aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--config/haproxy-devel/pkg/haproxy.inc17
-rw-r--r--config/haproxy-devel/pkg/haproxy_utils.inc41
-rw-r--r--config/haproxy-devel/www/haproxy_listeners_edit.php3
-rw-r--r--config/haproxy-devel/www/haproxy_pool_edit.php2
-rw-r--r--pkg_config.10.xml4
5 files changed, 39 insertions, 28 deletions
diff --git a/config/haproxy-devel/pkg/haproxy.inc b/config/haproxy-devel/pkg/haproxy.inc
index 6e07625f..eceef783 100644
--- a/config/haproxy-devel/pkg/haproxy.inc
+++ b/config/haproxy-devel/pkg/haproxy.inc
@@ -957,18 +957,23 @@ function haproxy_write_certificate_crl($filename, $crlid, $append = false) {
unset($crl);
}
-function haproxy_write_certificate_fullchain($filename, $certid, $append = false) {
+function haproxy_write_certificate_fullchain($filename, $certid, $append = false, $skiproot = true) {
$cert = haproxy_lookup_cert($certid);
$certcontent = base64_decode($cert['crt']);
if (isset($cert['prv']))
$certcontent .= "\r\n".base64_decode($cert['prv']);
- $certchaincontent = ca_chain($cert);
- if ($certchaincontent != "") {
- $certcontent .= "\r\n" . $certchaincontent;
+ $ca = $cert;
+ while(!empty($ca['caref'])) {
+ $ca = lookup_ca($ca['caref']);
+ if ($ca) {
+ if ($skiproot && (cert_get_subject($ca['crt']) == cert_get_issuer($ca['crt'])))
+ break;
+ $certcontent .= "\r\n" . base64_decode($ca['crt']);
+ } else
+ break;
}
- unset($certchaincontent);
$flags = $append ? FILE_APPEND : 0;
file_put_contents($filename, $certcontent, $flags);
unset($certcontent);
@@ -1155,7 +1160,7 @@ function haproxy_writeconf($configpath) {
if ($frontend['sslocsp'] == 'yes') {
if (!empty(haproxy_getocspurl($filename))) {
haproxy_write_certificate_issuer($filename . ".issuer", $frontend['ssloffloadcert']);
- touch($filename . ".ocsp");
+ touch($filename . ".ocsp");//create initial empty file. this will trigger updates, and inform haproxy it 'should' be using ocsp
}
}
diff --git a/config/haproxy-devel/pkg/haproxy_utils.inc b/config/haproxy-devel/pkg/haproxy_utils.inc
index 3d841a25..ec72b986 100644
--- a/config/haproxy-devel/pkg/haproxy_utils.inc
+++ b/config/haproxy-devel/pkg/haproxy_utils.inc
@@ -39,32 +39,37 @@ class haproxy_utils {
public function query_dns($host, $querytype="A,AAAA") {
$result = array();
$types = explode(',',$querytype);
- $recordtypes = 0;
+ $recordtype = 0;
foreach($types as $type){
switch ($type) {
case 'A':
- $recordtypes += DNS_A;
+ $recordtype = DNS_A;
break;
case 'AAAA':
- $recordtypes += DNS_AAAA;
+ $recordtype = DNS_AAAA;
break;
}
- }
- if ($recordtypes == 0)
- return $result;
-
- $dnsresult = dns_get_record($host, $recordtypes);
- foreach($dnsresult as $item) {
- $newitem["typeid"] = $item['type'];
- switch ($item['type']) {
- case 'A':
- $newitem["data"] = $item['ip'];
- break;
- case 'AAAA':
- $newitem["data"] = $item['ipv6'];
- break;
+ if ($recordtype != 0) {
+ //query one type at a time, querying multiple types in one call dns_get_record fails if one is not present..
+ $errreporting = error_reporting();
+ error_reporting($errreporting & ~E_WARNING);// dns_get_record throws a warning if nothing is resolved..
+ $dnsresult = dns_get_record($host, $recordtype);
+ error_reporting($errreporting);
+ if (is_array($dnsresult)) {
+ foreach($dnsresult as $item) {
+ $newitem["typeid"] = $item['type'];
+ switch ($item['type']) {
+ case 'A':
+ $newitem["data"] = $item['ip'];
+ break;
+ case 'AAAA':
+ $newitem["data"] = $item['ipv6'];
+ break;
+ }
+ $result[] = $newitem;
+ }
+ }
}
- $result[] = $newitem;
}
return $result;
}
diff --git a/config/haproxy-devel/www/haproxy_listeners_edit.php b/config/haproxy-devel/www/haproxy_listeners_edit.php
index 5b726d08..6998e099 100644
--- a/config/haproxy-devel/www/haproxy_listeners_edit.php
+++ b/config/haproxy-devel/www/haproxy_listeners_edit.php
@@ -811,7 +811,8 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
<input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo 'value="'.htmlspecialchars($pconfig['dcertadv']).'"';?> />
<br/>
NOTE: Paste additional ssl options(without commas) to include on ssl listening options.<br/>
- some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
+ some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets<br/>
+ Example: no-sslv3 ciphers EECDH+aRSA+AES:TLSv1+kRSA+AES:TLSv1+kRSA+3DES
</td>
</tr>
<tr class="haproxy_ssloffloading_enabled haproxy_primary">
diff --git a/config/haproxy-devel/www/haproxy_pool_edit.php b/config/haproxy-devel/www/haproxy_pool_edit.php
index 5e38b12d..0824e45c 100644
--- a/config/haproxy-devel/www/haproxy_pool_edit.php
+++ b/config/haproxy-devel/www/haproxy_pool_edit.php
@@ -961,7 +961,7 @@ set by the 'retries' parameter.</div>
<td colspan="2" valign="top" class="listtopic">Advanced</td>
</tr>
<tr class="" align="left" id='Strict-Transport-Security'>
- <td width="22%" valign="top" class="vncell">Strict-Transport-Security</td>
+ <td width="22%" valign="top" class="vncell">HSTS Strict-Transport-Security</td>
<td width="78%" class="vtable" colspan="2">
When configured enables "HTTP Strict Transport Security" leave empty to disable. (only used on 'http' frontends)<br/>
<b>WARNING! the domain will only work over https with a valid certificate!</b><br/>
diff --git a/pkg_config.10.xml b/pkg_config.10.xml
index a37e9819..66b3360e 100644
--- a/pkg_config.10.xml
+++ b/pkg_config.10.xml
@@ -175,7 +175,7 @@
Supports ACLs for smart backend switching.]]></descr>
<website>http://haproxy.1wt.eu/</website>
<category>Services</category>
- <version>0.24</version>
+ <version>0.26</version>
<status>Release</status>
<required_version>2.2</required_version>
<config_file>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.xml</config_file>
@@ -189,7 +189,7 @@
<custom_name>haproxy-devel</custom_name>
<port>net/haproxy-devel</port>
</build_pbi>
- <build_options>WITH_OPENSSL_PORT=yes;haproxy_UNSET_FORCE=DPCRE;haproxy_SET_FORCE=OPENSSL SPCRE</build_options>
+ <build_options>WITH_OPENSSL_PORT=yes;haproxy_UNSET_FORCE=DPCRE;haproxy_SET_FORCE=OPENSSL SPCRE LUA</build_options>
</package>
<package>
<name>Apache with mod_security-dev</name>