aboutsummaryrefslogtreecommitdiffstats
path: root/config
diff options
context:
space:
mode:
authorPiBa-NL <pba_2k3@yahoo.com>2013-03-09 01:06:56 +0100
committerPiBa-NL <pba_2k3@yahoo.com>2013-03-09 01:06:56 +0100
commite1a963c1f543873630b104d244151ed70c0b9da7 (patch)
treea44b8db726e44fe4bc8f4cee117052bc224cb601 /config
parent923ed523e8088bdb494ca8f72fa1fe1caa2a4e6a (diff)
downloadpfsense-packages-e1a963c1f543873630b104d244151ed70c0b9da7.tar.gz
pfsense-packages-e1a963c1f543873630b104d244151ed70c0b9da7.tar.bz2
pfsense-packages-e1a963c1f543873630b104d244151ed70c0b9da7.zip
haproxy-devel, small bugfixes.. maintain ssl checkbox selection, dont use httpcheck for ssl backends, use req_ssl_hello_type for https with SNI acl's.
Diffstat (limited to 'config')
-rw-r--r--config/haproxy-devel/haproxy.inc39
-rw-r--r--config/haproxy-devel/haproxy_listeners_edit.php18
-rw-r--r--config/haproxy-devel/haproxy_pool_edit.php4
3 files changed, 49 insertions, 12 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index cd440eb0..e246b8e0 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -63,7 +63,7 @@ $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP',
'mode' => '', 'syntax' => 'src');
if ($haproxy_sni_ssloffloading) {
$a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches',
- 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\r\ntcp-request content accept if { req_ssl_hello_type 1 }");
+ 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\n\ttcp-request content accept if { req_ssl_hello_type 1 }");
}
function haproxy_custom_php_deinstall_command() {
@@ -324,7 +324,20 @@ function haproxy_find_acl($name) {
function write_backend($fd, $name, $pool, $frontend) {
if(!is_array($pool['ha_servers']['item']) && !$pool['stats_enabled']=='yes')
return;
+
+ $a_servers = &$pool['ha_servers']['item'];
+ unset($sslserverpresent);
+ if (is_array($a_servers))
+ {
+ foreach($a_servers as $be) {
+ if (!$be['status'] == "inactive")
+ continue;
+ if ($be['ssl'])
+ $sslserverpresent = true;
+ }
+ }
+
fwrite ($fd, "backend " . $name . "\n");
if($pool['cookie_name'] && strtolower($frontend['type']) == "http")
fwrite ($fd, "\tcookie\t\t\t" . $pool['cookie_name'] . " insert indirect\n");
@@ -333,7 +346,7 @@ function write_backend($fd, $name, $pool, $frontend) {
if(strtolower($frontend['type']) == "https") {
$backend_type = "tcp";
$httpchk = "ssl-hello-chk";
- } else {
+ } else {
$backend_type = $frontend['type'];
$httpchk = "httpchk";
}
@@ -378,7 +391,9 @@ function write_backend($fd, $name, $pool, $frontend) {
$uri = $pool['monitor_uri'];
else
$uri = "/";
- fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n");
+
+ if (!$sslserverpresent)
+ fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n");
if ($pool['advanced_backend']) {
$adv_be = explode("\n", base64_decode($pool['advanced_backend']));
@@ -407,7 +422,6 @@ function write_backend($fd, $name, $pool, $frontend) {
else
$checkinter = "";
- $a_servers = &$pool['ha_servers']['item'];
if (is_array($a_servers))
{
foreach($a_servers as $be) {
@@ -421,7 +435,8 @@ function write_backend($fd, $name, $pool, $frontend) {
} else {
$isbackup = "";
}
- fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n");
+ $ssl = ($backend_type == "http" && $be['ssl'] == 'yes') ? ' ssl' : "";
+ fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . "$ssl $cookie $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n");
}
}
fwrite ($fd, "\n");
@@ -486,7 +501,7 @@ function haproxy_writeconf() {
}
//check ssl info
- if ($backend['ssloffload']){
+ if (strtolower($backend['type']) == "http" && $backend['ssloffload']){
//ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem
$ssl_crt=" crt /var/etc/{$backend['name']}.{$backend['port']}.crt";
$cert = lookup_cert($backend['ssloffloadcert']);
@@ -497,6 +512,9 @@ function haproxy_writeconf() {
$ssl_crt="";
unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt");
}
+
+ if ($backend['extaddr']=='localhost')
+ $backend['extaddr'] = "127.0.0.1";
$bname = $backend['extaddr'] . ":" . $backend['port'];
if (!is_array($a_bind[$bname])) {
@@ -538,6 +556,8 @@ function haproxy_writeconf() {
else
$frontendinfo = "frontend {$bind['name']}\n";
+ $advancedextra = array();
+
// Prepare ports for processing by splitting
$portss = "{$bind['port']},";
$ports = split(",", $portss);
@@ -622,7 +642,7 @@ function haproxy_writeconf() {
$a_pendingpl[$poolname]['frontend'] = $bconfig;
}
- if ($bconfig['ssloffload'] && $bconfig['ssloffloadacl']) {
+ if (strtolower($bind['type']) == "http" && $bconfig['ssloffload'] && $bconfig['ssloffloadacl']) {
$aclname = "SNI_" . $poolname;
$cert_cn = cert_get_cn($bconfig['ssloffloadcert'] ,true);
//$expr = "req_ssl_sni -i $cert_cn";
@@ -648,10 +668,15 @@ function haproxy_writeconf() {
$aclname = $i . "_" . $entry['name'];
fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n");
fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n");
+
+ if ($acl['advancedoptions'] != '')
+ $advancedextra[$acl['syntax']] = $acl['advancedoptions']."\n";
$i++;
}
}
+ foreach($advancedextra as $extra)
+ fwrite ($fd, "\t".$extra."\n");
fwrite ($fd, "\n");
}
}
diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php
index c61954ac..3139250c 100644
--- a/config/haproxy-devel/haproxy_listeners_edit.php
+++ b/config/haproxy-devel/haproxy_listeners_edit.php
@@ -33,6 +33,16 @@
require("guiconfig.inc");
require_once("haproxy.inc");
+/* Compatibility function for pfSense 2.0 */
+if (!function_exists("cert_get_purpose")) {
+ function cert_get_purpose(){
+ $result = array();
+ $result['server'] = "Yes";
+ return $result;
+ }
+}
+/**/
+
function get_certificat_usage($refid) {
$usage = array();
$cert = lookup_cert($refid);
@@ -55,7 +65,7 @@ function get_certificat_usage($refid) {
return $usage;
}
-/// This function (is intendet to) provides a uniform way to retrieve a list of use selectable certificates
+// This function (is intended to) provides a uniform way to retrieve a list of server certificates
function get_certificates_server($get_includeWebCert=false) {
global $config;
$certificates=array();
@@ -64,7 +74,7 @@ function get_certificates_server($get_includeWebCert=false) {
{
if ($get_ca == false && is_webgui_cert($cert['refid']))
continue;
-
+
$purpose = cert_get_purpose($cert['crt']);
if ($purpose['server'] != 'Yes')
continue;
@@ -496,7 +506,8 @@ include("head.inc");
<td width="78%" class="vtable" colspan="2">
<input id="secondary" name="secondary" type="checkbox" value="yes" <?php if ($pconfig['secondary']=='yes') echo "checked"; ?> onclick="updatevisibility();">secondary backend</checkbox><br/>
Use this setting to configure multiple backends/accesslists for a single frontend.<br/>
- All settings of which only 1 can exist will be hidden. And
+ All settings of which only 1 can exist will be hidden.<br/>
+ The frontend settings will be merged into 1 set of frontend configuration.
</td>
</tr>
<tr align="left">
@@ -513,6 +524,7 @@ include("head.inc");
<td width="78%" class="vtable">
<select name="extaddr" class="formfld">
<option value="" <?php if (!$pconfig['extaddr']) echo "selected"; ?>>Interface address</option>
+ <option value="localhost" <?php if ('localhost' == $pconfig['extaddr']) echo "selected"; ?>>Localhost</option>
<?php
if (is_array($config['virtualip']['vip'])):
foreach ($config['virtualip']['vip'] as $sn):
diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php
index 5fb43b49..f244d3df 100644
--- a/config/haproxy-devel/haproxy_pool_edit.php
+++ b/config/haproxy-devel/haproxy_pool_edit.php
@@ -326,7 +326,7 @@ row_helper();
<td class="vtable listlr"><?=$server['name']; ?></td>
<td class="vtable listr"><?=$server['address']; ?></td>
<td class="vtable listr"><?=$server['port']; ?></td>
- <td class="vtable listr"><?=$server['ssl']; ?></td>
+ <td class="vtable listr"><?=$server['ssl']=='yes'?'yes':'no'; ?></td>
<td class="vtable listr"><?=$server['weight']; ?></td>
<td class="vtable listr"><?=$server['status']; ?></td>
<td class="list">
@@ -350,7 +350,7 @@ row_helper();
<td class="vtable">
<input name="server_port<?=$counter;?>" id="server_port<?=$counter;?>" type="text" value="<?=$server['port']; ?>" size="5"/></td>
<td class="vtable">
- <input name="server_ssl<?=$counter;?>" id="server_ssl<?=$counter;?>" type="checkbox" value="<?=$server['ssl']; ?>" size="5"/></td>
+ <input name="server_ssl<?=$counter;?>" id="server_ssl<?=$counter;?>" type="checkbox" value="yes" <?=$server['ssl']=='yes'?"checked":""; ?> size="5"/></td>
<td class="vtable">
<input name="server_weight<?=$counter;?>" id="server_weight<?=$counter;?>" type="text" value="<?=$server['weight']; ?>" size="5"/></td>
<td class="vtable">