-rw-r--r-- | config/haproxy-devel/haproxy.inc | 57 | ||||
-rw-r--r-- | pkg_config.10.xml | 2 | ||||
-rw-r--r-- | pkg_config.8.xml | 6 | ||||
-rw-r--r-- | pkg_config.8.xml.amd64 | 6 |
4 files changed, 51 insertions, 20 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index 20f6847c..5ae86bb9 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -617,6 +617,7 @@ function haproxy_writeconf($configpath) {
 fwrite ($fd, "\tnbproc\t\t\t$numprocs\n");
 fwrite ($fd, "\tchroot\t\t\t/var/empty\n");
 fwrite ($fd, "\tdaemon\n");
+ fwrite ($fd, "\tssl-server-verify none\n");
 // Keep the advanced options on the bottom of the global settings, to allow additional sections to be easely added
 if($a_global['advanced']) {
@@ -950,16 +951,9 @@ function use_transparent_clientip_proxying() {
 return false;
 }
-function load_ipfw_rules() {
- // On FreeBSD 8 pf does not support "divert-reply" so ipfw is needed.
- global $g, $config;
- $ipfw_zone_haproxy = "haproxy";
-
+function haproxy_get_transparent_backends(){
+ global $config;
 $a_backends = &$config['installedpackages']['haproxy']['ha_pools']['item'];
-
- haproxy_load_modules();
-
- $transparent_interfaces = array();
 $transparent_backends = array();
 foreach ($a_backends as $backend) {
 if ($backend["transparent_clientip"] != 'yes')
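Review bot: The added `ssl-server-verify none` line in haproxy_writeconf() is written into the global section unconditionally, so every `ssl` server line that does not set its own `verify` connects to its backend without checking the certificate. The link is then encrypted but the backend is not authenticated. I would emit the line only when an explicit package setting asks for it, and at minimum document the trade-off next to it, e.g. `// backend certificates are NOT verified unless a server line sets "verify required" with a ca-file`. The body of haproxy_writeconf() continues outside this hunk, so whether per-server `verify` options are written elsewhere is not visible here.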
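Review bot: haproxy_get_transparent_backends() loops over `$a_backends` without checking that it is an array, and binds it with `&`, so a read-only getter creates the `ha_pools`/`item` path in `$config` as a side effect. This commit also makes the function run during firewall rule generation (haproxy_generate_rules() in the next hunk), so a configuration with no backends would raise a foreach warning in that path. I would read by value and guard before the loop: `$a_backends = $config['installedpackages']['haproxy']['ha_pools']['item'];` followed by `if (!is_array($a_backends)) return array();`. The loop body continues outside the hunk.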
@@ -975,15 +969,51 @@ function load_ipfw_rules() {
 if (!is_ipaddr($be['address']))
 continue;
 $item = array();
+ $item['name'] = $be['name'];
+ $item['interface'] = $real_if;
 $item['address'] = $be['address'];
 $item['port'] = $be['port'];
- $item['interface'] = $real_if;
 $transparent_backends[] = $item;
- $transparent_interfaces[$real_if] = 1;
 }
 }
 }
 }
+ return $transparent_backends;
+}
+
+function haproxy_generate_rules($type) {
+ // called by filter.inc when pfSense rules generation happens
+ global $g, $config;
+ $rules = "";
+ switch($type) {
+ case 'filter':
+ $transparent_backends = haproxy_get_transparent_backends();
+ foreach($transparent_backends as $tb){
+ // This sloppy rule is needed because of ipfw is used to 'catch' return traffic.
+ $rules .= "# allow HAProxy transparent traffic\n";
+ $rules .= "pass out quick on {$tb['interface']} inet proto tcp from any to {$tb['address']} port {$tb['port']} flags S/SA keep state ( sloppy ) label \"HAPROXY_transparent_rule_{$tb['name']}\"\n";
+ }
+ break;
+ }
+ return $rules;
+}
+
+function load_ipfw_rules() {
+ // On FreeBSD 8 pf does not support "divert-reply" so ipfw is needed.
+ global $g, $config;
+ $ipfw_zone_haproxy = "haproxy";
+
+ $a_backends = &$config['installedpackages']['haproxy']['ha_pools']['item'];
+
+ haproxy_load_modules();
+
+ $transparent_backends = haproxy_get_transparent_backends();
+
+ $transparent_interfaces = array();
+ foreach($transparent_backends as $transparent_backend){
+ $interface = $transparent_backend['interface'];
+ $transparent_interfaces[$interface] = 1;
+ }
 mwexec("/usr/local/sbin/ipfw_context -a $ipfw_zone_haproxy", true);
 foreach($transparent_interfaces as $transparent_if => $value) {
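Review bot: haproxy_generate_rules() interpolates `$tb['port']` and `$tb['name']` straight into a pf rule line, while the only validation visible in haproxy_get_transparent_backends() is `is_ipaddr()` on the address. Unless these values are validated on save (not visible here), a non-numeric port or a name containing a double quote or line break would produce a malformed or unintended ruleset line, and a ruleset that fails to load affects the whole firewall rather than just HAProxy. I would skip entries that fail `is_port($tb['port'])` and build the label from a restricted character set, e.g. `$label = preg_replace('/[^A-Za-z0-9_]/', '_', $tb['name']);`. Separately, `$g` and `$config` in haproxy_generate_rules() and `$a_backends` in the new load_ipfw_rules() are unused in the visible lines; load_ipfw_rules() continues past the hunk.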
@@ -1011,9 +1041,10 @@ function haproxy_check_run($reload) {
 exec("/usr/bin/limits -n 300014");
- if(use_transparent_clientip_proxying())
+ if(use_transparent_clientip_proxying()) {
+ filter_configure();
 load_ipfw_rules();
- else
+ } else
 mwexec("/usr/local/sbin/ipfw_context -d haproxy", true);
 if(isset($a_global['enable'])) {
diff --git a/pkg_config.10.xml b/pkg_config.10.xml
index 869fb93b..86243ec7 100644
--- a/pkg_config.10.xml
+++ b/pkg_config.10.xml
@@ -187,7 +187,7 @@ Supports acl's for smart backend switching.]]></descr>
 <website>http://haproxy.1wt.eu/</website>
 <category>Services</category>
- <version>1.5-dev22 pkg v 0.6.1</version>
+ <version>1.5-dev22 pkg v 0.7</version>
 <status>Release</status>
 <required_version>2.2</required_version>
 <config_file>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.xml</config_file>
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index a35b7e6b..b3f16cb2 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -192,14 +192,14 @@ Supports acl's for smart backend switching.]]></descr>
 <website>http://haproxy.1wt.eu/</website>
 <category>Services</category>
- <version>1.5-dev21 pkg v 0.6.1</version>
+ <version>1.5-dev22 pkg v 0.7</version>
 <status>Release</status>
 <required_version>2.1</required_version>
 <config_file>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.xml</config_file>
 <configurationfile>haproxy.xml</configurationfile>
 <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url>
- <depends_on_package>haproxy-1.4.21.tbz</depends_on_package>
- <depends_on_package_pbi>haproxy-devel-1.5-dev21-i386.pbi</depends_on_package_pbi>
+ <depends_on_package>haproxy-1.4.22.tbz</depends_on_package>
+ <depends_on_package_pbi>haproxy-devel-1.5-dev22-i386.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/net/haproxy-devel</build_port_path>
 <build_pbi>
 <ports_before>security/openssl</ports_before>
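Review bot: In the haproxy_check_run() hunk, `filter_configure()` is called only in the branch that enables transparent proxying, so when the feature is switched off the ipfw context is deleted but the `HAPROXY_transparent_rule_*` sloppy-state pass rules presumably stay loaded in pf until something else reloads the filter. I would reload the filter in the else branch as well and brace both branches: `} else {`, `filter_configure();`, `mwexec("/usr/local/sbin/ipfw_context -d haproxy", true); }`. Reloading only when the transparent setting actually changed would also avoid a full ruleset reload on every run. The function starts and ends outside the hunk, so any later reload is not visible here.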
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index d09981cf..f628aff4 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -179,14 +179,14 @@ Supports acl's for smart backend switching.]]></descr>
 <website>http://haproxy.1wt.eu/</website>
 <category>Services</category>
- <version>1.5-dev21 pkg v 0.6.1</version>
+ <version>1.5-dev22 pkg v 0.7</version>
 <status>Release</status>
 <required_version>2.1</required_version>
 <config_file>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.xml</config_file>
 <configurationfile>haproxy.xml</configurationfile>
 <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
- <depends_on_package>haproxy-1.4.21.tbz</depends_on_package>
- <depends_on_package_pbi>haproxy-devel-1.5-dev21-amd64.pbi</depends_on_package_pbi>
+ <depends_on_package>haproxy-1.4.22.tbz</depends_on_package>
+ <depends_on_package_pbi>haproxy-devel-1.5-dev22-amd64.pbi</depends_on_package_pbi>
 <build_port_path>/usr/ports/net/haproxy-devel</build_port_path>
 <build_pbi>
 <ports_before>security/openssl</ports_before> |