Diffstat (limited to 'config/haproxy-devel')
-rw-r--r--config/haproxy-devel/haproxy.inc105
-rw-r--r--config/haproxy-devel/haproxy_listeners.php12
-rw-r--r--config/haproxy-devel/haproxy_pool_edit.php27
-rw-r--r--config/haproxy-devel/haproxy_socketinfo.inc6
-rw-r--r--config/haproxy-devel/haproxy_utils.inc56
5 files changed, 109 insertions, 97 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index ce367fb8..a4e9ba06 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -32,6 +32,7 @@
require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("notices.inc");
+require_once("filter.inc");
require_once("haproxy_utils.inc");
require_once("haproxy_xmlrpcsyncclient.inc");
@@ -66,7 +67,7 @@ $a_acltypes["ssl_c_verify"] = array('name' => 'SSL Client certificate valid.',
'mode' => 'http', 'syntax' => 'ssl_fc_has_crt ssl_c_verify 0 ');
$a_acltypes["ssl_c_ca_commonname"] = array('name' => 'SSL Client issued by CA common-name:',
'mode' => 'http', 'syntax' => 'ssl_c_i_dn(CN) %1$s');
-$a_acltypes["source_ip"] = array('name' => 'Source IP:',
+$a_acltypes["source_ip"] = array('name' => 'Source IP matches IP or Alias:',
'mode' => '', 'syntax' => 'src %1$s');
$a_acltypes["backendservercount"] = array('name' => 'Minimum count usable servers:',
'mode' => '', 'syntax' => 'nbsrv(%2$s) ge %1$d', 'parameters' => 'value,backendname');
@@ -78,11 +79,13 @@ $a_acltypes["traffic_is_ssl"] = array('name' => 'Traffic is ssl (no value needed
$a_acltypes["ssl_sni_matches"] = array('name' => 'Server Name Indication TLS extension matches:', 'inspect-delay' => '5',
'mode' => 'https', 'syntax' => 'req.ssl_sni -i %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
$a_acltypes["ssl_sni_contains"] = array('name' => 'Server Name Indication TLS extension contains:', 'inspect-delay' => '5',
- 'mode' => 'https', 'syntax' => 'req.ssl_sni -m sub -i example %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
+ 'mode' => 'https', 'syntax' => 'req.ssl_sni -m sub -i %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
$a_acltypes["ssl_sni_starts_with"] = array('name' => 'Server Name Indication TLS extension starts with:', 'inspect-delay' => '5',
- 'mode' => 'https', 'syntax' => 'req.ssl_sni -m beg -i example %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
+ 'mode' => 'https', 'syntax' => 'req.ssl_sni -m beg -i %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
$a_acltypes["ssl_sni_ends_with"] = array('name' => 'Server Name Indication TLS extension ends with:', 'inspect-delay' => '5',
- 'mode' => 'https', 'syntax' => 'req.ssl_sni -m end -i example %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
+ 'mode' => 'https', 'syntax' => 'req.ssl_sni -m end -i %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
+$a_acltypes["custom"] = array('name' => 'Custom acl:',
+ 'mode' => '', 'syntax' => '%1$s');
global $a_checktypes;
$a_checktypes = array();
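Review bot: The new `custom` ACL type on L46-L47 uses the syntax `%1$s`, so the stored value is emitted into haproxy.cfg unchanged by the `sprintf($acl['syntax'], ...)` call in haproxy_writeconf; unlike every other type in this table it is not wrapped in a fixed fetch expression, so a value containing a line break ends the `acl` line and the remainder is parsed as further configuration directives. That deserves rejecting `\r`/`\n` in the value at input-validation time, or at least normalizing them away before the sprintf, e.g. `$value = str_replace(array("\r", "\n"), ' ', $entry['value']);`. A one-line comment next to the entry, `// 'custom': value is written to the config verbatim; validate on input`, documents the contract for whoever edits the form.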
@@ -95,7 +98,7 @@ $a_checktypes['HTTP'] = array('name' => 'HTTP', 'syntax' => 'httpchk',
// 'Agent' was added in HAProxy1.5dev18, and removed in 1.5dev20, in favor of the seperate agent-check option.
$a_checktypes['Agent'] = array('name' => 'Agent', 'syntax' => 'lb-agent-chk', 'usedifferenport' => 'yes',
'descr' => 'Use a TCP connection to read an ASCII string of the form 100%,75%,drain,down (others in haproxy manual)',
- deprecated => true);
+ 'deprecated' => true);
$a_checktypes['LDAP'] = array('name' => 'LDAP', 'syntax' => 'ldap-check',
'descr' => 'Use LDAPv3 health checks for server testing');
$a_checktypes['MySQL'] = array('name' => 'MySQL', 'syntax' => 'mysql-check',
@@ -261,6 +264,16 @@ function haproxy_portoralias_to_list($port_or_alias) {
return null;
}
+function haproxy_hostoralias_to_list($host_or_alias) {
+ if (is_alias($host_or_alias)){
+ $result = filter_expand_alias_array($host_or_alias);
+ } else {
+ $result = array();
+ $result[] = $host_or_alias;
+ }
+ return $result;
+}
+
function haproxy_custom_php_deinstall_command() {
global $static_output;
$static_output .= "HAProxy, running haproxy_custom_php_deinstall_command()\n";
@@ -1144,8 +1157,16 @@ function haproxy_writeconf($configpath) {
// Filter out acls for different modes
if ($acl['mode'] != '' && $acl['mode'] != strtolower($bind['type']))
continue;
-
- $expr = sprintf($acl['syntax'],$entry['value'],$poolname);
+ if (($entry['expression'] == "source_ip") && is_alias($entry['value'])) {
+ $filename = "$configpath/ipalias_{$entry['value']}.lst";
+ $listitems = haproxy_hostoralias_to_list($entry['value']);
+ $fd_alias = fopen("$filename", "w");
+ foreach($listitems as $item)
+ fwrite($fd_alias, $item."\r\n");
+ fclose($fd_alias);
+ $expr = "src -f $filename";
+ } else
+ $expr = sprintf($acl['syntax'],$entry['value'],$poolname);
$aclname = $i . "_" . $entry['name'];
$aclnames .= $aclname." ";
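Review bot: The `fopen("$filename", "w")` on L84 is not checked, so when the config directory cannot be written the `fwrite`/`fclose` calls on L86-L87 only emit warnings while the `src -f $filename` ACL on L88 still references a file that does not exist, and haproxy then rejects the whole configuration at reload; a guard such as `if ($fd_alias === false) { syslog(LOG_ERR, "haproxy: cannot write $filename"); continue; }` (or falling back to the plain `src` expression) keeps the failure visible. The list is written with `"\r\n"` line endings on L86; haproxy's pattern-file reader appears to tolerate a trailing CR, but LF alone is the documented format, so `"\n"` is the safer choice. Whether `filter_expand_alias_array` can return hostnames for a host alias is not visible here; `src` only matches addresses, so non-address items should be dropped before writing. haproxy_writeconf starts and ends outside the hunk.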
@@ -1396,15 +1417,29 @@ function haproxy_check_run($reload) {
} else
mwexec("/usr/local/sbin/ipfw_context -d haproxy", true);
+ if (file_exists('/var/run/haproxy.pid')){
+ $old_pid = file_get_contents('/var/run/haproxy.pid');
+ } else
+ $old_pid = 'none';
+
if (haproxy_is_running()) {
if (isset($a_global['terminate_on_reload']))
$sf_st = "-st";//terminate old process as soon as the new process is listening
else
$sf_st = "-sf";//finish serving existing connections exit when done, and the new process is listening
+
+ syslog(LOG_NOTICE, "haproxy: reload old pid:$old_pid");
exec("/usr/local/sbin/haproxy -f {$configpath}/haproxy.cfg -p /var/run/haproxy.pid $sf_st `cat /var/run/haproxy.pid` 2>&1", $output, $errcode);
} else {
+ syslog(LOG_NOTICE, "haproxy: starting old pid:$old_pid");
exec("/usr/local/sbin/haproxy -f {$configpath}/haproxy.cfg -p /var/run/haproxy.pid -D 2>&1", $output, $errcode);
}
+ if (file_exists('/var/run/haproxy.pid')){
+ $new_pid = file_get_contents('/var/run/haproxy.pid');
+ } else
+ $new_pid = 'none';
+ syslog(LOG_NOTICE, "haproxy: started new pid:$new_pid");
+
foreach($output as $line)
$haproxy_run_message .= "<br/>" . htmlspecialchars($line) . "\n";
} else {
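Review bot: `$old_pid` on L97 is read from the pid file untrimmed, so the syslog line on L107 carries the file's trailing newline, and on L108 the pid is read a second time through the `cat` backtick instead of reusing the value just read; `$old_pid = trim(file_get_contents('/var/run/haproxy.pid'));` plus `$sf_st $old_pid` in the exec string give one source of truth. `file_get_contents` can also return false, in which case the log shows an empty pid rather than `none`. Reading `$new_pid` on L113-L114 immediately after `exec` presumably races the daemon writing its pid file, so the "started new pid" line may still show the old pid; a comment marking it as best-effort would avoid misleading whoever reads the log. haproxy_check_run continues outside the hunk.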
@@ -1560,31 +1595,6 @@ function get_haproxy_frontends($excludeitem="") {
return $result;
}
-function explode_ports($ports_list) {
- $ports_list = split(",", $ports_list);
- $result = array();
- foreach($ports_list as $port){
- //$result = array_merge($result,haproxy_portoralias_to_list($port));
- $items = haproxy_portoralias_to_list($port);
- foreach($items as $item){
- if (is_portrange($item)) {
- $portrange = explode(":", $item);
- for($i=$portrange[0];$i<=$portrange[1];$i++)
- $result[] = $i;
- } else if (is_port($item)) // in pfSense 2.1 is_port returns true for a portrange also..
- $result[] = $item;
- }
- }
- //$result = group_ports($result); << deze maakt er weer portranges van.. maar zoekt wel de unieke. wat dan wel weer handig was.
- return $result;
-}
-
-function get_frontend_ports($mainfrontend) {
-
- $ports = $mainfrontend['port'];
- return explode_ports($ports);
-}
-
function generate_cert_acl($crt, $defaultport, $nondefaultport){
// The host header send by a browser will contain the portnumber when a nondefault port is used for the server side.
@@ -1620,19 +1630,18 @@ function get_frontend_acls($frontend) {
$poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']);
$aclname = "SNI_" . $poolname;
- //$ports = get_frontend_ports($mainfrontend);
- if ($frontend['ssloffloadacl'] || $frontend['ssloffloadaclnondefault']) {
+ if (ifset($frontend['ssloffloadacl']) == 'yes' || ifset($frontend['ssloffloadaclnondefault']) == 'yes') {
$cert = lookup_cert($frontend['ssloffloadcert']);
$cert_cn = cert_get_cn($cert['crt']);
$descr = haproxy_escape_acl_name($cert['descr']);
unset($cert);
$acl_item = array();
- if ($frontend['ssloffloadacl'] && $frontend['ssloffloadaclnondefault']) {
+ if (ifset($frontend['ssloffloadacl']) == 'yes' && ifset($frontend['ssloffloadaclnondefault']) == 'yes') {
$acl_item['descr'] = "Certificate ACL match regex: ^{$cert_cn}(:([0-9]){1,5})?$";
$acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_regex', 'value' => "^{$cert_cn}(:([0-9]){1,5})?$");
- } elseif ($frontend['ssloffloadaclnondefault']) {
+ } elseif (ifset($frontend['ssloffloadaclnondefault']) == 'yes') {
$acl_item['descr'] = "Certificate ACL starts with: {$cert_cn}:";
$acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_starts_with', 'value' => $cert_cn.":");
} else {
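Review bot: The `ifset(...) == 'yes'` tests on L157, L164 and L168 (and again in the next two hunks on L177, L185 and L189) repeat the same two lookups up to three times per branch; evaluating them once, `$acl_default = ifset($frontend['ssloffloadacl']) === 'yes';` and `$acl_nondefault = ifset($frontend['ssloffloadaclnondefault']) === 'yes';`, makes the three-way branch readable and turns the loose `==` into a strict comparison. Note that `ifset` takes its argument by reference, so each call creates the missing key with a null value in `$frontend`; harmless here because `$frontend` is a by-value parameter, but worth a comment. get_frontend_acls starts and ends outside the hunk.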
@@ -1641,7 +1650,7 @@ function get_frontend_acls($frontend) {
}
$result[] = $acl_item;
}
- if ($frontend['ssloffloadacladditional'] || $frontend['ssloffloadacladditionalnondefault']) {
+ if (ifset($frontend['ssloffloadacladditional']) == 'yes' || ifset($frontend['ssloffloadacladditionalnondefault']) == 'yes') {
$certs = $frontend['ha_certificates']['item'];
if (is_array($certs)){
foreach($certs as $certref){
@@ -1651,10 +1660,10 @@ function get_frontend_acls($frontend) {
unset($cert);
$acl_item = array();
- if ($frontend['ssloffloadacladditional'] && $frontend['ssloffloadacladditionalnondefault']) {
+ if (ifset($frontend['ssloffloadacladditional']) == 'yes' && ifset($frontend['ssloffloadacladditionalnondefault']) == 'yes') {
$acl_item['descr'] = "Certificate ACL match regex: ^{$cert_cn}(:([0-9]){1,5})?$";
$acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_regex', 'value' => "^({$cert_cn}(($)|(:.*)))");
- } elseif ($frontend['ssloffloadacladditionalnondefault']) {
+ } elseif (ifset($frontend['ssloffloadacladditionalnondefault']) == 'yes') {
$acl_item['descr'] = "Certificate ACL starts with: {$cert_cn}:";
$acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_starts_with', 'value' => $cert_cn.":");
} else {
@@ -1726,13 +1735,17 @@ function haproxy_find_create_certificate($certificatename) {
$cert = array();
$cert['refid'] = uniqid();
$cert['descr'] = gettext($certificatename);
- mwexec("/usr/local/bin/openssl genrsa 1024 > {$g['tmp_path']}/ssl.key");
- mwexec("/usr/local/bin/openssl req -new -x509 -nodes -sha256 -days 2000 -key {$g['tmp_path']}/ssl.key > {$g['tmp_path']}/ssl.crt");
- $crt = file_get_contents("{$g['tmp_path']}/ssl.crt");
- $key = file_get_contents("{$g['tmp_path']}/ssl.key");
- unlink("{$g['tmp_path']}/ssl.key");
- unlink("{$g['tmp_path']}/ssl.crt");
- cert_import($cert, $crt, $key);
+
+ $new_cert = array();
+ $dn = array(
+ "organizationName" => "haproxy-pfsense",
+ "commonName" => "haproxy-pfsense"
+ );
+ $new_cert = array();
+ ca_create($new_cert, 1024, 2000, $dn);
+ $crt = base64_decode($new_cert['crt']);
+ $prv = base64_decode($new_cert['prv']);
+ cert_import($cert, $crt, $prv);
$a_cert[] = $cert;
return $cert;
}
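Review bot: The replacement still generates the self-signed certificate with a 1024-bit RSA key (`ca_create($new_cert, 1024, 2000, $dn)` on L211), matching the removed openssl command but below the 2048-bit minimum current TLS clients accept; `ca_create($new_cert, 2048, 2000, $dn);` is the one-line fix. `$new_cert = array();` on L205 duplicates L210 and can go. `ca_create`'s return value is not checked; if it can fail, `$new_cert['crt']` is undefined and an empty certificate is imported on L214, so the call should be guarded. Whether a certificate produced by a CA-creation helper carries CA extensions that are undesirable for a server certificate is not visible here; a comment explaining why `ca_create` rather than a server-certificate helper is used would help the next reader.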
diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php
index 10a355df..1deabdbb 100644
--- a/config/haproxy-devel/haproxy_listeners.php
+++ b/config/haproxy-devel/haproxy_listeners.php
@@ -134,10 +134,12 @@ include("head.inc");
$img_cert = "/themes/{$g['theme']}/images/icons/icon_frmfld_cert.png";
$img_adv = "/themes/{$g['theme']}/images/icons/icon_advanced.gif";
$img_acl = "/themes/{$g['theme']}/images/icons/icon_ts_rule.gif";
+ $textgray = "";
+ $first = true;
$last_frontend_shared = false;
foreach ($a_frontend_grouped as $a_frontend) {
usort($a_frontend,'sort_sharedfrontends');
- if (count($a_frontend) > 1 || $last_frontend_shared) {
+ if ((count($a_frontend) > 1 || $last_frontend_shared) && !$first) {
?> <tr class="<?=$textgray?>"><td colspan="7">&nbsp;</td></tr> <?
}
$last_frontend_shared = count($a_frontend) > 1;
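Review bot: `$first` is initialized to true on L227 and tested on L232, but nothing in the hunk ever sets it to false, so unless it is cleared later in the loop body (outside the hunk) the spacer row is never printed for any group; the usual shape is `$first = false;` at the end of each iteration, right after the `$last_frontend_shared` assignment. `$textgray` on L226 is initialized to an empty string and only used in the `class` attribute on L233, which yields a harmless `class=""`; a short comment naming its intended purpose would make that deliberate.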
@@ -162,8 +164,8 @@ include("head.inc");
if (strtolower($frontend['type']) == "http" && $frontend['ssloffload']) {
$cert = lookup_cert($frontend['ssloffloadcert']);
$descr = htmlspecialchars($cert['descr']);
- $certs = $frontend['ha_certificates']['item'];
- if (is_array($certs)){
+ if (is_array($frontend['ha_certificates']) && is_array($frontend['ha_certificates']['item'])) {
+ $certs = $frontend['ha_certificates']['item'];
if (count($certs) > 0){
foreach($certs as $certitem){
$cert = lookup_cert($certitem['ssl_certificate']);
@@ -182,12 +184,12 @@ include("head.inc");
$backend_serverpool = $frontend['backend_serverpool'];
$backend = get_backend($backend_serverpool );
- if ($backend && is_array($backend['ha_servers']['item'])){
+ if ($backend && is_array($backend['ha_servers']) && is_array($backend['ha_servers']['item'])){
$servers = $backend['ha_servers']['item'];
$backend_serverpool_hint = gettext("Servers in pool:");
if (is_array($servers)){
foreach($servers as $server){
- if ($server['forwardto'] && $server['forwardto'] != "")
+ if (isset($server['forwardto']) && $server['forwardto'] != "")
$backend_serverpool_hint .= "\n[".$server['forwardto']."]";
else
$backend_serverpool_hint .= "\n".$server['address'].":".$server['port'];
diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php
index aa1fa5da..a3a0879d 100644
--- a/config/haproxy-devel/haproxy_pool_edit.php
+++ b/config/haproxy-devel/haproxy_pool_edit.php
@@ -196,26 +196,16 @@ if ($_POST) {
$reqdfields = explode(" ", "name");
$reqdfieldsn = explode(",", "Name");
- $pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
- if ($pf_version < 2.1)
- $input_errors = eval('do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); return $input_errors;');
- else
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
if ($_POST['stats_enabled']) {
$reqdfields = explode(" ", "name stats_uri");
$reqdfieldsn = explode(",", "Name,Stats Uri");
- if ($pf_version < 2.1)
- $input_errors = eval('do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); return $input_errors;');
- else
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
if ($_POST['stats_username']) {
$reqdfields = explode(" ", "stats_password stats_realm");
$reqdfieldsn = explode(",", "Stats Password,Stats Realm");
- if ($pf_version < 2.1)
- $input_errors = eval('do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); return $input_errors;');
- else
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
}
}
@@ -317,7 +307,7 @@ if ($_POST) {
} else {
$a_pools[] = $pool;
}
- if (!$input_errors) {
+ if (!isset($input_errors)) {
if ($changecount > 0) {
touch($d_haproxyconfdirty_path);
write_config($changedesc);
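Review bot: `!isset($input_errors)` on L297 only behaves like the old `!$input_errors` when the variable is never initialized; if `$input_errors = array();` exists earlier in the file (not visible here) or `do_input_validation` initializes it, isset returns true even with no errors and the config is silently never written. `if (empty($input_errors))` covers both cases. The same applies to the `isset($input_errors)` guard around print_input_errors on L319 in the last hunk of this file.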
@@ -334,10 +324,6 @@ if ($_POST) {
$pconfig['a_servers']=&$a_pools[$id]['ha_servers']['item'];
}
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version < 2.0)
- $one_two = true;
-
$closehead = false;
$pgtitle = "HAProxy: Backend server pool: Edit";
include("head.inc");
@@ -453,10 +439,7 @@ foreach($simplefields as $field){
}
</script>
<?php include("fbegin.inc"); ?>
-<?php if ($input_errors) print_input_errors($input_errors); ?>
-<?php if($one_two): ?>
-<p class="pgtitle"><?=$pgtitle?></p>
-<?php endif; ?>
+<?php if (isset($input_errors)) print_input_errors($input_errors); ?>
<form action="haproxy_pool_edit.php" method="post" name="iform" id="iform">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
diff --git a/config/haproxy-devel/haproxy_socketinfo.inc b/config/haproxy-devel/haproxy_socketinfo.inc
index 6beb17c5..cbfb131b 100644
--- a/config/haproxy-devel/haproxy_socketinfo.inc
+++ b/config/haproxy-devel/haproxy_socketinfo.inc
@@ -122,6 +122,8 @@ function haproxy_get_clients($show_traffic = false){// "show sess"
$clients=array();
$sessions = haproxy_socket_command("show sess");
foreach($sessions as $line) {
+ if (trim($line) == "")
+ continue;
list($sessid,$proto,$src,$fe,$be,$srv,$ts,$age,$calls,$rq,$rp,$s0,$s1,$exp) = explode(" ", $line);
#Retrieve data
$sessid = explode(":", $sessid);
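Review bot: The blank-line skip on L330-L331 handles empty output lines, but the `list(...) = explode(" ", $line)` on L332 still assumes exactly 14 space-separated fields; a line with fewer fields (a trailing status line, or a format change between haproxy versions) produces undefined-offset notices and a half-filled client record. `$fields = explode(" ", $line); if (count($fields) < 14) continue;` before the destructuring is a cheap guard. haproxy_get_clients continues outside the hunk.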
@@ -149,10 +151,10 @@ function haproxy_get_clients($show_traffic = false){// "show sess"
$session_data = haproxy_socket_command("show sess {$client['sessid']}");
$client['session_data'] = $session_data;
- $req = explode(" ",$session_data[13]);
+ $req = explode(" ",$session_data[12]);
$x = explode("=",$req[7]);
$client['session_datareq'] = $x[1];
- $res = explode(" ",$session_data[16]);
+ $res = explode(" ",$session_data[15]);
$x = explode("=",$res[7]);
$client['session_datares'] = $x[1];
}
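Review bot: The index change from 13 to 12 and 16 to 15 on L339 and L343 is unexplained; these offsets into the `show sess <id>` output are evidently tied to a particular haproxy version's line layout, so a comment such as `// lines 12 and 15 of "show sess <id>" hold the req/rsp buffer fields for the haproxy version shipped with this package; re-check on upgrade` would save the next person repeating this diff. `$session_data[12]`, `$req[7]` and `$x[1]` are also read without checking the arrays have that many entries, so a shorter or differently formatted response yields notices rather than a clear failure. haproxy_get_clients starts and ends outside the hunk.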
diff --git a/config/haproxy-devel/haproxy_utils.inc b/config/haproxy-devel/haproxy_utils.inc
index a5fb7c64..37c1d623 100644
--- a/config/haproxy-devel/haproxy_utils.inc
+++ b/config/haproxy-devel/haproxy_utils.inc
@@ -33,6 +33,12 @@
require_once("config.inc");
+if(!function_exists('ifset')){
+ function ifset(&$var, $default = ''){
+ return isset($var) ? $var : $default;
+ };
+}
+
function haproxy_compareByName($a, $b) {
return strcasecmp($a['name'], $b['name']);
}
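Review bot: The `};` on L356 is a stray empty statement after the function body and should be `}`. The by-reference parameter `&$var` is what lets `ifset($arr['key'])` avoid an undefined-index notice, but it also creates that key with a null value in the caller's array; a short comment on the definition, `// $var is by-reference so a missing array element can be tested without a notice; note this creates the element as null in the caller`, makes that side effect explicit. Wrapping the definition in `function_exists` means the effective signature depends on load order if the host system ever ships its own `ifset`; a comment stating which definition is expected to win would help.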
@@ -291,24 +297,28 @@ function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=fal
$type = ",$type,";
$certificates = array();
if (strpos($type,',server,') !== false || strpos($type,',user,') !== false ) {
- $a_cert = &$config['cert'];
- foreach ($a_cert as $cert) {
- $purpose = cert_get_purpose($cert['crt']);
-
- $ok = false;
- $ok |= stristr($type,',server,') && $purpose['server'] == 'Yes';
- $ok |= stristr($type,',user,') && $purpose['server'] != 'Yes';
- if (!$ok)
- continue;
- if ($get_includeWebCert == false && is_webgui_cert($cert['refid']))
- continue;
- $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ if (is_array($config['cert'])) {
+ $a_cert = &$config['cert'];
+ foreach ($a_cert as $cert) {
+ $purpose = cert_get_purpose($cert['crt']);
+
+ $ok = false;
+ $ok |= stristr($type,',server,') && $purpose['server'] == 'Yes';
+ $ok |= stristr($type,',user,') && $purpose['server'] != 'Yes';
+ if (!$ok)
+ continue;
+ if ($get_includeWebCert == false && is_webgui_cert($cert['refid']))
+ continue;
+ $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ }
}
}
if (strpos($type,',ca,') !== false) {
- $a_cert = &$config['ca'];
- foreach ($a_cert as $cert) {
- $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ if (is_array($config['ca'])) {
+ $a_cert = &$config['ca'];
+ foreach ($a_cert as $cert) {
+ $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ }
}
}
uasort($certificates, haproxy_compareByName);
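Review bot: `is_array($config['cert'])` on L378 (likewise L398, and L417 in the next hunk) still indexes the missing key before testing it, so on a config without any certificates the guard itself emits the undefined-index notice it was added to avoid; `if (isset($config['cert']) && is_array($config['cert']))` or `if (!empty($config['cert']))` tests without touching the key. The `$a_cert = &$config['cert'];` reference on L379 and L399 is not needed for a read-only loop, and `foreach ($config['cert'] as $cert)` avoids the alias. haproxy_get_certificates starts outside the hunk.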
@@ -318,13 +328,15 @@ function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=fal
function haproxy_get_crls() {
global $config;
$certificates=array();
- foreach ($config['crl'] as $crl) {
- $caname = "";
- $ca = lookup_ca($crl['caref']);
- if ($ca)
- $caname = " (CA: {$ca['descr']})";
-
- $certificates[$crl['refid']]['name'] = $crl['descr'] . $caname;
+ if (is_array($config['crl'])) {
+ foreach ($config['crl'] as $crl) {
+ $caname = "";
+ $ca = lookup_ca($crl['caref']);
+ if ($ca)
+ $caname = " (CA: {$ca['descr']})";
+
+ $certificates[$crl['refid']]['name'] = $crl['descr'] . $caname;
+ }
}
uasort($certificates, haproxy_compareByName);
return $certificates;