diff options
Diffstat (limited to 'config/haproxy-devel')
| -rw-r--r-- | config/haproxy-devel/haproxy.inc | 388 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy.widget.php | 2 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy.xml | 36 | ||||
| -rwxr-xr-x | config/haproxy-devel/haproxy_global.php | 92 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_htmllist.inc | 2 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_listeners.php | 28 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_listeners_edit.php | 58 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_pool_edit.php | 69 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_pools.php | 6 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_socketinfo.inc | 2 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_stats.php | 11 | ||||
| -rw-r--r-- | config/haproxy-devel/haproxy_utils.inc | 2 |
12 files changed, 458 insertions, 238 deletions
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index d039b55a..1e403c48 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -37,6 +37,7 @@ require_once("haproxy_xmlrpcsyncclient.inc"); $d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; +global $a_acltypes; $a_acltypes = array(); $a_acltypes["host_starts_with"] = array('name' => 'Host starts with', 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i %1$s'); @@ -66,6 +67,7 @@ $a_acltypes["backendservercount"] = array('name' => 'Minimum count usable server $a_acltypes["ssl_sni_matches"] = array('name' => 'Server Name Indication TLS extension matches', 'mode' => 'https', 'syntax' => 'req_ssl_sni -i %1$s', 'advancedoptions' => "tcp-request inspect-delay 5s\n\ttcp-request content accept if { req_ssl_hello_type 1 }"); +global $a_checktypes; $a_checktypes = array(); $a_checktypes['none'] = array('name' => 'none', 'syntax' => '', 'descr' => 'No health checks will be performed.'); @@ -92,6 +94,7 @@ $a_checktypes['ESMTP'] = array('name' => 'ESMTP', 'syntax' => 'smtpchk EHLO', $a_checktypes['SSL'] = array('name' => 'SSL', 'syntax' => 'ssl-hello-chk', 'descr' => 'Use SSLv3 client hello health checks for server testing.'); +global $a_httpcheck_method; $a_httpcheck_method = array(); $a_httpcheck_method['OPTIONS'] = array('name' => 'OPTIONS', 'syntax' => 'OPTIONS'); $a_httpcheck_method['HEAD'] = array('name' => 'HEAD', 'syntax' => 'HEAD'); @@ -101,6 +104,7 @@ $a_httpcheck_method['PUT'] = array('name' => 'PUT', 'syntax' => 'PUT'); $a_httpcheck_method['DELETE'] = array('name' => 'DELETE', 'syntax' => 'DELETE'); $a_httpcheck_method['TRACE'] = array('name' => 'TRACE', 'syntax' => 'TRACE'); +global $a_closetypes; $a_closetypes = array(); $a_closetypes['none'] = array('name' => 'none', 'syntax' => '', 'descr' => 'No close headers will be changed.'); @@ -113,6 +117,7 @@ $a_closetypes['forceclose'] = array('name' => 'forceclose', 'syntax' => 'forcecl $a_closetypes['http-keep-alive'] = array('name' => 'http-keep-alive', 'syntax' => 'http-keep-alive', 'descr' => 'By default, when a client communicates with a server, HAProxy will only analyze, log, and process the first request of each connection. Setting "option http-keep-alive" enables HTTP keep-alive mode on the client- and server- sides. This provides the lowest latency on the client side (slow network) and the fastest session reuse on the server side at the expense of maintaining idle connections to the servers. In general, it is possible with this option to achieve approximately twice the request rate that the "http-server-close" option achieves on small objects. There are mainly two situations where this option may be useful : - when the server is non-HTTP compliant and authenticates the connection instead of requests (eg: NTLM authentication) - when the cost of establishing the connection to the server is significant compared to the cost of retrieving the associated object from the server.'); +global $a_servermodes; $a_servermodes = array(); $a_servermodes["active"]['name'] = "active"; $a_servermodes["backup"]['name'] = "backup"; @@ -120,6 +125,7 @@ $a_servermodes["disabled"]['name'] = "disabled"; $a_servermodes["inactive"]['name'] = "inactive"; // http://www.exceliance.fr/sites/default/files/biblio/aloha_load_balancer_haproxy_cookie_persistence_methods_memo.pdf +global $a_cookiemode; $a_cookiemode = array(); $a_cookiemode['passive'] = array('name' => 'Passive', 'syntax' => 'cookie <cookie name>', 'descr' => 'Cookie is analysed on incoming request to choose server. HAProxy does not perform any insertion update or deletion on the Cookie or Set-Cookie. If the Cookie is not set, then the load-balancing algorithm is applied.'); @@ -142,6 +148,7 @@ $a_cookiemode['passive-session-prefix'] = array('name' => 'Passive-session-prefi foreach($a_cookiemode as &$cookiemode) $cookiemode['descr'] = $cookiemode['descr'] . "\n\n" . $cookiemode['syntax'] . ""; +global $a_sticky_type; $a_sticky_type = array(); $a_sticky_type['none'] = array('name' => 'none', 'descr' => "No stick-table will be used"); @@ -158,26 +165,108 @@ $a_sticky_type['stick_rdp_cookie'] = array('name' => 'Stick on RDP-cookie', 'descr' => "Uses a RDP-Cookie send by the mstsc client, note that not all clients send this.", 'cookiedescr' => 'EXAMPLE: msts or mstshash'); +if(!function_exists('group_ports')){ +// function group_ports() is present in pfSense 2.2 in util.inc +/* create ranges of sequential port numbers (200:215) and remove duplicates */ +function group_ports($ports) { + if (!is_array($ports) || empty($ports)) + return; + + $uniq = array(); + foreach ($ports as $port) { + if (is_portrange($port)) { + list($begin, $end) = explode(":", $port); + if ($begin > $end) { + $aux = $begin; + $begin = $end; + $end = $aux; + } + for ($i = $begin; $i <= $end; $i++) + if (!in_array($i, $uniq)) + $uniq[] = $i; + } else if (is_port($port)) { + if (!in_array($port, $uniq)) + $uniq[] = $port; + } + } + sort($uniq, SORT_NUMERIC); + + $result = array(); + foreach ($uniq as $idx => $port) { + if ($idx == 0) { + $result[] = $port; + continue; + } + + $last = end($result); + if (is_portrange($last)) + list($begin, $end) = explode(":", $last); + else + $begin = $end = $last; + + if ($port == ($end+1)) { + $end++; + $result[count($result)-1] = "{$begin}:{$end}"; + } else { + $result[] = $port; + } + } + + return $result; +} +} + +function haproxy_portoralias_to_list($port_or_alias) { + // input: a port or aliasname: 80 https MyPortAlias + // returns: a array of ports and portranges 80 443 8000:8010 + global $aliastable; + $portresult = array(); + if (alias_get_type($port_or_alias) == "port") { + $aliasports = $aliastable[$port_or_alias]; + $ports = explode(' ',$aliasports); + foreach($ports as $port) { + $portresults = haproxy_portoralias_to_list($port); + $portresult = array_merge($portresult, $portresults); + } + return $portresult; + } else if (is_portrange($port_or_alias)) { + return (array)$port_or_alias; + } else if (is_port($port_or_alias)) { + if (getservbyname($port_or_alias, "tcp")) + return (array)getservbyname($port_or_alias, "tcp"); + if (getservbyname($port_or_alias, "udp")) + return (array)getservbyname($port_or_alias, "udp"); + return (array)$port_or_alias; + } + else + return null; +} + function haproxy_custom_php_deinstall_command() { - exec("cd /var/db/pkg && pkg_delete `ls | grep haproxy`"); - exec("rm /usr/local/pkg/haproxy*"); - exec("rm /usr/local/www/haproxy*"); + global $static_output; + $static_output .= "HAProxy, running haproxy_custom_php_deinstall_command()\n"; + update_output_window($static_output); + $static_output .= "HAProxy, deleting haproxy webgui\n"; + update_output_window($static_output); exec("rm /usr/local/etc/rc.d/haproxy.sh"); - exec("rm /etc/devd/haproxy.conf"); - exec("/etc/rc.d/devd restart"); + $static_output .= "HAProxy, installing cron job if needed\n"; + update_output_window($static_output); haproxy_install_cron(false); + $static_output .= "HAProxy, running haproxy_custom_php_deinstall_command() DONE\n"; + update_output_window($static_output); } function haproxy_custom_php_install_command() { - global $g, $config; + global $g, $config, $static_output; + $static_output .= "HAProxy, running haproxy_custom_php_install_command()\n"; + update_output_window($static_output); + + $static_output .= "HAProxy, conf_mount_rw\n"; + update_output_window($static_output); conf_mount_rw(); - - $freebsd_version = substr(trim(`uname -r`), 0, 1); - if(!file_exists("/usr/bin/limits")) { - exec("fetch -q -o /usr/bin/limits http://files.pfsense.org/extras/{$freebsd_version}/limits"); - exec("chmod a+rx /usr/bin/limits"); - } + $static_output .= "HAProxy, create '/usr/local/etc/rc.d/haproxy.sh'\n"; + update_output_window($static_output); $haproxy = <<<EOD #!/bin/sh @@ -189,7 +278,7 @@ function haproxy_custom_php_install_command() { name="haproxy" rcvar=`set_rcvar` -command="/usr/local/bin/haproxy" +command="/usr/pbi/haproxy-devel-`uname -m`/sbin/haproxy" haproxy_enable=\${haproxy-"YES"} start_cmd="haproxy_start" @@ -241,27 +330,11 @@ EOD; fclose($fd); exec("chmod a+rx /usr/local/etc/rc.d/haproxy.sh"); - $devd = <<<EOD -notify 0 { - match "system" "IFNET"; - match "subsystem" "carp[0-9]+"; - match "type" "LINK_UP"; - action "/usr/local/etc/rc.d/haproxy.sh check"; -}; -notify 0 { - match "system" "IFNET"; - match "subsystem" "carp[0-9]+"; - match "type" "LINK_DOWN"; - action "/usr/local/etc/rc.d/haproxy.sh check"; -}; -EOD; - exec("mkdir -p /etc/devd"); - $fd = fopen("/etc/devd/haproxy.conf", "w"); - fwrite($fd, $devd); - fclose($fd); - exec("/etc/rc.d/devd restart"); + $static_output .= "HAProxy, update configuration\n"; + update_output_window($static_output); + $writeconfigupdate = false; /* Do XML upgrade from haproxy 0.31 to haproxy-dev */ if (is_array($config['installedpackages']['haproxy']['ha_servers'])) { @@ -332,9 +405,8 @@ EOD; $writeconfigupdate = true; } // update config to "haproxy-devel 1.5-dev19 pkg v0.5" - $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item']; - if(is_array($a_backends)) { - foreach ($a_backends as &$bind) { + if(is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { + foreach ($config['installedpackages']['haproxy']['ha_backends']['item'] as &$bind) { if($bind['httpclose'] && $bind['httpclose'] == "yes" ) { $bind['httpclose'] = "httpclose"; $writeconfigupdate = true; @@ -353,12 +425,22 @@ EOD; } } } - if ($writeconfigupdate) - write_config("haproxy, update xml config version"); + if ($writeconfigupdate) { + $static_output .= "HAProxy, write updated config\n"; + update_output_window($static_output); + write_config("HAProxy, update xml config version"); + } + $static_output .= "HAProxy, conf_mount_ro\n"; + update_output_window($static_output); conf_mount_ro(); - exec("/usr/local/etc/rc.d/haproxy.sh start"); + $static_output .= "HAProxy, starting haproxy (if previously enabled)\n"; + update_output_window($static_output); + haproxy_check_run(1); + + $static_output .= "HAProxy, running haproxy_custom_php_install_command() DONE\n"; + update_output_window($static_output); } function haproxy_install_cron($should_install) { @@ -422,27 +504,17 @@ function write_backend($fd, $name, $pool, $frontend) { global $a_checktypes, $a_cookiemode; $a_servers = &$pool['ha_servers']['item']; - $frontendtype = strtolower($frontend['type']); - - unset($sslserverpresent); - if (is_array($a_servers)) - { - foreach($a_servers as $be) { - if (!$be['status'] == "inactive") - continue; - if ($be['ssl']) - $sslserverpresent = true; - } - } + $frontendtype = $frontend['type']; + $frontend_ip = haproxy_interface_ip($frontend['extaddr']); fwrite ($fd, "backend " . $name . "\n"); // https is an alias for tcp for clarity purposes - if(strtolower($frontend['type']) == "https") { - $backend_type = "tcp"; + if($frontendtype == "https") { + $backend_mode = "tcp"; } else { - $backend_type = $frontend['type']; + $backend_mode = $frontendtype; } - fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n"); + fwrite ($fd, "\tmode\t\t\t" . $backend_mode . "\n"); if ($frontendtype == "http") { if ($pool["persist_cookie_enabled"] == "yes") { @@ -620,7 +692,7 @@ function write_backend($fd, $name, $pool, $frontend) { $ssl = ""; if ($be['ssl'] == 'yes') { - $ssl = $backend_type == "http" ? ' ssl' : ' check-ssl'; + $ssl = $frontendtype == "http" ? ' ssl' : ' check-ssl'; } $weight = ""; if (is_numeric($be['weight'])){ @@ -635,13 +707,11 @@ function write_backend($fd, $name, $pool, $frontend) { function haproxy_configure() { global $g; // reload haproxy - haproxy_writeconf("{$g['varetc_path']}/haproxy"); return haproxy_check_run(1); } function haproxy_check_and_run(&$messages, $reload) { global $g; - $configpath = "{$g['varetc_path']}/haproxy"; $testpath = "{$g['varetc_path']}/haproxy_test"; haproxy_writeconf($testpath); $retval = exec("haproxy -c -V -f $testpath/haproxy.cfg 2>&1", $output, $err); @@ -659,7 +729,6 @@ function haproxy_check_and_run(&$messages, $reload) { $ok = strstr($retval, "Configuration file is valid"); if ($ok && $reload) { global $haproxy_run_message; - haproxy_writeconf($configpath); rmdir_recursive($testpath); $ok = haproxy_check_run(1) == 0; $messages = $haproxy_run_message; @@ -733,7 +802,8 @@ function haproxy_writeconf($configpath) { fwrite ($fd, "\tbind 127.0.0.1:$localstatsport\n"); fwrite ($fd, "\tmode http\n"); fwrite ($fd, "\tstats enable\n"); - fwrite ($fd, "\tstats refresh 10\n"); + if (is_numeric($a_global['localstats_refreshtime'])) + fwrite ($fd, "\tstats refresh {$a_global['localstats_refreshtime']}\n"); fwrite ($fd, "\tstats admin if TRUE\n"); fwrite ($fd, "\tstats uri /haproxy_stats.php?haproxystats=1\n"); fwrite ($fd, "\ttimeout client 5000\n"); @@ -748,20 +818,14 @@ function haproxy_writeconf($configpath) { if(is_array($a_frontends)) { foreach ($a_frontends as $frontend) { if($frontend['status'] != 'active') - { - unlink_if_exists("var/etc/{$frontend['name']}.{$frontend['port']}.crt"); continue; - } if(!$frontend['backend_serverpool']) - { - unlink_if_exists("var/etc/{$frontend['name']}.{$frontend['port']}.crt"); continue; - } - + $primaryfrontend = get_primaryfrontend($frontend); $bname = get_frontend_ipport($frontend); //check ssl info - if (strtolower($frontend['type']) == "http" && $frontend['ssloffload']){ + if (strtolower($primaryfrontend['type']) == "http" && $frontend['ssloffload']){ //ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem $filename = "$configpath/{$frontend['name']}.{$frontend['port']}.pem"; $ssl_crt = " crt $filename"; @@ -786,7 +850,6 @@ function haproxy_writeconf($configpath) { $a_bind[$bname] = array(); $a_bind[$bname]['config'] = array(); // Settings which are used only from the primary frontend - $primaryfrontend = get_primaryfrontend($frontend); $a_bind[$bname]['name'] = $primaryfrontend['name']; $a_bind[$bname]['extaddr'] = $primaryfrontend['extaddr']; $a_bind[$bname]['port'] = $primaryfrontend['port']; @@ -803,7 +866,7 @@ function haproxy_writeconf($configpath) { if (($frontend['secondary'] != 'yes') && ($frontend['name'] != $b['name'])) { // only 1 frontend can be the primary for a set of frontends that share 1 address:port. - $input_errors[] = "Multiple primary frondends for $bname"; + $input_errors[] = "Multiple primary frontends for $bname use the 'Shared Frontend' option instead"; } if ($ssl_crt != "") { @@ -832,17 +895,28 @@ function haproxy_writeconf($configpath) { // Prepare ports for processing by splitting $portss = "{$bind['port']},"; $ports = split(",", $portss); - $ssl_info = $bind['ssl_info']; - $advanced_bind = $bind['advanced_bind']; + + if($bind['type'] == "http") { + // ssl offloading is only possible in http mode. + $ssl_info = $bind['ssl_info']; + $advanced_bind = $bind['advanced_bind']; + } else { + $ssl_info = ""; + $advanced_bind = ""; + } // Initialize variable $listenip = ""; // Process and add bind directives for ports $ip = haproxy_interface_ip($bind['extaddr']); if ($ip){ - foreach($ports as $port) { - if($port) { - $listenip .= "\tbind\t\t\t$ip:{$port} {$ssl_info} {$advanced_bind}\n"; + foreach($ports as $alias_or_port) { + if($alias_or_port) { + $portsnumeric = group_ports(haproxy_portoralias_to_list($alias_or_port)); + foreach($portsnumeric as $portnumeric) { + $portnumeric = str_replace(":","-",$portnumeric); + $listenip .= "\tbind\t\t\t$ip:{$portnumeric} {$ssl_info} {$advanced_bind}\n"; + } } } } @@ -860,7 +934,7 @@ function haproxy_writeconf($configpath) { } } - // https is an alias for tcp for clarity purpouses + // https is an alias for tcp for clarity purposes if($bind['type'] == "https") { $backend_type = "tcp"; } else { @@ -898,45 +972,15 @@ function haproxy_writeconf($configpath) { $default_backend = ""; $i = 0; foreach ($bind['config'] as $frontend) { - $a_acl=&$frontend['ha_acls']['item']; - if(!is_array($a_acl)) - $a_acl=array(); - - $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']); + $a_acl = get_frontend_acls($frontend); - // Create different pools if the svrport is set - if ($frontend['svrport'] > 0) - $poolname .= "_" . $frontend['svrport']; + $poolname = $frontend['backend_serverpool'] . "_" . strtolower($bind['type']); if (!isset($a_pendingpl[$poolname])) { $a_pendingpl[$poolname] = array(); $a_pendingpl[$poolname]['name'] = $poolname; - $a_pendingpl[$poolname]['frontend'] = $frontend; - } - - if (strtolower($bind['type']) == "http" && $frontend['ssloffload']) { - $aclname = "SNI_" . $poolname; - if ($frontend['ssloffloadacl']){ - $cert = lookup_cert($frontend['ssloffloadcert']); - $cert_cn = cert_get_cn($cert['crt']); - $descr = haproxy_escape_acl_name($cert['descr']); - $a_acl[] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); - unset($cert); - } - if ($frontend['ssloffloadacladditional']){ - $certs = $frontend['ha_certificates']['item']; - if (is_array($certs)){ - if (count($certs) > 0){ - foreach($certs as $certref){ - $cert = lookup_cert($certref['ssl_certificate']); - $cert_cn = cert_get_cn($cert['crt']); - $descr = haproxy_escape_acl_name($cert['descr']); - $a_acl[] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); - unset($cert); - } - } - } - } + $a_pendingpl[$poolname]['backend'] = $frontend['backend_serverpool']; + $a_pendingpl[$poolname]['frontend'] = $bind; } // Write this out once, and must be before any backend config text @@ -947,8 +991,8 @@ function haproxy_writeconf($configpath) { // combine acl's with same name to allow for 'combined checks' to check for example hostname and fileextension together.. $a_acl_combine = array(); foreach ($a_acl as $entry) { - $name = $entry['name']; - $a_acl_combine[$name][] = $entry; + $name = $entry['ref']['name']; + $a_acl_combine[$name][] = $entry['ref']; } foreach ($a_acl_combine as $a_usebackend) { @@ -987,7 +1031,7 @@ function haproxy_writeconf($configpath) { if (is_array($a_pendingpl) && is_array($a_backends)) { foreach ($a_pendingpl as $pending) { foreach ($a_backends as $pool) { - if ($pending['frontend']['backend_serverpool'] == $pool['name']) { + if ($pending['backend'] == $pool['name']) { write_backend($fd, $pending['name'], $pool, $pending['frontend']); } } @@ -1131,20 +1175,57 @@ function load_ipfw_rules() { mwexec("/sbin/ipfw -x $ipfw_zone_haproxy -q {$g['tmp_path']}/ipfw_{$ipfw_zone_haproxy}.haproxy.rules", true); } +function haproxy_plugin_carp($pluginparams) { + // called by pfSense when a CARP interface changes its state (called multiple times when multiple interfaces change state) + // $pluginparams['type'] always 'carp' + // $pluginparams['event'] either 'rc.carpmaster' or 'rc.carpbackup' + // $pluginparams['interface'] contains the affected interface + $type = $pluginparams['type']; + $event = $pluginparams['event']; + $interface = $pluginparams['interface']; + haproxy_check_run(0); +} + +function haproxy_plugin_certificates($pluginparams) { + global $config; + $result = array(); + if ($pluginparams['type'] == 'certificates' && $pluginparams['event'] == 'used_certificates') { + $result['pkgname'] = "HAProxy"; + $result['certificatelist'] = array(); + // return a array of used certificates. + foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend) { + $mainfrontend = get_primaryfrontend($frontend); + if (strtolower($mainfrontend['type']) == "http" && $mainfrontend['ssloffload']) { + if ($frontend['ssloffloadacl']){ + $item = array(); + $cert = $frontend['ssloffloadcert']; + $item['usedby'] = $frontend['name']; + $result['certificatelist'][$cert][] = $item; + } + if ($frontend['ssloffloadacladditional']){ + foreach($frontend['ha_certificates']['item'] as $certref){ + $item = array(); + $cert = $certref['ssl_certificate']; + $item['usedby'] = $frontend['name']; + $result['certificatelist'][$cert][] = $item; + } + } + } + } + } + return $result; +} + function haproxy_check_run($reload) { global $config, $g, $haproxy_run_message; + $haproxylock = lock("haproxy", LOCK_EX); $a_global = &$config['installedpackages']['haproxy']; $configpath = "{$g['varetc_path']}/haproxy"; - - exec("/usr/bin/limits -n 300014"); - - if(use_transparent_clientip_proxying()) { - filter_configure(); - load_ipfw_rules(); - } else - mwexec("/usr/local/sbin/ipfw_context -d haproxy", true); + if ($reload) + haproxy_writeconf($configpath); + if(isset($a_global['enable'])) { if (isset($a_global['carpdev'])) { $status = get_carp_interface_status($a_global['carpdev']); @@ -1154,15 +1235,25 @@ function haproxy_check_run($reload) { //exec("/bin/pkill -F /var/run/haproxy.pid haproxy");//doesnt work for multiple pid's in a pidfile haproxy_kill(); } + unlock($haproxylock); return (0); } else if (haproxy_is_running() && $reload == 0) { + unlock($haproxylock); return (0); } log_error("Starting haproxy on CARP master."); /* fallthrough */ - } else if ($reload == 0) + } else if ($reload == 0){ + unlock($haproxylock); return (0); + } + if(use_transparent_clientip_proxying()) { + filter_configure(); + load_ipfw_rules(); + } else + mwexec("/usr/local/sbin/ipfw_context -d haproxy", true); + if (haproxy_is_running()) { if (isset($a_global['terminate_on_reload'])) $sf_st = "-st";//terminate old process as soon as the new process is listening @@ -1174,14 +1265,15 @@ function haproxy_check_run($reload) { } foreach($output as $line) $haproxy_run_message .= "<br/>" . htmlspecialchars($line) . "\n"; - return ($errcode); } else { if ($reload && haproxy_is_running()) { //exec("/bin/pkill -F /var/run/haproxy.pid haproxy");//doesnt work for multiple pid's in a pidfile haproxy_kill(); } - return (0); + $errcode = 0; } + unlock($haproxylock); + return ($errcode); } function haproxy_kill($killimmediately = true) { @@ -1264,7 +1356,7 @@ function get_primaryfrontend($frontend) { function get_frontend_ipport($frontend,$userfriendly=false) { $mainfrontend = get_primaryfrontend($frontend); - $result = haproxy_interface_ip($mainfrontend['extaddr'],$userfriendly); + $result = haproxy_interface_ip($mainfrontend['extaddr'], $userfriendly); if ($userfriendly and is_ipaddrv6($result)) $result = "[{$result}]"; return $result . ":" . $mainfrontend['port']; @@ -1318,6 +1410,7 @@ function get_haproxy_frontends($excludeitem="") { } function get_frontend_acls($frontend) { + $mainfrontend = get_primaryfrontend($frontend); $result = array(); $a_acl = &$frontend['ha_acls']['item']; if (is_array($a_acl)) @@ -1328,7 +1421,7 @@ function get_frontend_acls($frontend) { continue; // Filter out acls for different modes - if ($acl['mode'] != '' && $acl['mode'] != strtolower($frontend['type'])) + if ($acl['mode'] != '' && $acl['mode'] != strtolower($mainfrontend['type'])) continue; $acl_item = array(); @@ -1338,17 +1431,52 @@ function get_frontend_acls($frontend) { $result[] = $acl_item; } } + + if (strtolower($mainfrontend['type']) == "http" && $mainfrontend['ssloffload']) { + $a_acl = &$frontend['ha_acls']['item']; + if(!is_array($a_acl)) + $a_acl=array(); + + $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']); + $aclname = "SNI_" . $poolname; + if ($frontend['ssloffloadacl']){ + $cert = lookup_cert($frontend['ssloffloadcert']); + $cert_cn = cert_get_cn($cert['crt']); + $descr = haproxy_escape_acl_name($cert['descr']); + unset($cert); + $acl_item = array(); + $acl_item['descr'] = "Certificate ACL ".$cert_cn; + $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); + $result[] = $acl_item; + } + if ($frontend['ssloffloadacladditional']){ + $certs = $frontend['ha_certificates']['item']; + if (is_array($certs)){ + foreach($certs as $certref){ + $cert = lookup_cert($certref['ssl_certificate']); + $cert_cn = cert_get_cn($cert['crt']); + $descr = haproxy_escape_acl_name($cert['descr']); + unset($cert); + $acl_item = array(); + $acl_item['descr'] = "Additional certificate ACLs: ".$cert_cn; + $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); + $result[] = $acl_item; + } + } + } + } return $result; } function get_backend($name) { global $config; $a_backend = &$config['installedpackages']['haproxy']['ha_pools']['item']; - foreach($a_backend as $key => $backend) - { - if ($backend['name'] == $name) - return $backend; - } + if(is_array($a_backend)) + foreach($a_backend as $key => $backend) + { + if ($backend['name'] == $name) + return $backend; + } return null; } diff --git a/config/haproxy-devel/haproxy.widget.php b/config/haproxy-devel/haproxy.widget.php index 7954e404..5d664e81 100644 --- a/config/haproxy-devel/haproxy.widget.php +++ b/config/haproxy-devel/haproxy.widget.php @@ -3,7 +3,7 @@ Copyright (C) 2013 PiBa-NL Copyright 2011 Thomas Schaefer - Tomschaefer.org Copyright 2011 Marcello Coutinho - Part of pfSense widgets (www.pfsense.com) + Part of pfSense widgets (www.pfsense.org) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: diff --git a/config/haproxy-devel/haproxy.xml b/config/haproxy-devel/haproxy.xml index bbc32575..acd934a7 100644 --- a/config/haproxy-devel/haproxy.xml +++ b/config/haproxy-devel/haproxy.xml @@ -58,76 +58,84 @@ <executable>haproxy</executable> <description>The Reliable, High Performance TCP/HTTP Load Balancer</description> </service> + <plugins> + <item> + <type>plugin_carp</type> + </item> + <item> + <type>plugin_certificates</type> + </item> + </plugins> <configpath>installedpackages->haproxy->config</configpath> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_listeners.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_listeners.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_listeners_edit.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_listeners_edit.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_global.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_global.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_pools.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_pools.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_pool_edit.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_pool_edit.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_stats.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_stats.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_socketinfo.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_socketinfo.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_htmllist.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_htmllist.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_utils.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_utils.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/widgets/widgets/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.widget.php</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.widget.php</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/www/shortcuts/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/haproxy-devel/pkg_haproxy.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/pkg_haproxy.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>077</chmod> - <item>http://www.pfsense.com/packages/config/haproxy-devel/pkg_haproxy_tabs.inc</item> + <item>https://packages.pfsense.org/packages/config/haproxy-devel/pkg_haproxy_tabs.inc</item> </additional_files_needed> <custom_delete_php_command> </custom_delete_php_command> diff --git a/config/haproxy-devel/haproxy_global.php b/config/haproxy-devel/haproxy_global.php index 8264558f..50472d9f 100755 --- a/config/haproxy-devel/haproxy_global.php +++ b/config/haproxy-devel/haproxy_global.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_pool.php,v 1.5.2.6 2007/03/02 23:48:32 smos Exp $ */ /* haproxy_global.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> @@ -36,6 +36,8 @@ require_once("haproxy_utils.inc"); require_once("globals.inc"); require_once("pkg_haproxy_tabs.inc"); +$simplefields = array('localstats_refreshtime','localstats_sticktable_refreshtime'); + if (!is_array($config['installedpackages']['haproxy'])) $config['installedpackages']['haproxy'] = array(); @@ -68,7 +70,13 @@ if ($_POST) { $input_errors[] = "The maximum number of connections should be numeric."; if ($_POST['localstatsport'] && (!is_numeric($_POST['localstatsport']))) - $input_errors[] = "The local stats port should be numeric."; + $input_errors[] = "The local stats port should be numeric or empty."; + + if ($_POST['localstats_refreshtime'] && (!is_numeric($_POST['localstats_refreshtime']))) + $input_errors[] = "The local stats refresh time should be numeric or empty."; + + if ($_POST['localstats_sticktable_refreshtime'] && (!is_numeric($_POST['localstats_sticktable_refreshtime']))) + $input_errors[] = "The local stats sticktable refresh time should be numeric or empty."; /*if($_POST['synchost1'] && !is_ipaddr($_POST['synchost1'])) $input_errors[] = "Synchost1 needs to be an IPAddress."; @@ -93,6 +101,8 @@ if ($_POST) { $config['installedpackages']['haproxy']['localstatsport'] = $_POST['localstatsport'] ? $_POST['localstatsport'] : false; $config['installedpackages']['haproxy']['advanced'] = $_POST['advanced'] ? base64_encode($_POST['advanced']) : false; $config['installedpackages']['haproxy']['nbproc'] = $_POST['nbproc'] ? $_POST['nbproc'] : false; + foreach($simplefields as $stat) + $config['installedpackages']['haproxy'][$stat] = $_POST[$stat]; touch($d_haproxyconfdirty_path); write_config(); } @@ -114,6 +124,8 @@ $pconfig['carpdev'] = $config['installedpackages']['haproxy']['carpdev']; $pconfig['localstatsport'] = $config['installedpackages']['haproxy']['localstatsport']; $pconfig['advanced'] = base64_decode($config['installedpackages']['haproxy']['advanced']); $pconfig['nbproc'] = $config['installedpackages']['haproxy']['nbproc']; +foreach($simplefields as $stat) + $pconfig[$stat] = $config['installedpackages']['haproxy'][$stat]; // defaults if (!$pconfig['logfacility']) @@ -121,8 +133,8 @@ if (!$pconfig['logfacility']) if (!$pconfig['loglevel']) $pconfig['loglevel'] = 'info'; -$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); -if(strstr($pfSversion, "1.2")) +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version < 2.0) $one_two = true; $pgtitle = "Services: HAProxy: Settings"; @@ -162,20 +174,6 @@ function enable_change(enable_change) { <div id="mainarea"> <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> - <td colspan="2" valign="top" class="listtopic">Recalculate certificate chain.</td> - </tr> - <tr> - <td width="22%" valign="top" class="vncell"> </td> - <td width="78%" class="vtable"> - <input type="hidden" name="calculate_certificate_chain" id="calculate_certificate_chain" /> - <input type="button" class="formbtn" value="Recalculate certificate chains" onclick="$('calculate_certificate_chain').value='true';document.iform.submit();" /> - <br/> - This can be required after certificates have been created or imported. As pfSense 2.1.0 currently does not - always keep track of these dependencies which might be required to create a proper certificate chain when using SSLoffloading. - </td> - </tr> - - <tr> <td colspan="2" valign="top" class="listtopic">General settings</td> </tr> <tr> @@ -199,11 +197,17 @@ function enable_change(enable_change) { </table> Sets the maximum per-process number of concurrent connections to X.<br/> <strong>NOTE:</strong> setting this value too high will result in HAProxy not being able to allocate enough memory.<br/> + <p> <?php $memusage = trim(`ps auxw | grep haproxy | grep -v grep | awk '{ print $5 }'`); if($memusage) - echo "<p>Current memory usage: {$memusage} K.</p>"; + echo "Current memory usage: <b>{$memusage} kB.</b><br/>"; ?> + Current <a href='/system_advanced_sysctl.php'>'System Tunables'</a> settings.<br/> + 'kern.maxfiles': <b><?=`sysctl kern.maxfiles | awk '{ print $2 }'`?></b><br/> + 'kern.maxfilesperproc': <b><?=`sysctl kern.maxfilesperproc | awk '{ print $2 }'`?></b><br/> + </p> + Full memory usage will only show after all connections have actually been used. </td><td> <table style="border: 1px solid #000;"> <tr> @@ -216,23 +220,29 @@ function enable_change(enable_change) { </td> </tr> <tr> - <td align="right"><font size=-1>999</font></td> - <td><font size=-1>1888K</font></td> + <td align="right"><font size=-1>1</font></td> + <td><font size=-1>50 kB</font></td> + </tr> + <tr> + <td align="right"><font size=-1>1.000</font></td> + <td><font size=-1>48 MB</font></td> </tr> <tr> - <td align="right"><font size=-1>99999</font></td> - <td><font size=-1>8032K</font></td> + <td align="right"><font size=-1>10.000</font></td> + <td><font size=-1>488 MB</font></td> </tr> <tr> - <td align="right"><font size=-1>999999</font></td> - <td><font size=-1>50016K</font></td> + <td align="right"><font size=-1>100.000</font></td> + <td><font size=-1>4,8 GB</font></td> </tr> <tr> - <td align="right"><font size=-1>9999999</font></td> - <td><font size=-1>467M</font></td> + <td colspan="2" style="white-space: nowrap"><font size=-2>Calculated for plain HTTP connections,<br/>using ssl offloading will increase this.</font></td> </tr> </table> </td></tr></table> + When setting a high amount of allowed simultaneous connections you will need to add and or increase the following two <b><a href='/system_advanced_sysctl.php'>'System Tunables'</a></b> kern.maxfiles and kern.maxfilesperproc. + For HAProxy alone set these to at least the number of allowed connections * 2 + 31. So for 100.000 connections these need to be 200.031 or more to avoid trouble, take into account that handles are also used by other processes when setting kern.maxfiles. + <br/> </td> </tr> <tr> @@ -352,12 +362,25 @@ function enable_change(enable_change) { </td> </tr> <tr> + <td width="22%" valign="top" class="vncell">Internal stats refresh rate</td> + <td class="vtable"> + <input name="localstats_refreshtime" type="text" <?if(isset($pconfig['localstats_refreshtime'])) echo "value=\"{$pconfig['localstats_refreshtime']}\"";?> size="10" maxlength="5" /> Seconds, Leave this setting empty to not refresh the page automatically. EXAMPLE: 10 + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell">Sticktable page refresh rate</td> + <td class="vtable"> + <input name="localstats_sticktable_refreshtime" type="text" <?if(isset($pconfig['localstats_sticktable_refreshtime'])) echo "value=\"{$pconfig['localstats_sticktable_refreshtime']}\"";?> size="10" maxlength="5" /> Seconds, Leave this setting empty to not refresh the page automatically. EXAMPLE: 10 + </td> + </tr> + <tr> <td colspan="2" valign="top" class="listtopic">Global Advanced pass thru</td> </tr> <tr> <td width="22%" valign="top" class="vncell"> </td> <td width="78%" class="vtable"> - <textarea name='advanced' rows="4" cols="70" id='advanced'><?php echo $pconfig['advanced']; ?></textarea> + <? $textrowcount = max(substr_count($pconfig['advanced'],"\n"), 2) + 2; ?> + <textarea name='advanced' rows="<?=$textrowcount;?>" cols="70" id='advanced'><?php echo $pconfig['advanced']; ?></textarea> <br/> NOTE: paste text into this box that you would like to pass thru in the global settings area. </td> @@ -368,6 +391,19 @@ function enable_change(enable_change) { </td> </tr> <tr> + <td colspan="2" valign="top" class="listtopic">Recalculate certificate chain.</td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"> </td> + <td width="78%" class="vtable"> + <input type="hidden" name="calculate_certificate_chain" id="calculate_certificate_chain" /> + <input type="button" class="formbtn" value="Recalculate certificate chains" onclick="$('calculate_certificate_chain').value='true';document.iform.submit();" />(Other changes on this page will be lost) + <br/> + This can be required after certificates have been created or imported. As pfSense 2.1.0 currently does not + always keep track of these dependencies which might be required to create a proper certificate chain when using SSLoffloading. + </td> + </tr> + <tr> <td colspan="2" valign="top" class="listtopic">Configuration synchronization</td> </tr> <tr> diff --git a/config/haproxy-devel/haproxy_htmllist.inc b/config/haproxy-devel/haproxy_htmllist.inc index 2e93ca2a..ae46ffd4 100644 --- a/config/haproxy-devel/haproxy_htmllist.inc +++ b/config/haproxy-devel/haproxy_htmllist.inc @@ -1,7 +1,7 @@ <?php /* haproxy_htmllist.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL All rights reserved. diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php index 2a1f12e6..7022ec34 100644 --- a/config/haproxy-devel/haproxy_listeners.php +++ b/config/haproxy-devel/haproxy_listeners.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_virtual_server.php,v 1.6.2.1 2006/01/02 23:46:24 sullrich Exp $ */ /* haproxy_listeners.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> @@ -70,8 +70,8 @@ if ($_GET['act'] == "del") { } } -$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); -if(strstr($pfSversion, "1.2")) +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version < 2.0) $one_two = true; $pgtitle = "Services: HAProxy: Frontends"; @@ -123,8 +123,10 @@ include("head.inc"); $a_frontend_grouped = array(); foreach($a_frontend as &$frontend2) { + $mainfrontend = get_primaryfrontend($frontend2); $ipport = get_frontend_ipport($frontend2, true); $frontend2['ipport'] = $ipport; + $frontend2['type'] = $mainfrontend['type']; $a_frontend_grouped[$ipport][] = $frontend2; } ksort($a_frontend_grouped); @@ -167,29 +169,27 @@ include("head.inc"); $acls = get_frontend_acls($frontend); $isaclset = ""; foreach ($acls as $acl) { - $isaclset .= " " . $acl['descr']; + $isaclset .= " " . htmlspecialchars($acl['descr']); } - if ($frontend['ssloffloadacl']) - $isaclset .= " " . "Certificate ACL"; - if ($frontend['ssloffloadacladditional']) - $isaclset .= " " . "Additional certificate ACLs"; if ($isaclset) echo "<img src=\"$img_acl\" title=\"" . gettext("acl's used") . ": {$isaclset}\" border=\"0\" />"; $isadvset = ""; - if ($frontend['advanced_bind']) $isadvset .= "Advanced bind: {$frontend['advanced_bind']}\r\n"; + if ($frontend['advanced_bind']) $isadvset .= "Advanced bind: ".htmlspecialchars($frontend['advanced_bind'])."\r\n"; if ($frontend['advanced']) $isadvset .= "Advanced pass thru setting used\r\n"; if ($isadvset) echo "<img src=\"$img_adv\" title=\"" . gettext("Advanced settings set") . ": {$isadvset}\" border=\"0\" />"; $backend_serverpool = $frontend['backend_serverpool']; $backend = get_backend($backend_serverpool ); - $servers = $backend['ha_servers']['item']; - $backend_serverpool_hint = gettext("Servers in pool:"); - if (is_array($servers)){ - foreach($servers as $server){ - $backend_serverpool_hint .= "\n".$server['address'].":".$server['port']; + if ($backend && is_array($backend['ha_servers']['item'])){ + $servers = $backend['ha_servers']['item']; + $backend_serverpool_hint = gettext("Servers in pool:"); + if (is_array($servers)){ + foreach($servers as $server){ + $backend_serverpool_hint .= "\n".$server['address'].":".$server['port']; + } } } ?> diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index bd0f93d5..6731731d 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_pool_edit.php,v 1.24.2.23 2007/03/03 00:07:09 smos Exp $ */ /* haproxy_listeners_edit.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> Copyright (C) 2013 PiBa-NL merging (some of the) "haproxy-devel" changes from: Marcello Coutinho <marcellocoutinho@gmail.com> @@ -57,8 +57,6 @@ function haproxy_js_acl_select($mode) { return $seltext; } -$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; - if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { $config['installedpackages']['haproxy']['ha_backends']['item'] = array(); } @@ -80,6 +78,12 @@ if (isset($_GET['dup'])) $id = get_frontend_id($id); +if (!is_numeric($id)) +{ + //default value for new items. + $pconfig['ssloffloadacl'] = "yes"; +} + $servercerts = get_certificates_server(); $fields_sslCertificates=array(); @@ -151,8 +155,8 @@ if ($_POST) { $ports = split(",", $_POST['port'] . ","); foreach($ports as $port) - if ($port && !is_numeric($port)) - $input_errors[] = "The field 'Port' value is not a number."; + if ($port && !is_numeric($port) && !is_portoralias($port)) + $input_errors[] = "The field 'Port' value '".htmlspecialchars($port)."' is not a number or alias thereof."; if ($_POST['client_timeout'] !== "" && !is_numeric($_POST['client_timeout'])) $input_errors[] = "The field 'Client timeout' value is not a number."; @@ -223,21 +227,17 @@ if ($_POST) { } } -$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); -if(strstr($pfSversion, "1.2")) +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version < 2.0) $one_two = true; -if (!$id) -{ - //default value for new items. - $pconfig['ssloffloadacl'] = "yes"; -} - $closehead = false; $pgtitle = "HAProxy: Frontend: Edit"; include("head.inc"); -$primaryfrontends = get_haproxy_frontends($pconfig['name']); +if (!isset($_GET['dup'])) + $excludefrontend = $pconfig['name']; +$primaryfrontends = get_haproxy_frontends($excludefrontend); $interfaces = haproxy_get_bindable_interfaces(); ?> @@ -247,6 +247,8 @@ $interfaces = haproxy_get_bindable_interfaces(); .haproxy_primary{} .haproxy_secondary{display:none;} </style> + <script type="text/javascript" src="/javascript/suggestions.js"></script> + <script type="text/javascript" src="/javascript/autosuggest.js"></script> </head> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> @@ -255,12 +257,18 @@ $interfaces = haproxy_get_bindable_interfaces(); <script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script> <?php endif; ?> - <script type="text/javascript"> function htmllist_get_select_options(tableId) { var seltext; seltext = ""; - var type = d.getElementById("type").value; + var type; + var secondary = d.getElementById("secondary"); + var primary_frontend = d.getElementById("primary_frontend"); + if ((secondary !== null) && (secondary.checked)) + type = primaryfrontends[primary_frontend.value]['ref']['type']; + else + type = d.getElementById("type").value; + if (tableId == 'tableA_acltable'){ if (type == 'health') seltext = "<?php echo haproxy_js_acl_select('health');?>"; @@ -296,10 +304,10 @@ $interfaces = haproxy_get_bindable_interfaces(); function updatevisibility() { d = document; ssloffload = d.getElementById("ssloffload"); - type = d.getElementById("type"); - secondary = d.getElementById("secondary"); - primary_frontend = d.getElementById("primary_frontend"); + var type; + var secondary = d.getElementById("secondary"); + var primary_frontend = d.getElementById("primary_frontend"); if ((secondary !== null) && (secondary.checked)) type = primaryfrontends[primary_frontend.value]['ref']['type']; else @@ -444,8 +452,8 @@ $interfaces = haproxy_get_bindable_interfaces(); <tr class="haproxy_primary" align="left"> <td width="22%" valign="top" class="vncellreq">External port</td> <td width="78%" class="vtable" colspan="2"> - <input name="port" type="text" <?if(isset($pconfig['port'])) echo "value=\"{$pconfig['port']}\"";?> size="10" maxlength="500" /> - <div>The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,443</div> + <input name="port" id="port" type="text" <?if(isset($pconfig['port'])) echo "value=\"{$pconfig['port']}\"";?> size="10" maxlength="500" /> + <div>The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,8000</div> </td> </tr> <tr class="haproxy_primary" align="left"> @@ -546,7 +554,8 @@ $interfaces = haproxy_get_bindable_interfaces(); <tr align="left"> <td width="22%" valign="top" class="vncell">Advanced pass thru</td> <td width="78%" class="vtable" colspan="2"> - <textarea name='advanced' rows="4" cols="70" id='advanced'><?php echo htmlspecialchars($pconfig['advanced']); ?></textarea> + <? $textrowcount = max(substr_count($pconfig['advanced'],"\n"), 2) + 2; ?> + <textarea name='advanced' rows="<?=$textrowcount;?>" cols="70" id='advanced'><?php echo htmlspecialchars($pconfig['advanced']); ?></textarea> <br/> NOTE: paste text into this box that you would like to pass thru. </td> @@ -597,7 +606,7 @@ $interfaces = haproxy_get_bindable_interfaces(); <tr class="haproxy_ssloffloading_enabled haproxy_primary" align="left"> <td width="22%" valign="top" class="vncell">Advanced ssl options</td> <td width="78%" class="vtable" colspan="2"> - <input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo "value=\"{$pconfig['dcertadv']}\"";?> maxlength="64" /> + <input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo 'value="'.htmlspecialchars($pconfig['dcertadv']).'"';?> /> <br/> NOTE: Paste additional ssl options(without commas) to include on ssl listening options.<br/> some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets @@ -638,6 +647,9 @@ $interfaces = haproxy_get_bindable_interfaces(); <script type="text/javascript"> totalrows = <?php echo $counter; ?>; updatevisibility(); + + var customarray = <?= json_encode(get_alias_list(array("port", "url_ports", "urltable_ports"))) ?>; + var oTextbox1 = new AutoSuggestControl(document.getElementById("port"), new StateSuggestions(customarray)); </script> <?php haproxy_htmllist_js(); diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php index 9b64df87..49eb4271 100644 --- a/config/haproxy-devel/haproxy_pool_edit.php +++ b/config/haproxy-devel/haproxy_pool_edit.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_pool_edit.php,v 1.24.2.23 2007/03/03 00:07:09 smos Exp $ */ /* haproxy_pool_edit.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> @@ -221,12 +221,8 @@ if ($_POST) { $pool['ha_servers']['item']=$a_servers; - update_if_changed("name", $pool['name'], $_POST['name']); - update_if_changed("cookie", $pool['cookie'], $_POST['cookie']); update_if_changed("advanced", $pool['advanced'], base64_encode($_POST['advanced'])); update_if_changed("advanced_backend", $pool['advanced_backend'], base64_encode($_POST['advanced_backend'])); - update_if_changed("checkinter", $pool['checkinter'], $_POST['checkinter']); - update_if_changed("monitor_uri", $pool['monitor_uri'], $_POST['monitor_uri']); global $simplefields; foreach($simplefields as $stat) @@ -254,8 +250,8 @@ if ($_POST) { $pconfig['a_servers']=&$a_pools[$id]['ha_servers']['item']; } -$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); -if(strstr($pfSversion, "1.2")) +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version < 2.0) $one_two = true; $closehead = false; @@ -308,6 +304,18 @@ foreach($simplefields as $field){ } } } + function toggleCSSdisplay(cssID) + { + var ss = document.styleSheets; + for (var i=0; i<ss.length; i++) { + var rules = ss[i].cssRules || ss[i].rules; + for (var j=0; j<rules.length; j++) { + if (rules[j].selectorText === cssID) { + rules[j].style.display = rules[j].style.display == "none" ? "" : "none"; + } + } + } + } function updatevisibility() { @@ -383,11 +391,36 @@ foreach($simplefields as $field){ </tr> <tr align="left"> <td class="vncell" colspan="3"><strong>Server list</strong> + <span style="float:right;"> + Toggle serverlist help. <a onclick="toggleCSSdisplay('.haproxy_help_serverlist');" title="<?php echo gettext("Help"); ?>"><img style="vertical-align:middle" src="/themes/<?php echo $g['theme']; ?>/images/icons/icon_help.gif" border="0" alt="help" /></a> + </span> <? $counter=0; $a_servers = $pconfig['a_servers']; haproxy_htmllist("tableA_servers", $a_servers, $fields_servers); ?> + <table class="haproxy_help_serverlist" style="border:1px dashed green" cellspacing="0"> + <tr><td class="vncell"> + Mode: </td><td class="vncell">Active: server will be used normally<br/> + Backup: server is only used in load balancing when all other non-backup servers are unavailable<br/> + Disabled: server is marked down in maintenance mode<br/> + Inactive: server will not be available for use + </td></tr><tr><td class="vncell"> + Name: </td><td class="vncell">Used to as a name for the server in for example the stats<br/>EXAMPLE: MyWebServer + </td></tr><tr><td class="vncell"> + Address: </td><td class="vncell">IP or hostname(only resolved on start-up.)<br/>EXAMPLE: 192.168.1.22 , fe80::1000:2000:3000:4000%em0 , WebServer1.localdomain + </td></tr><tr><td class="vncell"> + Port: </td><td class="vncell">The port of the backend.<br/>EXAMPLE: 80 or 443<br/> + </td></tr><tr><td class="vncell"> + SSL: </td><td class="vncell">Is the backend using SSL (commonly with port 443)<br/> + </td></tr><tr><td class="vncell"> + Weight: </td><td class="vncell">A weight between 0 and 256, this setting can be used when multiple servers on different hardware need to be balanced with with a different part the traffic. A server with weight 0 wont get new traffic. Default if empty: 1 + </td></tr><tr><td class="vncell"> + Cookie: </td><td class="vncell">the value of the cookie used to identify a server (only when cookie-persistence is enabled below) + </td></tr><tr><td class="vncell"> + Advanced: </td><td class="vncell">More advanced settings like rise,fall,error-limit,send-proxy and others can be configured here.<br/>For a full list of options see the <a target="_blank" href="http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2">HAProxy manual: Server and default-server options</a> + </td></tr> + </table> </td> </tr> <tr align="left"> @@ -459,6 +492,7 @@ foreach($simplefields as $field){ <tr align="left"> <td width="22%" valign="top" class="vncell">Transparent ClientIP</td> <td width="78%" class="vtable" colspan="2"> + WARNING Activating this option will load rules in IPFW and might interfere with CaptivePortal and possibly other services due to the way server return traffic must be 'captured' with a automatically created fwd rule. This also breaks directly accessing the (web)server on the ports configured above. Also a automatic sloppy pf rule is made to allow HAProxy to server traffic.<br/> <input id="transparent_clientip" name="transparent_clientip" type="checkbox" value="yes" <?php if ($pconfig['transparent_clientip']=='yes') echo "checked"; ?> onclick='updatevisibility();' /> Use Client-IP to connect to backend servers. <div class="haproxy_transparent_clientip"> @@ -479,13 +513,13 @@ foreach($simplefields as $field){ For proper workings this requires the reply's traffic to pass through pfSense by means of correct routing. (uses the option "source 0.0.0.0 usesrc clientip") <br/><br/> - Note : When this is enabled for a single backend HAProxy will run as 'root', which reduces security. + Note : When this is enabled for a single backend HAProxy will run as 'root' instead of chrooting to a lower privileged user, this reduces security in case of a a bit. </td> </tr> <tr align="left"> <td width="22%" valign="top" class="vncell">Per server pass thru</td> <td width="78%" class="vtable" colspan="2"> - <input type="text" name='advanced' id='advanced' value='<?php echo $pconfig['advanced']; ?>' size="64" /> + <input type="text" name='advanced' id='advanced' value='<?php echo htmlspecialchars($pconfig['advanced']); ?>' size="64" /> <br/> NOTE: paste text into this box that you would like to pass thru. Applied to each 'server' line. </td> @@ -494,7 +528,8 @@ foreach($simplefields as $field){ <tr align="left"> <td width="22%" valign="top" class="vncell">Backend pass thru</td> <td width="78%" class="vtable" colspan="2"> - <textarea rows="4" cols="70" name='advanced_backend' id='advanced_backend'><?php echo $pconfig['advanced_backend']; ?></textarea> + <? $textrowcount = max(substr_count($pconfig['advanced_backend'],"\n"), 2) + 2; ?> + <textarea rows="<?=$textrowcount;?>" cols="70" name='advanced_backend' id='advanced_backend'><?php echo htmlspecialchars($pconfig['advanced_backend']); ?></textarea> <br/> NOTE: paste text into this box that you would like to pass thru. Applied to the backend section. </td> @@ -629,10 +664,10 @@ set by the 'retries' parameter.</div> </td> </tr> <tr><td> </td></tr> - <tr> + <tr> <td colspan="2" valign="top" class="listtopic">Cookie persistence</td> - </tr> - <tr align="left"> + </tr> + <tr align="left"> <td width="22%" valign="top" class="vncell">Cookie Enabled</td> <td width="78%" class="vtable" colspan="2"> <input id="persist_cookie_enabled" name="persist_cookie_enabled" type="checkbox" value="yes" <?php if ($pconfig['persist_cookie_enabled']=='yes') echo "checked"; ?> onclick='updatevisibility();' /> @@ -664,7 +699,7 @@ set by the 'retries' parameter.</div> <br/> <textarea readonly="yes" cols="60" rows="2" id="persist_cookie_mode_description" name="persist_cookie_mode_description" style="padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt;"></textarea> </td> - </tr> + </tr> <tr class="haproxy_cookie_visible" align="left"> <td width="22%" valign="top" class="vncell">Cookie Cachable</td> <td width="78%" class="vtable" colspan="2"> @@ -673,11 +708,11 @@ set by the 'retries' parameter.</div> </td> </tr> <tr><td> </td></tr> - <tr> + <tr> <td colspan="2" valign="top" class="listtopic">Stick-table persistence</td> - </tr> + </tr> <tr><td class="vncell"></td><td class="vncell">These options are used to make sure seperate requests from a single client go to the same backend. This can be required for servers that keep track of for example a shopping cart.</td></tr> - <tr align="left"> + <tr align="left"> <td width="22%" valign="top" class="vncell">Stick tables</td> <td width="78%" class="vtable" colspan="2"> <? diff --git a/config/haproxy-devel/haproxy_pools.php b/config/haproxy-devel/haproxy_pools.php index 01655006..92235933 100644 --- a/config/haproxy-devel/haproxy_pools.php +++ b/config/haproxy-devel/haproxy_pools.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_virtual_server.php,v 1.6.2.1 2006/01/02 23:46:24 sullrich Exp $ */ /* haproxy_pools.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> Copyright (C) 2008 Remco Hoef <remcoverhoef@pfsense.com> @@ -65,8 +65,8 @@ if ($_GET['act'] == "del") { exit; } -$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); -if(strstr($pfSversion, "1.2")) +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version < 2.0) $one_two = true; $pgtitle = "Services: HAProxy: Backend server pools"; diff --git a/config/haproxy-devel/haproxy_socketinfo.inc b/config/haproxy-devel/haproxy_socketinfo.inc index 5c6e847d..6beb17c5 100644 --- a/config/haproxy-devel/haproxy_socketinfo.inc +++ b/config/haproxy-devel/haproxy_socketinfo.inc @@ -3,7 +3,7 @@ Copyright (C) 2013 PiBa-NL Copyright 2011 Thomas Schaefer - Tomschaefer.org Copyright 2011 Marcello Coutinho - Part of pfSense widgets (www.pfsense.com) + Part of pfSense widgets (www.pfsense.org) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: diff --git a/config/haproxy-devel/haproxy_stats.php b/config/haproxy-devel/haproxy_stats.php index 8ad04c92..10dd136a 100644 --- a/config/haproxy-devel/haproxy_stats.php +++ b/config/haproxy-devel/haproxy_stats.php @@ -1,7 +1,7 @@ <?php /* haproxy_stats.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL All rights reserved. @@ -65,7 +65,8 @@ if (isset($_GET['haproxystats']) || isset($_GET['scope']) || (isset($_POST) && i } require_once("guiconfig.inc"); if (isset($_GET['showsticktablecontent'])){ - header("Refresh: 2"); + if (is_numeric($pconfig['localstats_sticktable_refreshtime'])) + header("Refresh: {$pconfig['localstats_sticktable_refreshtime']}"); } $shortcut_section = "haproxy"; require_once("haproxy.inc"); @@ -128,8 +129,8 @@ if ($_POST) { } } -$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); -if(strstr($pfSversion, "1.2")) +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version < 2.0) $one_two = true; $pgtitle = "Services: HAProxy: Stats"; @@ -163,7 +164,7 @@ include("head.inc"); if (isset($_GET['showsticktablecontent'])){ $sticktablename = $_GET['showsticktablecontent']; echo "<td colspan='2'>"; - echo "TESTJe<br/>"; + echo "Contents of the sticktable: $sticktablename<br/>"; $res = haproxy_socket_command("show table $sticktablename"); foreach($res as $line){ echo "<br/>".print_r($line,true); diff --git a/config/haproxy-devel/haproxy_utils.inc b/config/haproxy-devel/haproxy_utils.inc index 058efc98..03bd434f 100644 --- a/config/haproxy-devel/haproxy_utils.inc +++ b/config/haproxy-devel/haproxy_utils.inc @@ -1,7 +1,7 @@ <?php /* haproxy_utils.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL All rights reserved. |