authorPiBa-NL <pba_2k3@yahoo.com>2015-02-08 00:53:11 +0100
committerPiBa-NL <pba_2k3@yahoo.com>2015-02-08 00:53:11 +0100
commitcec43bb753d271b84aa6610315fdc02f784895c4 (patch)
treec7d77bfcc1e543a18a33466e7376ca6f1f210e79 /config
parent75372116092d861ab829d52f3d245325696cee66 (diff)
haproxy-devel, 0.18, make sure frontend without acl's is last 'default' even when system acl is added
Diffstat (limited to 'config')
-rw-r--r--config/haproxy-devel/haproxy.inc21
1 files changed, 16 insertions, 5 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index a7394cf3..fd4262a5 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -1147,6 +1147,7 @@ function haproxy_writeconf($configpath) {
$default_backend = "";
$config_acls = "";
$config_usebackends = "";
+ $config_usedefaultbackends = "";
$transparent_clientip = false;
foreach ($bind['config'] as $frontend) {
@@ -1171,11 +1172,13 @@ function haproxy_writeconf($configpath) {
$backend = haproxy_find_backend($frontend['backend_serverpool']);
$transparent_clientip = $backend["transparent_clientip"] == 'yes';
+ $allowfordefaultbackend = true;
$ipv = array();
if ($transparent_clientip) {
if ($useipv4 && $useipv6) {
$ipv["ipv4"]['acl'] = " src_is_ipv4 ";
$ipv["ipv6"]['acl'] = " !src_is_ipv4 ";
+ $allowfordefaultbackend = false; // transparent backend must always match client-ip which is ipv4 v.s. ipv6 specific so there cannot be a default.
} else if ($useipv6)
$ipv["ipv6"]['acl'] = " ";
else
@@ -1217,10 +1220,12 @@ function haproxy_writeconf($configpath) {
$a_pendingpl[$poolname]['frontend'] = $bind;
$a_pendingpl[$poolname]['ipversion'] = $ipversion;
}
-
+ $canbedefaultbackend = false;
// Write this out once, and must be before any backend config text
if (($default_backend == "" || $frontend['secondary'] != 'yes') && count($a_acl) == 0 ) {
- $default_backend = $poolname;
+ $canbedefaultbackend = true;
+ if ($allowfordefaultbackend)
+ $default_backend = $poolname;
}
foreach ($a_acl_combine as $a_usebackend) {
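Review bot: `$canbedefaultbackend` and `$allowfordefaultbackend` are easy to confuse, and nothing at the `if` under the "Write this out once" comment explains why the first is set even when the second is false. In that case (a transparent backend with both IPv4 and IPv6) the frontend's rules still go into the trailing group, but `$default_backend` stays empty, so a later ACL-less frontend, including a secondary one, can pass the `$default_backend == ""` test and become the default. If that is intended, a comment such as `// no ACLs: rules are written last; default_backend only when not ipv4/ipv6-specific` above `$canbedefaultbackend = true;` would make it reviewable. haproxy_writeconf starts and ends outside this hunk.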
@@ -1281,12 +1286,17 @@ function haproxy_writeconf($configpath) {
$y++;
}
- if (count($useracls) == 0) $useracls[] = ""; // add empty item to enter foreach loop at least once.
+ $systemacl = trim("{$certacl}{$ipversionoptions['acl']}");
+ if (!empty($systemacl) && count($useracls) == 0) $useracls[] = ""; // add empty item to enter foreach loop at least once when a system acl is pressent.
foreach($useracls as $useracl) {
$backendacl = "";
- $backendacl .= "|| {$useracl}{$certacl}{$ipversionoptions['acl']}";
+ $backendacl .= "|| {$useracl}{$systemacl}";
$backendacl = substr($backendacl, 3);
- $config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
+ if ($canbedefaultbackend) {
+ // makes sure these come last even though systemacl's might have been added.
+ $config_usedefaultbackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
+ } else
+ $config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
}
}
}
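Review bot: The `trim()` on `$systemacl` removes the leading space that used to separate the user ACL from the system ACL, so `"|| {$useracl}{$systemacl}"` can fuse two ACL names unless `$useracl` always ends in a space, which is not visible here (the IPv4 value set earlier is `" src_is_ipv4 "`, with its own padding). A fused name would at best fail the HAProxy config check and at worst change which backend a request reaches. An explicit separator, `$backendacl .= "|| " . trim("{$useracl} {$systemacl}");`, avoids relying on padding. Separately, when both `$useracls` and `$systemacl` are empty the loop is now skipped, so a pool that is not the default gets no `use_backend` line at all; logging or rejecting that case would be safer than dropping it silently.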
@@ -1302,6 +1312,7 @@ function haproxy_writeconf($configpath) {
// Write backends after advanced options so custom use_backend rules can be applied first.
fwrite ($fd, $config_usebackends);
+ fwrite ($fd, $config_usedefaultbackends);
if ($default_backend)
fwrite ($fd, "\tdefault_backend\t\t" . $default_backend . "\n");