Diffstat (limited to 'config')
-rw-r--r--config/haproxy1_5/pkg/haproxy.inc208
-rw-r--r--config/haproxy1_5/pkg/haproxy_utils.inc44
-rw-r--r--config/haproxy1_5/pkg/haproxy_utils.inc.bak460
-rw-r--r--config/haproxy1_5/www/haproxy_listeners_edit.php11
-rw-r--r--config/haproxy1_5/www/haproxy_pool_edit.php2
5 files changed, 234 insertions, 491 deletions
diff --git a/config/haproxy1_5/pkg/haproxy.inc b/config/haproxy1_5/pkg/haproxy.inc
index 793c5c28..eceef783 100644
--- a/config/haproxy1_5/pkg/haproxy.inc
+++ b/config/haproxy1_5/pkg/haproxy.inc
@@ -345,10 +345,12 @@ function haproxy_custom_php_deinstall_command() {
update_output_window($static_output);
$static_output .= "HAProxy, deleting haproxy webgui\n";
update_output_window($static_output);
- exec("rm /usr/local/etc/rc.d/haproxy.sh");
+ unlink_if_exists("/usr/local/etc/rc.d/haproxy.sh");
+ unlink_if_exists("/etc/rc.haproxy_ocsp.sh");
$static_output .= "HAProxy, installing cron job if needed\n";
update_output_window($static_output);
haproxy_install_cron(false);
+ haproxy_install_cronjob(false, '/etc/rc.haproxy_ocsp.sh');
$static_output .= "HAProxy, running haproxy_custom_php_deinstall_command() DONE\n";
update_output_window($static_output);
}
@@ -362,6 +364,12 @@ function haproxy_custom_php_install_command() {
update_output_window($static_output);
conf_mount_rw();
+ $pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+ if ($pf_version == "2.1" || $pf_version == "2.2")
+ $haproxy_binary = "/usr/pbi/haproxy-devel-" . php_uname("m") . "/sbin/haproxy";
+ else
+ $haproxy_binary = "/usr/local/sbin/haproxy";
+
$static_output .= "HAProxy, create '/usr/local/etc/rc.d/haproxy.sh'\n";
update_output_window($static_output);
$haproxy = <<<EOD
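Review bot: The version probe `$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);` re-implements what haproxy_utils.inc already exposes as the static property `haproxy_utils::$pf_version` (declared in the second file of this commit), so the two detections can drift apart, and an unreadable /etc/version is silently cast to an empty string here. If haproxy_utils.inc is guaranteed to be loaded at install time, `if (haproxy_utils::$pf_version == "2.1" || haproxy_utils::$pf_version == "2.2")` keeps the logic in one place; otherwise at least make the accepted set explicit with `in_array($pf_version, array("2.1", "2.2"), true)`. haproxy_custom_php_install_command() continues outside the hunk.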
@@ -375,7 +383,7 @@ function haproxy_custom_php_install_command() {
name="haproxy"
rcvar="\${name}_enable"
-command="/usr/pbi/haproxy-devel-`uname -m`/sbin/haproxy"
+command="{$haproxy_binary}"
haproxy_enable=\${haproxy-"YES"}
start_cmd="haproxy_start"
@@ -425,7 +433,32 @@ EOD;
$fd = fopen("/usr/local/etc/rc.d/haproxy.sh", "w");
fwrite($fd, $haproxy);
fclose($fd);
- exec("chmod a+rx /usr/local/etc/rc.d/haproxy.sh");
+ chmod("/usr/local/etc/rc.d/haproxy.sh", 0755);
+
+ $haproxy_ocsp = <<<EOD
+#!/usr/local/bin/php -f
+
+<?php
+
+/*
+ Updates haproxy OCSP responses.
+*/
+
+require_once("globals.inc");
+require_once("functions.inc");
+require_once("haproxy.inc");
+require_once("haproxy_socketinfo.inc");
+haproxy_updateocsp();
+
+?>
+
+EOD;
+ // removing the \r prevents the "No input file specified." error..
+ $haproxy_ocsp = str_replace("\r\n","\n", $haproxy_ocsp);
+ $fd = fopen("/etc/rc.haproxy_ocsp.sh", "w");
+ fwrite($fd, $haproxy_ocsp);
+ fclose($fd);
+ chmod("/etc/rc.haproxy_ocsp.sh", 0755);
$static_output .= "HAProxy, update configuration\n";
update_output_window($static_output);
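Review bot: The writes of /etc/rc.haproxy_ocsp.sh (`$fd = fopen(...)`, `fwrite`, `fclose`) never check their return values, so a failed open or short write leaves a missing or truncated script that the cron job installed elsewhere in this commit will then try to execute, with nothing in the install output to explain it. Replacing the three calls with `if (file_put_contents("/etc/rc.haproxy_ocsp.sh", $haproxy_ocsp) === false) { $static_output .= "HAProxy, ERROR writing /etc/rc.haproxy_ocsp.sh\n"; }` before the `chmod` reports the failure through the same output window the rest of the function uses. The `str_replace("\r\n","\n", ...)` only matters when this source file itself has CRLF line endings; a comment stating that would save the next reader a detour. haproxy_custom_php_install_command() continues outside the hunk.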
@@ -447,6 +480,51 @@ EOD;
update_output_window($static_output);
}
+function haproxy_install_cronjob($should_install, $script, $interval = 60, $parameters = "") {
+ global $config, $g;
+ if($g['booting']==true)
+ return;
+ $is_installed = false;
+ if(!$config['cron']['item'])
+ return;
+ $x=0;
+ foreach($config['cron']['item'] as $item) {
+ if(strstr($item['command'], $script)) {
+ $is_installed = true;
+ break;
+ }
+ $x++;
+ }
+ switch($should_install) {
+ case true:
+ if(!$is_installed) {
+ $cron_item = array();
+ $cron_item['minute'] = "*/{$interval}";
+ $cron_item['hour'] = "*";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "$script $parameters";
+ $config['cron']['item'][] = $cron_item;
+ parse_config(true);
+ write_config("haproxy, install cron job");
+ configure_cron();
+ }
+ break;
+ case false:
+ if($is_installed == true) {
+ if($x > 0) {
+ unset($config['cron']['item'][$x]);
+ parse_config(true);
+ write_config("haproxy, remove cron job");
+ }
+ configure_cron();
+ }
+ break;
+ }
+}
+
function haproxy_install_cron($should_install) {
global $config, $g;
if($g['booting']==true)
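Review bot: The removal branch of haproxy_install_cronjob() can never delete a matching cron entry that sits at index 0, because `if($x > 0)` excludes it even though `$is_installed` is already true; it also assumes `$config['cron']['item']` has consecutive integer keys, which stops being true once any entry has been unset. Iterating with `foreach($config['cron']['item'] as $x => $item)` and dropping the `$x++` counter makes `$x` the real key, after which the guard is simply `if($is_installed) { unset($config['cron']['item'][$x]); ...`. `strstr($item['command'], $script)` is a substring test, so a script path that is a prefix of another, or that appears in another job's arguments, is mistaken for this job; `strpos($item['command'], $script) === 0` matches the command the function itself writes as `"$script $parameters"`. The caller in haproxy_check_run() passes `120` as `$interval`, which this function writes into the minute field as `*/120`; a step larger than 59 there does not produce a two-hour schedule (on Vixie-style cron it presumably matches only minute 0, i.e. hourly), so intervals of 60 or more should be turned into an hour-field step, e.g. `if ($interval >= 60) { $cron_item['minute'] = "0"; $cron_item['hour'] = "*/" . (int)($interval / 60); }`. The hunk ends inside haproxy_install_cron(), whose body continues outside it.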
@@ -879,24 +957,108 @@ function haproxy_write_certificate_crl($filename, $crlid, $append = false) {
unset($crl);
}
-function haproxy_write_certificate_fullchain($filename, $certid, $append = false) {
+function haproxy_write_certificate_fullchain($filename, $certid, $append = false, $skiproot = true) {
$cert = haproxy_lookup_cert($certid);
$certcontent = base64_decode($cert['crt']);
if (isset($cert['prv']))
$certcontent .= "\r\n".base64_decode($cert['prv']);
+ $ca = $cert;
+ while(!empty($ca['caref'])) {
+ $ca = lookup_ca($ca['caref']);
+ if ($ca) {
+ if ($skiproot && (cert_get_subject($ca['crt']) == cert_get_issuer($ca['crt'])))
+ break;
+ $certcontent .= "\r\n" . base64_decode($ca['crt']);
+ } else
+ break;
+ }
+ $flags = $append ? FILE_APPEND : 0;
+ file_put_contents($filename, $certcontent, $flags);
+ unset($certcontent);
+ unset($cert);
+}
+
+function haproxy_write_certificate_issuer($filename, $certid) {
+ $cert = haproxy_lookup_cert($certid);
$certchaincontent = ca_chain($cert);
if ($certchaincontent != "") {
$certcontent .= "\r\n" . $certchaincontent;
}
unset($certchaincontent);
- $flags = $append ? FILE_APPEND : 0;
- file_put_contents($filename, $certcontent, $flags);
+ file_put_contents($filename, $certcontent, 0);
unset($certcontent);
unset($cert);
}
+function haproxy_uses_ocsp() {
+ global $config;
+ $a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+ if (!is_array($a_frontends))
+ return false;
+
+ $configpath = "{$g['varetc_path']}/haproxy";
+ foreach ($a_frontends as $frontend) {
+ if ($frontend['sslocsp'] == 'yes') {
+ return true;
+ }
+ }
+ return false;
+}
+
+function haproxy_getocspurl($filename) {
+ return exec("openssl x509 -noout -ocsp_uri -in $filename", $output, $err);
+}
+
+function haproxy_updateocsp_one($socketupdate, $filename, $name) {
+ if (file_exists("{$filename}.ocsp")) {
+ // If the .ocsp file exists we want to use ocsp
+ syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}.. ");
+ $ocsp_url = haproxy_getocspurl($filename);
+ $ocsp_host = parse_url($ocsp_url, PHP_URL_HOST);
+ if (empty($ocsp_url)) {
+ // If cert does not have a ocsp_uri, it cannot be updated..
+ syslog(LOG_ERR, "HAProxy OCSP ERROR Cert does not have a ocsp_uri");
+ } else {
+ $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err);
+ if ($socketupdate) {
+ $ocspresponse = base64_encode(file_get_contents("{$filename}.ocsp"));
+ $r = haproxy_socket_command("set ssl ocsp-response $ocspresponse");
+ if ($r[0] == "OCSP Response updated!\n")
+ syslog(LOG_NOTICE, "HAProxy OCSP socket update successful for frontend {$name}..result: ".$retval);
+ else {
+ syslog(LOG_ERR, "HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: {$name}");
+ }
+ } else {
+ syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}..result: ".$retval);
+ }
+ }
+ }
+}
+
+function haproxy_updateocsp($socketupdate = true) {
+ global $config, $g;
+ $a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+ if (!is_array($a_frontends))
+ return true;
+
+ $configpath = "{$g['varetc_path']}/haproxy";
+ foreach ($a_frontends as $frontend) {
+ $filename = "$configpath/{$frontend['name']}.pem";
+ haproxy_updateocsp_one($socketupdate, $filename, $frontend['name']);
+
+ $subfolder = "$configpath/{$frontend['name']}";
+ $certs = $frontend['ha_certificates']['item'];
+ if (is_array($certs)){
+ foreach($certs as $cert){
+ $filename = "$subfolder/{$cert['ssl_certificate']}.pem";
+ haproxy_updateocsp_one($socketupdate, $filename, $frontend['name']);
+ }
+ }
+ }
+}
+
function haproxy_writeconf($configpath) {
global $config;
global $aliastable;
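Review bot: `haproxy_getocspurl()` and the `openssl ocsp` call in `haproxy_updateocsp_one()` interpolate `$filename`, `$ocsp_url` and `$ocsp_host` into a shell command line unquoted; the path is built from the frontend and certificate names stored in the config and the URL/host come straight out of the certificate's AIA extension, and nothing in this hunk validates any of them, so a shell metacharacter in one of those values changes the command that runs as root. Each argument should pass through `escapeshellarg()`: `return exec("openssl x509 -noout -ocsp_uri -in " . escapeshellarg($filename), $output, $err);` and, in the ocsp call, `-url " . escapeshellarg($ocsp_url) . " -header Host " . escapeshellarg($ocsp_host) . " -respout " . escapeshellarg("{$filename}.ocsp")` with the same treatment for the -issuer/-verify_other/-cert paths. The exit status `$err` of `openssl ocsp` is never inspected, so after a failed fetch the code still base64-encodes whatever `{$filename}.ocsp` holds — on first run the empty file `touch()`ed by haproxy_writeconf() — and pushes it over the socket; guarding the socket update with `if ($err === 0)` and logging `$retval` otherwise avoids that. Two smaller defects: `haproxy_write_certificate_issuer()` appends to `$certcontent` without initialising it, so the .issuer file begins with a stray "\r\n" (or is written from null when the chain is empty), and `haproxy_uses_ocsp()` reads `$g['varetc_path']` without `global $g` into an unused `$configpath` — that line can be removed.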
@@ -993,14 +1155,29 @@ function haproxy_writeconf($configpath) {
//ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem
$filename = "$configpath/{$frontend['name']}.pem";
$ssl_crt = " crt $filename";
+
haproxy_write_certificate_fullchain($filename, $frontend['ssloffloadcert']);
+ if ($frontend['sslocsp'] == 'yes') {
+ if (!empty(haproxy_getocspurl($filename))) {
+ haproxy_write_certificate_issuer($filename . ".issuer", $frontend['ssloffloadcert']);
+ touch($filename . ".ocsp");//create initial empty file. this will trigger updates, and inform haproxy it 'should' be using ocsp
+ }
+ }
+
$subfolder = "$configpath/{$frontend['name']}";
$certs = $frontend['ha_certificates']['item'];
if (is_array($certs)){
if (count($certs) > 0){
@mkdir($subfolder, 0755, true);
foreach($certs as $cert){
- haproxy_write_certificate_fullchain("$subfolder/{$cert['ssl_certificate']}.pem", $cert['ssl_certificate']);
+ $filenamefoldercert = "$subfolder/{$cert['ssl_certificate']}.pem";
+ haproxy_write_certificate_fullchain($filenamefoldercert, $cert['ssl_certificate']);
+ if ($frontend['sslocsp'] == 'yes') {
+ if (!empty(haproxy_getocspurl($filenamefoldercert))) {
+ haproxy_write_certificate_issuer($filenamefoldercert . ".issuer", $cert['ssl_certificate']);
+ touch($filenamefoldercert . ".ocsp");
+ }
+ }
}
$ssl_crt .= " crt $subfolder";
}
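Review bot: The OCSP staging is written twice in this hunk — once for the primary certificate (`if ($frontend['sslocsp'] == 'yes') { if (!empty(haproxy_getocspurl($filename))) { ... } }`) and again, minus the explanatory comment, for each additional certificate — so the two copies will diverge the first time one of them is edited. Pulling the pair of calls into a small helper that takes the .pem path and the certificate refid keeps the rule "only stage OCSP when the certificate carries an OCSP URI" in one place and lets the comment from the first copy document both. The `touch()` also runs on every reload; that only refreshes the mtime of an existing response file, so it is harmless, but a comment at the helper saying that `haproxy_updateocsp()` is what fills the file would help. haproxy_writeconf() starts before and continues after this hunk.
```php
/**
 * Stage the files the OCSP update needs for one certificate: the issuer
 * chain next to the .pem and an (initially empty) .ocsp response file.
 * Only certificates whose AIA extension carries an OCSP URI are staged;
 * haproxy_updateocsp() later fills the .ocsp file.
 */
function haproxy_prepare_ocsp_files($filename, $certid) {
	if (empty(haproxy_getocspurl($filename)))
		return;
	haproxy_write_certificate_issuer($filename . ".issuer", $certid);
	touch($filename . ".ocsp");
}

// … unchanged: $ssl_crt = " crt $filename"; …
haproxy_write_certificate_fullchain($filename, $frontend['ssloffloadcert']);
if ($frontend['sslocsp'] == 'yes')
	haproxy_prepare_ocsp_files($filename, $frontend['ssloffloadcert']);
// … unchanged: $subfolder, mkdir, foreach($certs as $cert) …
haproxy_write_certificate_fullchain($filenamefoldercert, $cert['ssl_certificate']);
if ($frontend['sslocsp'] == 'yes')
	haproxy_prepare_ocsp_files($filenamefoldercert, $cert['ssl_certificate']);
```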
@@ -1344,11 +1521,6 @@ function haproxy_writeconf($configpath) {
haproxy_do_xmlrpc_sync();
}
}
-
- if (isset($a_global['carpdev']))
- haproxy_install_cron(true);
- else
- haproxy_install_cron(false);
}
function haproxy_is_running() {
@@ -1560,8 +1732,18 @@ function haproxy_check_run($reload) {
$a_global = &$config['installedpackages']['haproxy'];
$configpath = "{$g['varetc_path']}/haproxy";
- if ($reload)
+ if ($reload) {
haproxy_writeconf($configpath);
+ haproxy_updateocsp(false);
+
+ if (isset($a_global['carpdev']))
+ haproxy_install_cron(true);
+ else
+ haproxy_install_cron(false);
+
+ $useocsp = haproxy_uses_ocsp();
+ haproxy_install_cronjob($useocsp, '/etc/rc.haproxy_ocsp.sh', 120);
+ }
if(isset($a_global['enable'])) {
if (isset($a_global['carpdev'])) {
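Review bot: `haproxy_updateocsp(false)` now runs inside haproxy_check_run() on every reload, so each configuration apply performs one synchronous `openssl ocsp` network fetch per OCSP-enabled certificate before HAProxy is restarted, and a slow or unreachable responder stalls the whole apply for as long as openssl waits. Since the cron job installed on the next lines refreshes the responses anyway, this first fetch could be deferred, or at least bounded with openssl's `-timeout` option and its outcome reported to the caller rather than only to syslog. A comment such as `// initial OCSP fetch; the cron job installed below keeps the responses current` would make the intent clear. haproxy_check_run() continues outside the hunk.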
diff --git a/config/haproxy1_5/pkg/haproxy_utils.inc b/config/haproxy1_5/pkg/haproxy_utils.inc
index d8c4faf4..ec72b986 100644
--- a/config/haproxy1_5/pkg/haproxy_utils.inc
+++ b/config/haproxy1_5/pkg/haproxy_utils.inc
@@ -36,24 +36,38 @@ require_once("config.inc");
class haproxy_utils {
public static $pf_version;
- public function query_dns($host, $querytype="A,AAAA", $dnsserver = "127.0.0.1") {
+ public function query_dns($host, $querytype="A,AAAA") {
$result = array();
- $host = trim($host, " \t\n\r\0\x0B[];\"'");
- $host_esc = escapeshellarg($host);
$types = explode(',',$querytype);
+ $recordtype = 0;
foreach($types as $type){
- $resolved = gethostbyname($host);
- if($resolved) {
- $resolved = array();
- if (haproxy_utils::$pf_version < '2.2')
- exec("/usr/bin/dig {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
- else
- exec("/usr/bin/drill {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
- foreach($resolved as $item) {
- $newitem = array();
- $newitem["typeid"] = $type;
- $newitem["data"] = $item;
- $result[] = $newitem;
+ switch ($type) {
+ case 'A':
+ $recordtype = DNS_A;
+ break;
+ case 'AAAA':
+ $recordtype = DNS_AAAA;
+ break;
+ }
+ if ($recordtype != 0) {
+ //query one type at a time, querying multiple types in one call dns_get_record fails if one is not present..
+ $errreporting = error_reporting();
+ error_reporting($errreporting & ~E_WARNING);// dns_get_record throws a warning if nothing is resolved..
+ $dnsresult = dns_get_record($host, $recordtype);
+ error_reporting($errreporting);
+ if (is_array($dnsresult)) {
+ foreach($dnsresult as $item) {
+ $newitem["typeid"] = $item['type'];
+ switch ($item['type']) {
+ case 'A':
+ $newitem["data"] = $item['ip'];
+ break;
+ case 'AAAA':
+ $newitem["data"] = $item['ipv6'];
+ break;
+ }
+ $result[] = $newitem;
+ }
}
}
}
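Review bot: `$recordtype` is initialised once before the `foreach($types as $type)` loop instead of per iteration, so a type other than `A`/`AAAA` in `$querytype` (say `A,CNAME`) silently repeats the previous lookup and yields duplicate rows rather than being skipped. Moving `$recordtype = 0;` to the first line of the loop body fixes it; `$newitem` should likewise be reset with `$newitem = array();` at the top of the inner `foreach($dnsresult as $item)`, as the removed code did, so a record of an unexpected type cannot inherit the previous entry's `data`. Dropping the `$dnsserver` parameter keeps callers that still pass a third argument working, but they now silently query the system resolver instead — worth stating in a docblock on the method. query_dns() continues outside the hunk.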
diff --git a/config/haproxy1_5/pkg/haproxy_utils.inc.bak b/config/haproxy1_5/pkg/haproxy_utils.inc.bak
deleted file mode 100644
index 26c77b45..00000000
--- a/config/haproxy1_5/pkg/haproxy_utils.inc.bak
+++ /dev/null
@@ -1,460 +0,0 @@
-<?php
-/*
- haproxy_utils.php
- part of pfSense (https://www.pfsense.org/)
- Copyright (C) 2013-2015 PiBa-NL
- All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
-*/
-/*
- This file contains functions which are NOT specific to HAProxy and may/could/should
- be moved to the general pfSense php library for possible easy use by other parts of pfSense
-*/
-
-require_once("config.inc");
-
-class haproxy_utils {
- public static $pf_version;
-
- public function query_dns($host, $querytype="A,AAAA", $dnsserver = "127.0.0.1") {
- $result = array();
- $host = trim($host, " \t\n\r\0\x0B[];\"'");
- $host_esc = escapeshellarg($host);
- $types = explode(',',$querytype);
- foreach($types as $type){
- $resolved = gethostbyname($host);
- if($resolved) {
- $resolved = array();
- if (haproxy_utils::$pf_version < '2.2')
- exec("/usr/bin/dig {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
- else
- exec("/usr/bin/drill {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved);
- foreach($resolved as $item) {
- $newitem = array();
- $newitem["typeid"] = $type;
- $newitem["data"] = $item;
- $result[] = $newitem;
- }
- }
- }
- return $result;
- }
-}
-haproxy_utils::$pf_version = substr(trim(file_get_contents("/etc/version")),0,3);
-
-if(!function_exists('ifset')){
- function ifset(&$var, $default = ''){
- return isset($var) ? $var : $default;
- };
-}
-
-if(!function_exists('is_arrayset')){
- function is_arrayset(&$array, $items){
- if (!isset($array))
- return false;
- $item = $array;
- $arg = func_get_args();
- for($i = 1; $i < count($arg); $i++) {
-
- $itemindex = $arg[$i];
- if (!isset($item[$itemindex]) || !is_array($item[$itemindex]))
- return false;
- $item = $item[$itemindex];
-
- }
- return true;
- }
-}
-
-function haproxy_compareByName($a, $b) {
- return strcasecmp($a['name'], $b['name']);
-}
-
-function haproxy_interface_ip($interfacebindname,$userfriendly=false){
- $list = haproxy_get_bindable_interfaces();
- $item = $list[$interfacebindname];
- $result = $item['ip'];
- if ($userfriendly && !$result)
- $result = $item['name'];
- return $result;
-}
-
-function haproxy_get_bindable_interfaces($ipv="ipv4,ipv6", $interfacetype="any,localhost,real,carp,ipalias"){
- // returns a list of ALL interface/IPs that can be used to bind a service to.
- // filtered by the conditions given in the two filter parameters.
- // result array includes:
- // $bindable[key] can be stored and compared with previous setings
- // $bindable[key]['ip'] the current IP (possibly changes for dhcp enabled interfaces..)
- // $bindable[key]['description'] can be shown to user in a selection box
-
- global $config;
- $ipverions = split(',',$ipv);
- $interfacetypes= split(',',$interfacetype);
-
- $bindable = array();
- if (in_array("ipv4",$ipverions)){
- if (in_array('any',$interfacetypes)){
- $item = array();
- $item[ip] = '0.0.0.0';
- $item[name] = 'any (IPv4)';
- $bindable['any_ipv4'] = $item;
- }
- if (in_array('localhost',$interfacetypes)){
- $item = array();
- $item[ip] = '127.0.0.1';
- $item[name] = 'localhost (IPv4)';
- $bindable['localhost_ipv4'] = $item;
- }
- if (in_array('real',$interfacetypes)){
- foreach($config['interfaces'] as $if => $ifdetail) {
- if (!isset($ifdetail['enable']))
- continue;
- if (!isset($ifdetail['ipaddr']))
- continue;
- $descr = $ifdetail['descr'];
- if (!$descr){
- if ($if == "wan" && !$ifdetail['descr'])
- $descr = "WAN";
- else if ($if == "lan" && !$ifdetail['descr'])
- $descr = "LAN";
- else
- $descr = $if;
- }
- $item = array();
- $item['ip'] = get_interface_ip($if);
- $item['name'] = "$descr address (IPv4)";
- $bindable[$if.'_ipv4'] = $item;
- }
- }
- if (in_array('carp',$interfacetypes)){
- $carplist = get_configured_carp_interface_list();
- foreach ($carplist as $carpif => $carpip){
- if (is_ipaddrv4($carpip)){
- $item = array();
- $item['ip'] = $carpip;
- $item['name'] = $carpip." (".get_vip_descr($carpip).")";
- $bindable[$carpip] = $item;
- }
- }
-
- }
- if (in_array('ipalias',$interfacetypes)){
- $aliaslist = get_configured_ip_aliases_list();
- foreach ($aliaslist as $aliasip => $aliasif){
- if (is_ipaddrv4($aliasip)){
- $item = array();
- $item['ip'] = $aliasip;
- $item['name'] = $aliasip." (".get_vip_descr($aliasip).")";
- $bindable[$aliasip.'_ipv4'] = $item;
- }
- }
- }
- }
- if (!isset($config['system']['ipv6allow']))
- return $bindable;// skip adding the IPv6 addresses if those are not 'allowed'
-
- if (in_array("ipv6",$ipverions)){
- if (in_array('any',$interfacetypes)){
- $item = array();
- $item[ip] = '::';
- $item[name] = 'any (IPv6)';
- $bindable['any_ipv6'] = $item;
- }
- if (in_array('localhost',$interfacetypes)){
- $item = array();
- $item[ip] = '::1';
- $item[name] = 'localhost (IPv6)';
- $bindable['localhost_ipv6'] = $item;
- }
- if (in_array('real',$interfacetypes)){
- foreach($config['interfaces'] as $if => $ifdetail) {
- if (!isset($ifdetail['enable']))
- continue;
- if (!isset($ifdetail['ipaddrv6']))
- continue;
- $descr = $ifdetail['descr'];
- if (!$descr){
- if ($if == "wan" && !$ifdetail['descr'])
- $descr = "WAN";
- else if ($if == "lan" && !$ifdetail['descr'])
- $descr = "LAN";
- else
- $descr = $if;
- }
- $item = array();
- $item['ip'] = get_interface_ipv6($if);
- $item['name'] = "$descr address (IPv6)";
- $bindable[$if.'_ipv6'] = $item;
- }
- }
- if (in_array('carp',$interfacetypes)){
- $carplist = get_configured_carp_interface_list();
- foreach ($carplist as $carpif => $carpip){
- if (is_ipaddrv6($carpip)){
- $item = array();
- $item['ip'] = $carpip;
- $item['name'] = $carpip." (".get_vip_descr($carpip).")";
- $bindable[$carpip] = $item;
- }
- }
-
- }
- if (in_array('ipalias',$interfacetypes)){
- $aliaslist = get_configured_ip_aliases_list();
- foreach ($aliaslist as $aliasip => $aliasif){
- if (is_ipaddrv6($aliasip)){
- $item = array();
- $item['ip'] = $aliasip;
- $item['name'] = $aliasip." (".get_vip_descr($aliasip).")";
- $bindable[$aliasip] = $item;
- }
- }
- }
- }
- return $bindable;
-}
-
-function haproxy_get_cert_extensions($crt){
- $cert = openssl_x509_parse(base64_decode($crt['crt']));
- return $cert['extensions'];
-}
-
-function haproxy_get_cert_authoritykeyidentifier($cert)
-{
- $certextension = haproxy_get_cert_extensions($cert);
- $lines = preg_split('/[\n]+/',$certextension['authorityKeyIdentifier']);
- return substr($lines[0],6);// cut off the starting string 'keyid:'
-}
-function haproxy_get_cert_subjectKeyIdentifier($cert)
-{
- $certextension = haproxy_get_cert_extensions($cert);
- $lines = preg_split('/[\n]+/',$certextension['subjectKeyIdentifier']);
- return $lines[0];
-}
-
-function haproxy_cert_signed_by($cert, $signedbycert) {
- // checks if $cert was signed by $signedbycert
- // this does NOT validate a proper signature but only checks if the extension properties match.
- $authoritykeyid = haproxy_get_cert_authoritykeyidentifier($cert);
- $subjectid = haproxy_get_cert_subjectKeyIdentifier($signedbycert);
- return $authoritykeyid == $subjectid;
-}
-
-function haproxy_recalculate_certifcate_chain(){
- // and set "selfsigned" for certificates that where used to sign themselves
- // recalculate the "caref" for all certificates where it is currently unkown.
-
- $allcertificates = haproxy_get_certificates('ca,server,user',true);
- $items_recalculated = 0;
- foreach($allcertificates as &$cert){
- $recalculate=false;
- if (!isset($cert['selfsigned'])){
- if (!isset($cert['caref']))
- $recalculate=true;
- else {
- $ca = lookup_ca($cert['caref']);
- if (!$ca)
- $recalculate=true;
- }
- }
- if ($recalculate){
- foreach($allcertificates as &$signedbycert){
- if(haproxy_cert_signed_by($cert, $signedbycert)){
- if ($cert['refid'] == $signedbycert['refid']){
- $cert['selfsigned'] = true;
- } else {
- $cert['caref'] = $signedbycert['refid'];
- }
- $items_recalculated++;
- }
- }
- }
- }
- if ($items_recalculated > 0)
- write_config("Services: HAProxy: Recalculated $items_recalculated certificate chains.");
- return $items_recalculated;
-}
-
-function get_certificat_usage($refid) {
- $usage = array();
- $cert = lookup_cert($refid);
- if (is_cert_revoked($cert))
- $usage[] = "*Revoked";
- if (is_webgui_cert($refid))
- $usage[] = "webConfigurator";
- if (is_user_cert($refid))
- $usage[] = "User Cert";
- if (is_openvpn_server_cert($refid))
- $usage[] = "OpenVPN Server";
- if (is_openvpn_client_cert($refid))
- $usage[] = "OpenVPN Client";
- if (is_ipsec_cert($refid))
- $usage[] = "IPsec Tunnel";
- if (function_exists("is_captiveportal_cert"))
- if (is_captiveportal_cert($refid))
- $usage[] = "Captive Portal";
- return $usage;
-}
-
-function haproxy_get_certificate_descriptivename($cert) {
- $usage = get_certificat_usage($cert['crt']);
- foreach($usage as $use){
- $usagestr .= " " . $use;
- }
- if ($usagestr != "")
- $usagestr = " (".trim($usagestr).")";
-
- $purpose = cert_get_purpose($cert['crt']);
- $certserverpurpose = $purpose['server'] == 'Yes' ? " [Server cert]" : "";
-
- $caname = "";
- $ca = lookup_ca($cert['caref']);
- if ($ca)
- $caname = " (CA: {$ca['descr']})";
-
- return $cert['descr'] . $caname . $certserverpurpose . $usagestr;
-}
-
-function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=false) {
- // $type one or multiple of these separated by a comma: ca,server,user
- // $get_includeWebCert if the webgui certificate may be included.
-
- // This function (is intended to) provide a uniform way to retrieve a list of server certificates
- global $config;
- $type = ",$type,";
- $certificates = array();
- if (strpos($type,',server,') !== false || strpos($type,',user,') !== false ) {
- if (is_array($config['cert'])) {
- $a_cert = &$config['cert'];
- foreach ($a_cert as $cert) {
- $purpose = cert_get_purpose($cert['crt']);
-
- $ok = false;
- $ok |= stristr($type,',server,') && $purpose['server'] == 'Yes';
- $ok |= stristr($type,',user,') && $purpose['server'] != 'Yes';
- if (!$ok)
- continue;
- //if ($get_includeWebCert == false && is_webgui_cert($cert['refid']))
- if ($get_includeWebCert == false && $cert['descr'] == "def web cert")
- continue;
- $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
- }
- }
- }
- if (strpos($type,',ca,') !== false) {
- if (is_array($config['ca'])) {
- $a_cert = &$config['ca'];
- foreach ($a_cert as $cert) {
- $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
- }
- }
- }
- uasort($certificates, haproxy_compareByName);
- return $certificates;
-}
-
-function haproxy_get_crls() {
- global $config;
- $certificates=array();
- if (is_array($config['crl'])) {
- foreach ($config['crl'] as $crl) {
- $caname = "";
- $ca = lookup_ca($crl['caref']);
- if ($ca)
- $caname = " (CA: {$ca['descr']})";
-
- $certificates[$crl['refid']]['name'] = $crl['descr'] . $caname;
- }
- }
- uasort($certificates, haproxy_compareByName);
- return $certificates;
-}
-
-function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName, $includeitems) {
- $offset = str_repeat(' ',$nestID);
- $itemName = "item$nestID";
- echo "{$offset}$nodeName = {};\n";
- if (is_array($items))
- foreach ($items as $key => $item)
- {
- if (in_array($path.'/'.$key, $includeitems))
- $subpath = $path.'/'.$key;
- else
- $subpath = $path.'/*';
- if (in_array($subpath, $includeitems) || in_array($path.'/*', $includeitems)) {
- if (is_array($item)) {
- $subNodeName = "item$nestID";
- phparray_to_javascriptarray_recursive($nestID+1, $subpath, $items[$key], $subNodeName, $includeitems);
- echo "{$offset}{$nodeName}['{$key}'] = $itemName;\n";
- } else {
- $item = json_encode($item);
- echo "{$offset}{$nodeName}['$key'] = $item;\n";
- }
- }
- }
-}
-function phparray_to_javascriptarray($items, $javaMapName, $includeitems) {
- phparray_to_javascriptarray_recursive(1,'',$items, $javaMapName, $includeitems);
-}
-
-function haproxy_html_select_options($keyvaluelist, $selected="") {
- $result = "";
- foreach($keyvaluelist as $key => $desc){
- $selectedhtml = $key == $selected ? "selected" : "";
- if ($desc['deprecated'] && $key != $selected){
- continue;
- }
- $name = htmlspecialchars($desc['name']);
- $result .= "<option value='{$key}' {$selectedhtml}>{$name}</option>";
- }
- return $result;
-}
-
-function haproxy_js_select_options($keyvaluelist, $selected="") {
- $result = "";
- foreach($keyvaluelist as $key => $desc){
- $selectedhtml = $key == $selected ? "selected" : "";
- if ($desc['deprecated'] && $key != $selected){
- continue;
- }
- $name = htmlspecialchars($desc['name']);
- $result .= "<option value='{$key}' {$selectedhtml}>{$name}<\/option>";
- }
- return $result;
-}
-
-function echo_html_select($name, $keyvaluelist, $selected, $listEmptyMessage="", $onchangeEvent="", $style="") {
- if (count($keyvaluelist)>0){
- if ($onchangeEvent != "")
- $onchangeEvent = " onchange='$onchangeEvent'";
- if ($style != "")
- $style = " style='$style'";
- echo "<select name=\"$name\" id=\"$name\" class=\"formselect\"$onchangeEvent$style>";
- echo haproxy_html_select_options($keyvaluelist, $selected);
- echo "</select>";
- } else {
- echo $listEmptyMessage;
- }
-}
-
-?> \ No newline at end of file
diff --git a/config/haproxy1_5/www/haproxy_listeners_edit.php b/config/haproxy1_5/www/haproxy_listeners_edit.php
index d8841c33..6998e099 100644
--- a/config/haproxy1_5/www/haproxy_listeners_edit.php
+++ b/config/haproxy1_5/www/haproxy_listeners_edit.php
@@ -71,7 +71,7 @@ uasort($a_pools, haproxy_compareByName);
global $simplefields;
$simplefields = array('name','desc','status','secondary','primary_frontend','type','forwardfor','httpclose','extaddr','backend_serverpool',
'max_connections','client_timeout','port','advanced_bind',
- 'ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','ssloffloadacladditional','sslclientcert-none','sslclientcert-invalid',
+ 'ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','ssloffloadacladditional','sslclientcert-none','sslclientcert-invalid','sslocsp',
'socket-stats',
'dontlognull','dontlog-normal','log-separate-errors','log-detailed');
@@ -787,6 +787,12 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
<input id="ssloffloadacl" name="ssloffloadacl" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacl']=='yes') echo "checked";?> onclick="updatevisibility();" />Add ACL for certificate CommonName. (host header matches the 'CN' of the certificate)<br/>
</td>
</tr>
+ <tr class="haproxy_ssloffloading_enabled" align="left">
+ <td width="22%" valign="top" class="vncell">OCSP</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="sslocsp" name="sslocsp" type="checkbox" value="yes" <?php if ($pconfig['sslocsp']=='yes') echo "checked";?> onclick="updatevisibility();" />Load certificate ocsp responses for easy certificate validation by the client.<br/>
+ </td>
+ </tr>
<tr class="haproxy_ssloffloading_enabled">
<td width="22%" valign="top" class="vncell">Additional certificates</td>
<td width="78%" class="vtable" colspan="2" valign="top">
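Review bot: The help text next to the new `sslocsp` checkbox does not tell the administrator what enabling it requires or does: per the haproxy.inc change in this commit, a response is only staged for certificates whose AIA extension carries an OCSP URI, the fetch happens at apply time and then periodically through a cron job, and failures are reported only to syslog. A wording such as `Staple OCSP responses for the certificate(s) of this frontend (OCSP stapling). Requires an OCSP URI in the certificate; responses are refreshed periodically by a cron job, see the system log for errors.` says that in one line. The surrounding form continues outside the hunk.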
@@ -805,7 +811,8 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
<input type='text' name='dcertadv' size="64" id='dcertadv' <?if(isset($pconfig['dcertadv'])) echo 'value="'.htmlspecialchars($pconfig['dcertadv']).'"';?> />
<br/>
NOTE: Paste additional ssl options(without commas) to include on ssl listening options.<br/>
- some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
+ some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets<br/>
+ Example: no-sslv3 ciphers EECDH+aRSA+AES:TLSv1+kRSA+AES:TLSv1+kRSA+3DES
</td>
</tr>
<tr class="haproxy_ssloffloading_enabled haproxy_primary">
diff --git a/config/haproxy1_5/www/haproxy_pool_edit.php b/config/haproxy1_5/www/haproxy_pool_edit.php
index 5e38b12d..0824e45c 100644
--- a/config/haproxy1_5/www/haproxy_pool_edit.php
+++ b/config/haproxy1_5/www/haproxy_pool_edit.php
@@ -961,7 +961,7 @@ set by the 'retries' parameter.</div>
<td colspan="2" valign="top" class="listtopic">Advanced</td>
</tr>
<tr class="" align="left" id='Strict-Transport-Security'>
- <td width="22%" valign="top" class="vncell">Strict-Transport-Security</td>
+ <td width="22%" valign="top" class="vncell">HSTS Strict-Transport-Security</td>
<td width="78%" class="vtable" colspan="2">
When configured enables "HTTP Strict Transport Security" leave empty to disable. (only used on 'http' frontends)<br/>
<b>WARNING! the domain will only work over https with a valid certificate!</b><br/>