Diffstat (limited to 'config/haproxy-devel')
-rw-r--r-- | config/haproxy-devel/haproxy.inc | 105 | ||||
-rw-r--r-- | config/haproxy-devel/haproxy_listeners.php | 12 | ||||
-rw-r--r-- | config/haproxy-devel/haproxy_pool_edit.php | 27 | ||||
-rw-r--r-- | config/haproxy-devel/haproxy_socketinfo.inc | 6 | ||||
-rw-r--r-- | config/haproxy-devel/haproxy_utils.inc | 56 |
5 files changed, 109 insertions, 97 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index ce367fb8..a4e9ba06 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -32,6 +32,7 @@ require_once("functions.inc");
 require_once("pkg-utils.inc");
 require_once("notices.inc");
+require_once("filter.inc");
 require_once("haproxy_utils.inc");
 require_once("haproxy_xmlrpcsyncclient.inc");
@@ -66,7 +67,7 @@ $a_acltypes["ssl_c_verify"] = array('name' => 'SSL Client certificate valid.',
 'mode' => 'http', 'syntax' => 'ssl_fc_has_crt ssl_c_verify 0 ');
 $a_acltypes["ssl_c_ca_commonname"] = array('name' => 'SSL Client issued by CA common-name:',
 'mode' => 'http', 'syntax' => 'ssl_c_i_dn(CN) %1$s');
-$a_acltypes["source_ip"] = array('name' => 'Source IP:',
+$a_acltypes["source_ip"] = array('name' => 'Source IP matches IP or Alias:',
 'mode' => '', 'syntax' => 'src %1$s');
 $a_acltypes["backendservercount"] = array('name' => 'Minimum count usable servers:',
 'mode' => '', 'syntax' => 'nbsrv(%2$s) ge %1$d', 'parameters' => 'value,backendname');
@@ -78,11 +79,13 @@ $a_acltypes["traffic_is_ssl"] = array('name' => 'Traffic is ssl (no value needed
 $a_acltypes["ssl_sni_matches"] = array('name' => 'Server Name Indication TLS extension matches:', 'inspect-delay' => '5',
 'mode' => 'https', 'syntax' => 'req.ssl_sni -i %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
 $a_acltypes["ssl_sni_contains"] = array('name' => 'Server Name Indication TLS extension contains:', 'inspect-delay' => '5',
- 'mode' => 'https', 'syntax' => 'req.ssl_sni -m sub -i example %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
+ 'mode' => 'https', 'syntax' => 'req.ssl_sni -m sub -i %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
 $a_acltypes["ssl_sni_starts_with"] = array('name' => 'Server Name Indication TLS extension starts with:', 'inspect-delay' => '5',
- 'mode' => 'https', 'syntax' => 'req.ssl_sni -m beg -i example %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
+ 'mode' => 'https', 'syntax' => 'req.ssl_sni -m beg -i %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
 $a_acltypes["ssl_sni_ends_with"] = array('name' => 'Server Name Indication TLS extension ends with:', 'inspect-delay' => '5',
- 'mode' => 'https', 'syntax' => 'req.ssl_sni -m end -i example %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
+ 'mode' => 'https', 'syntax' => 'req.ssl_sni -m end -i %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
+$a_acltypes["custom"] = array('name' => 'Custom acl:',
+ 'mode' => '', 'syntax' => '%1$s');
 global $a_checktypes;
 $a_checktypes = array();
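Review bot: The new `custom` acl type, `'syntax' => '%1$s'`, hands the GUI-entered value to the config writer verbatim (`haproxy_writeconf` expands it with `sprintf`), so nothing in this table limits it to a single ACL expression; a value containing a line break would end the `acl` line and whatever follows would be parsed as further haproxy directives. That is an admin-level trust issue rather than an external one, but the acl edit page should reject `\r`/`\n` in that field, e.g. `if (preg_match('/[\r\n]/', $value)) $input_errors[] = "Custom acl may not contain line breaks";`, and I cannot see such a check anywhere in this diff. A comment on the entry would make the contract explicit: `// value is emitted as-is into haproxy.cfg; must be one ACL expression without line breaks`.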
@@ -95,7 +98,7 @@ $a_checktypes['HTTP'] = array('name' => 'HTTP', 'syntax' => 'httpchk',
 // 'Agent' was added in HAProxy1.5dev18, and removed in 1.5dev20, in favor of the seperate agent-check option.
 $a_checktypes['Agent'] = array('name' => 'Agent', 'syntax' => 'lb-agent-chk', 'usedifferenport' => 'yes',
 'descr' => 'Use a TCP connection to read an ASCII string of the form 100%,75%,drain,down (others in haproxy manual)',
- deprecated => true);
+ 'deprecated' => true);
 $a_checktypes['LDAP'] = array('name' => 'LDAP', 'syntax' => 'ldap-check',
 'descr' => 'Use LDAPv3 health checks for server testing');
 $a_checktypes['MySQL'] = array('name' => 'MySQL', 'syntax' => 'mysql-check',
@@ -261,6 +264,16 @@ function haproxy_portoralias_to_list($port_or_alias) {
 return null;
 }
+function haproxy_hostoralias_to_list($host_or_alias) {
+ if (is_alias($host_or_alias)){
+ $result = filter_expand_alias_array($host_or_alias);
+ } else {
+ $result = array();
+ $result[] = $host_or_alias;
+ }
+ return $result;
+}
+
 function haproxy_custom_php_deinstall_command() {
 global $static_output;
 $static_output .= "HAProxy, running haproxy_custom_php_deinstall_command()\n";
@@ -1144,8 +1157,16 @@ function haproxy_writeconf($configpath) {
 // Filter out acls for different modes
 if ($acl['mode'] != '' && $acl['mode'] != strtolower($bind['type']))
 continue;
-
- $expr = sprintf($acl['syntax'],$entry['value'],$poolname);
+ if (($entry['expression'] == "source_ip") && is_alias($entry['value'])) {
+ $filename = "$configpath/ipalias_{$entry['value']}.lst";
+ $listitems = haproxy_hostoralias_to_list($entry['value']);
+ $fd_alias = fopen("$filename", "w");
+ foreach($listitems as $item)
+ fwrite($fd_alias, $item."\r\n");
+ fclose($fd_alias);
+ $expr = "src -f $filename";
+ } else
+ $expr = sprintf($acl['syntax'],$entry['value'],$poolname);
 $aclname = $i . "_" . $entry['name'];
 $aclnames .= $aclname." ";
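Review bot: The `fopen("$filename", "w")` added in the `source_ip` branch is unchecked: if `$configpath` is missing or unwritable, the following `fwrite`/`fclose` calls raise warnings and the emitted `src -f $filename` still points at a file that does not exist, which makes haproxy reject the whole configuration rather than just this one ACL. Guard it, e.g. `if ($fd_alias === false) { syslog(LOG_ERR, "haproxy: cannot write alias file $filename"); continue; }`, or fall back to the inline `sprintf` form when the file cannot be written. The alias name is also interpolated straight into the path; that is presumably path-safe because `is_alias()` only succeeds for names that exist in the pfSense alias table, which validates names on entry, but a comment stating that assumption (`// alias names are validated by the alias editor, so $entry['value'] is safe in a path`) would help the next reader. `haproxy_hostoralias_to_list` also deserves a one-line docblock such as `/** Return the member entries of a pfSense alias, or the literal host/network wrapped in a one-element array. */`; `haproxy_writeconf` starts and ends outside this hunk.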
@@ -1396,15 +1417,29 @@ function haproxy_check_run($reload) {
 } else
 mwexec("/usr/local/sbin/ipfw_context -d haproxy", true);
+ if (file_exists('/var/run/haproxy.pid')){
+ $old_pid = file_get_contents('/var/run/haproxy.pid');
+ } else
+ $old_pid = 'none';
+
 if (haproxy_is_running()) {
 if (isset($a_global['terminate_on_reload']))
 $sf_st = "-st";//terminate old process as soon as the new process is listening
 else
 $sf_st = "-sf";//finish serving existing connections exit when done, and the new process is listening
+
+ syslog(LOG_NOTICE, "haproxy: reload old pid:$old_pid");
 exec("/usr/local/sbin/haproxy -f {$configpath}/haproxy.cfg -p /var/run/haproxy.pid $sf_st `cat /var/run/haproxy.pid` 2>&1", $output, $errcode);
 } else {
+ syslog(LOG_NOTICE, "haproxy: starting old pid:$old_pid");
 exec("/usr/local/sbin/haproxy -f {$configpath}/haproxy.cfg -p /var/run/haproxy.pid -D 2>&1", $output, $errcode);
 }
+ if (file_exists('/var/run/haproxy.pid')){
+ $new_pid = file_get_contents('/var/run/haproxy.pid');
+ } else
+ $new_pid = 'none';
+ syslog(LOG_NOTICE, "haproxy: started new pid:$new_pid");
+
 foreach($output as $line)
 $haproxy_run_message .= "<br/>" . htmlspecialchars($line) . "\n";
 } else {
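Review bot: The pid strings logged by the new `syslog` calls are used exactly as read from the file, and a haproxy pid file normally ends with a newline (and holds one pid per line when several processes run), so the log message gets an embedded line break; `$old_pid = trim(file_get_contents('/var/run/haproxy.pid'));` (and the same for `$new_pid`) keeps each notice on one line. The reload `exec` still re-reads the pid file through the backtick `` `cat /var/run/haproxy.pid` `` even though the value is now already in `$old_pid`; passing the trimmed variable instead, guarded against the `'none'` placeholder, would keep the pid that is logged and the one handed to `-sf`/`-st` consistent. `haproxy_check_run` starts and ends outside this hunk.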
@@ -1560,31 +1595,6 @@ function get_haproxy_frontends($excludeitem="") {
 return $result;
 }
-function explode_ports($ports_list) {
- $ports_list = split(",", $ports_list);
- $result = array();
- foreach($ports_list as $port){
- //$result = array_merge($result,haproxy_portoralias_to_list($port));
- $items = haproxy_portoralias_to_list($port);
- foreach($items as $item){
- if (is_portrange($item)) {
- $portrange = explode(":", $item);
- for($i=$portrange[0];$i<=$portrange[1];$i++)
- $result[] = $i;
- } else if (is_port($item)) // in pfSense 2.1 is_port returns true for a portrange also..
- $result[] = $item;
- }
- }
- //$result = group_ports($result); << deze maakt er weer portranges van.. maar zoekt wel de unieke. wat dan wel weer handig was.
- return $result;
-}
-
-function get_frontend_ports($mainfrontend) {
-
- $ports = $mainfrontend['port'];
- return explode_ports($ports);
-}
-
 function generate_cert_acl($crt, $defaultport, $nondefaultport){
 // The host header send by a browser will contain the portnumber when a nondefault port is used for the server side.
@@ -1620,19 +1630,18 @@ function get_frontend_acls($frontend) {
 $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']);
 $aclname = "SNI_" . $poolname;
- //$ports = get_frontend_ports($mainfrontend);
- if ($frontend['ssloffloadacl'] || $frontend['ssloffloadaclnondefault']) {
+ if (ifset($frontend['ssloffloadacl']) == 'yes' || ifset($frontend['ssloffloadaclnondefault']) == 'yes') {
 $cert = lookup_cert($frontend['ssloffloadcert']);
 $cert_cn = cert_get_cn($cert['crt']);
 $descr = haproxy_escape_acl_name($cert['descr']);
 unset($cert);
 $acl_item = array();
- if ($frontend['ssloffloadacl'] && $frontend['ssloffloadaclnondefault']) {
+ if (ifset($frontend['ssloffloadacl']) == 'yes' && ifset($frontend['ssloffloadaclnondefault']) == 'yes') {
 $acl_item['descr'] = "Certificate ACL match regex: ^{$cert_cn}(:([0-9]){1,5})?$";
 $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_regex', 'value' => "^{$cert_cn}(:([0-9]){1,5})?$");
- } elseif ($frontend['ssloffloadaclnondefault']) {
+ } elseif (ifset($frontend['ssloffloadaclnondefault']) == 'yes') {
 $acl_item['descr'] = "Certificate ACL starts with: {$cert_cn}:";
 $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_starts_with', 'value' => $cert_cn.":");
 } else {
@@ -1641,7 +1650,7 @@ function get_frontend_acls($frontend) {
 }
 $result[] = $acl_item;
 }
- if ($frontend['ssloffloadacladditional'] || $frontend['ssloffloadacladditionalnondefault']) {
+ if (ifset($frontend['ssloffloadacladditional']) == 'yes' || ifset($frontend['ssloffloadacladditionalnondefault']) == 'yes') {
 $certs = $frontend['ha_certificates']['item'];
 if (is_array($certs)){
 foreach($certs as $certref){
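Review bot: Replacing the truthiness tests with `ifset(...) == 'yes'` changes which stored values enable the certificate ACLs: a frontend whose `ssloffloadacl*` flags were saved as anything other than the literal string `yes` (for instance `on` or `1` from an older form handler) would silently stop producing its ACL after this change. I cannot see the code that stores these keys, so if it always writes `yes` this is fine, but a comment on the first `if` should record the contract: `// these checkbox flags are stored as the literal string 'yes'; any other value counts as disabled`. Note also that `ifset()` takes its argument by reference, so each call creates the missing key with a null value inside `$frontend`; that is harmless here only because `get_frontend_acls` receives `$frontend` by value. The function starts before and ends after this hunk.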
@@ -1651,10 +1660,10 @@ function get_frontend_acls($frontend) {
 unset($cert);
 $acl_item = array();
- if ($frontend['ssloffloadacladditional'] && $frontend['ssloffloadacladditionalnondefault']) {
+ if (ifset($frontend['ssloffloadacladditional']) == 'yes' && ifset($frontend['ssloffloadacladditionalnondefault']) == 'yes') {
 $acl_item['descr'] = "Certificate ACL match regex: ^{$cert_cn}(:([0-9]){1,5})?$";
 $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_regex', 'value' => "^({$cert_cn}(($)|(:.*)))");
- } elseif ($frontend['ssloffloadacladditionalnondefault']) {
+ } elseif (ifset($frontend['ssloffloadacladditionalnondefault']) == 'yes') {
 $acl_item['descr'] = "Certificate ACL starts with: {$cert_cn}:";
 $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_starts_with', 'value' => $cert_cn.":");
 } else {
@@ -1726,13 +1735,17 @@ function haproxy_find_create_certificate($certificatename) {
 $cert = array();
 $cert['refid'] = uniqid();
 $cert['descr'] = gettext($certificatename);
- mwexec("/usr/local/bin/openssl genrsa 1024 > {$g['tmp_path']}/ssl.key");
- mwexec("/usr/local/bin/openssl req -new -x509 -nodes -sha256 -days 2000 -key {$g['tmp_path']}/ssl.key > {$g['tmp_path']}/ssl.crt");
- $crt = file_get_contents("{$g['tmp_path']}/ssl.crt");
- $key = file_get_contents("{$g['tmp_path']}/ssl.key");
- unlink("{$g['tmp_path']}/ssl.key");
- unlink("{$g['tmp_path']}/ssl.crt");
- cert_import($cert, $crt, $key);
+
+ $new_cert = array();
+ $dn = array(
+ "organizationName" => "haproxy-pfsense",
+ "commonName" => "haproxy-pfsense"
+ );
+ $new_cert = array();
+ ca_create($new_cert, 1024, 2000, $dn);
+ $crt = base64_decode($new_cert['crt']);
+ $prv = base64_decode($new_cert['prv']);
+ cert_import($cert, $crt, $prv);
 $a_cert[] = $cert;
 return $cert;
 }
diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php
index 10a355df..1deabdbb 100644
--- a/config/haproxy-devel/haproxy_listeners.php
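Review bot: `ca_create($new_cert, 1024, 2000, $dn)` generates a 1024-bit RSA key for the package's placeholder TLS certificate; 1024-bit RSA is below the 2048-bit floor that browsers and current guidance accept, and the removed `openssl genrsa 1024` had the same weakness, so this rewrite is the moment to change it to `ca_create($new_cert, 2048, 2000, $dn);`. The helper's name suggests it produces a CA certificate (CA:TRUE basic constraints) rather than a plain server certificate; please confirm that importing such a certificate for use on a listener is intended, or use a server-certificate helper if pfSense offers one. The second `$new_cert = array();` duplicates the first and can go. A short header comment would help as well, e.g. `// Look up the certificate named $certificatename, creating a self-signed placeholder on first use`; `haproxy_find_create_certificate` begins before this hunk.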
+++ b/config/haproxy-devel/haproxy_listeners.php
@@ -134,10 +134,12 @@ include("head.inc");
 $img_cert = "/themes/{$g['theme']}/images/icons/icon_frmfld_cert.png";
 $img_adv = "/themes/{$g['theme']}/images/icons/icon_advanced.gif";
 $img_acl = "/themes/{$g['theme']}/images/icons/icon_ts_rule.gif";
+ $textgray = "";
+ $first = true;
 $last_frontend_shared = false;
 foreach ($a_frontend_grouped as $a_frontend) {
 usort($a_frontend,'sort_sharedfrontends');
- if (count($a_frontend) > 1 || $last_frontend_shared) {
+ if ((count($a_frontend) > 1 || $last_frontend_shared) && !$first) {
 ?> <tr class="<?=$textgray?>"><td colspan="7"> </td></tr> <?
 }
 $last_frontend_shared = count($a_frontend) > 1;
@@ -162,8 +164,8 @@ include("head.inc");
 if (strtolower($frontend['type']) == "http" && $frontend['ssloffload']) {
 $cert = lookup_cert($frontend['ssloffloadcert']);
 $descr = htmlspecialchars($cert['descr']);
- $certs = $frontend['ha_certificates']['item'];
- if (is_array($certs)){
+ if (is_array($frontend['ha_certificates']) && is_array($frontend['ha_certificates']['item'])) {
+ $certs = $frontend['ha_certificates']['item'];
 if (count($certs) > 0){
 foreach($certs as $certitem){
 $cert = lookup_cert($certitem['ssl_certificate']);
@@ -182,12 +184,12 @@ include("head.inc");
 $backend_serverpool = $frontend['backend_serverpool'];
 $backend = get_backend($backend_serverpool );
- if ($backend && is_array($backend['ha_servers']['item'])){
+ if ($backend && is_array($backend['ha_servers']) && is_array($backend['ha_servers']['item'])){
 $servers = $backend['ha_servers']['item'];
 $backend_serverpool_hint = gettext("Servers in pool:");
 if (is_array($servers)){
 foreach($servers as $server){
- if ($server['forwardto'] && $server['forwardto'] != "")
+ if (isset($server['forwardto']) && $server['forwardto'] != "")
 $backend_serverpool_hint .= "\n[".$server['forwardto']."]";
 else
 $backend_serverpool_hint .= "\n".$server['address'].":".$server['port'];
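Review bot: `$first` is initialised to `true` and consulted in the new `&& !$first` condition, but nothing in this hunk ever sets it to `false`; unless it is cleared further down the loop body (outside the visible lines), the spacer `<tr>` will never be emitted for any group and the new condition silently disables the separator altogether. If the intent is to skip the separator only before the first group, add `$first = false;` at the end of the `foreach` body. A short comment next to the flag, e.g. `// suppress the separator row above the very first frontend group`, would document that intent. The `foreach` continues past this hunk.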
diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php
index aa1fa5da..a3a0879d 100644
--- a/config/haproxy-devel/haproxy_pool_edit.php
+++ b/config/haproxy-devel/haproxy_pool_edit.php
@@ -196,26 +196,16 @@ if ($_POST) {
 $reqdfields = explode(" ", "name");
 $reqdfieldsn = explode(",", "Name");
- $pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
- if ($pf_version < 2.1)
- $input_errors = eval('do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); return $input_errors;');
- else
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
 if ($_POST['stats_enabled']) {
 $reqdfields = explode(" ", "name stats_uri");
 $reqdfieldsn = explode(",", "Name,Stats Uri");
- if ($pf_version < 2.1)
- $input_errors = eval('do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); return $input_errors;');
- else
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
 if ($_POST['stats_username']) {
 $reqdfields = explode(" ", "stats_password stats_realm");
 $reqdfieldsn = explode(",", "Stats Password,Stats Realm");
- if ($pf_version < 2.1)
- $input_errors = eval('do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); return $input_errors;');
- else
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
 }
 }
@@ -317,7 +307,7 @@ if ($_POST) {
 } else {
 $a_pools[] = $pool;
 }
- if (!$input_errors) {
+ if (!isset($input_errors)) {
 if ($changecount > 0) {
 touch($d_haproxyconfdirty_path);
 write_config($changedesc);
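Review bot: Changing the save guard from `!$input_errors` to `!isset($input_errors)` makes an empty array count as a failure: should any code between the validation calls and this check initialise `$input_errors = array()` (not visible in this hunk), the pool is never written and no error is displayed either. `do_input_validation` presumably only appends to the array, so the usual path still works, but `if (empty($input_errors)) {` handles both the unset and the empty case without the notice the old form raised, and the matching `print_input_errors` guard further down can use `!empty(...)` the same way. Separately, dropping the `eval()` of a runtime-built string for the pre-2.1 compatibility path is a welcome removal. The enclosing `if ($_POST)` block starts before this hunk.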
@@ -334,10 +324,6 @@ if ($_POST) {
 $pconfig['a_servers']=&$a_pools[$id]['ha_servers']['item'];
 }
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version < 2.0)
- $one_two = true;
-
 $closehead = false;
 $pgtitle = "HAProxy: Backend server pool: Edit";
 include("head.inc");
@@ -453,10 +439,7 @@ foreach($simplefields as $field){
 }
 </script>
 <?php include("fbegin.inc"); ?>
-<?php if ($input_errors) print_input_errors($input_errors); ?>
-<?php if($one_two): ?>
-<p class="pgtitle"><?=$pgtitle?></p>
-<?php endif; ?>
+<?php if (isset($input_errors)) print_input_errors($input_errors); ?>
 <form action="haproxy_pool_edit.php" method="post" name="iform" id="iform">
 <table width="100%" border="0" cellpadding="0" cellspacing="0">
diff --git a/config/haproxy-devel/haproxy_socketinfo.inc b/config/haproxy-devel/haproxy_socketinfo.inc
index 6beb17c5..cbfb131b 100644
--- a/config/haproxy-devel/haproxy_socketinfo.inc
+++ b/config/haproxy-devel/haproxy_socketinfo.inc
@@ -122,6 +122,8 @@ function haproxy_get_clients($show_traffic = false){// "show sess"
 $clients=array();
 $sessions = haproxy_socket_command("show sess");
 foreach($sessions as $line) {
+ if (trim($line) == "")
+ continue;
 list($sessid,$proto,$src,$fe,$be,$srv,$ts,$age,$calls,$rq,$rp,$s0,$s1,$exp) = explode(" ", $line);
 #Retrieve data
 $sessid = explode(":", $sessid);
@@ -149,10 +151,10 @@ function haproxy_get_clients($show_traffic = false){// "show sess"
 $session_data = haproxy_socket_command("show sess {$client['sessid']}");
 $client['session_data'] = $session_data;
- $req = explode(" ",$session_data[13]);
+ $req = explode(" ",$session_data[12]);
 $x = explode("=",$req[7]);
 $client['session_datareq'] = $x[1];
- $res = explode(" ",$session_data[16]);
+ $res = explode(" ",$session_data[15]);
 $x = explode("=",$res[7]);
 $client['session_datares'] = $x[1];
 }
diff --git a/config/haproxy-devel/haproxy_utils.inc b/config/haproxy-devel/haproxy_utils.inc
index a5fb7c64..37c1d623 100644
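Review bot: The `show sess <id>` parsing still depends on fixed line offsets; this change only moves them from 13/16 to 12/15, so the next haproxy release that adds or drops a line in that output breaks `session_datareq`/`session_datares` again, and a missing `$session_data[12]` yields an undefined-offset notice plus an empty value. Since `$req[7]` is split as a `key=value` token, the target lines appear to be the ones carrying `req=`/`res=`; locating them by prefix (loop over `$session_data` and test `strpos(trim($l), 'req=') === 0`) before splitting would make this independent of the line layout. At minimum a comment should record the dependency, e.g. `// offsets 12/15 match the 'show sess <id>' layout of the haproxy version this package ships`. `haproxy_get_clients` begins and ends outside this hunk.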
--- a/config/haproxy-devel/haproxy_utils.inc
+++ b/config/haproxy-devel/haproxy_utils.inc
@@ -33,6 +33,12 @@ require_once("config.inc");
+if(!function_exists('ifset')){
+ function ifset(&$var, $default = ''){
+ return isset($var) ? $var : $default;
+ };
+}
+
 function haproxy_compareByName($a, $b) {
 return strcasecmp($a['name'], $b['name']);
 }
@@ -291,24 +297,28 @@ function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=fal
 $type = ",$type,";
 $certificates = array();
 if (strpos($type,',server,') !== false || strpos($type,',user,') !== false ) {
- $a_cert = &$config['cert'];
- foreach ($a_cert as $cert) {
- $purpose = cert_get_purpose($cert['crt']);
-
- $ok = false;
- $ok |= stristr($type,',server,') && $purpose['server'] == 'Yes';
- $ok |= stristr($type,',user,') && $purpose['server'] != 'Yes';
- if (!$ok)
- continue;
- if ($get_includeWebCert == false && is_webgui_cert($cert['refid']))
- continue;
- $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ if (is_array($config['cert'])) {
+ $a_cert = &$config['cert'];
+ foreach ($a_cert as $cert) {
+ $purpose = cert_get_purpose($cert['crt']);
+
+ $ok = false;
+ $ok |= stristr($type,',server,') && $purpose['server'] == 'Yes';
+ $ok |= stristr($type,',user,') && $purpose['server'] != 'Yes';
+ if (!$ok)
+ continue;
+ if ($get_includeWebCert == false && is_webgui_cert($cert['refid']))
+ continue;
+ $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ }
 }
 }
 if (strpos($type,',ca,') !== false) {
- $a_cert = &$config['ca'];
- foreach ($a_cert as $cert) {
- $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ if (is_array($config['ca'])) {
+ $a_cert = &$config['ca'];
+ foreach ($a_cert as $cert) {
+ $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ }
 }
 }
 uasort($certificates, haproxy_compareByName);
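Review bot: `ifset(&$var, $default)` takes its argument by reference, so calling it on a missing array element — the pattern this commit introduces with `ifset($frontend['ssloffloadacl'])` — makes PHP create that element with a null value in order to hand over the reference. That is invisible on a local copy, but used on a reference into `$config` it would add spurious keys that end up in the saved configuration, so the helper should carry a warning: `// NOTE: by-reference parameter -- calling ifset() on an undefined array key creates that key (null) in the array`. The stray `;` after the closing brace of `function ifset` is harmless but should be dropped.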
@@ -318,13 +328,15 @@ function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=fal
 function haproxy_get_crls() {
 global $config;
 $certificates=array();
- foreach ($config['crl'] as $crl) {
- $caname = "";
- $ca = lookup_ca($crl['caref']);
- if ($ca)
- $caname = " (CA: {$ca['descr']})";
-
- $certificates[$crl['refid']]['name'] = $crl['descr'] . $caname;
+ if (is_array($config['crl'])) {
+ foreach ($config['crl'] as $crl) {
+ $caname = "";
+ $ca = lookup_ca($crl['caref']);
+ if ($ca)
+ $caname = " (CA: {$ca['descr']})";
+
+ $certificates[$crl['refid']]['name'] = $crl['descr'] . $caname;
+ }
 }
 uasort($certificates, haproxy_compareByName);
 return $certificates; |