diff options
author | PiBa-NL <pba_2k3@yahoo.com> | 2013-03-09 01:06:56 +0100 |
---|---|---|
committer | PiBa-NL <pba_2k3@yahoo.com> | 2013-03-09 01:06:56 +0100 |
commit | e1a963c1f543873630b104d244151ed70c0b9da7 (patch) | |
tree | a44b8db726e44fe4bc8f4cee117052bc224cb601 /config | |
parent | 923ed523e8088bdb494ca8f72fa1fe1caa2a4e6a (diff) | |
download | pfsense-packages-e1a963c1f543873630b104d244151ed70c0b9da7.tar.gz pfsense-packages-e1a963c1f543873630b104d244151ed70c0b9da7.tar.bz2 pfsense-packages-e1a963c1f543873630b104d244151ed70c0b9da7.zip |
haproxy-devel, small bugfixes.. maintain ssl checkbox selection, dont use httpcheck for ssl backends, use req_ssl_hello_type for https with SNI acl's.
Diffstat (limited to 'config')
-rw-r--r-- | config/haproxy-devel/haproxy.inc | 39 | ||||
-rw-r--r-- | config/haproxy-devel/haproxy_listeners_edit.php | 18 | ||||
-rw-r--r-- | config/haproxy-devel/haproxy_pool_edit.php | 4 |
3 files changed, 49 insertions, 12 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index cd440eb0..e246b8e0 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -63,7 +63,7 @@ $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', 'mode' => '', 'syntax' => 'src'); if ($haproxy_sni_ssloffloading) { $a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches', - 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\r\ntcp-request content accept if { req_ssl_hello_type 1 }"); + 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\n\ttcp-request content accept if { req_ssl_hello_type 1 }"); } function haproxy_custom_php_deinstall_command() { @@ -324,7 +324,20 @@ function haproxy_find_acl($name) { function write_backend($fd, $name, $pool, $frontend) { if(!is_array($pool['ha_servers']['item']) && !$pool['stats_enabled']=='yes') return; + + $a_servers = &$pool['ha_servers']['item']; + unset($sslserverpresent); + if (is_array($a_servers)) + { + foreach($a_servers as $be) { + if (!$be['status'] == "inactive") + continue; + if ($be['ssl']) + $sslserverpresent = true; + } + } + fwrite ($fd, "backend " . $name . "\n"); if($pool['cookie_name'] && strtolower($frontend['type']) == "http") fwrite ($fd, "\tcookie\t\t\t" . $pool['cookie_name'] . " insert indirect\n"); @@ -333,7 +346,7 @@ function write_backend($fd, $name, $pool, $frontend) { if(strtolower($frontend['type']) == "https") { $backend_type = "tcp"; $httpchk = "ssl-hello-chk"; - } else { + } else { $backend_type = $frontend['type']; $httpchk = "httpchk"; } @@ -378,7 +391,9 @@ function write_backend($fd, $name, $pool, $frontend) { $uri = $pool['monitor_uri']; else $uri = "/"; - fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n"); + + if (!$sslserverpresent) + fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n"); if ($pool['advanced_backend']) { $adv_be = explode("\n", base64_decode($pool['advanced_backend'])); @@ -407,7 +422,6 @@ function write_backend($fd, $name, $pool, $frontend) { else $checkinter = ""; - $a_servers = &$pool['ha_servers']['item']; if (is_array($a_servers)) { foreach($a_servers as $be) { @@ -421,7 +435,8 @@ function write_backend($fd, $name, $pool, $frontend) { } else { $isbackup = ""; } - fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); + $ssl = ($backend_type == "http" && $be['ssl'] == 'yes') ? ' ssl' : ""; + fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . "$ssl $cookie $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); } } fwrite ($fd, "\n"); @@ -486,7 +501,7 @@ function haproxy_writeconf() { } //check ssl info - if ($backend['ssloffload']){ + if (strtolower($backend['type']) == "http" && $backend['ssloffload']){ //ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem $ssl_crt=" crt /var/etc/{$backend['name']}.{$backend['port']}.crt"; $cert = lookup_cert($backend['ssloffloadcert']); @@ -497,6 +512,9 @@ function haproxy_writeconf() { $ssl_crt=""; unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); } + + if ($backend['extaddr']=='localhost') + $backend['extaddr'] = "127.0.0.1"; $bname = $backend['extaddr'] . ":" . $backend['port']; if (!is_array($a_bind[$bname])) { @@ -538,6 +556,8 @@ function haproxy_writeconf() { else $frontendinfo = "frontend {$bind['name']}\n"; + $advancedextra = array(); + // Prepare ports for processing by splitting $portss = "{$bind['port']},"; $ports = split(",", $portss); @@ -622,7 +642,7 @@ function haproxy_writeconf() { $a_pendingpl[$poolname]['frontend'] = $bconfig; } - if ($bconfig['ssloffload'] && $bconfig['ssloffloadacl']) { + if (strtolower($bind['type']) == "http" && $bconfig['ssloffload'] && $bconfig['ssloffloadacl']) { $aclname = "SNI_" . $poolname; $cert_cn = cert_get_cn($bconfig['ssloffloadcert'] ,true); //$expr = "req_ssl_sni -i $cert_cn"; @@ -648,10 +668,15 @@ function haproxy_writeconf() { $aclname = $i . "_" . $entry['name']; fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"); fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n"); + + if ($acl['advancedoptions'] != '') + $advancedextra[$acl['syntax']] = $acl['advancedoptions']."\n"; $i++; } } + foreach($advancedextra as $extra) + fwrite ($fd, "\t".$extra."\n"); fwrite ($fd, "\n"); } } diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index c61954ac..3139250c 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -33,6 +33,16 @@ require("guiconfig.inc"); require_once("haproxy.inc"); +/* Compatibility function for pfSense 2.0 */ +if (!function_exists("cert_get_purpose")) { + function cert_get_purpose(){ + $result = array(); + $result['server'] = "Yes"; + return $result; + } +} +/**/ + function get_certificat_usage($refid) { $usage = array(); $cert = lookup_cert($refid); @@ -55,7 +65,7 @@ function get_certificat_usage($refid) { return $usage; } -/// This function (is intendet to) provides a uniform way to retrieve a list of use selectable certificates +// This function (is intended to) provides a uniform way to retrieve a list of server certificates function get_certificates_server($get_includeWebCert=false) { global $config; $certificates=array(); @@ -64,7 +74,7 @@ function get_certificates_server($get_includeWebCert=false) { { if ($get_ca == false && is_webgui_cert($cert['refid'])) continue; - + $purpose = cert_get_purpose($cert['crt']); if ($purpose['server'] != 'Yes') continue; @@ -496,7 +506,8 @@ include("head.inc"); <td width="78%" class="vtable" colspan="2"> <input id="secondary" name="secondary" type="checkbox" value="yes" <?php if ($pconfig['secondary']=='yes') echo "checked"; ?> onclick="updatevisibility();">secondary backend</checkbox><br/> Use this setting to configure multiple backends/accesslists for a single frontend.<br/> - All settings of which only 1 can exist will be hidden. And + All settings of which only 1 can exist will be hidden.<br/> + The frontend settings will be merged into 1 set of frontend configuration. </td> </tr> <tr align="left"> @@ -513,6 +524,7 @@ include("head.inc"); <td width="78%" class="vtable"> <select name="extaddr" class="formfld"> <option value="" <?php if (!$pconfig['extaddr']) echo "selected"; ?>>Interface address</option> + <option value="localhost" <?php if ('localhost' == $pconfig['extaddr']) echo "selected"; ?>>Localhost</option> <?php if (is_array($config['virtualip']['vip'])): foreach ($config['virtualip']['vip'] as $sn): diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php index 5fb43b49..f244d3df 100644 --- a/config/haproxy-devel/haproxy_pool_edit.php +++ b/config/haproxy-devel/haproxy_pool_edit.php @@ -326,7 +326,7 @@ row_helper(); <td class="vtable listlr"><?=$server['name']; ?></td> <td class="vtable listr"><?=$server['address']; ?></td> <td class="vtable listr"><?=$server['port']; ?></td> - <td class="vtable listr"><?=$server['ssl']; ?></td> + <td class="vtable listr"><?=$server['ssl']=='yes'?'yes':'no'; ?></td> <td class="vtable listr"><?=$server['weight']; ?></td> <td class="vtable listr"><?=$server['status']; ?></td> <td class="list"> @@ -350,7 +350,7 @@ row_helper(); <td class="vtable"> <input name="server_port<?=$counter;?>" id="server_port<?=$counter;?>" type="text" value="<?=$server['port']; ?>" size="5"/></td> <td class="vtable"> - <input name="server_ssl<?=$counter;?>" id="server_ssl<?=$counter;?>" type="checkbox" value="<?=$server['ssl']; ?>" size="5"/></td> + <input name="server_ssl<?=$counter;?>" id="server_ssl<?=$counter;?>" type="checkbox" value="yes" <?=$server['ssl']=='yes'?"checked":""; ?> size="5"/></td> <td class="vtable"> <input name="server_weight<?=$counter;?>" id="server_weight<?=$counter;?>" type="text" value="<?=$server['weight']; ?>" size="5"/></td> <td class="vtable"> |