting']==true) + return; + $is_installed = false; + if(!$config['cron']['item']) + return; + $x=0; + foreach($config['cron']['item'] as $item) { + if(strstr($item['command'], $script)) { + $is_installed = true; + break; + } + $x++; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "*/{$interval}"; + $cron_item['hour'] = "*"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "$script $parameters"; + $config['cron']['item'][] = $cron_item; + parse_config(true); + write_config("haproxy, install cron job"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + parse_config(true); + write_config("haproxy, remove cron job"); + } + configure_cron(); + } + break; + } +} + function haproxy_install_cron($should_install) { global $config, $g; if($g['booting']==true) @@ -879,24 +957,108 @@ function haproxy_write_certificate_crl($filename, $crlid, $append = false) { unset($crl); } -function haproxy_write_certificate_fullchain($filename, $certid, $append = false) { +function haproxy_write_certificate_fullchain($filename, $certid, $append = false, $skiproot = true) { $cert = haproxy_lookup_cert($certid); $certcontent = base64_decode($cert['crt']); if (isset($cert['prv'])) $certcontent .= "\r\n".base64_decode($cert['prv']); + $ca = $cert; + while(!empty($ca['caref'])) { + $ca = lookup_ca($ca['caref']); + if ($ca) { + if ($skiproot && (cert_get_subject($ca['crt']) == cert_get_issuer($ca['crt']))) + break; + $certcontent .= "\r\n" . base64_decode($ca['crt']); + } else + break; + } + $flags = $append ? FILE_APPEND : 0; + file_put_contents($filename, $certcontent, $flags); + unset($certcontent); + unset($cert); +} + +function haproxy_write_certificate_issuer($filename, $certid) { + $cert = haproxy_lookup_cert($certid); $certchaincontent = ca_chain($cert); if ($certchaincontent != "") { $certcontent .= "\r\n" . $certchaincontent; } unset($certchaincontent); - $flags = $append ? FILE_APPEND : 0; - file_put_contents($filename, $certcontent, $flags); + file_put_contents($filename, $certcontent, 0); unset($certcontent); unset($cert); } +function haproxy_uses_ocsp() { + global $config; + $a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + if (!is_array($a_frontends)) + return false; + + $configpath = "{$g['varetc_path']}/haproxy"; + foreach ($a_frontends as $frontend) { + if ($frontend['sslocsp'] == 'yes') { + return true; + } + } + return false; +} + +function haproxy_getocspurl($filename) { + return exec("openssl x509 -noout -ocsp_uri -in $filename", $output, $err); +} + +function haproxy_updateocsp_one($socketupdate, $filename, $name) { + if (file_exists("{$filename}.ocsp")) { + // If the .ocsp file exists we want to use ocsp + syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}.. "); + $ocsp_url = haproxy_getocspurl($filename); + $ocsp_host = parse_url($ocsp_url, PHP_URL_HOST); + if (empty($ocsp_url)) { + // If cert does not have a ocsp_uri, it cannot be updated.. + syslog(LOG_ERR, "HAProxy OCSP ERROR Cert does not have a ocsp_uri"); + } else { + $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err); + if ($socketupdate) { + $ocspresponse = base64_encode(file_get_contents("{$filename}.ocsp")); + $r = haproxy_socket_command("set ssl ocsp-response $ocspresponse"); + if ($r[0] == "OCSP Response updated!\n") + syslog(LOG_NOTICE, "HAProxy OCSP socket update successful for frontend {$name}..result: ".$retval); + else { + syslog(LOG_ERR, "HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: {$name}"); + } + } else { + syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}..result: ".$retval); + } + } + } +} + +function haproxy_updateocsp($socketupdate = true) { + global $config, $g; + $a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + if (!is_array($a_frontends)) + return true; + + $configpath = "{$g['varetc_path']}/haproxy"; + foreach ($a_frontends as $frontend) { + $filename = "$configpath/{$frontend['name']}.pem"; + haproxy_updateocsp_one($socketupdate, $filename, $frontend['name']); + + $subfolder = "$configpath/{$frontend['name']}"; + $certs = $frontend['ha_certificates']['item']; + if (is_array($certs)){ + foreach($certs as $cert){ + $filename = "$subfolder/{$cert['ssl_certificate']}.pem"; + haproxy_updateocsp_one($socketupdate, $filename, $frontend['name']); + } + } + } +} + function haproxy_writeconf($configpath) { global $config; global $aliastable; @@ -993,14 +1155,29 @@ function haproxy_writeconf($configpath) { //ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem $filename = "$configpath/{$frontend['name']}.pem"; $ssl_crt = " crt $filename"; + haproxy_write_certificate_fullchain($filename, $frontend['ssloffloadcert']); + if ($frontend['sslocsp'] == 'yes') { + if (!empty(haproxy_getocspurl($filename))) { + haproxy_write_certificate_issuer($filename . ".issuer", $frontend['ssloffloadcert']); + touch($filename . ".ocsp");//create initial empty file. this will trigger updates, and inform haproxy it 'should' be using ocsp + } + } + $subfolder = "$configpath/{$frontend['name']}"; $certs = $frontend['ha_certificates']['item']; if (is_array($certs)){ if (count($certs) > 0){ @mkdir($subfolder, 0755, true); foreach($certs as $cert){ - haproxy_write_certificate_fullchain("$subfolder/{$cert['ssl_certificate']}.pem", $cert['ssl_certificate']); + $filenamefoldercert = "$subfolder/{$cert['ssl_certificate']}.pem"; + haproxy_write_certificate_fullchain($filenamefoldercert, $cert['ssl_certificate']); + if ($frontend['sslocsp'] == 'yes') { + if (!empty(haproxy_getocspurl($filenamefoldercert))) { + haproxy_write_certificate_issuer($filenamefoldercert . ".issuer", $cert['ssl_certificate']); + touch($filenamefoldercert . ".ocsp"); + } + } } $ssl_crt .= " crt $subfolder"; } @@ -1344,11 +1521,6 @@ function haproxy_writeconf($configpath) { haproxy_do_xmlrpc_sync(); } } - - if (isset($a_global['carpdev'])) - haproxy_install_cron(true); - else - haproxy_install_cron(false); } function haproxy_is_running() { @@ -1560,8 +1732,18 @@ function haproxy_check_run($reload) { $a_global = &$config['installedpackages']['haproxy']; $configpath = "{$g['varetc_path']}/haproxy"; - if ($reload) + if ($reload) { haproxy_writeconf($configpath); + haproxy_updateocsp(false); + + if (isset($a_global['carpdev'])) + haproxy_install_cron(true); + else + haproxy_install_cron(false); + + $useocsp = haproxy_uses_ocsp(); + haproxy_install_cronjob($useocsp, '/etc/rc.haproxy_ocsp.sh', 120); + } if(isset($a_global['enable'])) { if (isset($a_global['carpdev'])) { diff --git a/config/haproxy1_5/pkg/haproxy_utils.inc b/config/haproxy1_5/pkg/haproxy_utils.inc index d8c4faf4..ec72b986 100644 --- a/config/haproxy1_5/pkg/haproxy_utils.inc +++ b/config/haproxy1_5/pkg/haproxy_utils.inc @@ -36,24 +36,38 @@ require_once("config.inc"); class haproxy_utils { public static $pf_version; - public function query_dns($host, $querytype="A,AAAA", $dnsserver = "127.0.0.1") { + public function query_dns($host, $querytype="A,AAAA") { $result = array(); - $host = trim($host, " \t\n\r\0\x0B[];\"'"); - $host_esc = escapeshellarg($host); $types = explode(',',$querytype); + $recordtype = 0; foreach($types as $type){ - $resolved = gethostbyname($host); - if($resolved) { - $resolved = array(); - if (haproxy_utils::$pf_version < '2.2') - exec("/usr/bin/dig {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved); - else - exec("/usr/bin/drill {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved); - foreach($resolved as $item) { - $newitem = array(); - $newitem["typeid"] = $type; - $newitem["data"] = $item; - $result[] = $newitem; + switch ($type) { + case 'A': + $recordtype = DNS_A; + break; + case 'AAAA': + $recordtype = DNS_AAAA; + break; + } + if ($recordtype != 0) { + //query one type at a time, querying multiple types in one call dns_get_record fails if one is not present.. + $errreporting = error_reporting(); + error_reporting($errreporting & ~E_WARNING);// dns_get_record throws a warning if nothing is resolved.. + $dnsresult = dns_get_record($host, $recordtype); + error_reporting($errreporting); + if (is_array($dnsresult)) { + foreach($dnsresult as $item) { + $newitem["typeid"] = $item['type']; + switch ($item['type']) { + case 'A': + $newitem["data"] = $item['ip']; + break; + case 'AAAA': + $newitem["data"] = $item['ipv6']; + break; + } + $result[] = $newitem; + } } } } diff --git a/config/haproxy1_5/pkg/haproxy_utils.inc.bak b/config/haproxy1_5/pkg/haproxy_utils.inc.bak deleted file mode 100644 index 26c77b45..00000000 --- a/config/haproxy1_5/pkg/haproxy_utils.inc.bak +++ /dev/null @@ -1,460 +0,0 @@ -<?php -/* - haproxy_utils.php - part of pfSense (https://www.pfsense.org/) - Copyright (C) 2013-2015 PiBa-NL - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. -*/ -/* - This file contains functions which are NOT specific to HAProxy and may/could/should - be moved to the general pfSense php library for possible easy use by other parts of pfSense -*/ - -require_once("config.inc"); - -class haproxy_utils { - public static $pf_version; - - public function query_dns($host, $querytype="A,AAAA", $dnsserver = "127.0.0.1") { - $result = array(); - $host = trim($host, " \t\n\r\0\x0B[];\"'"); - $host_esc = escapeshellarg($host); - $types = explode(',',$querytype); - foreach($types as $type){ - $resolved = gethostbyname($host); - if($resolved) { - $resolved = array(); - if (haproxy_utils::$pf_version < '2.2') - exec("/usr/bin/dig {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved); - else - exec("/usr/bin/drill {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved); - foreach($resolved as $item) { - $newitem = array(); - $newitem["typeid"] = $type; - $newitem["data"] = $item; - $result[] = $newitem; - } - } - } - return $result; - } -} -haproxy_utils::$pf_version = substr(trim(file_get_contents("/etc/version")),0,3); - -if(!function_exists('ifset')){ - function ifset(&$var, $default = ''){ - return isset($var) ? $var : $default; - }; -} - -if(!function_exists('is_arrayset')){ - function is_arrayset(&$array, $items){ - if (!isset($array)) - return false; - $item = $array; - $arg = func_get_args(); - for($i = 1; $i < count($arg); $i++) { - - $itemindex = $arg[$i]; - if (!isset($item[$itemindex]) || !is_array($item[$itemindex])) - return false; - $item = $item[$itemindex]; - - } - return true; - } -} - -function haproxy_compareByName($a, $b) { - return strcasecmp($a['name'], $b['name']); -} - -function haproxy_interface_ip($interfacebindname,$userfriendly=false){ - $list = haproxy_get_bindable_interfaces(); - $item = $list[$interfacebindname]; - $result = $item['ip']; - if ($userfriendly && !$result) - $result = $item['name']; - return $result; -} - -function haproxy_get_bindable_interfaces($ipv="ipv4,ipv6", $interfacetype="any,localhost,real,carp,ipalias"){ - // returns a list of ALL interface/IPs that can be used to bind a service to. - // filtered by the conditions given in the two filter parameters. - // result array includes: - // $bindable[key] can be stored and compared with previous setings - // $bindable[key]['ip'] the current IP (possibly changes for dhcp enabled interfaces..) - // $bindable[key]['description'] can be shown to user in a selection box - - global $config; - $ipverions = split(',',$ipv); - $interfacetypes= split(',',$interfacetype); - - $bindable = array(); - if (in_array("ipv4",$ipverions)){ - if (in_array('any',$interfacetypes)){ - $item = array(); - $item[ip] = '0.0.0.0'; - $item[name] = 'any (IPv4)'; - $bindable['any_ipv4'] = $item; - } - if (in_array('localhost',$interfacetypes)){ - $item = array(); - $item[ip] = '127.0.0.1'; - $item[name] = 'localhost (IPv4)'; - $bindable['localhost_ipv4'] = $item; - } - if (in_array('real',$interfacetypes)){ - foreach($config['interfaces'] as $if => $ifdetail) { - if (!isset($ifdetail['enable'])) - continue; - if (!isset($ifdetail['ipaddr'])) - continue; - $descr = $ifdetail['descr']; - if (!$descr){ - if ($if == "wan" && !$ifdetail['descr']) - $descr = "WAN"; - else if ($if == "lan" && !$ifdetail['descr']) - $descr = "LAN"; - else - $descr = $if; - } - $item = array(); - $item['ip'] = get_interface_ip($if); - $item['name'] = "$descr address (IPv4)"; - $bindable[$if.'_ipv4'] = $item; - } - } - if (in_array('carp',$interfacetypes)){ - $carplist = get_configured_carp_interface_list(); - foreach ($carplist as $carpif => $carpip){ - if (is_ipaddrv4($carpip)){ - $item = array(); - $item['ip'] = $carpip; - $item['name'] = $carpip." (".get_vip_descr($carpip).")"; - $bindable[$carpip] = $item; - } - } - - } - if (in_array('ipalias',$interfacetypes)){ - $aliaslist = get_configured_ip_aliases_list(); - foreach ($aliaslist as $aliasip => $aliasif){ - if (is_ipaddrv4($aliasip)){ - $item = array(); - $item['ip'] = $aliasip; - $item['name'] = $aliasip." (".get_vip_descr($aliasip).")"; - $bindable[$aliasip.'_ipv4'] = $item; - } - } - } - } - if (!isset($config['system']['ipv6allow'])) - return $bindable;// skip adding the IPv6 addresses if those are not 'allowed' - - if (in_array("ipv6",$ipverions)){ - if (in_array('any',$interfacetypes)){ - $item = array(); - $item[ip] = '::'; - $item[name] = 'any (IPv6)'; - $bindable['any_ipv6'] = $item; - } - if (in_array('localhost',$interfacetypes)){ - $item = array(); - $item[ip] = '::1'; - $item[name] = 'localhost (IPv6)'; - $bindable['localhost_ipv6'] = $item; - } - if (in_array('real',$interfacetypes)){ - foreach($config['interfaces'] as $if => $ifdetail) { - if (!isset($ifdetail['enable'])) - continue; - if (!isset($ifdetail['ipaddrv6'])) - continue; - $descr = $ifdetail['descr']; - if (!$descr){ - if ($if == "wan" && !$ifdetail['descr']) - $descr = "WAN"; - else if ($if == "lan" && !$ifdetail['descr']) - $descr = "LAN"; - else - $descr = $if; - } - $item = array(); - $item['ip'] = get_interface_ipv6($if); - $item['name'] = "$descr address (IPv6)"; - $bindable[$if.'_ipv6'] = $item; - } - } - if (in_array('carp',$interfacetypes)){ - $carplist = get_configured_carp_interface_list(); - foreach ($carplist as $carpif => $carpip){ - if (is_ipaddrv6($carpip)){ - $item = array(); - $item['ip'] = $carpip; - $item['name'] = $carpip." (".get_vip_descr($carpip).")"; - $bindable[$carpip] = $item; - } - } - - } - if (in_array('ipalias',$interfacetypes)){ - $aliaslist = get_configured_ip_aliases_list(); - foreach ($aliaslist as $aliasip => $aliasif){ - if (is_ipaddrv6($aliasip)){ - $item = array(); - $item['ip'] = $aliasip; - $item['name'] = $aliasip." (".get_vip_descr($aliasip).")"; - $bindable[$aliasip] = $item; - } - } - } - } - return $bindable; -} - -function haproxy_get_cert_extensions($crt){ - $cert = openssl_x509_parse(base64_decode($crt['crt'])); - return $cert['extensions']; -} - -function haproxy_get_cert_authoritykeyidentifier($cert) -{ - $certextension = haproxy_get_cert_extensions($cert); - $lines = preg_split('/[\n]+/',$certextension['authorityKeyIdentifier']); - return substr($lines[0],6);// cut off the starting string 'keyid:' -} -function haproxy_get_cert_subjectKeyIdentifier($cert) -{ - $certextension = haproxy_get_cert_extensions($cert); - $lines = preg_split('/[\n]+/',$certextension['subjectKeyIdentifier']); - return $lines[0]; -} - -function haproxy_cert_signed_by($cert, $signedbycert) { - // checks if $cert was signed by $signedbycert - // this does NOT validate a proper signature but only checks if the extension properties match. - $authoritykeyid = haproxy_get_cert_authoritykeyidentifier($cert); - $subjectid = haproxy_get_cert_subjectKeyIdentifier($signedbycert); - return $authoritykeyid == $subjectid; -} - -function haproxy_recalculate_certifcate_chain(){ - // and set "selfsigned" for certificates that where used to sign themselves - // recalculate the "caref" for all certificates where it is currently unkown. - - $allcertificates = haproxy_get_certificates('ca,server,user',true); - $items_recalculated = 0; - foreach($allcertificates as &$cert){ - $recalculate=false; - if (!isset($cert['selfsigned'])){ - if (!isset($cert['caref'])) - $recalculate=true; - else { - $ca = lookup_ca($cert['caref']); - if (!$ca) - $recalculate=true; - } - } - if ($recalculate){ - foreach($allcertificates as &$signedbycert){ - if(haproxy_cert_signed_by($cert, $signedbycert)){ - if ($cert['refid'] == $signedbycert['refid']){ - $cert['selfsigned'] = true; - } else { - $cert['caref'] = $signedbycert['refid']; - } - $items_recalculated++; - } - } - } - } - if ($items_recalculated > 0) - write_config("Services: HAProxy: Recalculated $items_recalculated certificate chains."); - return $items_recalculated; -} - -function get_certificat_usage($refid) { - $usage = array(); - $cert = lookup_cert($refid); - if (is_cert_revoked($cert)) - $usage[] = "*Revoked"; - if (is_webgui_cert($refid)) - $usage[] = "webConfigurator"; - if (is_user_cert($refid)) - $usage[] = "User Cert"; - if (is_openvpn_server_cert($refid)) - $usage[] = "OpenVPN Server"; - if (is_openvpn_client_cert($refid)) - $usage[] = "OpenVPN Client"; - if (is_ipsec_cert($refid)) - $usage[] = "IPsec Tunnel"; - if (function_exists("is_captiveportal_cert")) - if (is_captiveportal_cert($refid)) - $usage[] = "Captive Portal"; - return $usage; -} - -function haproxy_get_certificate_descriptivename($cert) { - $usage = get_certificat_usage($cert['crt']); - foreach($usage as $use){ - $usagestr .= " " . $use; - } - if ($usagestr != "") - $usagestr = " (".trim($usagestr).")"; - - $purpose = cert_get_purpose($cert['crt']); - $certserverpurpose = $purpose['server'] == 'Yes' ? " [Server cert]" : ""; - - $caname = ""; - $ca = lookup_ca($cert['caref']); - if ($ca) - $caname = " (CA: {$ca['descr']})"; - - return $cert['descr'] . $caname . $certserverpurpose . $usagestr; -} - -function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=false) { - // $type one or multiple of these separated by a comma: ca,server,user - // $get_includeWebCert if the webgui certificate may be included. - - // This function (is intended to) provide a uniform way to retrieve a list of server certificates - global $config; - $type = ",$type,"; - $certificates = array(); - if (strpos($type,',server,') !== false || strpos($type,',user,') !== false ) { - if (is_array($config['cert'])) { - $a_cert = &$config['cert']; - foreach ($a_cert as $cert) { - $purpose = cert_get_purpose($cert['crt']); - - $ok = false; - $ok |= stristr($type,',server,') && $purpose['server'] == 'Yes'; - $ok |= stristr($type,',user,') && $purpose['server'] != 'Yes'; - if (!$ok) - continue; - //if ($get_includeWebCert == false && is_webgui_cert($cert['refid'])) - if ($get_includeWebCert == false && $cert['descr'] == "def web cert") - continue; - $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert); - } - } - } - if (strpos($type,',ca,') !== false) { - if (is_array($config['ca'])) { - $a_cert = &$config['ca']; - foreach ($a_cert as $cert) { - $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert); - } - } - } - uasort($certificates, haproxy_compareByName); - return $certificates; -} - -function haproxy_get_crls() { - global $config; - $certificates=array(); - if (is_array($config['crl'])) { - foreach ($config['crl'] as $crl) { - $caname = ""; - $ca = lookup_ca($crl['caref']); - if ($ca) - $caname = " (CA: {$ca['descr']})"; - - $certificates[$crl['refid']]['name'] = $crl['descr'] . $caname; - } - } - uasort($certificates, haproxy_compareByName); - return $certificates; -} - -function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName, $includeitems) { - $offset = str_repeat(' ',$nestID); - $itemName = "item$nestID"; - echo "{$offset}$nodeName = {};\n"; - if (is_array($items)) - foreach ($items as $key => $item) - { - if (in_array($path.'/'.$key, $includeitems)) - $subpath = $path.'/'.$key; - else - $subpath = $path.'/*'; - if (in_array($subpath, $includeitems) || in_array($path.'/*', $includeitems)) { - if (is_array($item)) { - $subNodeName = "item$nestID"; - phparray_to_javascriptarray_recursive($nestID+1, $subpath, $items[$key], $subNodeName, $includeitems); - echo "{$offset}{$nodeName}['{$key}'] = $itemName;\n"; - } else { - $item = json_encode($item); - echo "{$offset}{$nodeName}['$key'] = $item;\n"; - } - } - } -} -function phparray_to_javascriptarray($items, $javaMapName, $includeitems) { - phparray_to_javascriptarray_recursive(1,'',$items, $javaMapName, $includeitems); -} - -function haproxy_html_select_options($keyvaluelist, $selected="") { - $result = ""; - foreach($keyvaluelist as $key => $desc){ - $selectedhtml = $key == $selected ? "selected" : ""; - if ($desc['deprecated'] && $key != $selected){ - continue; - } - $name = htmlspecialchars($desc['name']); - $result .= "<option value='{$key}' {$selectedhtml}>{$name}</option>"; - } - return $result; -} - -function haproxy_js_select_options($keyvaluelist, $selected="") { - $result = ""; - foreach($keyvaluelist as $key => $desc){ - $selectedhtml = $key == $selected ? "selected" : ""; - if ($desc['deprecated'] && $key != $selected){ - continue; - } - $name = htmlspecialchars($desc['name']); - $result .= "<option value='{$key}' {$selectedhtml}>{$name}<\/option>"; - } - return $result; -} - -function echo_html_select($name, $keyvaluelist, $selected, $listEmptyMessage="", $onchangeEvent="", $style="") { - if (count($keyvaluelist)>0){ - if ($onchangeEvent != "") - $onchangeEvent = " onchange='$onchangeEvent'"; - if ($style != "") - $style = " style='$style'"; - echo "<select name=\"$name\" id=\"$name\" class=\"formselect\"$onchangeEvent$style>"; - echo haproxy_html_select_options($keyvaluelist, $selected); - echo "</select>"; - } else { - echo $listEmptyMessage; - } -} - -?>
\ No newline at end of file diff --git a/config/haproxy1_5/www/haproxy_listeners_edit.php b/config/haproxy1_5/www/haproxy_listeners_edit.php index d8841c33..6998e099 100644 --- a/config/haproxy1_5/www/haproxy_listeners_edit.php +++ b/config/haproxy1_5/www/haproxy_listeners_edit.php @@ -71,7 +71,7 @@ uasort($a_pools, haproxy_compareByName); global $simplefields; $simplefields = array('name','desc','status','secondary','primary_frontend','type','forwardfor','httpclose','extaddr','backend_serverpool', 'max_connections','client_timeout','port','advanced_bind', - 'ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','ssloffloadacladditional','sslclientcert-none','sslclientcert-invalid', + 'ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','ssloffloadacladditional','sslclientcert-none','sslclientcert-invalid','sslocsp', 'socket-stats', 'dontlognull','dontlog-normal','log-separate-errors','log-detailed'); @@ -787,6 +787,12 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend); <input id="ssloffloadacl" name="ssloffloadacl" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacl']=='yes') echo "checked";?> onclick="updatevisibility();" />Add ACL for certificate CommonName. (host header matches the 'CN' of the certificate)<br/> </td> </tr> + <tr class="haproxy_ssloffloading_enabled" align="left"> + <td width="22%" valign="top" class="vncell">OCSP</td> + <td width="78%" class="vtable" colspan="2"> + <input id="sslocsp" name="sslocsp" type="checkbox" value="yes" <?php if ($pconfig['sslocsp']=='yes') echo "checked";?> onclick="updatevisibility();" />Load certificate ocsp responses for easy certificate validation by the client.<br/> + </td> + </tr> <tr class="haproxy_ssloffloading_enabled"> <td width="22%" valign="top" class="vncell">Additional certificates</td> <td width="78%" class="vtable" colspan="2" valign="top"> @@ -805,7 +811,8 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend); <input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo 'value="'.htmlspecialchars($pconfig['dcertadv']).'"';?> /> <br/> NOTE: Paste additional ssl options(without commas) to include on ssl listening options.<br/> - some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets + some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets<br/> + Example: no-sslv3 ciphers EECDH+aRSA+AES:TLSv1+kRSA+AES:TLSv1+kRSA+3DES </td> </tr> <tr class="haproxy_ssloffloading_enabled haproxy_primary"> diff --git a/config/haproxy1_5/www/haproxy_pool_edit.php b/config/haproxy1_5/www/haproxy_pool_edit.php index 5e38b12d..0824e45c 100644 --- a/config/haproxy1_5/www/haproxy_pool_edit.php +++ b/config/haproxy1_5/www/haproxy_pool_edit.php @@ -961,7 +961,7 @@ set by the 'retries' parameter.</div> <td colspan="2" valign="top" class="listtopic">Advanced</td> </tr> <tr class="" align="left" id='Strict-Transport-Security'> - <td width="22%" valign="top" class="vncell">Strict-Transport-Security</td> + <td width="22%" valign="top" class="vncell">HSTS Strict-Transport-Security</td> <td width="78%" class="vtable" colspan="2"> When configured enables "HTTP Strict Transport Security" leave empty to disable. (only used on 'http' frontends)<br/> <b>WARNING! the domain will only work over https with a valid certificate!</b><br/> |