-rw-r--r-- | config/haproxy-devel/pkg/haproxy.inc | 17 | ||||
-rw-r--r-- | config/haproxy-devel/pkg/haproxy_utils.inc | 41 | ||||
-rw-r--r-- | config/haproxy-devel/www/haproxy_listeners_edit.php | 3 | ||||
-rw-r--r-- | config/haproxy-devel/www/haproxy_pool_edit.php | 2 | ||||
-rw-r--r-- | pkg_config.10.xml | 4 |
5 files changed, 39 insertions, 28 deletions
diff --git a/config/haproxy-devel/pkg/haproxy.inc b/config/haproxy-devel/pkg/haproxy.inc
index 6e07625f..eceef783 100644
--- a/config/haproxy-devel/pkg/haproxy.inc
+++ b/config/haproxy-devel/pkg/haproxy.inc
@@ -957,18 +957,23 @@ function haproxy_write_certificate_crl($filename, $crlid, $append = false) {
 unset($crl);
 }
-function haproxy_write_certificate_fullchain($filename, $certid, $append = false) {
+function haproxy_write_certificate_fullchain($filename, $certid, $append = false, $skiproot = true) {
 $cert = haproxy_lookup_cert($certid);
 $certcontent = base64_decode($cert['crt']);
 if (isset($cert['prv']))
 $certcontent .= "\r\n".base64_decode($cert['prv']);
- $certchaincontent = ca_chain($cert);
- if ($certchaincontent != "") {
- $certcontent .= "\r\n" . $certchaincontent;
+ $ca = $cert;
+ while(!empty($ca['caref'])) {
+ $ca = lookup_ca($ca['caref']);
+ if ($ca) {
+ if ($skiproot && (cert_get_subject($ca['crt']) == cert_get_issuer($ca['crt'])))
+ break;
+ $certcontent .= "\r\n" . base64_decode($ca['crt']);
+ } else
+ break;
 }
- unset($certchaincontent);
 $flags = $append ? FILE_APPEND : 0;
 file_put_contents($filename, $certcontent, $flags);
 unset($certcontent);
@@ -1155,7 +1160,7 @@ function haproxy_writeconf($configpath) {
 if ($frontend['sslocsp'] == 'yes') {
 if (!empty(haproxy_getocspurl($filename))) {
 haproxy_write_certificate_issuer($filename . ".issuer", $frontend['ssloffloadcert']);
- touch($filename . ".ocsp");
+ touch($filename . ".ocsp");//create initial empty file. this will trigger updates, and inform haproxy it 'should' be using ocsp
 }
 }
diff --git a/config/haproxy-devel/pkg/haproxy_utils.inc b/config/haproxy-devel/pkg/haproxy_utils.inc
index 3d841a25..ec72b986 100644
--- a/config/haproxy-devel/pkg/haproxy_utils.inc
+++ b/config/haproxy-devel/pkg/haproxy_utils.inc
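Review bot: The new chain walk in haproxy_write_certificate_fullchain terminates only when `lookup_ca()` returns nothing or, with `$skiproot`, when a subject==issuer certificate is reached, so a CA entry whose `caref` points back at itself or into a cycle would spin forever and, with `$skiproot` false, keep appending the same certificate to `$certcontent`. Track the carefs already visited: `$seen = array();` before the `while`, then `if (isset($seen[$ca['caref']])) break; $seen[$ca['caref']] = true;` as the first statements inside it. The subject==issuer comparison also uses loose `==`; `===` is the safer form for two strings, and the check identifies a self-issued certificate, which is a heuristic for "root" rather than a signature verification, so a short comment saying so would help the next reader. The function's closing brace lies outside the hunk.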
@@ -39,32 +39,37 @@ class haproxy_utils {
 public function query_dns($host, $querytype="A,AAAA") {
 $result = array();
 $types = explode(',',$querytype);
- $recordtypes = 0;
+ $recordtype = 0;
 foreach($types as $type){
 switch ($type) {
 case 'A':
- $recordtypes += DNS_A;
+ $recordtype = DNS_A;
 break;
 case 'AAAA':
- $recordtypes += DNS_AAAA;
+ $recordtype = DNS_AAAA;
 break;
 }
- }
- if ($recordtypes == 0)
- return $result;
-
- $dnsresult = dns_get_record($host, $recordtypes);
- foreach($dnsresult as $item) {
- $newitem["typeid"] = $item['type'];
- switch ($item['type']) {
- case 'A':
- $newitem["data"] = $item['ip'];
- break;
- case 'AAAA':
- $newitem["data"] = $item['ipv6'];
- break;
+ if ($recordtype != 0) {
+ //query one type at a time, querying multiple types in one call dns_get_record fails if one is not present..
+ $errreporting = error_reporting();
+ error_reporting($errreporting & ~E_WARNING);// dns_get_record throws a warning if nothing is resolved..
+ $dnsresult = dns_get_record($host, $recordtype);
+ error_reporting($errreporting);
+ if (is_array($dnsresult)) {
+ foreach($dnsresult as $item) {
+ $newitem["typeid"] = $item['type'];
+ switch ($item['type']) {
+ case 'A':
+ $newitem["data"] = $item['ip'];
+ break;
+ case 'AAAA':
+ $newitem["data"] = $item['ipv6'];
+ break;
+ }
+ $result[] = $newitem;
+ }
+ }
 }
- $result[] = $newitem;
 }
 return $result;
 }
diff --git a/config/haproxy-devel/www/haproxy_listeners_edit.php b/config/haproxy-devel/www/haproxy_listeners_edit.php
index 5b726d08..6998e099 100644
--- a/config/haproxy-devel/www/haproxy_listeners_edit.php
+++ b/config/haproxy-devel/www/haproxy_listeners_edit.php
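Review bot: `$recordtype` is initialised once before the `foreach` and only assigned inside the `case` branches, so a `$querytype` entry that is neither `A` nor `AAAA` (an unknown type, or the empty string left by a trailing comma) keeps the previous iteration's value and re-runs that query, duplicating its records in `$result`. Reset it per iteration by moving `$recordtype = 0;` to the first line inside `foreach($types as $type){`, or add `default: $recordtype = 0;` to the switch. `$newitem` is likewise never reinitialised between records, so an entry whose `type` matched neither case would carry the previous record's `data`; `$newitem = array();` at the top of the inner `foreach` closes that. The `is_array($dnsresult)` guard already handles the `false` return, so the E_WARNING mask is only cosmetic and a one-line comment saying that is all the justification it needs.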
@@ -811,7 +811,8 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
 <input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo 'value="'.htmlspecialchars($pconfig['dcertadv']).'"';?> />
 <br/>
 NOTE: Paste additional ssl options(without commas) to include on ssl listening options.<br/>
- some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
+ some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets<br/>
+ Example: no-sslv3 ciphers EECDH+aRSA+AES:TLSv1+kRSA+AES:TLSv1+kRSA+3DES
 </td>
 </tr>
 <tr class="haproxy_ssloffloading_enabled haproxy_primary">
diff --git a/config/haproxy-devel/www/haproxy_pool_edit.php b/config/haproxy-devel/www/haproxy_pool_edit.php
index 5e38b12d..0824e45c 100644
--- a/config/haproxy-devel/www/haproxy_pool_edit.php
+++ b/config/haproxy-devel/www/haproxy_pool_edit.php
@@ -961,7 +961,7 @@ set by the 'retries' parameter.</div>
 <td colspan="2" valign="top" class="listtopic">Advanced</td>
 </tr>
 <tr class="" align="left" id='Strict-Transport-Security'>
- <td width="22%" valign="top" class="vncell">Strict-Transport-Security</td>
+ <td width="22%" valign="top" class="vncell">HSTS Strict-Transport-Security</td>
 <td width="78%" class="vtable" colspan="2">
 When configured enables "HTTP Strict Transport Security" leave empty to disable. (only used on 'http' frontends)<br/>
 <b>WARNING! the domain will only work over https with a valid certificate!</b><br/>
diff --git a/pkg_config.10.xml b/pkg_config.10.xml
index a37e9819..66b3360e 100644
--- a/pkg_config.10.xml
+++ b/pkg_config.10.xml
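Review bot: The example cipher string on the new `Example:` line ends with `TLSv1+kRSA+AES:TLSv1+kRSA+3DES`, which admits static-RSA key exchange (no forward secrecy) and 3DES; help text is exactly what administrators copy verbatim, so the example steers them toward a weak configuration. Prefer an example limited to the forward-secret AES suites, e.g. `Example: no-sslv3 ciphers EECDH+aRSA+AES`, and if legacy fallbacks must be illustrated, label them as such in the text. The re-emitted "some options" line still lists `force-sslv3` first among the suggestions; since the line is being touched anyway, moving the `no-*` options ahead of the `force-*` ones would make the safer choice the obvious one.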
@@ -175,7 +175,7 @@ Supports ACLs for smart backend switching.]]></descr>
 <website>http://haproxy.1wt.eu/</website>
 <category>Services</category>
- <version>0.24</version>
+ <version>0.26</version>
 <status>Release</status>
 <required_version>2.2</required_version>
 <config_file>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.xml</config_file>
@@ -189,7 +189,7 @@
 <custom_name>haproxy-devel</custom_name>
 <port>net/haproxy-devel</port>
 </build_pbi>
- <build_options>WITH_OPENSSL_PORT=yes;haproxy_UNSET_FORCE=DPCRE;haproxy_SET_FORCE=OPENSSL SPCRE</build_options>
+ <build_options>WITH_OPENSSL_PORT=yes;haproxy_UNSET_FORCE=DPCRE;haproxy_SET_FORCE=OPENSSL SPCRE LUA</build_options>
 </package>
 <package>
 <name>Apache with mod_security-dev</name> |