diff options
Diffstat (limited to 'config/haproxy-devel')
| -rw-r--r-- | config/haproxy-devel/haproxy.inc | 210 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy.widget.php | 2 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy.xml | 33 | ||||
| -rwxr-xr-x | config/haproxy-devel/haproxy_global.php | 88 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_htmllist.inc | 2 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_listeners.php | 10 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_listeners_edit.php | 39 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_pool_edit.php | 65 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_pools.php | 2 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_socketinfo.inc | 2 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_stats.php | 7 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_utils.inc | 2 |
12 files changed, 327 insertions, 135 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index 273091b3..76b836b6 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -158,6 +158,88 @@ $a_sticky_type['stick_rdp_cookie'] = array('name' => 'Stick on RDP-cookie', 'descr' => "Uses a RDP-Cookie send by the mstsc client, note that not all clients send this.", 'cookiedescr' => 'EXAMPLE: msts or mstshash'); +if(!function_exists('group_ports')){ +// function group_ports() is present in pfSense 2.2 in util.inc +/* create ranges of sequential port numbers (200:215) and remove duplicates */ +function group_ports($ports) { + if (!is_array($ports) || empty($ports)) + return; + + $uniq = array(); + foreach ($ports as $port) { + if (is_portrange($port)) { + list($begin, $end) = explode(":", $port); + if ($begin > $end) { + $aux = $begin; + $begin = $end; + $end = $aux; + } + for ($i = $begin; $i <= $end; $i++) + if (!in_array($i, $uniq)) + $uniq[] = $i; + } else if (is_port($port)) { + if (!in_array($port, $uniq)) + $uniq[] = $port; + } + } + sort($uniq, SORT_NUMERIC); + + $result = array(); + foreach ($uniq as $idx => $port) { + if ($idx == 0) { + $result[] = $port; + continue; + } + + $last = end($result); + if (is_portrange($last)) + list($begin, $end) = explode(":", $last); + else + $begin = $end = $last; + + if ($port == ($end+1)) { + $end++; + $result[count($result)-1] = "{$begin}:{$end}"; + } else { + $result[] = $port; + } + } + + return $result; +} +} + +function haproxy_portoralias_to_list($port_or_alias) { + // input: a port or aliasname: 80 https MyPortAlias + // returns: a array of ports and portranges 80 443 8000:8010 + global $config; + $portresult = array(); + if (is_alias($port_or_alias)) { + if (is_array($config['aliases']['alias'])) { + foreach ($config['aliases']['alias'] as $alias) { + if ($alias['name'] == $port_or_alias && preg_match("/port/i", $alias['type'])) { + $ports = explode(' ',$alias['address']); + foreach($ports as $port) { + $portresults = haproxy_portoralias_to_list($port); + $portresult = array_merge($portresult, $portresults); + } + return $portresult; + } + } + } + } else if (is_portrange($port_or_alias)) { + return (array)$port_or_alias; + } else if (is_port($port_or_alias)) { + if (getservbyname($port_or_alias, "tcp")) + return (array)getservbyname($port_or_alias, "tcp"); + if (getservbyname($port_or_alias, "udp")) + return (array)getservbyname($port_or_alias, "udp"); + return (array)$port_or_alias; + } + else + return null; +} + function haproxy_custom_php_deinstall_command() { global $static_output; $static_output .= "HAProxy, running haproxy_custom_php_deinstall_command()\n"; @@ -196,7 +278,7 @@ function haproxy_custom_php_install_command() { name="haproxy" rcvar=`set_rcvar` -command="/usr/local/bin/haproxy" +command="/usr/pbi/haproxy-devel-`uname -m`/sbin/haproxy" haproxy_enable=\${haproxy-"YES"} start_cmd="haproxy_start" @@ -636,13 +718,11 @@ function write_backend($fd, $name, $pool, $frontend) { function haproxy_configure() { global $g; // reload haproxy - haproxy_writeconf("{$g['varetc_path']}/haproxy"); return haproxy_check_run(1); } function haproxy_check_and_run(&$messages, $reload) { global $g; - $configpath = "{$g['varetc_path']}/haproxy"; $testpath = "{$g['varetc_path']}/haproxy_test"; haproxy_writeconf($testpath); $retval = exec("haproxy -c -V -f $testpath/haproxy.cfg 2>&1", $output, $err); @@ -660,7 +740,6 @@ function haproxy_check_and_run(&$messages, $reload) { $ok = strstr($retval, "Configuration file is valid"); if ($ok && $reload) { global $haproxy_run_message; - haproxy_writeconf($configpath); rmdir_recursive($testpath); $ok = haproxy_check_run(1) == 0; $messages = $haproxy_run_message; @@ -734,7 +813,8 @@ function haproxy_writeconf($configpath) { fwrite ($fd, "\tbind 127.0.0.1:$localstatsport\n"); fwrite ($fd, "\tmode http\n"); fwrite ($fd, "\tstats enable\n"); - fwrite ($fd, "\tstats refresh 10\n"); + if (is_numeric($a_global['localstats_refreshtime'])) + fwrite ($fd, "\tstats refresh {$a_global['localstats_refreshtime']}\n"); fwrite ($fd, "\tstats admin if TRUE\n"); fwrite ($fd, "\tstats uri /haproxy_stats.php?haproxystats=1\n"); fwrite ($fd, "\ttimeout client 5000\n"); @@ -841,9 +921,13 @@ function haproxy_writeconf($configpath) { // Process and add bind directives for ports $ip = haproxy_interface_ip($bind['extaddr']); if ($ip){ - foreach($ports as $port) { - if($port) { - $listenip .= "\tbind\t\t\t$ip:{$port} {$ssl_info} {$advanced_bind}\n"; + foreach($ports as $alias_or_port) { + if($alias_or_port) { + $portsnumeric = group_ports(haproxy_portoralias_to_list($alias_or_port)); + foreach($portsnumeric as $portnumeric) { + $portnumeric = str_replace(":","-",$portnumeric); + $listenip .= "\tbind\t\t\t$ip:{$portnumeric} {$ssl_info} {$advanced_bind}\n"; + } } } } @@ -899,10 +983,8 @@ function haproxy_writeconf($configpath) { $default_backend = ""; $i = 0; foreach ($bind['config'] as $frontend) { - $a_acl=&$frontend['ha_acls']['item']; - if(!is_array($a_acl)) - $a_acl=array(); - + $a_acl = get_frontend_acls($frontend); + $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']); // Create different pools if the svrport is set @@ -914,31 +996,6 @@ function haproxy_writeconf($configpath) { $a_pendingpl[$poolname]['name'] = $poolname; $a_pendingpl[$poolname]['frontend'] = $frontend; } - - if (strtolower($bind['type']) == "http" && $frontend['ssloffload']) { - $aclname = "SNI_" . $poolname; - if ($frontend['ssloffloadacl']){ - $cert = lookup_cert($frontend['ssloffloadcert']); - $cert_cn = cert_get_cn($cert['crt']); - $descr = haproxy_escape_acl_name($cert['descr']); - $a_acl[] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); - unset($cert); - } - if ($frontend['ssloffloadacladditional']){ - $certs = $frontend['ha_certificates']['item']; - if (is_array($certs)){ - if (count($certs) > 0){ - foreach($certs as $certref){ - $cert = lookup_cert($certref['ssl_certificate']); - $cert_cn = cert_get_cn($cert['crt']); - $descr = haproxy_escape_acl_name($cert['descr']); - $a_acl[] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); - unset($cert); - } - } - } - } - } // Write this out once, and must be before any backend config text if (($default_backend == "" || $frontend['secondary'] != 'yes') && count($a_acl) == 0 ) { @@ -948,8 +1005,8 @@ function haproxy_writeconf($configpath) { // combine acl's with same name to allow for 'combined checks' to check for example hostname and fileextension together.. $a_acl_combine = array(); foreach ($a_acl as $entry) { - $name = $entry['name']; - $a_acl_combine[$name][] = $entry; + $name = $entry['ref']['name']; + $a_acl_combine[$name][] = $entry['ref']; } foreach ($a_acl_combine as $a_usebackend) { @@ -1132,18 +1189,27 @@ function load_ipfw_rules() { mwexec("/sbin/ipfw -x $ipfw_zone_haproxy -q {$g['tmp_path']}/ipfw_{$ipfw_zone_haproxy}.haproxy.rules", true); } +function haproxy_plugin_carp($pluginparams) { + // called by pfSense when a CARP interface changes its state (called multiple times when multiple interfaces change state) + // $pluginparams['type'] always 'carp' + // $pluginparams['event'] either 'rc.carpmaster' or 'rc.carpbackup' + // $pluginparams['interface'] contains the affected interface + $type = $pluginparams['type']; + $event = $pluginparams['event']; + $interface = $pluginparams['interface']; + haproxy_check_run(0); +} + function haproxy_check_run($reload) { global $config, $g, $haproxy_run_message; + $haproxylock = lock("haproxy", LOCK_EX); $a_global = &$config['installedpackages']['haproxy']; $configpath = "{$g['varetc_path']}/haproxy"; - - if(use_transparent_clientip_proxying()) { - filter_configure(); - load_ipfw_rules(); - } else - mwexec("/usr/local/sbin/ipfw_context -d haproxy", true); + if ($reload) + haproxy_writeconf($configpath); + if(isset($a_global['enable'])) { if (isset($a_global['carpdev'])) { $status = get_carp_interface_status($a_global['carpdev']); @@ -1153,15 +1219,25 @@ function haproxy_check_run($reload) { //exec("/bin/pkill -F /var/run/haproxy.pid haproxy");//doesnt work for multiple pid's in a pidfile haproxy_kill(); } + unlock($haproxylock); return (0); } else if (haproxy_is_running() && $reload == 0) { + unlock($haproxylock); return (0); } log_error("Starting haproxy on CARP master."); /* fallthrough */ - } else if ($reload == 0) + } else if ($reload == 0){ + unlock($haproxylock); return (0); + } + if(use_transparent_clientip_proxying()) { + filter_configure(); + load_ipfw_rules(); + } else + mwexec("/usr/local/sbin/ipfw_context -d haproxy", true); + if (haproxy_is_running()) { if (isset($a_global['terminate_on_reload'])) $sf_st = "-st";//terminate old process as soon as the new process is listening @@ -1173,14 +1249,15 @@ function haproxy_check_run($reload) { } foreach($output as $line) $haproxy_run_message .= "<br/>" . htmlspecialchars($line) . "\n"; - return ($errcode); } else { if ($reload && haproxy_is_running()) { //exec("/bin/pkill -F /var/run/haproxy.pid haproxy");//doesnt work for multiple pid's in a pidfile haproxy_kill(); } - return (0); + $errcode = 0; } + unlock($haproxylock); + return ($errcode); } function haproxy_kill($killimmediately = true) { @@ -1337,6 +1414,43 @@ function get_frontend_acls($frontend) { $result[] = $acl_item; } } + + $mainfrontend = get_primaryfrontend($frontend); + if (strtolower($mainfrontend['type']) == "http" && $mainfrontend['ssloffload']) { + $a_acl = &$frontend['ha_acls']['item']; + if(!is_array($a_acl)) + $a_acl=array(); + + $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']); + $aclname = "SNI_" . $poolname; + if ($frontend['ssloffloadacl']){ + $cert = lookup_cert($frontend['ssloffloadcert']); + $cert_cn = cert_get_cn($cert['crt']); + $descr = haproxy_escape_acl_name($cert['descr']); + unset($cert); + $acl_item = array(); + $acl_item['descr'] = "Certificate ACL ".$cert_cn; + $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); + $result[] = $acl_item; + } + if ($frontend['ssloffloadacladditional']){ + $certs = $frontend['ha_certificates']['item']; + if (is_array($certs)){ + if (count($certs) > 0){ + foreach($certs as $certref){ + $cert = lookup_cert($certref['ssl_certificate']); + $cert_cn = cert_get_cn($cert['crt']); + $descr = haproxy_escape_acl_name($cert['descr']); + unset($cert); + $acl_item = array(); + $acl_item['descr'] = "Additional certificate ACLs: ".$cert_cn; + $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); + $result[] = $acl_item; + } + } + } + } + } return $result; } diff --git a/config/haproxy-devel/haproxy.widget.php b/config/haproxy-devel/haproxy.widget.php index 7954e404..5d664e81 100644 --- a/config/haproxy-devel/haproxy.widget.php +++ b/config/haproxy-devel/haproxy.widget.php @@ -3,7 +3,7 @@ Copyright (C) 2013 PiBa-NL Copyright 2011 Thomas Schaefer - Tomschaefer.org Copyright 2011 Marcello Coutinho - Part of pfSense widgets (www.pfsense.com) + Part of pfSense widgets (www.pfsense.org) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: diff --git a/config/haproxy-devel/haproxy.xml b/config/haproxy-devel/haproxy.xml index bbc32575..5c534522 100644 --- a/config/haproxy-devel/haproxy.xml +++ b/config/haproxy-devel/haproxy.xml @@ -58,76 +58,81 @@ <executable>haproxy</executable> <description>The Reliable, High Performance TCP/HTTP Load Balancer</description> </service> + <plugins> + <item> + <type>plugin_carp</type> + </item> + </plugins> <configpath>installedpackages->haproxy->config</configpath> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_listeners.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_listeners.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_listeners_edit.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_listeners_edit.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_global.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_global.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_pools.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_pools.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_pool_edit.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_pool_edit.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_stats.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_stats.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_socketinfo.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_socketinfo.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_htmllist.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_htmllist.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_utils.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_utils.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/widgets/widgets/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.widget.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.widget.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/shortcuts/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/haproxy-devel/pkg_haproxy.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/pkg_haproxy.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/pkg_haproxy_tabs.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/pkg_haproxy_tabs.inc</item> </additional_files_needed> <custom_delete_php_command> </custom_delete_php_command> diff --git a/config/haproxy-devel/haproxy_global.php b/config/haproxy-devel/haproxy_global.php index 8264558f..44f01dc5 100755 --- a/config/haproxy-devel/haproxy_global.php +++ b/config/haproxy-devel/haproxy_global.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_pool.php,v 1.5.2.6 2007/03/02 23:48:32 smos Exp $ */ /* haproxy_global.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> @@ -36,6 +36,8 @@ require_once("haproxy_utils.inc"); require_once("globals.inc"); require_once("pkg_haproxy_tabs.inc"); +$simplefields = array('localstats_refreshtime','localstats_sticktable_refreshtime'); + if (!is_array($config['installedpackages']['haproxy'])) $config['installedpackages']['haproxy'] = array(); @@ -68,7 +70,13 @@ if ($_POST) { $input_errors[] = "The maximum number of connections should be numeric."; if ($_POST['localstatsport'] && (!is_numeric($_POST['localstatsport']))) - $input_errors[] = "The local stats port should be numeric."; + $input_errors[] = "The local stats port should be numeric or empty."; + + if ($_POST['localstats_refreshtime'] && (!is_numeric($_POST['localstats_refreshtime']))) + $input_errors[] = "The local stats refresh time should be numeric or empty."; + + if ($_POST['localstats_sticktable_refreshtime'] && (!is_numeric($_POST['localstats_sticktable_refreshtime']))) + $input_errors[] = "The local stats sticktable refresh time should be numeric or empty."; /*if($_POST['synchost1'] && !is_ipaddr($_POST['synchost1'])) $input_errors[] = "Synchost1 needs to be an IPAddress."; @@ -93,6 +101,8 @@ if ($_POST) { $config['installedpackages']['haproxy']['localstatsport'] = $_POST['localstatsport'] ? $_POST['localstatsport'] : false; $config['installedpackages']['haproxy']['advanced'] = $_POST['advanced'] ? base64_encode($_POST['advanced']) : false; $config['installedpackages']['haproxy']['nbproc'] = $_POST['nbproc'] ? $_POST['nbproc'] : false; + foreach($simplefields as $stat) + $config['installedpackages']['haproxy'][$stat] = $_POST[$stat]; touch($d_haproxyconfdirty_path); write_config(); } @@ -114,6 +124,8 @@ $pconfig['carpdev'] = $config['installedpackages']['haproxy']['carpdev']; $pconfig['localstatsport'] = $config['installedpackages']['haproxy']['localstatsport']; $pconfig['advanced'] = base64_decode($config['installedpackages']['haproxy']['advanced']); $pconfig['nbproc'] = $config['installedpackages']['haproxy']['nbproc']; +foreach($simplefields as $stat) + $pconfig[$stat] = $config['installedpackages']['haproxy'][$stat]; // defaults if (!$pconfig['logfacility']) @@ -162,20 +174,6 @@ function enable_change(enable_change) { <div id="mainarea"> <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td colspan="2" valign="top" class="listtopic">Recalculate certificate chain.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"> </td> - <td width="78%" class="vtable"> - <input type="hidden" name="calculate_certificate_chain" id="calculate_certificate_chain" /> - <input type="button" class="formbtn" value="Recalculate certificate chains" onclick="$('calculate_certificate_chain').value='true';document.iform.submit();" /> - <br/> - This can be required after certificates have been created or imported. As pfSense 2.1.0 currently does not - always keep track of these dependencies which might be required to create a proper certificate chain when using SSLoffloading. - </td> - </tr> - - <tr> <td colspan="2" valign="top" class="listtopic">General settings</td> </tr> <tr> @@ -199,11 +197,17 @@ function enable_change(enable_change) { </table> Sets the maximum per-process number of concurrent connections to X.<br/> <strong>NOTE:</strong> setting this value too high will result in HAProxy not being able to allocate enough memory.<br/> + <p> <?php $memusage = trim(`ps auxw | grep haproxy | grep -v grep | awk '{ print $5 }'`); if($memusage) - echo "<p>Current memory usage: {$memusage} K.</p>"; + echo "Current memory usage: <b>{$memusage} kB.</b><br/>"; ?> + Current <a href='/system_advanced_sysctl.php'>'System Tunables'</a> settings.<br/> + 'kern.maxfiles': <b><?=`sysctl kern.maxfiles | awk '{ print $2 }'`?></b><br/> + 'kern.maxfilesperproc': <b><?=`sysctl kern.maxfilesperproc | awk '{ print $2 }'`?></b><br/> + </p> + Full memory usage will only show after all connections have actually been used. </td><td> <table style="border: 1px solid #000;"> <tr> @@ -216,23 +220,29 @@ function enable_change(enable_change) { </td> </tr> <tr> - <td align="right"><font size=-1>999</font></td> - <td><font size=-1>1888K</font></td> + <td align="right"><font size=-1>1</font></td> + <td><font size=-1>50 kB</font></td> + </tr> + <tr> + <td align="right"><font size=-1>1.000</font></td> + <td><font size=-1>48 MB</font></td> </tr> <tr> - <td align="right"><font size=-1>99999</font></td> - <td><font size=-1>8032K</font></td> + <td align="right"><font size=-1>10.000</font></td> + <td><font size=-1>488 MB</font></td> </tr> <tr> - <td align="right"><font size=-1>999999</font></td> - <td><font size=-1>50016K</font></td> + <td align="right"><font size=-1>100.000</font></td> + <td><font size=-1>4,8 GB</font></td> </tr> <tr> - <td align="right"><font size=-1>9999999</font></td> - <td><font size=-1>467M</font></td> + <td colspan="2" style="white-space: nowrap"><font size=-2>Calculated for plain HTTP connections,<br/>using ssl offloading will increase this.</font></td> </tr> </table> </td></tr></table> + When setting a high amount of allowed simultaneous connections you will need to add and or increase the following two <b><a href='/system_advanced_sysctl.php'>'System Tunables'</a></b> kern.maxfiles and kern.maxfilesperproc. + For HAProxy alone set these to at least the number of allowed connections * 2 + 31. So for 100.000 connections these need to be 200.031 or more to avoid trouble, take into account that handles are also used by other processes when setting kern.maxfiles. + <br/> </td> </tr> <tr> @@ -352,12 +362,25 @@ function enable_change(enable_change) { </td> </tr> <tr> + <td width="22%" valign="top" class="vncell">Internal stats refresh rate</td> + <td class="vtable"> + <input name="localstats_refreshtime" type="text" <?if(isset($pconfig['localstats_refreshtime'])) echo "value=\"{$pconfig['localstats_refreshtime']}\"";?> size="10" maxlength="5" /> Seconds, Leave this setting empty to not refresh the page automatically. EXAMPLE: 10 + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Sticktable page refresh rate</td> + <td class="vtable"> + <input name="localstats_sticktable_refreshtime" type="text" <?if(isset($pconfig['localstats_sticktable_refreshtime'])) echo "value=\"{$pconfig['localstats_sticktable_refreshtime']}\"";?> size="10" maxlength="5" /> Seconds, Leave this setting empty to not refresh the page automatically. EXAMPLE: 10 + </td> + </tr> + <tr> <td colspan="2" valign="top" class="listtopic">Global Advanced pass thru</td> </tr> <tr> <td width="22%" valign="top" class="vncell"> </td> <td width="78%" class="vtable"> - <textarea name='advanced' rows="4" cols="70" id='advanced'><?php echo $pconfig['advanced']; ?></textarea> + <? $textrowcount = max(substr_count($pconfig['advanced'],"\n"), 2) + 2; ?> + <textarea name='advanced' rows="<?=$textrowcount;?>" cols="70" id='advanced'><?php echo $pconfig['advanced']; ?></textarea> <br/> NOTE: paste text into this box that you would like to pass thru in the global settings area. </td> @@ -368,6 +391,19 @@ function enable_change(enable_change) { </td> </tr> <tr> + <td colspan="2" valign="top" class="listtopic">Recalculate certificate chain.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"> </td> + <td width="78%" class="vtable"> + <input type="hidden" name="calculate_certificate_chain" id="calculate_certificate_chain" /> + <input type="button" class="formbtn" value="Recalculate certificate chains" onclick="$('calculate_certificate_chain').value='true';document.iform.submit();" />(Other changes on this page will be lost) + <br/> + This can be required after certificates have been created or imported. As pfSense 2.1.0 currently does not + always keep track of these dependencies which might be required to create a proper certificate chain when using SSLoffloading. + </td> + </tr> + <tr> <td colspan="2" valign="top" class="listtopic">Configuration synchronization</td> </tr> <tr> diff --git a/config/haproxy-devel/haproxy_htmllist.inc b/config/haproxy-devel/haproxy_htmllist.inc index 2e93ca2a..ae46ffd4 100644 --- a/config/haproxy-devel/haproxy_htmllist.inc +++ b/config/haproxy-devel/haproxy_htmllist.inc @@ -1,7 +1,7 @@ <?php /* haproxy_htmllist.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL All rights reserved. diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php index 2a1f12e6..b259c6fb 100644 --- a/config/haproxy-devel/haproxy_listeners.php +++ b/config/haproxy-devel/haproxy_listeners.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_virtual_server.php,v 1.6.2.1 2006/01/02 23:46:24 sullrich Exp $ */ /* haproxy_listeners.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> @@ -167,18 +167,14 @@ include("head.inc"); $acls = get_frontend_acls($frontend); $isaclset = ""; foreach ($acls as $acl) { - $isaclset .= " " . $acl['descr']; + $isaclset .= " " . htmlspecialchars($acl['descr']); } - if ($frontend['ssloffloadacl']) - $isaclset .= " " . "Certificate ACL"; - if ($frontend['ssloffloadacladditional']) - $isaclset .= " " . "Additional certificate ACLs"; if ($isaclset) echo "<img src=\"$img_acl\" title=\"" . gettext("acl's used") . ": {$isaclset}\" border=\"0\" />"; $isadvset = ""; - if ($frontend['advanced_bind']) $isadvset .= "Advanced bind: {$frontend['advanced_bind']}\r\n"; + if ($frontend['advanced_bind']) $isadvset .= "Advanced bind: ".htmlspecialchars($frontend['advanced_bind'])."\r\n"; if ($frontend['advanced']) $isadvset .= "Advanced pass thru setting used\r\n"; if ($isadvset) echo "<img src=\"$img_adv\" title=\"" . gettext("Advanced settings set") . ": {$isadvset}\" border=\"0\" />"; diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index bd0f93d5..5bc039b7 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_pool_edit.php,v 1.24.2.23 2007/03/03 00:07:09 smos Exp $ */ /* haproxy_listeners_edit.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> Copyright (C) 2013 PiBa-NL merging (some of the) "haproxy-devel" changes from: Marcello Coutinho <marcellocoutinho@gmail.com> @@ -57,8 +57,6 @@ function haproxy_js_acl_select($mode) { return $seltext; } -$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; - if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { $config['installedpackages']['haproxy']['ha_backends']['item'] = array(); } @@ -80,6 +78,12 @@ if (isset($_GET['dup'])) $id = get_frontend_id($id); +if (!is_numeric($id)) +{ + //default value for new items. + $pconfig['ssloffloadacl'] = "yes"; +} + $servercerts = get_certificates_server(); $fields_sslCertificates=array(); @@ -151,8 +155,8 @@ if ($_POST) { $ports = split(",", $_POST['port'] . ","); foreach($ports as $port) - if ($port && !is_numeric($port)) - $input_errors[] = "The field 'Port' value is not a number."; + if ($port && !is_numeric($port) && !is_portoralias($port)) + $input_errors[] = "The field 'Port' value '".htmlspecialchars($port)."' is not a number or alias thereof."; if ($_POST['client_timeout'] !== "" && !is_numeric($_POST['client_timeout'])) $input_errors[] = "The field 'Client timeout' value is not a number."; @@ -227,17 +231,13 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); if(strstr($pfSversion, "1.2")) $one_two = true; -if (!$id) -{ - //default value for new items. - $pconfig['ssloffloadacl'] = "yes"; -} - $closehead = false; $pgtitle = "HAProxy: Frontend: Edit"; include("head.inc"); -$primaryfrontends = get_haproxy_frontends($pconfig['name']); +if (!isset($_GET['dup'])) + $excludefrontend = $pconfig['name']; +$primaryfrontends = get_haproxy_frontends($excludefrontend); $interfaces = haproxy_get_bindable_interfaces(); ?> @@ -247,6 +247,8 @@ $interfaces = haproxy_get_bindable_interfaces(); .haproxy_primary{} .haproxy_secondary{display:none;} </style> + <script type="text/javascript" src="/javascript/suggestions.js"></script> + <script type="text/javascript" src="/javascript/autosuggest.js"></script> </head> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> @@ -255,7 +257,6 @@ $interfaces = haproxy_get_bindable_interfaces(); <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script> <?php endif; ?> - <script type="text/javascript"> function htmllist_get_select_options(tableId) { var seltext; @@ -444,8 +445,8 @@ $interfaces = haproxy_get_bindable_interfaces(); <tr class="haproxy_primary" align="left"> <td width="22%" valign="top" class="vncellreq">External port</td> <td width="78%" class="vtable" colspan="2"> - <input name="port" type="text" <?if(isset($pconfig['port'])) echo "value=\"{$pconfig['port']}\"";?> size="10" maxlength="500" /> - <div>The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,443</div> + <input name="port" id="port" type="text" <?if(isset($pconfig['port'])) echo "value=\"{$pconfig['port']}\"";?> size="10" maxlength="500" /> + <div>The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,8000</div> </td> </tr> <tr class="haproxy_primary" align="left"> @@ -546,7 +547,8 @@ $interfaces = haproxy_get_bindable_interfaces(); <tr align="left"> <td width="22%" valign="top" class="vncell">Advanced pass thru</td> <td width="78%" class="vtable" colspan="2"> - <textarea name='advanced' rows="4" cols="70" id='advanced'><?php echo htmlspecialchars($pconfig['advanced']); ?></textarea> + <? $textrowcount = max(substr_count($pconfig['advanced'],"\n"), 2) + 2; ?> + <textarea name='advanced' rows="<?=$textrowcount;?>" cols="70" id='advanced'><?php echo htmlspecialchars($pconfig['advanced']); ?></textarea> <br/> NOTE: paste text into this box that you would like to pass thru. </td> @@ -597,7 +599,7 @@ $interfaces = haproxy_get_bindable_interfaces(); <tr class="haproxy_ssloffloading_enabled haproxy_primary" align="left"> <td width="22%" valign="top" class="vncell">Advanced ssl options</td> <td width="78%" class="vtable" colspan="2"> - <input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo "value=\"{$pconfig['dcertadv']}\"";?> maxlength="64" /> + <input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo 'value="'.htmlspecialchars($pconfig['dcertadv']).'"';?> /> <br/> NOTE: Paste additional ssl options(without commas) to include on ssl listening options.<br/> some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets @@ -638,6 +640,9 @@ $interfaces = haproxy_get_bindable_interfaces(); <script type="text/javascript"> totalrows = <?php echo $counter; ?>; updatevisibility(); + + var customarray = <?= json_encode(get_alias_list(array("port", "url_ports", "urltable_ports"))) ?>; + var oTextbox1 = new AutoSuggestControl(document.getElementById("port"), new StateSuggestions(customarray)); </script> <?php haproxy_htmllist_js(); diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php index 9b64df87..726dab30 100644 --- a/config/haproxy-devel/haproxy_pool_edit.php +++ b/config/haproxy-devel/haproxy_pool_edit.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_pool_edit.php,v 1.24.2.23 2007/03/03 00:07:09 smos Exp $ */ /* haproxy_pool_edit.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> @@ -221,12 +221,8 @@ if ($_POST) { $pool['ha_servers']['item']=$a_servers; - update_if_changed("name", $pool['name'], $_POST['name']); - update_if_changed("cookie", $pool['cookie'], $_POST['cookie']); update_if_changed("advanced", $pool['advanced'], base64_encode($_POST['advanced'])); update_if_changed("advanced_backend", $pool['advanced_backend'], base64_encode($_POST['advanced_backend'])); - update_if_changed("checkinter", $pool['checkinter'], $_POST['checkinter']); - update_if_changed("monitor_uri", $pool['monitor_uri'], $_POST['monitor_uri']); global $simplefields; foreach($simplefields as $stat) @@ -308,6 +304,18 @@ foreach($simplefields as $field){ } } } + function toggleCSSdisplay(cssID) + { + var ss = document.styleSheets; + for (var i=0; i<ss.length; i++) { + var rules = ss[i].cssRules || ss[i].rules; + for (var j=0; j<rules.length; j++) { + if (rules[j].selectorText === cssID) { + rules[j].style.display = rules[j].style.display == "none" ? "" : "none"; + } + } + } + } function updatevisibility() { @@ -383,11 +391,36 @@ foreach($simplefields as $field){ </tr> <tr align="left"> <td class="vncell" colspan="3"><strong>Server list</strong> + <span style="float:right;"> + Toggle serverlist help. <a onclick="toggleCSSdisplay('.haproxy_help_serverlist');" title="<?php echo gettext("Help"); ?>"><img style="vertical-align:middle" src="/themes/<?php echo $g['theme']; ?>/images/icons/icon_help.gif" border="0" alt="help" /></a> + </span> <? $counter=0; $a_servers = $pconfig['a_servers']; haproxy_htmllist("tableA_servers", $a_servers, $fields_servers); ?> + <table class="haproxy_help_serverlist" style="border:1px dashed green" cellspacing="0"> + <tr><td class="vncell"> + Mode: </td><td class="vncell">Active: server will be used normally<br/> + Backup: server is only used in load balancing when all other non-backup servers are unavailable<br/> + Disabled: server is marked down in maintenance mode<br/> + Inactive: server will not be available for use + </td></tr><tr><td class="vncell"> + Name: </td><td class="vncell">Used to as a name for the server in for example the stats<br/>EXAMPLE: MyWebServer + </td></tr><tr><td class="vncell"> + Address: </td><td class="vncell">IP or hostname(only resolved on start-up.)<br/>EXAMPLE: 192.168.1.22 , fe80::1000:2000:3000:4000%em0 , WebServer1.localdomain + </td></tr><tr><td class="vncell"> + Port: </td><td class="vncell">The port of the backend.<br/>EXAMPLE: 80 or 443<br/> + </td></tr><tr><td class="vncell"> + SSL: </td><td class="vncell">Is the backend using SSL (commonly with port 443)<br/> + </td></tr><tr><td class="vncell"> + Weight: </td><td class="vncell">A weight between 0 and 256, this setting can be used when multiple servers on different hardware need to be balanced with with a different part the traffic. A server with weight 0 wont get new traffic. Default if empty: 1 + </td></tr><tr><td class="vncell"> + Cookie: </td><td class="vncell">the value of the cookie used to identify a server (only when cookie-persistence is enabled below) + </td></tr><tr><td class="vncell"> + Advanced: </td><td class="vncell">More advanced settings like rise,fall,error-limit,send-proxy and others can be configured here.<br/>For a full list of options see the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2">HAProxy manual: Server and default-server options</a> + </td></tr> + </table> </td> </tr> <tr align="left"> @@ -459,6 +492,7 @@ foreach($simplefields as $field){ <tr align="left"> <td width="22%" valign="top" class="vncell">Transparent ClientIP</td> <td width="78%" class="vtable" colspan="2"> + WARNING Activating this option will load rules in IPFW and might interfere with CaptivePortal and possibly other services due to the way server return traffic must be 'captured' with a automatically created fwd rule. This also breaks directly accessing the (web)server on the ports configured above. Also a automatic sloppy pf rule is made to allow HAProxy to server traffic.<br/> <input id="transparent_clientip" name="transparent_clientip" type="checkbox" value="yes" <?php if ($pconfig['transparent_clientip']=='yes') echo "checked"; ?> onclick='updatevisibility();' /> Use Client-IP to connect to backend servers. <div class="haproxy_transparent_clientip"> @@ -479,13 +513,13 @@ foreach($simplefields as $field){ For proper workings this requires the reply's traffic to pass through pfSense by means of correct routing. (uses the option "source 0.0.0.0 usesrc clientip") <br/><br/> - Note : When this is enabled for a single backend HAProxy will run as 'root', which reduces security. + Note : When this is enabled for a single backend HAProxy will run as 'root' instead of chrooting to a lower privileged user, this reduces security in case of a a bit. </td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Per server pass thru</td> <td width="78%" class="vtable" colspan="2"> - <input type="text" name='advanced' id='advanced' value='<?php echo $pconfig['advanced']; ?>' size="64" /> + <input type="text" name='advanced' id='advanced' value='<?php echo htmlspecialchars($pconfig['advanced']); ?>' size="64" /> <br/> NOTE: paste text into this box that you would like to pass thru. Applied to each 'server' line. </td> @@ -494,7 +528,8 @@ foreach($simplefields as $field){ <tr align="left"> <td width="22%" valign="top" class="vncell">Backend pass thru</td> <td width="78%" class="vtable" colspan="2"> - <textarea rows="4" cols="70" name='advanced_backend' id='advanced_backend'><?php echo $pconfig['advanced_backend']; ?></textarea> + <? $textrowcount = max(substr_count($pconfig['advanced_backend'],"\n"), 2) + 2; ?> + <textarea rows="<?=$textrowcount;?>" cols="70" name='advanced_backend' id='advanced_backend'><?php echo htmlspecialchars($pconfig['advanced_backend']); ?></textarea> <br/> NOTE: paste text into this box that you would like to pass thru. Applied to the backend section. </td> @@ -629,10 +664,10 @@ set by the 'retries' parameter.</div> </td> </tr> <tr><td> </td></tr> - <tr> + <tr> <td colspan="2" valign="top" class="listtopic">Cookie persistence</td> - </tr> - <tr align="left"> + </tr> + <tr align="left"> <td width="22%" valign="top" class="vncell">Cookie Enabled</td> <td width="78%" class="vtable" colspan="2"> <input id="persist_cookie_enabled" name="persist_cookie_enabled" type="checkbox" value="yes" <?php if ($pconfig['persist_cookie_enabled']=='yes') echo "checked"; ?> onclick='updatevisibility();' /> @@ -664,7 +699,7 @@ set by the 'retries' parameter.</div> <br/> <textarea readonly="yes" cols="60" rows="2" id="persist_cookie_mode_description" name="persist_cookie_mode_description" style="padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt;"></textarea> </td> - </tr> + </tr> <tr class="haproxy_cookie_visible" align="left"> <td width="22%" valign="top" class="vncell">Cookie Cachable</td> <td width="78%" class="vtable" colspan="2"> @@ -673,11 +708,11 @@ set by the 'retries' parameter.</div> </td> </tr> <tr><td> </td></tr> - <tr> + <tr> <td colspan="2" valign="top" class="listtopic">Stick-table persistence</td> - </tr> + </tr> <tr><td class="vncell"></td><td class="vncell">These options are used to make sure seperate requests from a single client go to the same backend. This can be required for servers that keep track of for example a shopping cart.</td></tr> - <tr align="left"> + <tr align="left"> <td width="22%" valign="top" class="vncell">Stick tables</td> <td width="78%" class="vtable" colspan="2"> <? diff --git a/config/haproxy-devel/haproxy_pools.php b/config/haproxy-devel/haproxy_pools.php index 01655006..15567807 100644 --- a/config/haproxy-devel/haproxy_pools.php +++ b/config/haproxy-devel/haproxy_pools.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_virtual_server.php,v 1.6.2.1 2006/01/02 23:46:24 sullrich Exp $ */ /* haproxy_pools.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> diff --git a/config/haproxy-devel/haproxy_socketinfo.inc b/config/haproxy-devel/haproxy_socketinfo.inc index 5c6e847d..6beb17c5 100644 --- a/config/haproxy-devel/haproxy_socketinfo.inc +++ b/config/haproxy-devel/haproxy_socketinfo.inc @@ -3,7 +3,7 @@ Copyright (C) 2013 PiBa-NL Copyright 2011 Thomas Schaefer - Tomschaefer.org Copyright 2011 Marcello Coutinho - Part of pfSense widgets (www.pfsense.com) + Part of pfSense widgets (www.pfsense.org) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: diff --git a/config/haproxy-devel/haproxy_stats.php b/config/haproxy-devel/haproxy_stats.php index 8ad04c92..cbf5b2b2 100644 --- a/config/haproxy-devel/haproxy_stats.php +++ b/config/haproxy-devel/haproxy_stats.php @@ -1,7 +1,7 @@ <?php /* haproxy_stats.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL All rights reserved. @@ -65,7 +65,8 @@ if (isset($_GET['haproxystats']) || isset($_GET['scope']) || (isset($_POST) && i } require_once("guiconfig.inc"); if (isset($_GET['showsticktablecontent'])){ - header("Refresh: 2"); + if (is_numeric($pconfig['localstats_sticktable_refreshtime'])) + header("Refresh: {$pconfig['localstats_sticktable_refreshtime']}"); } $shortcut_section = "haproxy"; require_once("haproxy.inc"); @@ -163,7 +164,7 @@ include("head.inc"); if (isset($_GET['showsticktablecontent'])){ $sticktablename = $_GET['showsticktablecontent']; echo "<td colspan='2'>"; - echo "TESTJe<br/>"; + echo "Contents of the sticktable: $sticktablename<br/>"; $res = haproxy_socket_command("show table $sticktablename"); foreach($res as $line){ echo "<br/>".print_r($line,true); diff --git a/config/haproxy-devel/haproxy_utils.inc b/config/haproxy-devel/haproxy_utils.inc index 058efc98..03bd434f 100644 --- a/config/haproxy-devel/haproxy_utils.inc +++ b/config/haproxy-devel/haproxy_utils.inc @@ -1,7 +1,7 @@ <?php /* haproxy_utils.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL All rights reserved. |