Diffstat (limited to 'config')
-rw-r--r--config/apache_mod_security-dev/apache_mod_security.inc176
-rwxr-xr-xconfig/apache_mod_security-dev/apache_mod_security_sync.xml145
-rw-r--r--config/apcupsd/apcupsd.priv.inc38
-rw-r--r--config/apcupsd/apcupsd.xml27
-rw-r--r--config/autoconfigbackup/autoconfigbackup.php21
-rw-r--r--config/autoconfigbackup/autoconfigbackup.xml2
-rw-r--r--config/filer/filer.inc177
-rw-r--r--config/filer/filer_sync.xml112
-rw-r--r--config/freeradius2/freeradius.inc300
-rw-r--r--config/freeradius2/freeradius.xml2
-rw-r--r--config/freeradius2/freeradiussync.xml89
-rw-r--r--config/haproxy-devel/haproxy.priv.inc50
-rw-r--r--config/haproxy-devel/haproxy.xml6
-rw-r--r--config/haproxy-devel/pkg/haproxy.inc1296
-rw-r--r--config/haproxy-devel/pkg/haproxy_htmllist.inc502
-rw-r--r--config/haproxy-devel/pkg/haproxy_upgrade_config.inc107
-rw-r--r--config/haproxy-devel/pkg/haproxy_utils.inc30
-rw-r--r--config/haproxy-devel/www/haproxy_files.php32
-rw-r--r--config/haproxy-devel/www/haproxy_global.php118
-rw-r--r--config/haproxy-devel/www/haproxy_listeners.php75
-rw-r--r--config/haproxy-devel/www/haproxy_listeners_edit.php440
-rw-r--r--config/haproxy-devel/www/haproxy_pool_edit.php490
-rw-r--r--config/haproxy-devel/www/haproxy_pools.php37
-rw-r--r--config/haproxy-devel/www/haproxy_stats.php34
-rw-r--r--config/haproxy-devel/www/haproxy_templates.php98
-rw-r--r--config/haproxy-legacy/haproxy.inc4
-rw-r--r--config/ladvd/ladvd.inc23
-rw-r--r--config/ladvd/ladvd.priv.inc43
-rw-r--r--config/ladvd/ladvd.xml24
-rw-r--r--config/lcdproc-dev/lcdproc.priv.inc40
-rw-r--r--config/lcdproc-dev/lcdproc.xml12
-rw-r--r--config/lcdproc-dev/lcdproc_screens.xml10
-rw-r--r--config/lcdproc/lcdproc.priv.inc40
-rw-r--r--config/lcdproc/lcdproc.xml12
-rw-r--r--config/lcdproc/lcdproc_screens.xml10
-rw-r--r--config/notes/notes.priv.inc38
-rw-r--r--config/notes/notes.xml19
-rw-r--r--config/ntop2/ntop.inc157
-rw-r--r--config/ntop2/ntop.priv.inc37
-rw-r--r--config/ntop2/ntop.xml162
-rw-r--r--config/nut/nut.priv.inc40
-rw-r--r--config/nut/nut.xml8
-rw-r--r--config/phpsysinfo/phpsysinfo.inc156
-rw-r--r--config/phpsysinfo/phpsysinfo.xml121
-rwxr-xr-xconfig/postfix/postfix.inc285
-rw-r--r--config/postfix/postfix.php307
-rw-r--r--config/postfix/postfix_sync.xml198
-rw-r--r--config/routed/routed.inc30
-rw-r--r--config/routed/routed.priv.inc38
-rw-r--r--config/routed/routed.xml14
-rw-r--r--config/rrd-summary/rrd-summary.priv.inc37
-rw-r--r--config/rrd-summary/rrd-summary.xml6
-rw-r--r--config/sarg/sarg.inc169
-rwxr-xr-xconfig/sarg/sarg_sync.xml50
-rw-r--r--config/shellcmd/shellcmd.priv.inc38
-rw-r--r--config/shellcmd/shellcmd.xml8
-rwxr-xr-xconfig/snort/snort.inc176
-rwxr-xr-xconfig/snort/snort_sync.xml8
-rw-r--r--config/spamd/spamd.inc43
-rw-r--r--config/spamd/spamd.priv.inc (renamed from config/tinydns/tinydns_xmlrpc_sync.php)45
-rw-r--r--config/spamd/spamd.xml8
-rw-r--r--config/squid3/31/squid.inc8
-rwxr-xr-xconfig/squid3/33/squid.inc8
-rwxr-xr-xconfig/squid3/34/squid.inc131
-rw-r--r--config/squid3/34/squid_antivirus.inc3
-rwxr-xr-xconfig/squid3/34/squid_reverse_sync.xml48
-rwxr-xr-xconfig/squid3/34/squid_sync.xml48
-rw-r--r--config/squidGuard/squidguard.priv.inc55
-rw-r--r--config/squidGuard/squidguard.xml61
-rw-r--r--config/sshdcond/sshdcond.inc176
-rw-r--r--config/sshdcond/sshdcond.priv.inc42
-rw-r--r--config/sshdcond/sshdcond.xml14
-rwxr-xr-xconfig/sshdcond/sshdcond_sync.xml84
-rw-r--r--config/stunnel/stunnel.priv.inc42
-rw-r--r--config/stunnel/stunnel.xml10
-rw-r--r--config/sudo/sudo.priv.inc38
-rw-r--r--config/sudo/sudo.xml23
-rw-r--r--config/suricata/suricata.inc141
-rw-r--r--config/suricata/suricata.xml2
-rw-r--r--config/suricata/suricata_barnyard.php80
-rw-r--r--config/suricata/suricata_check_for_rule_updates.php73
-rw-r--r--config/suricata/suricata_flow_stream.php16
-rw-r--r--config/suricata/suricata_generate_yaml.php25
-rw-r--r--config/suricata/suricata_global.php2
-rw-r--r--config/suricata/suricata_interfaces_edit.php2
-rw-r--r--config/suricata/suricata_migrate_config.php20
-rw-r--r--config/suricata/suricata_post_install.php30
-rw-r--r--config/suricata/suricata_sync.xml83
-rw-r--r--config/suricata/suricata_yaml_template.inc1
-rw-r--r--config/syslog-ng/syslog-ng.priv.inc44
-rw-r--r--config/syslog-ng/syslog-ng.xml6
-rw-r--r--config/tftp2/tftp.inc10
-rw-r--r--config/tftp2/tftp.priv.inc38
-rw-r--r--config/tftp2/tftp.xml18
-rw-r--r--config/tftp2/tftp_files.php135
-rw-r--r--config/tinc/tinc.priv.inc44
-rw-r--r--config/tinc/tinc.xml16
-rw-r--r--config/tinc/tinc_hosts.xml9
-rw-r--r--config/tinydns/tinydns.inc411
-rw-r--r--config/tinydns/tinydns.xml41
-rw-r--r--config/tinydns/tinydns_dhcp_filter.php21
-rw-r--r--config/tinydns/tinydns_sync.xml200
102 files changed, 5950 insertions, 3129 deletions
diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc
index ed5596d6..4ec13bd0 100644
--- a/config/apache_mod_security-dev/apache_mod_security.inc
+++ b/config/apache_mod_security-dev/apache_mod_security.inc
@@ -1,19 +1,20 @@
<?php
/*
apache_mod_security.inc
- part of apache_mod_security package (http://www.pfSense.com)
+ part of pfSense (https://www.pfSense.org/)
Copyright (C) 2009, 2010 Scott Ullrich
Copyright (C) 2012-2013 Marcello Coutinho
Copyright (C) 2013 Stephane Lapie <stephane.lapie@asahinet.com>
+ Copyright (C) 2015 ESF, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code MUST retain the above copyright notice,
+ 1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
- 2. Redistributions in binary form MUST reproduce the above copyright
+ 2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
@@ -28,7 +29,6 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
-
require_once("service-utils.inc");
$shortcut_section = "apache";
@@ -157,27 +157,38 @@ function apache_mod_security_resync() {
if (is_array($config['installedpackages']['apachesync']['config'])){
$apache_sync = $config['installedpackages']['apachesync']['config'][0];
$synconchanges = $apache_sync['synconchanges'];
- $synctimeout = $apache_sync['synctimeout'];
- switch ($synconchanges){
+ $synctimeout = $apache_sync['synctimeout'] ?: '250';
+ switch ($synconchanges) {
case "manual":
- if (is_array($apache_sync[row])){
- $rs = $apache_sync[row];
+ if (is_array($apache_sync['row'])) {
+ $rs = $apache_sync['row'];
} else {
- log_error("apache_mod_security_package: XMLRPC sync is enabled, but there is no local host to push on apache config.");
+ log_error("apache_mod_security_package: XMLRPC sync is enabled but there are no hosts configured as replication targets.");
return;
}
break;
case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ // pfSense 2.0.x
- $system_carp = $config['installedpackages']['carpsettings']['config'][0];
- $rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
- $rs[0]['username'] = $system_carp['username'];
- $rs[0]['password'] = $system_carp['password'];
- } else if (is_array($config['hasync'])) { // pfSense 2.1
+ if (is_array($config['hasync'])) {
$system_carp = $config['hasync'];
$rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
$rs[0]['username'] = $system_carp['username'];
$rs[0]['password'] = $system_carp['password'];
+ $rs[0]['syncdestinenable'] = FALSE;
+
+ // XMLRPC sync is currently only supported over connections using the same protocol and port as this system
+ if ($config['system']['webgui']['protocol'] == "http") {
+ $rs[0]['syncprotocol'] = "http";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '80';
+ } else {
+ $rs[0]['syncprotocol'] = "https";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '443';
+ }
+ if ($system_carp['synchronizetoip'] == "") {
+ log_error("apache_mod_security_package: XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ } else {
+ $rs[0]['syncdestinenable'] = TRUE;
+ }
} else {
log_error("apache_mod_security_package: XMLRPC sync is enabled, but there is no global backup host to push apache config.");
return;
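Review bot: In the `auto` branch the HA credentials copied from `$config['hasync']` are paired with `syncprotocol = "http"` whenever the local webGUI runs on http, and nothing in the hunk warns that the admin password will then travel unencrypted (assuming the later send uses these values as the URL scheme). A log line in the http branch would make that visible, e.g. `log_error("apache_mod_security_package: XMLRPC sync target uses http; credentials are sent unencrypted.");`. The empty `synchronizetoip` check would also read better at the top of the branch, before `$rs[0]` is populated. The enclosing function `apache_mod_security_resync()` starts and ends outside this hunk.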
@@ -185,55 +196,63 @@ function apache_mod_security_resync() {
break;
default:
return;
- break;
+ break;
}
- }
- if (is_array($rs)){
- foreach($rs as $sh){
- $sync_to_ip = $sh['ipaddress'];
- $password = $sh['password'];
- if ($sh['username'])
- $username = $sh['username'];
- else
- $username = 'admin';
- if ($password && $sync_to_ip)
- apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout);
+ if (is_array($rs)) {
+ log_error("apache_mod_security_package: XMLRPC sync is starting.");
+ foreach ($rs as $sh) {
+ // Only sync enabled replication targets
+ if ($sh['syncdestinenable']) {
+ $sync_to_ip = $sh['ipaddress'];
+ $port = $sh['syncport'];
+ $username = $sh['username'] ?: 'admin';
+ $password = $sh['password'];
+ $protocol = $sh['syncprotocol'];
+
+ $error = '';
+ $valid = TRUE;
+
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $valid = FALSE;
+ }
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address or Hostname. ";
+ $valid = FALSE;
+ }
+ if (!is_port($port)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $valid = FALSE;
+ }
+ if ($valid) {
+ apache_mod_security_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout);
+ } else {
+ log_error("apache_mod_security_package: XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
+ }
+ }
+ }
+ log_error("apache_mod_security_package: XMLRPC sync completed.");
}
}
}
// Do the actual XMLRPC Sync
-function apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
+function apache_mod_security_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) {
global $config, $g;
- if(!$username)
- return;
-
- if(!$password)
- return;
-
- if(!$sync_to_ip)
+ if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") {
+ log_error("apache_mod_security_package: A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
return;
-
- if(!$synctimeout)
- $synctimeout=25;
-
- $xmlrpc_sync_neighbor = $sync_to_ip;
- if($config['system']['webgui']['protocol'] != "") {
- $synchronizetoip = $config['system']['webgui']['protocol'];
- $synchronizetoip .= "://";
}
- $port = $config['system']['webgui']['port'];
- /* if port is empty lets rely on the protocol selection */
- if($port == "") {
- if($config['system']['webgui']['protocol'] == "http")
- $port = "80";
- else
- $port = "443";
+
+ // Take care of IPv6 literal address
+ if (is_ipaddrv6($sync_to_ip)) {
+ $sync_to_ip = "[{$sync_to_ip}]";
}
- $synchronizetoip .= $sync_to_ip;
- /* xml will hold the sections to sync */
+ $url = "{$protocol}://{$sync_to_ip}";
+
+ /* XML will hold the sections to sync. */
$xml = array();
$xml['apachesettings'] = $config['installedpackages']['apachesettings'];
$xml['apachemodsecurity'] = $config['installedpackages']['apachemodsecurity'];
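Review bot: `$protocol` reaches `$url = "{$protocol}://{$sync_to_ip}"` after only an emptiness check, while the host and port are validated with `is_ipaddr`/`is_hostname`/`is_domain` and `is_port` in the caller loop. The validation block should also restrict the scheme to an allowlist: `if (!in_array($protocol, array('http', 'https'), true)) { $error .= "Misconfigured Replication Target Protocol. "; $valid = FALSE; }`. The abort message also interpolates `$sync_to_ip` into `log_error()` right after that value failed validation, so it may be worth logging a fixed string or a sanitised form instead. `apache_mod_security_resync()` begins before this hunk and `apache_mod_security_do_xmlrpc_sync()` continues past it.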
@@ -243,67 +262,58 @@ function apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $
$xml['apachevirtualhost'] = $config['installedpackages']['apachevirtualhost'];
$xml['apachelisten'] = $config['installedpackages']['apachelisten'];
- /* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($xml)
- );
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($xml));
- /* set a few variables needed for sync code borrowed from filter.inc */
- $url = $synchronizetoip;
- log_error("apache_mod_security_package: Beginning apache_mod_security XMLRPC sync to {$url}:{$port}.");
+ /* Set a few variables needed for sync code */
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
- if($g['debug'])
+ if ($g['debug']) {
$cli->setDebug(1);
- /* send our XMLRPC message and timeout after defined sync timeout value*/
+ }
+ /* Send our XMLRPC message and timeout after defined sync timeout value */
$resp = $cli->send($msg, $synctimeout);
- if(!$resp) {
- $error = "A communications error occurred while attempting apache_mod_security XMLRPC sync with {$url}:{$port}.";
- log_error($error);
+ if (!$resp) {
+ $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port}.";
+ log_error("apache_mod_security_package: {$error}");
file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");
- } elseif($resp->faultCode()) {
+ } elseif ($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
- $error = "An error code was received while attempting apache_mod_security XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("apache_mod_security_package: {$error}");
file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");
} else {
log_error("apache_mod_security_package: XMLRPC sync successfully completed with {$url}:{$port}.");
}
- /* tell apache_mod_security to reload our settings on the destination sync host. */
+ /* Tell apache_mod_security to reload our settings on the destination sync host. */
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/pkg/apache_mod_security.inc');\n";
$execcmd .= "apache_mod_security_resync();";
- /* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($execcmd)
- );
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));
- log_error("apache_mod_security_package: XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
- if(!$resp) {
- $error = "A communications error occurred while attempting apache_mod_security XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
- log_error($error);
+ if (!$resp) {
+ $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ log_error("apache_mod_security_package: {$error}");
file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");
- } elseif($resp->faultCode()) {
+ } elseif ($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
- $error = "An error code was received while attempting apache_mod_security XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("apache_mod_security_package: {$error}");
file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");
} else {
- log_error("apache_mod_security XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("apache_mod_security_package: XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
-
}
function apache_mod_security_checkconfig() {
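Review bot: The `pfsense.exec_php` reload is still sent when the preceding `pfsense.merge_installedpackages_section_xmlrpc` call failed, because neither error branch of the first send returns. Adding `return;` after each `file_notice("sync_settings", $error, "apache_mod_security Settings Sync", "");` in the first `if (!$resp)` / `elseif ($resp->faultCode())` pair would stop the target from reloading a configuration that was never merged. Both fault branches also call `$cli->setDebug(1)` and resend the same message, which carries `$password`; it is worth confirming that the debug output is not written anywhere user-visible. The function body starts before this hunk.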
diff --git a/config/apache_mod_security-dev/apache_mod_security_sync.xml b/config/apache_mod_security-dev/apache_mod_security_sync.xml
index 7ecfb68e..425069b6 100755
--- a/config/apache_mod_security-dev/apache_mod_security_sync.xml
+++ b/config/apache_mod_security-dev/apache_mod_security_sync.xml
@@ -1,46 +1,46 @@
<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
<packagegui>
<copyright>
<![CDATA[
/* $Id$ */
-/* ========================================================================== */
+/* ====================================================================================== */
/*
- apache_sync.xml
- part of the sarg package for pfSense
- Copyright (C) 2012 Marcello Coutinho
- All rights reserved.
- */
-/* ========================================================================== */
+ apache_sync.xml
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2012 Marcello Coutinho
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+*/
+/* ====================================================================================== */
/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code MUST retain the above copyright notice,
- this list of conditions and the following disclaimer.
- 2. Redistributions in binary form MUST reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+/* ====================================================================================== */
]]>
</copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
<name>apachesync</name>
<version>1.0</version>
<title>Proxy server: XMLRPC Sync</title>
@@ -66,9 +66,15 @@
<type>listtopic</type>
</field>
<field>
- <fielddescr>Automatically sync apache configuration changes</fielddescr>
+ <fielddescr>Enable Sync</fielddescr>
<fieldname>synconchanges</fieldname>
- <description>Select a sync method for Apache + ModSecurity.</description>
+ <description>
+ <![CDATA[
+ Select a sync method for Apache + ModSecurity.<br/><br/>
+ <strong>Important:</strong> While using "Sync to host(s) defined below", only sync from host A to B, A to C but <strong>do not</strong> enable XMLRPC sync <b>to</b> A.
+ This will result in a loop!
+ ]]>
+ </description>
<type>select</type>
<required/>
<default_value>auto</default_value>
@@ -79,39 +85,70 @@
</options>
</field>
<field>
- <fielddescr>Sync timeout</fielddescr>
+ <fielddescr>Sync Timeout</fielddescr>
<fieldname>synctimeout</fieldname>
- <description>Select sync max wait time</description>
+ <description>XMLRPC timeout in seconds.</description>
<type>select</type>
<required/>
<default_value>250</default_value>
<options>
- <option><name>30 seconds(Default)</name><value>30</value></option>
- <option><name>60 seconds</name><value>60</value></option>
- <option><name>90 seconds</name><value>90</value></option>
+ <option><name>250 seconds (Default)</name><value>250</value></option>
<option><name>120 seconds</name><value>120</value></option>
- <option><name>250 seconds</name><value>250</value></option>
+ <option><name>90 seconds</name><value>90</value></option>
+ <option><name>60 seconds</name><value>60</value></option>
+ <option><name>30 seconds</name><value>30</value></option>
</options>
</field>
<field>
- <fielddescr>Remote Server</fielddescr>
+ <fielddescr>Replication Targets</fielddescr>
<fieldname>none</fieldname>
<type>rowhelper</type>
<rowhelper>
- <rowhelperfield>
- <fielddescr>IP Address</fielddescr>
- <fieldname>ipaddress</fieldname>
- <description>IP Address of remote server</description>
- <type>input</type>
- <size>20</size>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>Password</fielddescr>
- <fieldname>password</fieldname>
- <description>Password for remote server.</description>
- <type>password</type>
- <size>20</size>
- </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>syncdestinenable</fieldname>
+ <description><![CDATA[Enable this host as a replication target]]></description>
+ <type>checkbox</type>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Protocol</fielddescr>
+ <fieldname>syncprotocol</fieldname>
+ <description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description>
+ <type>select</type>
+ <default_value>HTTP</default_value>
+ <options>
+ <option><name>HTTP</name><value>http</value></option>
+ <option><name>HTTPS</name><value>https</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>IP Address/Hostname</fielddescr>
+ <fieldname>ipaddress</fieldname>
+ <description><![CDATA[IP address or hostname of the destination host.]]></description>
+ <type>input</type>
+ <size>40</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Port</fielddescr>
+ <fieldname>syncport</fieldname>
+ <description><![CDATA[Choose the sync port of the destination host.]]></description>
+ <type>input</type>
+ <size>3</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Username (admin)</fielddescr>
+ <fieldname>username</fieldname>
+ <description><![CDATA[Enter the username account for administration.]]></description>
+ <type>input</type>
+ <size>20</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Admin Password</fielddescr>
+ <fieldname>password</fieldname>
+ <description><![CDATA[Password of the user "admin" on the destination host.]]></description>
+ <type>password</type>
+ <size>20</size>
+ </rowhelperfield>
</rowhelper>
</field>
</fields>
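Review bot: The new `syncprotocol` field declares `<default_value>HTTP</default_value>`, but the option values are lowercase `http` and `https`, so the default appears not to match any option value, and where it does apply it selects the cleartext transport for the admin credentials. Consider `<default_value>https</default_value>` so that new replication targets start on the encrypted protocol. The password description still names the user "admin" although the row now has a configurable `username` field. `<size>3</size>` on `syncport` is narrower than a five-digit port.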
diff --git a/config/apcupsd/apcupsd.priv.inc b/config/apcupsd/apcupsd.priv.inc
new file mode 100644
index 00000000..5526b99f
--- /dev/null
+++ b/config/apcupsd/apcupsd.priv.inc
@@ -0,0 +1,38 @@
+<?php
+/*
+ apcupsd.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-apcupsd'] = array();
+$priv_list['page-services-apcupsd']['name'] = "WebCfg - Services: apcupsd";
+$priv_list['page-services-apcupsd']['descr'] = "Allow access to apcupsd package GUI";
+$priv_list['page-services-apcupsd']['match'] = array();
+$priv_list['page-services-apcupsd']['match'][] = "pkg_edit.php?xml=apcupsd.xml*";
+$priv_list['page-services-apcupsd']['match'][] = "apcupsd_status.php*";
+
+?>
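Review bot: The new include file ends with a closing `?>` tag, so any whitespace that follows it would be emitted as output by every page that loads the privilege list, which can break later header or redirect calls. For a PHP-only include the usual practice is to drop the closing tag and end the file after the last `$priv_list[...]` assignment.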
diff --git a/config/apcupsd/apcupsd.xml b/config/apcupsd/apcupsd.xml
index 38c84e81..cb33b8ef 100644
--- a/config/apcupsd/apcupsd.xml
+++ b/config/apcupsd/apcupsd.xml
@@ -41,17 +41,20 @@
</copyright>
<name>Apcupsd</name>
<title>Services: Apcupsd (General)</title>
- <category>Monitoring</category>
- <version>0.3.7</version>
+ <version>0.3.9</version>
<include_file>/usr/local/pkg/apcupsd.inc</include_file>
- <addedit_string>Apcupsd has been created/modified.</addedit_string>
- <delete_string>Apcupsd has been deleted.</delete_string>
+ <addedit_string>Apcupsd configuration has been created/modified.</addedit_string>
+ <delete_string>Apcupsd configuration has been deleted.</delete_string>
<restart_command>/usr/local/etc/rc.d/apcupsd.sh restart</restart_command>
<additional_files_needed>
<item>https://packages.pfsense.org/packages/config/apcupsd/apcupsd.inc</item>
<prefix>/usr/local/pkg/</prefix>
</additional_files_needed>
<additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/apcupsd/apcupsd.priv.inc</item>
+ <prefix>/etc/inc/priv/</prefix>
+ </additional_files_needed>
+ <additional_files_needed>
<item>https://packages.pfsense.org/packages/config/apcupsd/apcupsd_status.php</item>
<prefix>/usr/local/www/</prefix>
</additional_files_needed>
@@ -67,18 +70,18 @@
<name>Apcupsd</name>
<tooltiptext>Setup Apcupsd specific settings</tooltiptext>
<section>Services</section>
- <url>/pkg_edit.php?xml=apcupsd.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=apcupsd.xml</url>
</menu>
<service>
<name>apcupsd</name>
<rcfile>apcupsd.sh</rcfile>
<executable>apcupsd</executable>
- <description>Apcupsd a daemon for controlling APC UPSes</description>
+ <description>APC UPS Daemon</description>
</service>
<tabs>
<tab>
<text>General</text>
- <url>/pkg_edit.php?xml=apcupsd.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=apcupsd.xml</url>
<active/>
</tab>
<tab>
@@ -88,19 +91,19 @@
</tabs>
<fields>
<field>
- <name>General configuration parameters</name>
+ <name>General Configuration Parameters</name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Enable</fielddescr>
<fieldname>apcupsdenabled</fieldname>
- <description>Enable APC UPS Daemon service</description>
+ <description>Enable APC UPS Daemon service.</description>
<type>checkbox</type>
</field>
<field>
<fielddescr>UPS Name</fielddescr>
<fieldname>upsname</fieldname>
- <description>Use this to give your UPS a name in log files and such</description>
+ <description>Use this to give your UPS a name in log files and such.</description>
<type>input</type>
<size>60</size>
<required>true</required>
@@ -199,7 +202,7 @@
<field>
<fielddescr>Kill on Power Fail</fielddescr>
<fieldname>killonpowerfail</fieldname>
- <description>Hibernate UPS on powerfail</description>
+ <description>Hibernate UPS on powerfail.</description>
<type>checkbox</type>
</field>
<field>
@@ -322,7 +325,7 @@
<default_value>3551</default_value>
</field>
<field>
- <name>Configuration statements used if sharing</name>
+ <name>UPS Sharing Configuration</name>
<type>listtopic</type>
</field>
<field>
diff --git a/config/autoconfigbackup/autoconfigbackup.php b/config/autoconfigbackup/autoconfigbackup.php
index 5bf40736..9a7d67a1 100644
--- a/config/autoconfigbackup/autoconfigbackup.php
+++ b/config/autoconfigbackup/autoconfigbackup.php
@@ -82,6 +82,10 @@ if ($_REQUEST['download']) {
$pgtitle = "Diagnostics: Auto Configuration Backup";
}
+/* Set up time zones for conversion. See #5250 */
+$acbtz = new DateTimeZone('America/Chicago');
+$mytz = new DateTimeZone(date_default_timezone_get());
+
include("head.inc");
function get_hostnames() {
@@ -193,7 +197,9 @@ function get_hostnames() {
$savemsg = "An error occurred while trying to remove the item from portal.pfsense.org.";
} else {
curl_close($curl_session);
- $savemsg = "Backup revision {$_REQUEST['rmver']} has been removed.";
+ $budate = new DateTime($_REQUEST['rmver'], $acbtz);
+ $budate->setTimezone($mytz);
+ $savemsg = "Backup revision " . htmlspecialchars($budate->format(DATE_RFC2822)) . " has been removed.";
}
print_info_box($savemsg);
}
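Review bot: `new DateTime($_REQUEST['rmver'], $acbtz)` throws an `Exception` when the request value is not a parsable date, and here it runs in the success branch after the remote delete request has already completed, so a malformed `rmver` would end the page with an uncaught exception instead of a status message. `DateTime` also accepts relative strings, so the message could show a time that differs from the revision actually removed. Wrapping the two added lines in a `try`/`catch (Exception $e)` that falls back to `$savemsg = "Backup revision " . htmlspecialchars($_REQUEST['rmver']) . " has been removed.";` keeps the output escaped in both paths. The enclosing block starts outside this hunk.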
@@ -350,12 +356,19 @@ EOF;
// Loop through and create new confvers
$data_split = split("\n", $data);
$confvers = array();
+
foreach ($data_split as $ds) {
$ds_split = split($oper_sep, $ds);
$tmp_array = array();
$tmp_array['username'] = $ds_split[0];
$tmp_array['reason'] = $ds_split[1];
$tmp_array['time'] = $ds_split[2];
+
+ /* Convert the time from server time to local. See #5250 */
+ $budate = new DateTime($tmp_array['time'], $acbtz);
+ $budate->setTimezone($mytz);
+ $tmp_array['localtime'] = $budate->format(DATE_RFC2822);
+
if ($ds_split[2] && $ds_split[0]) {
$confvers[] = $tmp_array;
}
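Review bot: The time conversion runs before the `if ($ds_split[2] && $ds_split[0])` filter, so `new DateTime($tmp_array['time'], $acbtz)` is also called for rows that are about to be discarded. An empty time is parsed as the current time, and a non-empty but malformed one throws and aborts the whole listing. `$data` presumably comes from the backup server response, so it should be treated as untrusted. Moving the three added lines inside the `if` block and catching `Exception` around the constructor (skipping the row or falling back to the raw string) would confine the failure to one entry. The loop is closed outside this hunk.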
@@ -398,16 +411,16 @@ EOF;
foreach ($confvers as $cv):
?>
<tr valign="top">
- <td class="listlr"> <?= $cv['time']; ?></td>
+ <td class="listlr"> <?= $cv['localtime']; ?></td>
<td class="listbg"> <?= $cv['reason']; ?></td>
<td colspan="2" valign="middle" class="list" nowrap="nowrap">
- <a title="Restore this revision" onclick="return confirm('Are you sure you want to restore <?= $cv['time']; ?>?')" href="autoconfigbackup.php?hostname=<?=urlencode($hostname)?>&newver=<?=urlencode($cv['time']);?>">
+ <a title="Restore this revision" onclick="return confirm('Are you sure you want to restore <?= $cv['localtime']; ?>?')" href="autoconfigbackup.php?hostname=<?=urlencode($hostname)?>&newver=<?=urlencode($cv['time']);?>">
<img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" alt="" />
</a>
<a title="Show info" href="autoconfigbackup.php?download=<?=urlencode($cv['time']);?>&hostname=<?=urlencode($hostname)?>&reason=<?php echo urlencode($cv['reason']);?>">
<img src="/themes/<?= $g['theme']; ?>/images/icons/icon_down.gif" width="17" height="17" border="0" alt="" />
</a>
- <a title="Delete" onclick="return confirm('Are you sure you want to delete <?= $cv['time']; ?>?')"href="autoconfigbackup.php?hostname=<?=urlencode($hostname)?>&rmver=<?=urlencode($cv['time']);?>">
+ <a title="Delete" onclick="return confirm('Are you sure you want to delete <?= $cv['localtime']; ?>?')"href="autoconfigbackup.php?hostname=<?=urlencode($hostname)?>&rmver=<?=urlencode($cv['time']);?>">
<img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="" />
</a>
</td>
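Review bot: `$cv['reason']` in the `listbg` cell is still echoed without escaping, although this commit added `htmlspecialchars()` to the removal message elsewhere in the file. The reason text appears to be free-form data returned with the backup list, so it should be encoded for the HTML context: `<td class="listbg"> <?= htmlspecialchars($cv['reason']); ?></td>`. `$cv['localtime']` is placed inside a single-quoted JavaScript string in the `onclick` attributes. The `DATE_RFC2822` format should not contain quotes, but escaping it there as well would keep the template safe if the format ever changes.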
diff --git a/config/autoconfigbackup/autoconfigbackup.xml b/config/autoconfigbackup/autoconfigbackup.xml
index dd83a9c7..f2fd8785 100644
--- a/config/autoconfigbackup/autoconfigbackup.xml
+++ b/config/autoconfigbackup/autoconfigbackup.xml
@@ -43,7 +43,7 @@
<description>Automatically backs up your pfSense configuration. All contents are encrypted before being sent to the server. Requires Gold Subscription from https://portal.pfsense.org</description>
<requirements>pfSense Portal subscription</requirements>
<name>AutoConfigBackup</name>
- <version>1.29</version>
+ <version>1.32</version>
<title>Diagnostics: Auto Configuration Backup</title>
<savetext>Change</savetext>
<include_file>/usr/local/pkg/autoconfigbackup.inc</include_file>
diff --git a/config/filer/filer.inc b/config/filer/filer.inc
index 7b795acb..63cdb302 100644
--- a/config/filer/filer.inc
+++ b/config/filer/filer.inc
@@ -103,75 +103,113 @@ function filer_validate_input($post, &$input_errors) {
/* Uses XMLRPC to synchronize the changes to a remote node. */
function filer_sync_on_changes() {
- global $config, $g;
+ global $config;
- log_error("[filer] filer_xmlrpc_sync.php is starting.");
- $synconchanges = $config['installedpackages']['filersync']['config'][0]['synconchanges'];
- if (!$synconchanges) {
- return;
- }
- foreach ($config['installedpackages']['filersync']['config'] as $rs) {
- foreach ($rs['row'] as $sh) {
- $sync_to_ip = $sh['ipaddress'];
- $password = $sh['password'];
- if ($sh['username']) {
- $username = $sh['username'];
- } else {
- $username = 'admin';
- }
- if ($password && $sync_to_ip) {
- filer_do_xmlrpc_sync($sync_to_ip, $username, $password);
+ if (is_array($config['installedpackages']['filersync']['config'])) {
+ $filer_sync = $config['installedpackages']['filersync']['config'][0];
+ $synconchanges = $filer_sync['synconchanges'];
+ $synctimeout = $filer_sync['synctimeout'] ?: '250';
+ switch ($synconchanges) {
+ case "manual":
+ if (is_array($filer_sync['row'])) {
+ $rs = $filer_sync['row'];
+ } else {
+ log_error("[filer] XMLRPC sync is enabled but there are no hosts configured as replication targets.");
+ return;
+ }
+ break;
+ case "auto":
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
+ $rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
+ $rs[0]['username'] = $system_carp['username'];
+ $rs[0]['password'] = $system_carp['password'];
+ $rs[0]['syncdestinenable'] = FALSE;
+
+ // XMLRPC sync is currently only supported over connections using the same protocol and port as this system
+ if ($config['system']['webgui']['protocol'] == "http") {
+ $rs[0]['syncprotocol'] = "http";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '80';
+ } else {
+ $rs[0]['syncprotocol'] = "https";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '443';
+ }
+ if ($system_carp['synchronizetoip'] == "") {
+ log_error("[filer] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ } else {
+ $rs[0]['syncdestinenable'] = TRUE;
+ }
+ } else {
+ log_error("[filer] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ }
+ break;
+ default:
+ return;
+ break;
+ }
+ if (is_array($rs)) {
+ log_error("[filer] XMLRPC sync is starting.");
+ foreach ($rs as $sh) {
+ // Only sync enabled replication targets
+ if ($sh['syncdestinenable']) {
+ $sync_to_ip = $sh['ipaddress'];
+ $port = $sh['syncport'];
+ $username = $sh['username'] ?: 'admin';
+ $password = $sh['password'];
+ $protocol = $sh['syncprotocol'];
+
+ $error = '';
+ $valid = TRUE;
+
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $valid = FALSE;
+ }
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address or Hostname. ";
+ $valid = FALSE;
+ }
+ if (!is_port($port)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $valid = FALSE;
+ }
+ if ($valid) {
+ filer_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout);
+ } else {
+ log_error("[filer] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
+ }
+ }
}
+ log_error("[filer] XMLRPC sync completed.");
}
- }
- log_error("[filer] filer_xmlrpc_sync.php is ending.");
+ }
}
/* Do the actual XMLRPC sync. */
-function filer_do_xmlrpc_sync($sync_to_ip, $username, $password) {
+function filer_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) {
global $config, $g;
- if (!$username) {
+ if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") {
+ log_error("[filer] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
return;
}
- if (!$password) {
- return;
+ // Take care of IPv6 literal address
+ if (is_ipaddrv6($sync_to_ip)) {
+ $sync_to_ip = "[{$sync_to_ip}]";
}
- if (!$sync_to_ip) {
- return;
- }
+ $url = "{$protocol}://{$sync_to_ip}";
- $xmlrpc_sync_neighbor = $sync_to_ip;
- if ($config['system']['webgui']['protocol'] != "") {
- $synchronizetoip = $config['system']['webgui']['protocol'];
- $synchronizetoip .= "://";
- }
- $port = $config['system']['webgui']['port'];
- /* If port is empty, let's rely on the protocol selection. */
- if ($port == "") {
- if ($config['system']['webgui']['protocol'] == "http") {
- $port = "80";
- } else {
- $port = "443";
- }
- }
- $synchronizetoip .= $sync_to_ip;
-
- /* xml will hold the sections to sync. */
+ /* XML will hold the sections to sync. */
$xml = array();
$xml['filer'] = $config['installedpackages']['filer'];
-
/* Assemble XMLRPC payload. */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($xml)
- );
-
- /* Set a few variables needed for sync; code borrowed from filter.inc. */
- $url = $synchronizetoip;
- log_error("Beginning Filer XMLRPC sync to {$url}:{$port}.");
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($xml));
+
+ /* Set a few variables needed for sync code */
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
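Review bot: `$protocol` is the one target field that filer_sync_on_changes() hands to filer_do_xmlrpc_sync() unvalidated. The new loop checks password, host and port, and the callee only rejects an empty protocol before building `$url = "{$protocol}://{$sync_to_ip}"`. An allow-list next to the is_port() check would close that: `if (!in_array($protocol, array('http', 'https'), true)) { $error .= "Misconfigured Replication Target Protocol. "; $valid = FALSE; }`. When `http` is chosen the admin password travels in cleartext as an XMLRPC parameter (and via setCredentials() later in the function), so a log_error() warning for that case would also be worth adding. freeradius_sync_on_changes() later in this commit has the same gap; filer_do_xmlrpc_sync() continues past this hunk.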
@@ -180,19 +218,19 @@ function filer_do_xmlrpc_sync($sync_to_ip, $username, $password) {
$cli->setDebug(1);
}
/* Send our XMLRPC message and timeout after 250 seconds. */
- $resp = $cli->send($msg, "250");
+ $resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting filer XMLRPC sync with {$url}:{$port}.";
- log_error($error);
+ $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port}.";
+ log_error("[filer] {$error}");
file_notice("sync_settings", $error, "filer Settings Sync", "");
} elseif ($resp->faultCode()) {
$cli->setDebug(1);
- $resp = $cli->send($msg, "250");
- $error = "An error code was received while attempting filer XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[filer] {$error}");
file_notice("sync_settings", $error, "filer Settings Sync", "");
} else {
- log_error("filer XMLRPC sync successfully completed with {$url}:{$port}.");
+ log_error("[filer] XMLRPC sync successfully completed with {$url}:{$port}.");
}
/* Tell filer to reload our settings on the destination sync host. */
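Review bot: The fault branch re-sends the message with debug enabled and then calls `$resp->faultCode()` on the new result without checking it. If that second `send()` returns the falsy value the `!$resp` branch exists for, the method call is made on a non-object. Guard the retry before building `$error`, for example `$retry = $cli->send($msg, $synctimeout); if ($retry) { $resp = $retry; }`. The context comment `/* Send our XMLRPC message and timeout after 250 seconds. */` is also stale now that the timeout is `$synctimeout`. The same retry pattern recurs in the next hunk of this function and twice in freeradius_do_xmlrpc_sync().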
@@ -200,28 +238,25 @@ function filer_do_xmlrpc_sync($sync_to_ip, $username, $password) {
$execcmd = "require_once('/usr/local/pkg/filer.inc');\n";
$execcmd .= "sync_package_filer();";
/* Assemble XMLRPC payload. */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($execcmd)
- );
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));
- log_error("filer XMLRPC reload data {$url}:{$port}.");
+ log_error("[filer] XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
- $resp = $cli->send($msg, "250");
+ $resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting filer XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
- log_error($error);
+ $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ log_error("[filer] {$error}");
file_notice("sync_settings", $error, "filer Settings Sync", "");
} elseif ($resp->faultCode()) {
$cli->setDebug(1);
- $resp = $cli->send($msg, "250");
- $error = "An error code was received while attempting filer XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[filer] {$error}");
file_notice("sync_settings", $error, "filer Settings Sync", "");
} else {
- log_error("filer XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[filer] XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
}
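Review bot: The `pfsense.exec_php` reload in this hunk is sent however the preceding merge call ended, because neither failure branch in the previous hunk returns, as far as the visible lines show. A target that rejected or never received the configuration is then still asked to run `sync_package_filer()`, and the admin password is transmitted a second time. Adding `return;` after each `file_notice(...)` in the merge failure branches would stop at the first error. freeradius_do_xmlrpc_sync() later in this commit follows the same flow.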
diff --git a/config/filer/filer_sync.xml b/config/filer/filer_sync.xml
index 0b4124ce..1e3614d0 100644
--- a/config/filer/filer_sync.xml
+++ b/config/filer/filer_sync.xml
@@ -44,7 +44,7 @@
]]>
</copyright>
<name>filersync</name>
- <version>1.2</version>
+ <version>0.60.6</version>
<title>Filer: Sync</title>
<include_file>/usr/local/pkg/filer.inc</include_file>
<tabs>
@@ -61,50 +61,96 @@
<fields>
<field>
<type>listtopic</type>
- <fieldname>temp</fieldname>
- <name>Enable Filer configuration sync</name>
+ <name>XMLRPC Sync</name>
</field>
<field>
- <fielddescr>Automatically sync Filer configuration changes.</fielddescr>
+ <fielddescr>Enable Sync</fielddescr>
<fieldname>synconchanges</fieldname>
- <description>pfSense will automatically sync changes to the hosts defined below. (Leave blank to use 'admin'.)</description>
- <type>checkbox</type>
+ <description>
+ <![CDATA[
+ Select a sync method for Filer.<br/><br/>
+ <strong>Important:</strong> While using "Sync to host(s) defined below", only sync from host A to B, A to C but <strong>do not</strong> enable XMLRPC sync <b>to</b> A.
+ This will result in a loop!
+ ]]>
+ </description>
+ <type>select</type>
+ <required/>
+ <default_value>disabled</default_value>
+ <options>
+ <option><name>Sync to configured system backup server</name><value>auto</value></option>
+ <option><name>Sync to host(s) defined below</name><value>manual</value></option>
+ <option><name>Do not sync this package configuration</name><value>disabled</value></option>
+ </options>
</field>
<field>
- <fielddescr>Remote Servers</fielddescr>
+ <fielddescr>Sync Timeout</fielddescr>
+ <fieldname>synctimeout</fieldname>
+ <description>XMLRPC timeout in seconds.</description>
+ <type>select</type>
+ <required/>
+ <default_value>250</default_value>
+ <options>
+ <option><name>250 seconds (Default)</name><value>250</value></option>
+ <option><name>120 seconds</name><value>120</value></option>
+ <option><name>90 seconds</name><value>90</value></option>
+ <option><name>60 seconds</name><value>60</value></option>
+ <option><name>30 seconds</name><value>30</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Replication Targets</fielddescr>
<fieldname>none</fieldname>
<type>rowhelper</type>
<rowhelper>
- <rowhelperfield>
- <fielddescr>IP Address</fielddescr>
- <fieldname>ipaddress</fieldname>
- <description>IP Address of remote server.</description>
- <type>input</type>
- <size>20</size>
- <required/>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>User Name</fielddescr>
- <fieldname>username</fieldname>
- <description>user name of remote server.</description>
- <type>input</type>
- <size>20</size>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>Password</fielddescr>
- <fieldname>password</fieldname>
- <description>Password for remote server.</description>
- <type>password</type>
- <size>20</size>
- <required/>
- </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>syncdestinenable</fieldname>
+ <description><![CDATA[Enable this host as a replication target]]></description>
+ <type>checkbox</type>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Protocol</fielddescr>
+ <fieldname>syncprotocol</fieldname>
+ <description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description>
+ <type>select</type>
+ <default_value>HTTP</default_value>
+ <options>
+ <option><name>HTTP</name><value>http</value></option>
+ <option><name>HTTPS</name><value>https</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>IP Address/Hostname</fielddescr>
+ <fieldname>ipaddress</fieldname>
+ <description><![CDATA[IP address or hostname of the destination host.]]></description>
+ <type>input</type>
+ <size>40</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Port</fielddescr>
+ <fieldname>syncport</fieldname>
+ <description><![CDATA[Choose the sync port of the destination host.]]></description>
+ <type>input</type>
+ <size>3</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Username (admin)</fielddescr>
+ <fieldname>username</fieldname>
+ <description><![CDATA[Enter the username account for administration.]]></description>
+ <type>input</type>
+ <size>20</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Admin Password</fielddescr>
+ <fieldname>password</fieldname>
+ <description><![CDATA[Password of the user "admin" on the destination host.]]></description>
+ <type>password</type>
+ <size>20</size>
+ </rowhelperfield>
</rowhelper>
</field>
</fields>
<custom_php_resync_config_command>
filer_sync_on_changes();
</custom_php_resync_config_command>
- <custom_php_command_before_form>
- unset($_POST['temp']);
- </custom_php_command_before_form>
</packagegui>
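Review bot: The `syncprotocol` rowhelper declares `<default_value>HTTP</default_value>`, which matches neither option value (`http`, `https`), and it steers new targets towards the cleartext transport for a sync that carries the admin password. `<default_value>https</default_value>` would match an existing option and be the safer default. The `syncport` input uses `<size>3</size>`, which is narrower than a five-digit port. The password description still says `Password of the user "admin"` although the username is now configurable in the row above.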
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index 6d626e3a..005a193a 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -1,19 +1,12 @@
<?php
-/* copyright */
-/* ========================================================================== */
/*
freeradius.inc
- part of pfSense (http://www.pfSense.com)
+ part of pfSense (https://www.pfSense.org/)
Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
Copyright (C) 2013 Marcello Coutinho
+ Copyright (C) 2015 ESF, LLC
All rights reserved.
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -34,9 +27,7 @@
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
-
+*/
require_once('config.inc');
require_once('service-utils.inc');
require_once("util.inc");
@@ -630,7 +621,7 @@ if (is_array($arrusers) && !empty($arrusers)) {
// If an octet limit is NOT set we delete the files for the limit and the counter.
else {
if (file_exists("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername")) { unlink("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/max-octets-$varusersusername"); }
- if (file_exists("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername")) { unlink("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername"); }
+ if (file_exists("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername")) { unlink("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername*"); }
}
if ($varusersadditionaloptionsreplyitems != '') {
if ($varusersreplyitem != '') { $varusersreplyitem .=","; }
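Review bot: PHP's `unlink()` does not expand wildcards, so the changed call targets a file literally named `used-octets-$varusersusername*`. The counter file that `file_exists()` just found is therefore no longer removed, and neither are any suffixed files. Expanding the pattern explicitly would do what the change appears to intend: `foreach (glob("/var/log/radacct/datacounter/$varusersmaxtotaloctetstimerange/used-octets-$varusersusername*") as $f) { unlink($f); }`. A bare trailing `*` also matches counters of any other user whose name begins with this one, so removing the exact file plus a `-*` suffix pattern, as the `rm` added later in this commit does, is safer. The `$varmacsaddress` line in the next hunk has the same problem.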
@@ -824,7 +815,7 @@ if (is_array($arrmacs) && !empty($arrmacs)) {
// If an octet limit is NOT set we delete the files for the limit and the counter.
else {
if (file_exists("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress")) { unlink("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/max-octets-$varmacsaddress"); }
- if (file_exists("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress")) { unlink("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress"); }
+ if (file_exists("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress")) { unlink("/var/log/radacct/datacounter/$varmacsmaxtotaloctetstimerange/used-octets-$varmacsaddress*"); }
}
if ($varmacsadditionaloptionsreplyitems != '') {
if ($varmacsreplyitem != '') { $varmacsreplyitem .=","; }
@@ -2571,163 +2562,181 @@ conf_mount_ro();
/* Uses XMLRPC to synchronize the changes to a remote node */
function freeradius_sync_on_changes() {
- global $config, $g;
- if (is_array($config['installedpackages']['freeradiussync'])){
+ global $config;
+
+ if (is_array($config['installedpackages']['freeradiussync'])) {
$synconchanges = $config['installedpackages']['freeradiussync']['config'][0]['varsyncenablexmlrpc'];
- $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout'];
- }
- else
- {
+ $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout'] ?: '150';
+ } else {
return;
}
// if checkbox is NOT checked do nothing
- switch ($synconchanges){
+ switch ($synconchanges) {
case "manual":
- if (is_array($config['installedpackages']['freeradiussync']['config'][0]['row'])){
- $rs=$config['installedpackages']['freeradiussync']['config'][0]['row'];
- }
- else{
- log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no hosts to push on FreeRADIUS config.");
+ if (is_array($config['installedpackages']['freeradiussync']['config'][0]['row'])) {
+ $rs = $config['installedpackages']['freeradiussync']['config'][0]['row'];
+ } else {
+ log_error("[FreeRADIUS]: XMLRPC sync is enabled but there are no hosts configured as replication targets.");
return;
- }
+ }
break;
case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
- $system_carp=$config['installedpackages']['carpsettings']['config'][0];
- $rs[0]['varsyncdestinenable']="on";
- $rs[0]['varsyncprotocol']=($config['system']['webgui']['protocol']!=""?$config['system']['webgui']['protocol']:"https");
- $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip'];
- $rs[0]['varsyncpassword']=$system_carp['password'];
- $rs[0]['varsyncport']=($config['system']['webgui']['port']!=""?$config['system']['webgui']['port']:"443");
- if (! is_ipaddr($system_carp['synchronizetoip'])){
- log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no system backup hosts to push FreeRADIUS config.");
- return;
- }
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
+ $rs[0]['varsyncipaddress'] = $system_carp['synchronizetoip'];
+ $rs[0]['varsyncusername'] = $system_carp['username'];
+ $rs[0]['varsyncpassword'] = $system_carp['password'];
+ $rs[0]['varsyncdestinenable'] = FALSE;
+
+ // XMLRPC sync is currently only supported over connections using the same protocol and port as this system
+ if ($config['system']['webgui']['protocol'] == "http") {
+ $rs[0]['varsyncprotocol'] = "http";
+ $rs[0]['varsyncport'] = $config['system']['webgui']['port'] ?: '80';
+ } else {
+ $rs[0]['varsyncprotocol'] = "https";
+ $rs[0]['varsyncport'] = $config['system']['webgui']['port'] ?: '443';
}
- else{
- log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no system backup hosts to push FreeRADIUS config.");
+ if ($system_carp['synchronizetoip'] == "") {
+ log_error("[FreeRADIUS]: XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
return;
+ } else {
+ $rs[0]['varsyncdestinenable'] = TRUE;
}
+ } else {
+ log_error("[FreeRADIUS]: XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ }
break;
default:
return;
- break;
- }
- if (is_array($rs)){
- log_error("[FreeRADIUS]: xmlrpc sync is starting with timeout {$varsynctimeout} seconds.");
- foreach($rs as $sh){
- if($sh['varsyncdestinenable']){
- $varsyncprotocol = $sh['varsyncprotocol'];
- $sync_to_ip = $sh['varsyncipaddress'];
- $password = $sh['varsyncpassword'];
- $varsyncport = $sh['varsyncport'];
- if($password && $sync_to_ip)
- freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout);
- else
- log_error("[FreeRADIUS]: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. No XMLRPC Sync done!");
+ break;
+ }
+ if (is_array($rs)) {
+ log_error("[FreeRADIUS]: XMLRPC sync is starting with timeout {$varsynctimeout} seconds.");
+ foreach ($rs as $sh) {
+ if ($sh['varsyncdestinenable']) {
+ $sync_to_ip = $sh['varsyncipaddress'];
+ $varsyncport = $sh['varsyncport'];
+ $varsyncprotocol = $sh['varsyncprotocol'];
+ $username = $sh['varsyncusername'] ?: 'admin';
+ $password = $sh['varsyncpassword'];
+
+ $error = '';
+ $valid = TRUE;
+
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $valid = FALSE;
}
- else {
- log_error("[FreeRADIUS]: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled");
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address or Hostname. ";
+ $valid = FALSE;
}
+ if (!is_port($varsyncport)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $valid = FALSE;
+ }
+ if ($valid) {
+ freeradius_do_xmlrpc_sync($sync_to_ip, $username, $password, $varsyncport, $varsyncprotocol, $varsynctimeout);
+ } else {
+ log_error("[FreeRADIUS]: XMLRPC Sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
+ }
+ } else {
+ log_error("[FreeRADIUS]: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled");
}
- log_error("[FreeRADIUS]: xmlrpc sync is ending.");
- }
+ }
+ log_error("[FreeRADIUS]: XMLRPC sync is ending.");
+ }
}
/* Do the actual XMLRPC sync */
-function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout) {
+function freeradius_do_xmlrpc_sync($sync_to_ip, $username, $password, $varsyncport, $varsyncprotocol, $varsynctimeout) {
global $config, $g;
- if($varsynctimeout == '' || $varsynctimeout == 0)
- $varsynctimeout = 150;
-
- if(!$password)
+ /* Detect boot process, do nothing during boot. */
+ if (function_exists("platform_booting")) {
+ if (platform_booting()) {
+ return;
+ }
+ } elseif ($g['booting']) {
return;
+ }
- if(!$sync_to_ip)
- return;
-
- if(!$varsyncport)
+ if ($username == "" || $password == "" || $sync_to_ip == "" || $varsyncport == "" || $varsyncprotocol == "") {
+ log_error("[FreeRADIUS]: A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
return;
+ }
- if(!$varsyncprotocol)
- return;
-
- // Check and choose correct protocol type, port number and IP address
- $synchronizetoip .= "$varsyncprotocol" . '://';
- $port = "$varsyncport";
+ /* Take care of IPv6 literal address */
+ if (is_ipaddrv6($sync_to_ip)) {
+ $sync_to_ip = "[{$sync_to_ip}]";
+ }
- $synchronizetoip .= $sync_to_ip;
+ $url = "{$varsyncprotocol}://{$sync_to_ip}";
+ $port = $varsyncport;
- /* xml will hold the sections to sync */
+ /* XML will hold the sections to sync. */
$xml = array();
$xml['freeradius'] = $config['installedpackages']['freeradius'];
$xml['freeradiusauthorizedmacs'] = $config['installedpackages']['freeradiusauthorizedmacs'];
$xml['freeradiusclients'] = $config['installedpackages']['freeradiusclients'];
- /* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($xml)
- );
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($xml));
- /* set a few variables needed for sync code borrowed from filter.inc */
- $url = $synchronizetoip;
+ /* Set a few variables needed for sync code */
log_error("[FreeRADIUS]: Beginning FreeRADIUS XMLRPC sync with {$url}:{$port}.");
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
- $cli->setCredentials('admin', $password);
- if($g['debug'])
- $cli->setDebug(1);
- /* send our XMLRPC message and timeout after $varsynctimeout seconds */
+ $cli->setCredentials($username, $password);
+ if ($g['debug']) {
+ $cli->setDebug(1);
+ }
+ /* Send our XMLRPC message and timeout after defined sync timeout value */
+ $resp = $cli->send($msg, $varsynctimeout);
+ if (!$resp) {
+ $error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port}.";
+ log_error("[FreeRADIUS]: {$error}");
+ file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
+ } elseif ($resp->faultCode()) {
+ $cli->setDebug(1);
$resp = $cli->send($msg, $varsynctimeout);
- if(!$resp) {
- $error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port}.";
- log_error("[FreeRADIUS]: $error");
- file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
- } elseif($resp->faultCode()) {
- $cli->setDebug(1);
- $resp = $cli->send($msg, $varsynctimeout);
- $error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error("[FreeRADIUS]: $error");
- file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
- } else {
- log_error("[FreeRADIUS]: XMLRPC has synced data successfully with {$url}:{$port}.");
- }
+ $error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[FreeRADIUS]: {$error}");
+ file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
+ } else {
+ log_error("[FreeRADIUS]: XMLRPC has synced data successfully with {$url}:{$port}.");
+ }
- /* tell FreeRADIUS to reload our settings on the destionation sync host. */
+ /* Tell FreeRADIUS to reload our settings on the destionation sync host. */
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/pkg/freeradius.inc');\n";
- // pfblocker just needed one fuction to reload after XMLRPC. FreeRADIUS needs more so we point to a fuction below which contains all fuctions
+ /* pfblocker just needed one fuction to reload after XMLRPC. FreeRADIUS needs more so we point to a fuction below which contains all fuctions */
$execcmd .= "freeradius_all_after_XMLRPC_resync();";
- /* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($execcmd)
- );
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));
log_error("[FreeRADIUS]: XMLRPC is reloading data on {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
- $cli->setCredentials('admin', $password);
+ $cli->setCredentials($username, $password);
+ $resp = $cli->send($msg, $varsynctimeout);
+ if (!$resp) {
+ $error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port} (exec_php).";
+ log_error("[FreeRADIUS]: {$error}");
+ file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
+ } elseif ($resp->faultCode()) {
+ $cli->setDebug(1);
$resp = $cli->send($msg, $varsynctimeout);
- if(!$resp) {
- $error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port} (exec_php).";
- log_error($error);
- file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
- } elseif($resp->faultCode()) {
- $cli->setDebug(1);
- $resp = $cli->send($msg, $varsynctimeout);
- $error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
- file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
- } else {
- log_error("[FreeRADIUS]: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php).");
- }
-
+ $error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[FreeRADIUS]: {$error}");
+ file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
+ } else {
+ log_error("[FreeRADIUS]: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php).");
+ }
}
// This function restarts all other needed functions after XMLRPC so that the content of .XML + .INC will be written in the files (clients.conf, users)
@@ -2738,7 +2747,7 @@ function freeradius_all_after_XMLRPC_resync() {
freeradius_authorizedmacs_resync();
freeradius_clients_resync();
- log_error("FreeRADIUS: Finished XMLRPC process. It should be OK. For more information look at the host which started sync.");
+ log_error("[FreeRADIUS]: Finished XMLRPC process. It should be OK. For more information look at the host which started sync.");
exec(FREERADIUS_ETC . "/rc.d/radiusd onerestart");
}
@@ -4123,20 +4132,20 @@ function freeradius_modulesdatacounter_resync() {
$conf .= <<<EOD
exec datacounterdaily {
wait = yes
- program = "/bin/sh {$varFREERADIUS_ETC}/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
+ program = "/bin/sh {$varFREERADIUS_ETC}/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets} %{request:Acct-Status-Type} %{request:Acct-Session-Id}"
}
exec datacounterweekly {
wait = yes
- program = "/bin/sh {$varFREERADIUS_ETC}/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
+ program = "/bin/sh {$varFREERADIUS_ETC}/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets} %{request:Acct-Status-Type} %{request:Acct-Session-Id}"
}
exec datacountermonthly {
wait = yes
- program = "/bin/sh {$varFREERADIUS_ETC}/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
+ program = "/bin/sh {$varFREERADIUS_ETC}/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets} %{request:Acct-Status-Type} %{request:Acct-Session-Id}"
}
exec datacounterforever {
wait = yes
- program = "/bin/sh {$varFREERADIUS_ETC}/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}"
- }
+ program = "/bin/sh {$varFREERADIUS_ETC}/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets} %{request:Acct-Status-Type} %{request:Acct-Session-Id}"
+ }
EOD;
$filename = FREERADIUS_ETC . '/raddb/modules/datacounter_acct';
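Review bot: `Acct-Session-Id` arrives in the accounting request from the NAS, and the four `program` lines now pass it to datacounter_acct.sh as a fifth argument. The script body is not in this hunk. If it uses that value in a file name, as the `used-octets-$USERNAME-*` files referenced later in this commit suggest, the value should first be reduced to a safe character set, the way the authorization script filters its time-range argument with `sed`. A short comment above the heredoc listing the positional arguments the script expects would help keep the module definition and the script in step.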
@@ -4162,18 +4171,19 @@ TIMERANGE=`echo -n "\\$2" | sed 's/[^a-z]//g' `
### This is to make sure there is a used-octets file after the cronjob resetted the counter
if [ -e "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME" ] && [ ! -e "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME" ]; then
echo 0 > "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"
+ rm "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME-"*
fi
### The next two lines are just for getting values for logging output
-MAXOCTETSUSERNAMEMB=$((`cat "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME"`/1024/1024))
-USEDOCTETSUSERNAMEMB=$((`cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"`/1024/1024))
-
+MAXOCTETSUSERNAMEMB=$((`/bin/cat "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME"`/1024/1024))
+USEDOCTETSUSERNAMEMB=`/bin/cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\${USERNAME}"* | /usr/bin/awk '{ SUM += \$1; } END { print int(SUM/1024/1024); }'`
+
### We check if MAX-OCTETS-USERNAME is greater than USED-OCTETS-USERNAME and accept or reject the user
-if [ `cat "/var/log/radacct/datacounter/\$TIMERANGE/max-octets-\$USERNAME"` -gt `cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"` ]; then
- logger -f /var/log/system.log "FreeRADIUS: Used amount of \$TIMERANGE traffic by \$USERNAME is \$USEDOCTETSUSERNAMEMB MB of \$MAXOCTETSUSERNAMEMB MB! The user was accepted!!!"
+if [ \$MAXOCTETSUSERNAMEMB -gt \$USEDOCTETSUSERNAMEMB ]; then
+ logger -f /var/log/system.log "FreeRADIUS: User \$USERNAME has used \$USEDOCTETSUSERNAMEMB MB of \$MAXOCTETSUSERNAMEMB MB \$TIMERANGE allotted traffic. The login request was accepted."
exit 0
else
- logger -f /var/log/system.log "FreeRADIUS: Credentials are probably correct but the user \$USERNAME has reached the \$TIMERANGE Amount of Upload and Download Traffic which is \$USEDOCTETSUSERNAMEMB MB of \$MAXOCTETSUSERNAMEMB MB! The user was rejected!!!"
+ logger -f /var/log/system.log "FreeRADIUS: User \$USERNAME has reached the \$TIMERANGE amount of upload and download traffic (\$USEDOCTETSUSERNAMEMB MB of \$MAXOCTETSUSERNAMEMB MB). The login request was denied."
exit 99
fi
EOD;
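Review bot: The globs added here match by name prefix, so the `/bin/cat ... "used-octets-\${USERNAME}"*` sum and the `rm ... "used-octets-\$USERNAME-"*` cleanup also pick up files belonging to other users. The username filter in this script allows `-`, `.`, `:` and `_`, so the sum for `bob` includes `used-octets-bobby` and `used-octets-bob-smith`, and the reset removes `bob-smith`'s total. One user's traffic is then charged to another, which can deny a login that is still within quota. Keeping the per-session files in a per-user subdirectory, and summing `used-octets-\$USERNAME` plus only that directory, removes the ambiguity. `rm -f` would also avoid the error message when no session file exists.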
@@ -4198,6 +4208,8 @@ USERNAME=`echo -n "\\$1" | sed 's/[^0-9a-zA-Z.:_-]/X/g' `
TIMERANGE=`echo -n "\\$2" | sed 's/[^a-z]//g' `
ACCTINPUTOCTETS=`echo -n "\\$3" | sed 's/[^0-9]/0/g' `
ACCTOUTPUTOCTETS=`echo -n "\\$4" | sed 's/[^0-9]/0/g' `
+UPDATETYPE=\$5
+SESSIONID=\$6
### If we do not get Octets we set some default values
if [ ! \$ACCTINPUTOCTETS ]; then
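Review bot: `UPDATETYPE=\$5` and `SESSIONID=\$6` are taken over unfiltered, while the four variables above them are all passed through `sed` first. `SESSIONID` carries the Acct-Session-Id of the accounting request and is used in the `@@ -4216` hunk as part of a file path that is written and removed. A value containing `/` or `..` would therefore leave the datacounter directory; whether FreeRADIUS escapes the attribute before the exec is not visible here. Filter it like the username, for example `` SESSIONID=`echo -n "\\$6" | sed 's/[^0-9a-zA-Z]/X/g' ` ``, and restrict `UPDATETYPE` to letters and `-` in the same way.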
@@ -4216,11 +4228,23 @@ else
if [ ! -e "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME" ]; then
echo 0 > "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"
fi
-### The following two lines (chose the one or the other) are a bad workaround to make accounting accurate with stop/start accounting on pfsense 2.0.1 - it only works if the session will not be interrupted (host disconnects)
-### USEDOCTETS=\$((\$ACCTINPUTOCTETS+\$ACCTOUTPUTOCTETS))
- USEDOCTETS=\$((\$ACCTINPUTOCTETS+\$ACCTOUTPUTOCTETS+`cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"`))
-
- echo "\$USEDOCTETS" > "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"
+
+ USEDOCTETS=\$((\$ACCTINPUTOCTETS+\$ACCTOUTPUTOCTETS))
+
+ # If this is an interim update, track it in a separate session file
+ # since the incoming data is a gauge not a counter.
+ if [ \$UPDATETYPE = "Interim-Update" ]; then
+ echo \$USEDOCTETS > "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME-\$SESSIONID"
+ else
+ USEDOCTETS=\$((\$USEDOCTETS+`cat "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"`))
+
+ # If there was a session file for this session (from interim updates) clear it since the equivalent
+ # value was just added to the total.
+ if [ -e "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME-\$SESSIONID" ]; then
+ rm "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME-\$SESSIONID"
+ fi
+ echo "\$USEDOCTETS" > "/var/log/radacct/datacounter/\$TIMERANGE/used-octets-\$USERNAME"
+ fi
exit 0
fi
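Review bot: The test `[ \$UPDATETYPE = "Interim-Update" ]` leaves the variable unquoted, so when no Acct-Status-Type reaches the script `test` fails with a syntax error. Control then falls into the `else` branch, which adds the octets to the running total as if the packet were a Stop. Quote the operand: `if [ "\$UPDATETYPE" = "Interim-Update" ]; then`. The `echo \$USEDOCTETS >` line in the interim branch should be quoted like the `echo "\$USEDOCTETS"` in the else branch for consistency. The enclosing `if`/`else` begins outside this hunk.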
diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml
index 4563ef62..eab6b09a 100644
--- a/config/freeradius2/freeradius.xml
+++ b/config/freeradius2/freeradius.xml
@@ -45,7 +45,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradius</name>
- <version>1.6.13</version>
+ <version>1.6.17</version>
<title>FreeRADIUS: Users</title>
<include_file>/usr/local/pkg/freeradius.inc</include_file>
<menu>
diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml
index 61c7eecb..d36c8b3f 100644
--- a/config/freeradius2/freeradiussync.xml
+++ b/config/freeradius2/freeradiussync.xml
@@ -1,51 +1,47 @@
<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
<packagegui>
<copyright>
-<![CDATA[
+ <![CDATA[
/* $Id$ */
-/* ========================================================================== */
+/* ====================================================================================== */
/*
-freeradiussync.xml
-part of pfSense (http://www.pfSense.com)
-Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
-Copyright (C) 2013 Marcello Coutinho <marcellocoutinho@gmail.com>
-based on pfblocker_sync.xml
-All rights reserved.
-
-Based on m0n0wall (http://m0n0.ch/wall)
-Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
-All rights reserved.
+ freeradiussync.xml
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Marcello Coutinho <marcellocoutinho@gmail.com>
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
*/
-/* ========================================================================== */
+/* ====================================================================================== */
/*
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
-1. Redistributions of source code must retain the above copyright notice,
-this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
-2. Redistributions in binary form must reproduce the above copyright
-notice, this list of conditions and the following disclaimer in the
-documentation and/or other materials provided with the distribution.
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
*/
-/* ========================================================================== */
-]]></copyright>
- <description><![CDATA[Describe your package here]]></description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
+/* ====================================================================================== */
+ ]]>
+ </copyright>
<name>freeradiussync</name>
<version>2.2.0</version>
<title>FreeRADIUS: XMLRPC Sync</title>
@@ -111,8 +107,13 @@ POSSIBILITY OF SUCH DAMAGE.
<field>
<fielddescr>Enable Sync</fielddescr>
<fieldname>varsyncenablexmlrpc</fieldname>
- <description><![CDATA[All changes will be synced immediately to the IPs listed below if this option is checked.<br>
- <b>Important:</b> While using "Sync to hosts defined below", only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. This will result in a loop!]]></description>
+ <description>
+ <![CDATA[
+ Select a sync method for FreeRADIUS.<br />
+ <b>Important:</b> While using "Sync to host(s) defined below", only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A.
+ This will result in a loop!
+ ]]>
+ </description>
<type>select</type>
<required/>
<default_value>auto</default_value>
@@ -127,7 +128,7 @@ POSSIBILITY OF SUCH DAMAGE.
<fieldname>varsynctimeout</fieldname>
<description><![CDATA[Timeout in seconds for the XMLRPC timeout. Default: 150]]></description>
<type>input</type>
- <default_value>150</default_value>
+ <default_value>150</default_value>
<size>5</size>
</field>
@@ -144,7 +145,7 @@ POSSIBILITY OF SUCH DAMAGE.
<rowhelperfield>
<fielddescr>GUI Protocol</fielddescr>
<fieldname>varsyncprotocol</fieldname>
- <description><![CDATA[Choose the protocol of the destination host. Probably <b>http</b> or <b>https</b>]]></description>
+ <description><![CDATA[Choose the protocol of the destination host (HTTP or HTTPS).]]></description>
<type>select</type>
<default_value>HTTP</default_value>
<options>
@@ -153,9 +154,9 @@ POSSIBILITY OF SUCH DAMAGE.
</options>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>GUI IP-Address</fielddescr>
+ <fielddescr>GUI IP Address/Hostname</fielddescr>
<fieldname>varsyncipaddress</fieldname>
- <description><![CDATA[IP Address of the destination host.]]></description>
+ <description><![CDATA[IP Address or hostname of the destination host.]]></description>
<type>input</type>
<size>15</size>
</rowhelperfield>
@@ -178,7 +179,7 @@ POSSIBILITY OF SUCH DAMAGE.
</fields>
<custom_delete_php_command>
freeradius_sync_on_changes();
- </custom_delete_php_command>
+ </custom_delete_php_command>
<custom_php_resync_config_command>
freeradius_sync_on_changes();
</custom_php_resync_config_command>
diff --git a/config/haproxy-devel/haproxy.priv.inc b/config/haproxy-devel/haproxy.priv.inc
new file mode 100644
index 00000000..e4914db8
--- /dev/null
+++ b/config/haproxy-devel/haproxy.priv.inc
@@ -0,0 +1,50 @@
+<?php
+/*
+ haproxy.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-service-haproxy'] = array();
+$priv_list['page-service-haproxy']['name'] = "WebCfg - Services: HAProxy package";
+$priv_list['page-service-haproxy']['descr'] = "Allow access to HAProxy package GUI";
+$priv_list['page-service-haproxy']['match'] = array();
+
+$priv_list['page-service-haproxy']['match'][] = "haproxy_files.php*";
+$priv_list['page-service-haproxy']['match'][] = "haproxy_global.php*";
+$priv_list['page-service-haproxy']['match'][] = "haproxy_listeners.php*";
+$priv_list['page-service-haproxy']['match'][] = "haproxy_listeners_edit.php*";
+$priv_list['page-service-haproxy']['match'][] = "haproxy_pool_edit.php*";
+$priv_list['page-service-haproxy']['match'][] = "haproxy_pools.php*";
+$priv_list['page-service-haproxy']['match'][] = "haproxy_templates.php*";
+
+$priv_list['page-service-haproxy-stats'] = array();
+$priv_list['page-service-haproxy-stats']['name'] = "WebCfg - Services: HAProxy package stats";
+$priv_list['page-service-haproxy-stats']['descr'] = "Allow access to HAProxy package GUI stats";
+$priv_list['page-service-haproxy-stats']['match'] = array();
+$priv_list['page-service-haproxy-stats']['match'][] = "haproxy_stats.php*";
+
+?> \ No newline at end of file
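Review bot: The new file ends with a closing `?>` and no final newline; in a PHP-only include the closing tag is better left out. Any whitespace that later ends up after `?>` is sent as output by every page that loads the privilege list, which can break header and session handling. Dropping the last line and ending the file after the `haproxy_stats.php*` entry with a newline is enough.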
diff --git a/config/haproxy-devel/haproxy.xml b/config/haproxy-devel/haproxy.xml
index 429b6c9f..19b6b577 100644
--- a/config/haproxy-devel/haproxy.xml
+++ b/config/haproxy-devel/haproxy.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>haproxy</name>
- <version>0.29</version>
+ <version>0.33</version>
<title>HAProxy</title>
<aftersaveredirect>/pkg_edit.php?xml=haproxy_pools.php</aftersaveredirect>
<include_file>/usr/local/pkg/haproxy.inc</include_file>
@@ -146,6 +146,10 @@
<prefix>/usr/local/www/javascript/</prefix>
<item>https://packages.pfsense.org/packages/config/haproxy-devel/www/javascript/haproxy_geturl.js</item>
</additional_files_needed>
+ <additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.priv.inc</item>
+ </additional_files_needed>
<custom_php_install_command>
haproxy_custom_php_install_command();
</custom_php_install_command>
diff --git a/config/haproxy-devel/pkg/haproxy.inc b/config/haproxy-devel/pkg/haproxy.inc
index 1bc62cb9..3d614fe0 100644
--- a/config/haproxy-devel/pkg/haproxy.inc
+++ b/config/haproxy-devel/pkg/haproxy.inc
@@ -37,7 +37,7 @@ require_once("haproxy_utils.inc");
require_once("haproxy_xmlrpcsyncclient.inc");
$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty";
-
+#region Global haproxy array item definitions..
global $a_frontendmode;
$a_frontendmode = array();
$a_frontendmode['http'] = array('name' => "http / https(offloading)", 'shortname' => "http/https");
@@ -66,7 +66,12 @@ $a_acltypes["path_matches"] = array('name' => 'Path matches:',
$a_acltypes["path_regex"] = array('name' => 'Path regex:',
'mode' => 'http', 'syntax' => 'path_reg -i %1$s');
$a_acltypes["path_contains"] = array('name' => 'Path contains:',
- 'mode' => 'http', 'syntax' => 'path_dir -i %1$s');
+ 'mode' => 'http', 'syntax' => 'path_sub -i %1$s');
+$a_acltypes["url_parameter"] = array('name' => 'Url parameter contains:',
+ 'mode' => 'http', 'syntax' => 'url_param({parameter}) -i %1$s',
+ 'fields' => array(
+ array('name'=>"parameter",'columnheader'=>"Parameter name",'type'=>"textbox",'size'=>"50",'mask'=>'urlparameter')
+ ));
$a_acltypes["ssl_c_verify_code"] = array('name' => 'SSL Client certificate verify error result:',
'mode' => 'http', 'syntax' => 'ssl_c_verify %1$s', 'require_client_cert' => '1');
// ssl_c_verify result codes: https://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS
@@ -77,7 +82,10 @@ $a_acltypes["ssl_c_ca_commonname"] = array('name' => 'SSL Client issued by CA co
$a_acltypes["source_ip"] = array('name' => 'Source IP matches IP or Alias:',
'mode' => '', 'syntax' => 'src %1$s');
$a_acltypes["backendservercount"] = array('name' => 'Minimum count usable servers:',
- 'mode' => '', 'syntax' => 'nbsrv(%2$s) ge %1$d', 'parameters' => 'value,backendname');
+ 'mode' => '', 'syntax' => 'nbsrv({backend}) ge %1$d', 'parameters' => 'value,backendname',
+ 'fields' => array(
+ 'backend' => array('name'=>"backend",'columnheader'=>"Backend",'type'=>"select",'size'=>"50",'mask'=>'backend')
+ ));
$a_acltypes["traffic_is_http"] = array('name' => 'Traffic is http (no value needed):', 'inspect-delay' => '5',
'mode' => 'tcp', 'syntax' => 'req.proto_http', 'advancedoptions' => "tcp-request content accept if { req.proto_http }");
$a_acltypes["traffic_is_ssl"] = array('name' => 'Traffic is ssl (no value needed):', 'inspect-delay' => '5',
@@ -224,7 +232,144 @@ $a_sysloglevel['notice'] = array('name' => "Notice");
$a_sysloglevel['info'] = array('name' => "Informational");
$a_sysloglevel['debug'] = array('name' => "Debugging");
-if(!function_exists('group_ports')){
+global $a_filestype;
+$a_filestype = array();
+$a_filestype[''] = array('name' => "Errorfile");
+$a_filestype['luascript'] = array('name' => "Lua script");
+$a_filestype['writetodisk'] = array('name' => "Write to disk");
+
+global $a_action;
+$a_action = array();
+//
+$a_action["use_backend"] = array('name' => "Use Backend", 'mode' => '', 'syntax' => 'use_backend {backend}', 'usage' => 'frontend',
+ 'fields' => array(
+ 'backend' => array('name'=>"backend",'columnheader'=>"Backend",'type'=>"select",'size'=>"50",'mask'=>'backend')
+ ));
+$a_action["use_server"] = array('name' => "Use Server", 'mode' => '', 'syntax' => 'use-server {server}', 'usage' => 'backend',
+ 'fields' => array(
+ 'server' => array('name'=>"server",'columnheader'=>"Server",'type'=>"select",'size'=>"50",'mask'=>'server')
+ ));
+//
+$a_action["custom"] = array('name' => "Custom", 'mode' => '',
+ 'fields' => array(
+ array('name'=>"customaction",'columnheader'=>"Custom action",'type'=>"textbox",'size'=>"50",'mask'=>'freetext')
+ ));
+//
+$a_action["http-request_allow"] = array('name' => "http-request allow", 'mode'=> 'http', 'syntax' => 'http-request allow');
+$a_action["http-request_deny"] = array('name' => "http-request deny", 'mode'=> 'http', 'syntax' => 'http-request deny');
+$a_action["http-request_tarpit"] = array('name' => "http-request tarpit", 'mode'=> 'http', 'syntax' => 'http-request tarpit');
+$a_action["http-request_auth"] = array('name' => "http-request auth", 'mode'=> 'http', 'syntax' => 'http-request auth {realm}',
+ 'fields' => array(
+ array('name'=>"realm",'columnheader'=>"Realm",'type'=>"textbox",'size'=>"50",'mask'=>'freetext')
+ )
+);
+$a_action["http-request_redirect"] = array('name' => "http-request redirect", 'mode'=> 'http', 'syntax' => 'http-request redirect {rule}',
+ 'fields' => array(
+ array('name'=>"rule",'columnheader'=>"Rule",'type'=>"textbox",'size'=>"50",'mask'=>'logformat')
+ )
+);
+if (haproxy_version() >= '1.6') {
+ $a_action["http-request_lua"] = array('name' => "http-request lua action", 'mode'=> 'http', 'syntax' => 'http-request lua.{lua-function}',
+ 'fields' => array(
+ 'lua-function' => array('name'=>"lua-function",'columnheader'=>"lua function",'type'=>"textbox",'size'=>"50",'mask'=>'lua-function')
+ ));
+ $a_action["http-request_use-service"] = array('name' => "http-request lua service", 'mode'=> 'http', 'syntax' => 'http-request use-service lua.{lua-function}',
+ 'fields' => array(
+ 'lua-function' => array('name'=>"lua-function",'columnheader'=>"lua function",'type'=>"textbox",'size'=>"50",'mask'=>'lua-function')
+ ));
+}
+$a_action["http-request_add-header"] = array('name' => "http-request header add", 'mode'=> 'http', 'syntax' => 'http-request add-header {name} {fmt}',
+ 'fields' => array(
+ array('name'=>"name",'columnheader'=>"Headername",'type'=>"textbox",'size'=>"50",'mask'=>'headername'),
+ array('name'=>"fmt",'columnheader'=>"New logformat value",'type'=>"textbox",'size'=>"50",'mask'=>'logformat')
+ ));
+$a_action["http-request_set-header"] = array('name' => "http-request header set", 'mode'=> 'http', 'syntax' => 'http-request set-header {name} {fmt}',
+ 'fields' => array(
+ array('name'=>"name",'columnheader'=>"Headername",'type'=>"textbox",'size'=>"50",'mask'=>'headername'),
+ array('name'=>"fmt",'columnheader'=>"New logformat value",'type'=>"textbox",'size'=>"50",'mask'=>'logformat')
+ ));
+$a_action["http-request_del-header"] = array('name' => "http-request header delete", 'mode'=> 'http', 'syntax' => 'http-request del-header {name}',
+ 'fields' => array(
+ array('name'=>"name",'columnheader'=>"Headername",'type'=>"textbox",'size'=>"50",'mask'=>'headername')
+ ));
+$a_action["http-request_replace-header"] = array('name' => "http-request header replace", 'mode'=> 'http', 'syntax' => 'http-request replace-header {name} {find} {replace}',
+ 'fields' => array(
+ array('name'=>"name",'columnheader'=>"Headername",'type'=>"textbox",'size'=>"50",'mask'=>'headername'),
+ array('name'=>"find",'columnheader'=>"Find regex",'type'=>"textbox",'size'=>"50",'mask'=>'match-regex'),
+ array('name'=>"replace",'columnheader'=>"Replace by",'type'=>"textbox",'size'=>"50",'mask'=>'replace-fmt')
+ ));
+$a_action["http-request_replace-value"] = array('name' => "http-request header replace value", 'mode'=> 'http', 'syntax' => 'http-request replace-value {name} {find} {replace}',
+ 'fields' => array(
+ array('name'=>"name",'columnheader'=>"Headername",'type'=>"textbox",'size'=>"50",'mask'=>'headername'),
+ array('name'=>"find",'columnheader'=>"Find regex",'type'=>"textbox",'size'=>"50",'mask'=>'match-regex'),
+ array('name'=>"replace",'columnheader'=>"Replace by",'type'=>"textbox",'size'=>"50",'mask'=>'replace-fmt')
+ ));
+//
+$a_action["http-response_allow"] = array('name' => "http-response allow", 'mode'=> 'http', 'syntax' => 'http-response allow');
+$a_action["http-response_deny"] = array('name' => "http-response deny", 'mode'=> 'http', 'syntax' => 'http-response deny');
+if (haproxy_version() >= '1.6') {
+ $a_action["http-response_lua"] = array('name' => "http-response lua script", 'mode'=> 'http', 'syntax' => 'http-response lua.{lua-function}',
+ 'fields' => array(
+ 'lua-function' => array('name'=>"lua-function",'columnheader'=>"lua function",'type'=>"textbox",'size'=>"50",'mask'=>'lua-function')
+ ));
+}
+$a_action["http-response_add-header"] = array('name' => "http-response header add", 'mode'=> 'http', 'syntax' => 'http-response add-header {name} {fmt}',
+ 'fields' => array(
+ array('name'=>"name",'columnheader'=>"Headername",'type'=>"textbox",'size'=>"50",'mask'=>'headername'),
+ array('name'=>"fmt",'columnheader'=>"New logformat value",'type'=>"textbox",'size'=>"50",'mask'=>'logformat')
+ ));
+$a_action["http-response_set-header"] = array('name' => "http-response header set", 'mode'=> 'http', 'syntax' => 'http-response set-header {name} {fmt}',
+ 'fields' => array(
+ array('name'=>"name",'columnheader'=>"Headername",'type'=>"textbox",'size'=>"50",'mask'=>'headername'),
+ array('name'=>"fmt",'columnheader'=>"New logformat value",'type'=>"textbox",'size'=>"50",'mask'=>'logformat')
+ ));
+$a_action["http-response_del-header"] = array('name' => "http-response header delete", 'mode'=> 'http', 'syntax' => 'http-response del-header {name}',
+ 'fields' => array(
+ array('name'=>"name",'columnheader'=>"Headername",'type'=>"textbox",'size'=>"50",'mask'=>'headername')
+ ));
+$a_action["http-response_replace-header"] = array('name' => "http-response header replace", 'mode'=> 'http', 'syntax' => 'http-response replace-header {name} {find} {replace}',
+ 'fields' => array(
+ array('name'=>"name",'columnheader'=>"Headername",'type'=>"textbox",'size'=>"50",'mask'=>'headername'),
+ array('name'=>"find",'columnheader'=>"Find regex",'type'=>"textbox",'size'=>"50",'mask'=>'match-regex'),
+ array('name'=>"replace",'columnheader'=>"Replace by",'type'=>"textbox",'size'=>"50",'mask'=>'replace-fmt')
+ ));
+$a_action["http-response_replace-value"] = array('name' => "http-response header replace value", 'mode'=> 'http', 'syntax' => 'http-response replace-value {name} {find} {replace}',
+ 'fields' => array(
+ array('name'=>"name",'columnheader'=>"Headername",'type'=>"textbox",'size'=>"50",'mask'=>'headername'),
+ array('name'=>"find",'columnheader'=>"Find regex",'type'=>"textbox",'size'=>"50",'mask'=>'match-regex'),
+ array('name'=>"replace",'columnheader'=>"Replace by",'type'=>"textbox",'size'=>"50",'mask'=>'replace-fmt')
+ ));
+//
+$a_action["tcp-request_connection_accept"] = array('name' => "tcp-request connection accept", 'mode'=> '', 'syntax' => 'tcp-request connection accept');
+$a_action["tcp-request_connection_reject"] = array('name' => "tcp-request connection reject", 'mode'=> '', 'syntax' => 'tcp-request connection reject');
+//
+$a_action["tcp-request_content_accept"] = array('name' => "tcp-request content accept", 'mode'=> '', 'syntax' => 'tcp-request content accept');
+$a_action["tcp-request_content_reject"] = array('name' => "tcp-request content reject", 'mode'=> '', 'syntax' => 'tcp-request content reject');
+if (haproxy_version() >= '1.6') {
+ $a_action["tcp-request_content_lua"] = array('name' => "tcp-request content lua script", 'mode'=> '', 'syntax' => 'tcp-request content lua.{lua-function}',
+ 'fields' => array(
+ 'lua-function' => array('name'=>"lua-function",'columnheader'=>"lua function",'type'=>"textbox",'size'=>"50",'mask'=>'lua-function')
+ ));
+ $a_action["tcp-request_content_use-service"] = array('name' => "tcp-request content use-service", 'mode'=> '', 'syntax' => 'tcp-request content use-service lua.{lua-function}',
+ 'fields' => array(
+ 'lua-function' => array('name'=>"lua-function",'columnheader'=>"lua function",'type'=>"textbox",'size'=>"50",'mask'=>'lua-function')
+ ));
+}
+//
+$a_action["tcp-response_content_accept"] = array('name' => "tcp-response content accept", 'mode'=> '', 'syntax' => 'tcp-response content accept');
+$a_action["tcp-response_content_close"] = array('name' => "tcp-response content close", 'mode'=> '', 'syntax' => 'tcp-response content close');
+$a_action["tcp-response_content_reject"] = array('name' => "tcp-response content reject", 'mode'=> '', 'syntax' => 'tcp-response content reject');
+if (haproxy_version() >= '1.6') {
+ $a_action["tcp-response_content_lua"] = array('name' => "tcp-response content lua script", 'mode'=> '', 'syntax' => 'tcp-response content lua.{lua-function}', 'usage' => 'backend',
+ 'fields' => array(
+ 'lua-function' => array('name'=>"lua-function",'columnheader'=>"lua function",'type'=>"textbox",'size'=>"50",'mask'=>'lua-function')
+ ));
+}
+
+#end
+
+
+if (!function_exists('group_ports')) {
// function group_ports() is present in pfSense 2.2 in util.inc
/* create ranges of sequential port numbers (200:215) and remove duplicates */
function group_ports($ports) {
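Review bot: The four `if (haproxy_version() >= '1.6')` guards in this hunk compare version strings with `>=`, which does not compare them component by component. `haproxy_version()`, shown further down the diff, returns the raw `shell_exec` output including the trailing newline, so a two-digit component such as `1.10` would sort below `1.6` and the Lua actions would silently disappear. `version_compare(trim(haproxy_version()), '1.6', '>=')` states the intent; the same comparison appears in `write_backend`. These guards sit at file scope, so the `haproxy -v` shell call presumably runs whenever haproxy.inc is included; a short comment saying so would help.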
@@ -243,7 +388,7 @@ function group_ports($ports) {
for ($i = $begin; $i <= $end; $i++)
if (!in_array($i, $uniq))
$uniq[] = $i;
- } else if (is_port($port)) {
+ } elseif (is_port($port)) {
if (!in_array($port, $uniq))
$uniq[] = $port;
}
@@ -276,7 +421,7 @@ function group_ports($ports) {
}
global $haproxy_version;
-function haproxy_verion() {
+function haproxy_version() {
global $haproxy_version;
if (empty($haproxy_version)) {
$haproxy_version = shell_exec("haproxy -v | head -n 1 | awk '{ print $3 }'");
@@ -284,6 +429,89 @@ function haproxy_verion() {
return $haproxy_version;
}
+function haproxy_css() {
+ if (!file_exists("/usr/local/www/bootstrap"))
+ return;
+ // quick fix to look a bit decent on bootstrapped pfSense..
+ echo <<<EOD
+<style type="text/css">
+.listtopic {
+ border-right: 1px solid #999999;
+ font-size: 11px;
+ background-color: #990000;
+ padding-right: 16px;
+ padding-left: 6px;
+ color: #FFFFFF;
+ font-weight: bold;
+ padding-top: 5px;
+ padding-bottom: 5px;
+}
+.tabcont {
+ background-color: #DDDDDD;
+ padding-right: 12px;
+ padding-left: 12px;
+ padding-top: 12px;
+ padding-bottom: 12px;
+}
+.vtable {
+ border-bottom: 1px solid #999999;
+}
+.vncell {
+ background-color: #DDDDDD;
+ padding-right: 20px;
+ padding-left: 8px;
+ border-bottom: 1px solid #999999;
+}
+.vncellreq {
+ background-color: #DDDDDD;
+ padding-right: 20px;
+ padding-left: 8px;
+ font-weight: bold;
+ border-bottom: 1px solid #999999;
+}
+.listhdrr {
+ background-color: #BBBBBB;
+ padding-right: 6px;
+ padding-left: 6px;
+ font-weight: bold;
+ border-right: 1px solid #999999;
+ border-bottom: 1px solid #999999;
+ font-size: 11px;
+ padding-top: 5px;
+ padding-bottom: 5px;
+}
+.listr {
+ background-color: #FFFFFF;
+ border-right: 1px solid #999999;
+ border-bottom: 1px solid #999999;
+ font-size: 11px;
+ padding-right: 6px;
+ padding-left: 6px;
+ padding-top: 4px;
+ padding-bottom: 4px;
+}
+.listlr {
+ background-color: #FFFFFF;
+ border-right: 1px solid #999999;
+ border-bottom: 1px solid #999999;
+ border-left: 1px solid #999999;
+ font-size: 11px;
+ padding-right: 6px;
+ padding-left: 6px;
+ padding-top: 4px;
+ padding-bottom: 4px;
+}
+.tabcont {
+ background-color: #DDDDDD;
+ padding-right: 12px;
+ padding-left: 12px;
+ padding-top: 12px;
+ padding-bottom: 12px;
+}
+</style>
+EOD;
+}
+
function haproxy_portoralias_to_list($port_or_alias) {
// input: a port or aliasname: 80 https MyPortAlias
// returns: a array of ports and portranges 80 443 8000:8010
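Review bot: The `.tabcont` rule is emitted twice with identical declarations, once after `.listtopic` and again at the end of the style block; the second copy can be dropped. The four per-side paddings in it collapse to `padding: 12px;`. `haproxy_css()` returns without output when `/usr/local/www/bootstrap` is missing, and a one-line comment such as `// only needed on the bootstrap-based GUI` above that check would explain why.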
@@ -298,7 +526,7 @@ function haproxy_portoralias_to_list($port_or_alias) {
$portresult = array_merge($portresult, $portresults);
}
return $portresult;
- } else if (is_portrange($port_or_alias)) {
+ } elseif (is_portrange($port_or_alias)) {
return (array)$port_or_alias;
} else {
$ports = explode(",", $port_or_alias);
@@ -420,7 +648,7 @@ haproxy_start () {
require_once("haproxy.inc");
haproxy_configure();
?>
-ENDOFF
+ENDOFF
}
haproxy_check () {
@@ -504,10 +732,11 @@ function haproxy_find_backend($backendname) {
function haproxy_find_acl($name) {
global $a_acltypes;
- if($a_acltypes) {
+ if ($a_acltypes) {
foreach ($a_acltypes as $key => $acl) {
- if ($key == $name)
+ if ($key == $name) {
return $acl;
+ }
}
}
}
@@ -517,25 +746,30 @@ function write_backend($configpath, $fd, $name, $pool, $backendsettings) {
$frontend = $backendsettings['frontend'];
$ipversion = $backendsettings['ipversion'];
$a_global = &$config['installedpackages']['haproxy'];
- $a_mailers = &$config['installedpackages']['haproxy']['email_mailers']['items'];
+ $a_mailers = &$config['installedpackages']['haproxy']['email_mailers']['item'];
+ $a_resolvers = $config['installedpackages']['haproxy']['dns_resolvers']['item'];
- if(!is_array($pool['ha_servers']['item']) && !$pool['stats_enabled']=='yes')
+ if (!is_array($pool['ha_servers']['item']) && !$pool['stats_enabled']=='yes') {
return;
+ }
global $a_checktypes, $a_cookiemode, $a_files_cache, $a_error;
-
+
+ $server_options = "";
$a_servers = &$pool['ha_servers']['item'];
$frontendtype = $frontend['type'];
fwrite ($fd, "backend " . $name . "\n");
// https is an alias for tcp for clarity purposes
- if($frontendtype == "https") {
+ if ($frontendtype == "https") {
$backend_mode = "tcp";
} else {
$backend_mode = $frontendtype;
}
fwrite ($fd, "\tmode\t\t\t" . $backend_mode . "\n");
-
- if (haproxy_verion() >= '1.6') {
+ fwrite ($fd, "\tlog\t\t\tglobal\n");
+
+ $use_haproxyresolvers = false;
+ if (haproxy_version() >= '1.6') {
$use_mailers = is_array($a_mailers) && count($a_mailers) > 0;
if ($use_mailers) {
fwrite ($fd, "\t# use mailers\n");
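Review bot: The reformatted guard keeps `!$pool['stats_enabled']=='yes'`, which parses as `(!$pool['stats_enabled']) == 'yes'` because `!` binds tighter than `==`. It gives the intended result only when the setting is empty or `yes`; any other non-empty value, such as `no`, makes the expression false, so a pool without servers is still written out. The line means `$pool['stats_enabled'] != 'yes'`. `write_backend` continues beyond this hunk.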
@@ -562,6 +796,14 @@ function write_backend($configpath, $fd, $name, $pool, $backendsettings) {
}
}
}
+
+ $use_resolvers = is_array($a_resolvers) && count($a_resolvers) > 0;
+ if ($use_resolvers) {
+ $use_haproxyresolvers = true;
+ //server s1 app1.domain.com:80 resolvers mydns resolve-prefer ipv6
+ $resolverprefer = ($ipversion == "ipv4" || $ipversion == "ipv6") ? $resolverprefer = " resolve-prefer {$ipversion}" : "";
+ $server_options .= " resolvers globalresolvers" . $resolverprefer;
+ }
}
if ($pool['log-health-checks'] == 'yes')
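Review bot: The added `$resolverprefer` line assigns the variable twice, once inside the ternary's true branch and once from the ternary's result. The inner assignment is redundant and makes the line harder to read: `$resolverprefer = ($ipversion == "ipv4" || $ipversion == "ipv6") ? " resolve-prefer {$ipversion}" : "";` does the same. A one-line comment that `globalresolvers` must match the section name written by haproxy_writeconf would also help, since the two strings are kept in sync by hand.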
@@ -586,39 +828,46 @@ function write_backend($configpath, $fd, $name, $pool, $backendsettings) {
fwrite ($fd, "\trspirep ^(Set-Cookie:((?!;\\ secure).)*)$ \\1;\ secure if { ssl_fc }\n");
}
- if($pool['stats_enabled']=='yes') {
+ if ($pool['stats_enabled'] == 'yes') {
fwrite ($fd, "\tstats\t\t\tenable\n");
- if($pool['stats_uri'])
+ if ($pool['stats_uri']) {
fwrite ($fd, "\tstats\t\t\turi ".$pool['stats_uri']."\n");
- if($pool['stats_realm'])
+ }
+ if ($pool['stats_realm']) {
fwrite ($fd, "\tstats\t\t\trealm " . haproxy_escapestring($pool['stats_realm']) . "\n");
- else
+ } else {
fwrite ($fd, "\tstats\t\t\trealm .\n");
+ }
- if ($pool['stats_username'] && $pool['stats_password'])
+ if ($pool['stats_username'] && $pool['stats_password']) {
fwrite ($fd, "\tstats\t\t\tauth " . haproxy_escapestring($pool['stats_username']).":". haproxy_escapestring($pool['stats_password'])."\n");
-
- if($pool['stats_admin']=='yes')
+ }
+ if ($pool['stats_admin'] == 'yes') {
fwrite ($fd, "\tstats\t\t\tadmin if TRUE" . "\n");
-
- if($pool['stats_node'])
+ }
+ if ($pool['stats_node']) {
fwrite ($fd, "\tstats\t\t\tshow-node " . $pool['stats_node'] . "\n");
- if($pool['stats_desc'])
+ }
+ if ($pool['stats_desc']) {
fwrite ($fd, "\tstats\t\t\tshow-desc " . haproxy_escapestring($pool['stats_desc']) . "\n");
- if($pool['stats_refresh'])
+ }
+ if ($pool['stats_refresh']) {
fwrite ($fd, "\tstats\t\t\trefresh " . $pool['stats_refresh'] . "\n");
+ }
if ($pool['stats_scope']) {
$scope_items = explode(",", $pool['stats_scope']);
- foreach($scope_items as $scope_item)
+ foreach($scope_items as $scope_item) {
fwrite ($fd, "\tstats\t\t\tscope " . $scope_item . "\n");
+ }
}
}
if (is_arrayset($pool,'errorfiles','item')) {
foreach($pool['errorfiles']['item'] as $errorfile) {
- if (!is_array($a_files_cache))// load only once
+ if (!is_array($a_files_cache)) {// load only once
$a_files_cache = haproxy_get_fileslist();
+ }
$file = $errorfile['errorfile'];
$errorcodes = explode(",",$errorfile['errorcode']);
foreach($errorcodes as $errorcode) {
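Review bot: In the stats block, `stats_uri`, `stats_node`, `stats_refresh` and each `$scope_item` are written into haproxy.cfg as stored, while realm, username, password and description go through `haproxy_escapestring()`. A space or line break in one of the unescaped values would change the directive or add further lines to the generated file. Unless the edit page already rejects such input (not visible here), the string fields should get the same treatment, e.g. `"\tstats\t\t\turi " . haproxy_escapestring($pool['stats_uri']) . "\n"`. The refresh value should be guarded with `is_numeric()`, as is done for `localstats_refreshtime` elsewhere in this file.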
@@ -688,19 +937,35 @@ function write_backend($configpath, $fd, $name, $pool, $backendsettings) {
}
}
- if($pool['balance'])
- fwrite ($fd, "\tbalance\t\t\t" . $pool['balance'] . "\n");
-
- if(!$pool['connection_timeout'])
+ if ($pool['balance']) {
+ $parameters = "";
+ if ($pool['balance'] == 'uri') {
+ if (!empty($pool['balance_urilen'])) {
+ $parameters .= " len {$pool['balance_urilen']}";
+ }
+ if (!empty($pool['balance_uridepth'])) {
+ $parameters .= " depth {$pool['balance_uridepth']}";
+ }
+ if ($pool['balance_uriwhole'] == 'yes') {
+ $parameters .= " whole";
+ }
+
+ }
+ fwrite ($fd, "\tbalance\t\t\t{$pool['balance']}{$parameters}\n");
+ }
+ if (!$pool['connection_timeout']) {
$pool['connection_timeout'] = 30000;
+ }
fwrite ($fd, "\ttimeout connect\t\t" . $pool['connection_timeout'] . "\n");
- if(!$pool['server_timeout'])
+ if (!$pool['server_timeout']) {
$pool['server_timeout'] = 30000;
+ }
fwrite ($fd, "\ttimeout server\t\t" . $pool['server_timeout'] . "\n");
- if(!$pool['retries'])
+ if (!$pool['retries']) {
$pool['retries'] = 3;
+ }
fwrite ($fd, "\tretries\t\t\t" . $pool['retries'] . "\n");
$addrprefix = "";
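Review bot: The new `balance uri` parameters interpolate `balance_urilen` and `balance_uridepth` straight into the directive after only an `!empty()` test. HAProxy expects integers here, so a non-numeric stored value produces a config that fails the check, and a value containing whitespace would extend the line. Casting on output keeps the line well-formed: `$parameters .= " len " . (int)$pool['balance_urilen'];`, and the same for `depth`, each guarded by `(int)... > 0`.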
@@ -718,13 +983,15 @@ function write_backend($configpath, $fd, $name, $pool, $backendsettings) {
}
$uri = $pool['monitor_uri'];
- if ($pool['monitor_uri'])
+ if ($pool['monitor_uri']) {
$uri = $pool['monitor_uri'];
- else
+ } else {
$uri = "/";
-
- if ($optioncheck)
+ }
+
+ if ($optioncheck) {
fwrite ($fd, "\toption\t\t\t{$optioncheck}\n");
+ }
if ($pool['advanced_backend']) {
$adv_be = explode("\n", base64_decode($pool['advanced_backend']));
@@ -735,7 +1002,143 @@ function write_backend($configpath, $fd, $name, $pool, $backendsettings) {
}
}
- if($pool['advanced']) {
+ global $a_action;
+ $config_acls = array();
+
+ $cert_acls = "";
+ $aclcrt_name = "";
+ $a_acl = get_backend_acls($pool, $frontendtype);
+ if (!is_array($a_acl)) {
+ $a_acl = array();
+ }
+ // ACL's
+ foreach ($a_acl as $entry) {
+ $aclitem = $entry['ref'];
+ $expression = $aclitem['expression'];
+
+ $aclname = $aclitem['name'];
+ $acltype = haproxy_find_acl($expression);
+ if (!isset($acltype))
+ continue;
+
+ // Filter out acls for different modes
+ if ($acltype['mode'] != '' && $acltype['mode'] != strtolower($frontendtype)) {
+ continue;
+ }
+ if ($acltype['inspect-delay'] != '') {
+ $inspectdelay = $acltype['inspect-delay'];
+ }
+ if ($acltype['advancedoptions'] != '') {
+ $advancedextra[$acltype['syntax']] = $acltype['advancedoptions']."\n";
+ }
+ if ($acltype['require_client_cert']) {
+ $needs_clientcert[$aclname] = true;
+ }
+ if ($aclitem['certacl']) {
+ $aclname = "aclcrt_{$frontend['name']}";
+ $aclcrt_name = $aclname;
+ }
+
+ if (($expression == "source_ip") && is_alias($aclitem['value'])) {
+ $filename = "$configpath/ipalias_{$aclitem['value']}.lst";
+ $listitems = haproxy_hostoralias_to_list($aclitem['value']);
+ $fd_alias = fopen("$filename", "w");
+ foreach($listitems as $item) {
+ fwrite($fd_alias, $item."\r\n");
+ }
+ fclose($fd_alias);
+ $expr = "src -f $filename";
+ } else {
+ $expr = sprintf($acltype['syntax'], $aclitem['value']);
+ if (is_array($acltype['fields'])) {
+ foreach ($acltype['fields'] as $field) {
+ $fieldname = $field['name'];
+ $parameter = $aclitem[$expression . $fieldname];
+ if ($fieldname == "backend") {
+ $backendname = $parameter . "_" . strtolower($bind['type'])."_".$ipversion;
+ $parameter = $backendname;
+ }
+ $expr = str_replace("{{$fieldname}}", $parameter, $expr);
+ }
+ }
+ }
+ $config_acls ["\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"] = 1;
+ }
+ // Write acl's first, so they may be used by advanced text options written by user.
+ foreach($config_acls as $acl => $dummy) {
+ fwrite ($fd, $acl);
+ }
+
+ $a_actionitems = $pool['a_actionitems']['item'];
+ if (!is_array($a_actionitems)) {
+ $a_actionitems = array();
+ }
+ foreach ($a_actionitems as $actionitem) {
+ $actionid = $actionitem['action'];
+ $action = $a_action[$actionid];
+
+ $action_cfg = $action['syntax'];
+
+ if (is_array($action['fields'])) {
+ foreach ($action['fields'] as $field) {
+ $fieldname = $field['name'];
+ $parameter = $actionitem[$actionid . $field['name']];
+
+ if ($fieldname == "backend") {
+ $backend = $parameter;
+ $backendname = $parameter . "_" . strtolower($bind['type'])."_".$ipversion;
+ if (!isset($a_pendingpl[$backendname])) {
+ $a_pendingpl[$backendname] = array();
+ $a_pendingpl[$backendname]['name'] = $backendname;
+ $a_pendingpl[$backendname]['backend'] = $backend;
+ $a_pendingpl[$backendname]['frontend'] = $bind;
+ $a_pendingpl[$backendname]['ipversion'] = $ipversion;
+ }
+ $parameter = $backendname;
+ }
+ $action_cfg = str_replace("{{$fieldname}}", $parameter, $action_cfg);
+ }
+ }
+ $condition = "";
+ if (!empty($actionitem['acl']) || !empty($systemacl)) {
+ $useclientcert = "";
+ $useracls = "";
+ $aclnames = explode(' ', $actionitem['acl']);
+ foreach($aclnames as $aclname) {
+ if ($needs_clientcert[$aclname]) {
+ $useclientcert = " aclsystem_ssl_c_used";
+ }
+ $not = "";
+ foreach ($a_acl as $entry) {
+ if ($entry['ref']['name'] == $aclname && $entry['ref']['not'] == 'yes') {
+ $not = "!";
+ }
+ }
+ $useracls .= " {$not}{$aclname}";
+ }
+ $condition = " if {$useracls}{$useclientcert} {$systemacl}";
+ }
+
+ $action = "\t{$action_cfg} {$condition}\n";
+
+ if ($actionid == "use_backend") {
+ if (empty($condition)) {
+ $config_usedefaultbackends .= "\tdefault_backend {$parameter}{$condition}\n";
+ } else {
+ if (!empty($actionitem['acl'])){
+ $config_usebackends .= $action;
+ } else {
+ // add use_backend if ipv4/6 before default_backend if any exists..
+ $config_usedefaultbackends .= $action;
+ }
+ }
+ } else {
+ $config_actions .= $action;
+ }
+ }
+ fwrite ($fd, $config_actions);
+
+ if ($pool['advanced']) {
$advanced = base64_decode($pool['advanced']);
$advanced_txt = " " . $advanced;
} else {
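Review bot: The added ACL and action loops read `$bind`, `$a_pendingpl` and `$systemacl`, and append to `$config_actions`, `$config_usebackends` and `$config_usedefaultbackends`, none of which is a parameter of write_backend or initialised in this hunk. The block reads like code carried over from the frontend writer. Unless these are set earlier in the function (it starts outside the hunk), `strtolower($bind['type'])` evaluates to an empty string, so the derived backend name is wrong. `strtolower($frontendtype)` and a `$config_actions = "";` before the loop look like the intended forms. Separately, the result of `fopen("$filename", "w")` for the alias list is used without a check, so a failed open leads to `fwrite()` on `false`; testing `if ($fd_alias === false)` and logging would make that failure visible.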
@@ -743,28 +1146,33 @@ function write_backend($configpath, $fd, $name, $pool, $backendsettings) {
}
if ($check_type != 'none') {
- if($pool['checkinter'])
+ if ($pool['checkinter']) {
$checkinter = " check inter {$pool['checkinter']}";
- else
+ } else {
$checkinter = " check inter 1000";
+ }
}
//agent-check requires at least haproxy v1.5dev20
- if ($pool['agent_check'])
+ if ($pool['agent_check']) {
$agentcheck = " agent-check agent-inter {$pool['agent_inter']} agent-port {$pool['agent_port']}";
+ }
if (is_array($a_servers)) {
foreach($a_servers as $be) {
- if ($be['status'] == "inactive")
+ if ($be['status'] == "inactive") {
continue;
- if($be['cookie'] && $frontendtype == "http")
+ }
+ if ($be['cookie'] && $frontendtype == "http") {
$cookie = " cookie {$be['cookie']}";
- else
+ } else {
$cookie = "";
+ }
- if (!$be['name'])
+ if (!$be['name']) {
$be['name'] = $be['address'];
- if(!$be['status'] || $be['status'] != 'active') {
+ }
+ if (!$be['status'] || $be['status'] != 'active') {
$isbackup = $be['status'];
} else {
$isbackup = "";
@@ -775,8 +1183,7 @@ function write_backend($configpath, $fd, $name, $pool, $backendsettings) {
$crtfile = "";
$verifynone = "";
$verifyhost = "";
- if ($be['ssl'] == 'yes')
- {
+ if ($be['ssl'] == 'yes') {
$ssl = $frontendtype == "http" ? ' ssl' : ' check-ssl';
if ($be['sslserververify'] != 'yes') {
@@ -803,24 +1210,25 @@ function write_backend($configpath, $fd, $name, $pool, $backendsettings) {
haproxy_write_certificate_crt($filename, $server_clientcert, true);
$crtfile = " crt $filename";
}
-
}
$weight = "";
- if (is_numeric($be['weight'])){
+ if (is_numeric($be['weight'])) {
$weight = " weight " . $be['weight'];
}
$maxconn = "";
- if (is_numeric($be['maxconn'])){
+ if (is_numeric($be['maxconn'])) {
$maxconn = " maxconn " . $be['maxconn'];
}
+ $unix_socket = false;
$servers = array();
if ($be['forwardto'] && $be['forwardto'] != "") {
+ $unix_socket = true;
$servers[] = "/{$be['forwardto']}.socket send-proxy-v2-ssl-cn";
} else {
- if (is_ipaddr($be['address'])) {
+ if (is_ipaddr($be['address']) || $use_haproxyresolvers) {
$servers[] = $be['address'];
- } else if (is_hostname($be['address'])) {
+ } elseif (is_hostname($be['address'])) {
$dnsresult_servers = haproxy_utils::query_dns($be['address'], $dnsquerytype);
foreach($dnsresult_servers as $dnsresult_server){
$servers[] = $dnsresult_server['data'];
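Review bot: With resolvers enabled, the changed condition `is_ipaddr($be['address']) || $use_haproxyresolvers` accepts any stored address string, so the `is_hostname()` validation in the `elseif` no longer applies to that path. The value then goes into the `server` line unchecked. Keeping the hostname check preserves the previous guarantee: `if (is_ipaddr($be['address']) || ($use_haproxyresolvers && is_hostname($be['address']))) {`. The enclosing loop continues outside this hunk.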
@@ -831,18 +1239,26 @@ function write_backend($configpath, $fd, $name, $pool, $backendsettings) {
foreach($servers as $server) {
if (is_ipaddr($server)) {
// skip ipv4 servers when using transparent client ip with ipv6 backend servers, and vice versa
- if ($ipversion == "ipv4" && !is_ipaddrv4($server))
+ if ($ipversion == "ipv4" && !is_ipaddrv4($server)) {
continue;
- if ($ipversion == "ipv6" && !is_ipaddrv6($server))
+ }
+ if ($ipversion == "ipv6" && !is_ipaddrv6($server)) {
continue;
- if (isset($be['port']))
- $server = $server . ":" . $be['port'];
+ }
+ } else {
+ if (!$unix_socket) {
+ // place the ipv4@ or ipv6@ before the address, but not when using a unix socket
+ $server = $addrprefix . $server;
+ }
+ }
+ if (!empty($be['port'])) {
+ $server = $server . ":" . $be['port'];
}
$servername = $be['name'];
if (count($servers) > 1) {
$servername .= "_" . $counter;
}
- fwrite ($fd, "\tserver\t\t\t" . $servername . " " . $server . "$ssl$cookie$checkinter$checkport$agentcheck $isbackup$weight$maxconn$cafile$crlfile$verifynone$verifyhost$crtfile{$advanced_txt} {$be['advanced']}\n");
+ fwrite ($fd, "\tserver\t\t\t" . $servername . " " . $server . "$ssl$cookie$checkinter$checkport$agentcheck $isbackup$weight$maxconn$cafile$crlfile$verifynone$verifyhost$crtfile$server_options{$advanced_txt} {$be['advanced']}\n");
$counter++;
}
}
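Review bot: Moving the port append out of the `is_ipaddr()` branch makes it apply to every entry in `$servers`, including the unix-socket entry that already ends in `send-proxy-v2-ssl-cn`. If a port is stored on such a server, the result is `...send-proxy-v2-ssl-cn:PORT`, which is not a valid server line. The new `$unix_socket` flag is already available, so the guard can be `if (!$unix_socket && !empty($be['port'])) {`. Note also that `{$be['advanced']}` and `$advanced_txt` are appended to the line as stored, so a short comment saying these are trusted administrator input would document the assumption.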
@@ -862,15 +1278,20 @@ function haproxy_check_and_run(&$messages, $reload) {
haproxy_writeconf($testpath);
$retval = exec("haproxy -c -V -f $testpath/haproxy.cfg 2>&1", $output, $err);
$messages = "";
- if ($err > 1)
+ if ($err > 1) {
$messages = "<h2><strong>FATAL ERROR CODE: $err while starting haproxy</strong></h2>";
- elseif ($err == 1)
+ } elseif ($err == 1) {
$messages = "Errors found while starting haproxy";
+ }
if ((count($output) > 1) && $output[0] != "Configuration file is valid")
{
- foreach($output as $line)
+ $syslogmessage = "";
+ foreach($output as $line) {
$messages .= "<br/>" . htmlspecialchars($line) . "\n";
+ $syslogmessage .= str_replace("\n"," ", $line) . " ";
+ }
+ syslog(LOG_NOTICE, "haproxy: check error output: {$syslogmessage}");
}
$ok = strstr($retval, "Configuration file is valid");
if ($ok && $reload) {
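Review bot: In the added syslog loop, `str_replace("\n"," ", $line)` has no effect, because `exec()` already returns `$output` split into lines without the trailing newline. If the aim is a single clean log entry, strip the remaining control characters instead: `preg_replace('/[\x00-\x1f\x7f]+/', ' ', $line)`. The `exec()` call above it also interpolates `$testpath` into a shell command; where that value comes from is outside the hunk, so `escapeshellarg("$testpath/haproxy.cfg")` would be the safer form.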
@@ -884,16 +1305,18 @@ function haproxy_check_and_run(&$messages, $reload) {
function haproxy_lookup_cert($certid) {
$res = lookup_ca($certid);
- if (!$res)
+ if (!$res) {
$res = lookup_cert($certid);
+ }
return $res;
}
function haproxy_write_certificate_crt($filename, $certid, $include_psk = false, $append = false) {
$cert = haproxy_lookup_cert($certid);
$certcontent = base64_decode($cert['crt']);
- if ($include_psk && isset($cert['prv']))
+ if ($include_psk && isset($cert['prv'])) {
$certcontent .= "\r\n".base64_decode($cert['prv']);
+ }
$flags = $append ? FILE_APPEND : 0;
file_put_contents($filename, $certcontent, $flags);
unset($certcontent);
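Review bot: `haproxy_write_certificate_crt()` writes the private key (`$cert['prv']`) with `file_put_contents()` and leaves the file mode to the process umask. Nothing in this hunk restricts the file to its owner. Wrapping the write keeps the key unreadable to other local accounts: `$old = umask(0077); file_put_contents($filename, $certcontent, $flags); umask($old);`. The result of `haproxy_lookup_cert()` is also used unchecked, so an unknown `$certid` silently produces an empty file; a check with a `syslog(LOG_ERR, ...)` would surface that.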
@@ -902,6 +1325,7 @@ function haproxy_write_certificate_crt($filename, $certid, $include_psk = false,
function haproxy_write_certificate_crl($filename, $crlid, $append = false) {
$crl = lookup_crl($crlid);
+ crl_update($crl);
$content = base64_decode($crl['text']);
$flags = $append ? FILE_APPEND : 0;
file_put_contents($filename, $content, $flags);
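Review bot: The added `crl_update($crl)` runs on whatever `lookup_crl()` returned, with no check that a CRL was found. For an unknown `$crlid`, the function goes on to write an empty CRL file. Depending on how HAProxy treats that file, this either fails the config check or leaves revocation unenforced for the frontend, so it is worth failing loudly: `if (!is_array($crl)) { syslog(LOG_ERR, "haproxy: CRL {$crlid} not found"); return; }`.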
@@ -913,18 +1337,21 @@ function haproxy_write_certificate_fullchain($filename, $certid, $append = false
$cert = haproxy_lookup_cert($certid);
$certcontent = base64_decode($cert['crt']);
- if (isset($cert['prv']))
+ if (isset($cert['prv'])) {
$certcontent .= "\r\n".base64_decode($cert['prv']);
+ }
$ca = $cert;
while(!empty($ca['caref'])) {
$ca = lookup_ca($ca['caref']);
if ($ca) {
- if ($skiproot && (cert_get_subject($ca['crt']) == cert_get_issuer($ca['crt'])))
+ if ($skiproot && (cert_get_subject($ca['crt']) == cert_get_issuer($ca['crt']))) {
break;
+ }
$certcontent .= "\r\n" . base64_decode($ca['crt']);
- } else
+ } else {
break;
+ }
}
$flags = $append ? FILE_APPEND : 0;
file_put_contents($filename, $certcontent, $flags);
@@ -947,8 +1374,9 @@ function haproxy_write_certificate_issuer($filename, $certid) {
function haproxy_uses_ocsp() {
global $config;
$a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
- if (!is_array($a_frontends))
+ if (!is_array($a_frontends)) {
return false;
+ }
$configpath = "{$g['varetc_path']}/haproxy";
foreach ($a_frontends as $frontend) {
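Review bot: `haproxy_uses_ocsp()` builds `$configpath` from `$g['varetc_path']` but declares only `global $config;`. `$g` is therefore undefined inside the function and the path collapses to `/haproxy`. `haproxy_updateocsp()` further down declares both, so the first line should read `global $config, $g;`. The rest of the function is outside this hunk, so how `$configpath` is used afterwards cannot be confirmed from here.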
@@ -977,9 +1405,9 @@ function haproxy_updateocsp_one($socketupdate, $filename, $name) {
if ($socketupdate) {
$ocspresponse = base64_encode(file_get_contents("{$filename}.ocsp"));
$r = haproxy_socket_command("set ssl ocsp-response $ocspresponse");
- if ($r[0] == "OCSP Response updated!\n")
+ if ($r[0] == "OCSP Response updated!\n") {
syslog(LOG_NOTICE, "HAProxy OCSP socket update successful for frontend {$name}..result: ".$retval);
- else {
+ } else {
syslog(LOG_ERR, "HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: {$name}");
}
} else {
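Review bot: The success message in the socket-update branch logs `$retval`, but the socket reply is held in `$r` and nothing in the visible lines assigns `$retval` on this path. Unless it is set earlier in the function (which starts outside the hunk), the entry always ends in an empty result. Logging `trim($r[0])` would record the actual reply. The error branch would also be more useful if it included the reply text, so that a failed OCSP update can be diagnosed from syslog alone.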
@@ -992,8 +1420,9 @@ function haproxy_updateocsp_one($socketupdate, $filename, $name) {
function haproxy_updateocsp($socketupdate = true) {
global $config, $g;
$a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
- if (!is_array($a_frontends))
+ if (!is_array($a_frontends)) {
return true;
+ }
$configpath = "{$g['varetc_path']}/haproxy";
foreach ($a_frontends as $frontend) {
@@ -1012,10 +1441,12 @@ function haproxy_updateocsp($socketupdate = true) {
}
function haproxy_writeconf($configpath) {
- global $config;
+ global $config, $a_files_cache;
global $aliastable;
- if (!isset($aliastable))
+ global $a_action;
+ if (!isset($aliastable)) {
alias_make_table($config);
+ }
$chroot_dir = "/tmp/haproxy_chroot"; // can contain socket to forward connection from backend to frontend. "/var/empty"
@mkdir($chroot_dir, 0755, true);
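Review bot: The chroot directory is a fixed path under `/tmp` and is created with `@mkdir(...)`, which hides the case where the path already exists as something other than a root-owned directory. The inline comment says it can hold the frontend sockets, so it is worth verifying before use, e.g. `if (is_link($chroot_dir) || !is_dir($chroot_dir) || fileowner($chroot_dir) !== 0) { /* log and abort */ }`. Alternatively the directory could live under a root-only location. A comment explaining why `/var/empty` was not used would help the next reader.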
@@ -1027,38 +1458,64 @@ function haproxy_writeconf($configpath) {
$a_global = &$config['installedpackages']['haproxy'];
$a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
$a_backends = &$config['installedpackages']['haproxy']['ha_pools']['item'];
- $a_mailers = &$config['installedpackages']['haproxy']['email_mailers']['items'];
+ $a_mailers = &$config['installedpackages']['haproxy']['email_mailers']['item'];
+ $a_resolvers = &$config['installedpackages']['haproxy']['dns_resolvers']['item'];
+ $a_files = &$config['installedpackages']['haproxy']['files']['item'];
+ if (!is_array($a_frontends)) {
+ $a_frontends = array();
+ }
+ if (!is_array($a_backends)) {
+ $a_backends = array();
+ }
+ if (!is_array($a_mailers)) {
+ $a_mailers = array();
+ }
+ if (!is_array($a_resolvers)) {
+ $a_resolvers = array();
+ }
$fd = fopen($configfile, "w");
- if(is_array($a_global)) {
+ if (is_array($a_global)) {
fwrite ($fd, "global\n");
- if ($a_global['maxconn'])
+ if ($a_global['maxconn']) {
fwrite ($fd, "\tmaxconn\t\t\t".$a_global['maxconn']."\n");
- if($a_global['remotesyslog'])
+ }
+ if ($a_global['remotesyslog']) {
fwrite ($fd, "\tlog\t\t\t{$a_global['remotesyslog']}\t{$a_global['logfacility']}\t{$a_global['loglevel']}\n");
+ }
fwrite ($fd, "\tstats socket /tmp/haproxy.socket level admin\n");
- if(!use_transparent_clientip_proxying())
+ if(!use_transparent_clientip_proxying()) {
fwrite ($fd, "\tuid\t\t\t80\n");
-
+ }
+
fwrite ($fd, "\tgid\t\t\t80\n");
// Set numprocs if defined or use system default (#cores)
- if($a_global['nbproc'])
- $numprocs = $a_global['nbproc'];
- else
- $numprocs ="1";
+ $numprocs = $a_global['nbproc'] ? $a_global['nbproc'] : "1";
fwrite ($fd, "\tnbproc\t\t\t$numprocs\n");
fwrite ($fd, "\tchroot\t\t\t$chroot_dir\n");
fwrite ($fd, "\tdaemon\n");
- //fwrite ($fd, "\tssl-server-verify none\n");
- if($a_global['ssldefaultdhparam'])
+ if ($a_global['ssldefaultdhparam']) {
fwrite ($fd, "\ttune.ssl.default-dh-param\t{$a_global['ssldefaultdhparam']}\n");
- if($a_global['log-send-hostname'])
+ }
+ if ($a_global['log-send-hostname']) {
fwrite ($fd, "\tlog-send-hostname\t\t{$a_global['log-send-hostname']}\n");
+ }
+
+ // lua-load
+ if (is_array($a_files)) {
+ foreach($a_files as $file) {
+ if ($file['type'] == "luascript") {
+ $luafile = $configpath . "/luascript_" . $file['name'];
+ file_put_contents($luafile, base64_decode($file['content']), 0);
+ fwrite ($fd, "\tlua-load\t\t{$luafile}\n");
+ }
+ }
+ }
// Keep the advanced options on the bottom of the global settings, to allow additional sections to be easely added
- if($a_global['advanced']) {
+ if ($a_global['advanced']) {
$adv = explode("\n", base64_decode($a_global['advanced']));
foreach($adv as $adv_line) {
fwrite($fd, "\t" . str_replace("\r", "", $adv_line) . "\n");
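Review bot: The new `lua-load` block uses `$file['name']` unchanged in both the on-disk path and the config directive. A name containing a slash, whitespace or a line break would yield an unexpected path or a malformed or extra line in the global section. The script content is then loaded into the HAProxy process, so the name is worth constraining at write time: `$luafile = $configpath . "/luascript_" . preg_replace('/[^A-Za-z0-9_.-]/', '_', $file['name']);`. The return value of `file_put_contents()` is also ignored, so a failed write would only show up later as a config-check error.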
@@ -1073,8 +1530,9 @@ function haproxy_writeconf($configpath) {
fwrite ($fd, "\tbind 127.0.0.1:$localstatsport name localstats\n");
fwrite ($fd, "\tmode http\n");
fwrite ($fd, "\tstats enable\n");
- if (is_numeric($a_global['localstats_refreshtime']))
+ if (is_numeric($a_global['localstats_refreshtime'])) {
fwrite ($fd, "\tstats refresh {$a_global['localstats_refreshtime']}\n");
+ }
fwrite ($fd, "\tstats admin if TRUE\n");
fwrite ($fd, "\tstats uri /haproxy_stats.php?haproxystats=1\n");
fwrite ($fd, "\ttimeout client 5000\n");
@@ -1084,7 +1542,7 @@ function haproxy_writeconf($configpath) {
}
}
- if (haproxy_verion() >= '1.6') {
+ if (haproxy_version() >= '1.6') {
$use_mailers = is_array($a_mailers) && count($a_mailers) > 0;
if ($use_mailers) {
fwrite ($fd, "mailers globalmailers\n");
@@ -1093,16 +1551,26 @@ function haproxy_writeconf($configpath) {
}
fwrite ($fd, "\n");
}
+ $use_resolvers = is_array($a_resolvers) && count($a_resolvers) > 0;
+ if ($use_resolvers) {
+ fwrite ($fd, "resolvers globalresolvers\n");
+ foreach($a_resolvers as $resolver) {
+ fwrite ($fd, "\tnameserver {$resolver['name']} {$resolver['server']}:{$resolver['port']}\n");
+ }
+ fwrite ($fd, "\tresolve_retries {$a_global['resolver_retries']}\n");
+ fwrite ($fd, "\ttimeout retry {$a_global['resolver_timeoutretry']}\n");
+ fwrite ($fd, "\thold valid {$a_global['resolver_holdvalid']}\n");
+ fwrite ($fd, "\n");
+ }
}
// Try and get a unique array for address:port as frontends can duplicate
$a_bind = array();
- if(is_array($a_frontends)) {
+ if (is_array($a_frontends)) {
foreach ($a_frontends as $frontend) {
- if($frontend['status'] != 'active')
- continue;
- if(!$frontend['backend_serverpool'])
+ if ($frontend['status'] != 'active') {
continue;
+ }
$primaryfrontend = get_primaryfrontend($frontend);
$bname = $primaryfrontend['name'];
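Review bot: The added `resolvers globalresolvers` section writes `resolve_retries`, `timeout retry` and `hold valid` unconditionally from `$a_global`. If one of the three settings is empty, the directive is emitted without an argument and the config check fails. Either guard each line (`if ($a_global['resolver_retries'] != '') { ... }`) or fall back to a default, as is done for `connection_timeout` in write_backend. The `nameserver` line likewise trusts `$resolver['name']`, `['server']` and `['port']`; validating with `is_ipaddr()` and `is_port()` before writing would keep a bad entry from breaking the whole file, assuming those helpers are available here as elsewhere in pfSense code.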
@@ -1131,8 +1599,8 @@ function haproxy_writeconf($configpath) {
$subfolder = "$configpath/{$frontend['name']}";
$certs = $frontend['ha_certificates']['item'];
- if (is_array($certs)){
- if (count($certs) > 0){
+ if (is_array($certs)) {
+ if (count($certs) > 0) {
@mkdir($subfolder, 0755, true);
foreach($certs as $cert){
$filenamefoldercert = "$subfolder/{$cert['ssl_certificate']}.pem";
@@ -1148,7 +1616,7 @@ function haproxy_writeconf($configpath) {
$ssl_crt .= " crt $subfolder";
}
}
- }else{
+ } else {
$ssl_crt="";
unlink_if_exists("var/etc/{$frontend['name']}.{$frontend['port']}.crt");//cleanup for possible old haproxy package version
}
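Review bot: The cleanup call `unlink_if_exists("var/etc/{$frontend['name']}.{$frontend['port']}.crt")` uses a relative path with no leading slash. It therefore resolves against the current working directory and most likely never removes the old certificate file it is meant to clean up. `"/var/etc/..."` or `"{$g['varetc_path']}/..."` looks like what was intended; the latter needs `$g` in scope, which this hunk does not show.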
@@ -1161,8 +1629,9 @@ function haproxy_writeconf($configpath) {
}
if ($ssl_crt != "") {
- if ($b['ssl_info'] == "")
+ if ($b['ssl_info'] == "") {
$b['ssl_info'] = "ssl {$frontend['dcertadv']}";
+ }
$b['ssl_info'] .= $ssl_crt;
}
@@ -1170,26 +1639,26 @@ function haproxy_writeconf($configpath) {
$b['config'][] = $frontend;
}
}
-
$a_pendingpl = array();
// Construct and write out configuration for each "frontend"
- if(is_array($a_bind)) {
+ if (is_array($a_bind)) {
foreach ($a_bind as $bind) {
- if (count($bind['config']) > 1)
+ if (count($bind['config']) > 1) {
$frontendinfo = "frontend {$bind['name']}-merged\n";
- else
+ } else {
$frontendinfo = "frontend {$bind['name']}\n";
+ }
fwrite ($fd, "{$frontendinfo}");
$advancedextra = array();
$ca_file = "";
$first = true;
- if (is_array($bind['clientcert_ca']['item'])){
+ if (is_array($bind['clientcert_ca']['item'])) {
$filename = "$configpath/clientca_{$bind['name']}.pem";
- foreach($bind['clientcert_ca']['item'] as $ca){
- if (!empty($ca['cert_ca'])){
+ foreach($bind['clientcert_ca']['item'] as $ca) {
+ if (!empty($ca['cert_ca'])) {
haproxy_write_certificate_crt($filename, $ca['cert_ca'], false, !$first);
$first = false;
}
@@ -1199,9 +1668,9 @@ function haproxy_writeconf($configpath) {
}
$crl_file = "";
$first = true;
- if (is_array($bind['clientcert_crl']['item'])){
+ if (is_array($bind['clientcert_crl']['item'])) {
$filename = "$configpath/clientcrl_{$bind['name']}.pem";
- foreach($bind['clientcert_crl']['item'] as $ca){
+ foreach($bind['clientcert_crl']['item'] as $ca) {
haproxy_write_certificate_crl($filename, $ca['cert_crl'], !$first);
$first = false;
}
@@ -1210,8 +1679,9 @@ function haproxy_writeconf($configpath) {
$advanced_bind = $bind['advanced_bind'];
$ssl_info = $bind['ssl_info'];
$ssl_info .= $ca_file . $crl_file;
- if ($bind['sslclientcert-invalid'])
+ if ($bind['sslclientcert-invalid']) {
$ssl_info .= " crt-ignore-err all";
+ }
$useipv4 = false;
$useipv6 = false;
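Review bot: The `sslclientcert-invalid` branch has no comment, and `crt-ignore-err all` has a security-relevant effect that deserves one. With it, the TLS handshake completes even when the client certificate fails verification, so any access decision has to be made afterwards by ACLs. Suggested comment above the `if`: `// handshake succeeds even for invalid client certs; frontends using this must gate access with ACLs (e.g. on ssl_c_verify)`.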
@@ -1226,12 +1696,12 @@ function haproxy_writeconf($configpath) {
}
fwrite ($fd, "{$listenip}");
- if (use_frontend_as_unixsocket($bind['name'])){
+ if (use_frontend_as_unixsocket($bind['name'])) {
fwrite ($fd, "\tbind /tmp/haproxy_chroot/{$bind['name']}.socket name unixsocket accept-proxy {$ssl_info} {$advanced_bind}\n");
}
// https is an alias for tcp for clarity purposes
- if($bind['type'] == "https") {
+ if ($bind['type'] == "https") {
$backend_type = "tcp";
} else {
$backend_type = $bind['type'];
@@ -1240,26 +1710,32 @@ function haproxy_writeconf($configpath) {
fwrite ($fd, "\tmode\t\t\t" . $backend_type . "\n");
fwrite ($fd, "\tlog\t\t\tglobal\n");
- if ($bind['socket-stats'] == 'yes')
+ if ($bind['socket-stats'] == 'yes') {
fwrite ($fd, "\toption\t\t\tsocket-stats\n");
- if ($bind['dontlognull'] == 'yes')
+ }
+ if ($bind['dontlognull'] == 'yes') {
fwrite ($fd, "\toption\t\t\tdontlognull\n");
- if ($bind['dontlog-normal'] == 'yes')
+ }
+ if ($bind['dontlog-normal'] == 'yes') {
fwrite ($fd, "\toption\t\t\tdontlog-normal\n");
- if ($bind['log-separate-errors'] == 'yes')
+ }
+ if ($bind['log-separate-errors'] == 'yes') {
fwrite ($fd, "\toption\t\t\tlog-separate-errors\n");
- if ($bind['log-detailed'] == 'yes'){
- if ($backend_type == 'http')
+ }
+ if ($bind['log-detailed'] == 'yes') {
+ if ($backend_type == 'http') {
fwrite ($fd, "\toption\t\t\thttplog\n");
- else
+ } else {
fwrite ($fd, "\toption\t\t\ttcplog\n");
+ }
}
if ($backend_type == 'http') {
- if($bind['httpclose'] && $bind['httpclose'] != "none" )
+ if ($bind['httpclose'] && $bind['httpclose'] != "none") {
fwrite ($fd, "\toption\t\t\t{$bind['httpclose']}\n");
+ }
- if($bind['forwardfor']) {
+ if ($bind['forwardfor']) {
fwrite ($fd, "\toption\t\t\tforwardfor\n");
fwrite ($fd, "\tacl https ssl_fc\n");
fwrite ($fd, "\treqadd X-Forwarded-Proto:\ http if !https\n");
@@ -1267,19 +1743,38 @@ function haproxy_writeconf($configpath) {
}
}
- if($bind['max_connections'])
- fwrite ($fd, "\tmaxconn\t\t\t" . $bind['max_connections'] . "\n");
+ if ($bind['max_connections']) {
+ fwrite ($fd, "\tmaxconn\t\t\t{$bind['max_connections']}\n");
+ }
- if(!$bind['client_timeout'])
+ if (!$bind['client_timeout']) {
$bind['client_timeout'] = 30000;
+ }
- fwrite ($fd, "\ttimeout client\t\t" . $bind['client_timeout'] . "\n");
+ fwrite ($fd, "\ttimeout client\t\t{$bind['client_timeout']}\n");
+
+ if (is_arrayset($bind,'a_errorfiles','item')) {
+ foreach($bind['a_errorfiles']['item'] as $errorfile) {
+ if (!is_array($a_files_cache)) {// load only once
+ $a_files_cache = haproxy_get_fileslist();
+ }
+ $file = $errorfile['errorfile'];
+ $errorcodes = explode(",",$errorfile['errorcode']);
+ foreach($errorcodes as $errorcode) {
+ $filename = "$configpath/errorfile_{$name}_{$errorcode}_{$file}";
+ $content = base64_decode($a_files_cache[$file]['content']);
+ $content = str_replace('{errormsg}', $a_error[$errorcode]['descr'], $content);
+ $content = str_replace('{errorcode}', $errorcode, $content);
+ file_put_contents($filename, $content);
+ fwrite ($fd, "\terrorfile\t\t\t" . $errorcode ." " . $filename . "\n");
+ }
+ }
+ }
-
// Advanced pass thru
- if($bind['advanced']) {
- $advanced = explode("\n", base64_decode($bind['advanced']));
- foreach($advanced as $adv_line) {
+ if ($bind['advanced']) {
+ $advanced = explode("\n", base64_decode($bind['advanced']));
+ foreach ($advanced as $adv_line) {
if ($adv_line != "") {
fwrite($fd, "\t" . str_replace("\r", "", $adv_line) . "\n");
}
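Review bot: The added frontend errorfile block uses `$name` and `$a_error`, which belong to write_backend. In haproxy_writeconf neither appears among the parameters or the `global` declarations shown in this diff. If they are not set elsewhere in the function, every frontend writes to the same `errorfile__CODE_FILE` path and `{errormsg}` is replaced with an empty string. `$bind['name']` in the file name and `global $a_error;` at the top look like the intended forms. `$errorcode` and `$file` also go into the path unfiltered, so trimming and restricting them to expected characters would avoid stray files.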
@@ -1288,176 +1783,220 @@ function haproxy_writeconf($configpath) {
// Combine the rest of the frontend configs
$default_backend = "";
- $config_acls = "";
+ $config_acls = array();
+ $config_actions = "";
$config_usebackends = "";
$config_usedefaultbackends = "";
$transparent_clientip = false;
foreach ($bind['config'] as $frontend) {
- $backend = haproxy_find_backend($frontend['backend_serverpool']);
- if ($backend["transparent_clientip"] == 'yes') {
+ //todo: check also use_backend actions
+ if (frontend_usetransparentbackend($frontend)) {
$transparent_clientip = true;
break;
}
}
if ($transparent_clientip && $useipv4 && $useipv6) {
// set the src_is_ipv4 acl if needed.
- $config_acls .= "\tacl\t\t\tsrc_is_ipv4\tsrc 0.0.0.0/0\n";
+ $acl = "\tacl\t\t\tsrc_is_ipv4\tsrc 0.0.0.0/0\n";
+ $config_acls[$acl] = 1;
}
$inspectdelay = 0;
$i = 0;
$acllist = array();
+ $needs_clientcert = array();
$acl_newid = 0;
foreach ($bind['config'] as $frontend) {
+ // loop through 'shared frontends' within one primary.
+
$a_acl = get_frontend_acls($frontend);
-
- $backend = haproxy_find_backend($frontend['backend_serverpool']);
- $transparent_clientip = $backend["transparent_clientip"] == 'yes';
+
+ $a_actionitems = $frontend['a_actionitems']['item'];
+ if (!is_array($a_actionitems)) {
+ $a_actionitems = array();
+ }
+ if (!empty($frontend['backend_serverpool'])) {
+ // insert extra use_backend action without a user-condition
+ $item = array();
+ $item['action'] = "use_backend";
+ $item['use_backendbackend'] = $frontend['backend_serverpool'];
+ $a_actionitems[] = $item;
+ }
+ $transparent_clientip = frontend_usetransparentbackend($frontend);
$allowfordefaultbackend = true;
$ipv = array();
if ($transparent_clientip) {
if ($useipv4 && $useipv6) {
$ipv["ipv4"]['acl'] = " src_is_ipv4 ";
+ $ipv["ipv4"]['aclnameadd'] = "_ipv4";
$ipv["ipv6"]['acl'] = " !src_is_ipv4 ";
+ $ipv["ipv6"]['aclnameadd'] = "_ipv6";
$allowfordefaultbackend = false; // transparent backend must always match client-ip which is ipv4 v.s. ipv6 specific so there cannot be a default.
- } else if ($useipv6)
+ } elseif ($useipv6) {
$ipv["ipv6"]['acl'] = " ";
- else
+ $ipv["ipv6"]['aclnameadd'] = "";
+ } else {
$ipv["ipv4"]['acl'] = " ";
- } else
- $ipv["ipvANY"]['acl'] = " ";
-
- // combine acl's with same name to allow for 'combined checks' to check for example hostname and fileextension together..
- $a_acl_combine = array();
- foreach ($a_acl as $entry) {
- $name = $entry['ref']['name'];
-
- $acl = array();
- $acl['ref'] = $entry['ref'];
- $acltype = haproxy_find_acl($entry['ref']['expression']);
- $acl['acltype'] = $acltype;
- if (!isset($acltype))
- continue;
- $a_acl_combine[$name][] = $acl;
-
- if (isset($acltype['require_client_cert'])){
- $acl = array();
- $acl['ref']['expression'] = "ssl_c_used";
- $acl['acltype']['syntax'] = "ssl_c_used";
- $acl['acltype']['novalue'] = 1;
- $a_acl_combine[$name][] = $acl;
+ $ipv["ipv4"]['aclnameadd'] = "";
}
+ } else {
+ $ipv["ipvANY"]['acl'] = " ";
+ $ipv["ipvANY"]['aclnameadd'] = "";
}
-
+
$certacl = "";
$y = 0;
foreach($ipv as $ipversion => $ipversionoptions) {
- $useracls = array();
- $poolname = $frontend['backend_serverpool'] . "_" . strtolower($bind['type'])."_".$ipversion;
- if (!isset($a_pendingpl[$poolname])) {
- $a_pendingpl[$poolname] = array();
- $a_pendingpl[$poolname]['name'] = $poolname;
- $a_pendingpl[$poolname]['backend'] = $frontend['backend_serverpool'];
- $a_pendingpl[$poolname]['frontend'] = $bind;
- $a_pendingpl[$poolname]['ipversion'] = $ipversion;
- }
- $canbedefaultbackend = false;
- // Write this out once, and must be before any backend config text
- if (($default_backend == "" || $frontend['secondary'] != 'yes') && count($a_acl) == 0 ) {
- $canbedefaultbackend = true;
- if ($allowfordefaultbackend)
- $default_backend = $poolname;
+ $cert_acls = "";
+ $aclcrt_name = "";
+
+ // ACL's
+ foreach ($a_acl as $entry) {
+ $aclitem = $entry['ref'];
+ $expression = $aclitem['expression'];
+
+ $aclname = $aclitem['name'];
+ $acltype = haproxy_find_acl($expression);
+ if (!isset($acltype))
+ continue;
+
+ // Filter out acls for different modes
+ if ($acltype['mode'] != '' && $acltype['mode'] != strtolower($bind['type'])) {
+ continue;
+ }
+ if ($acltype['inspect-delay'] != '') {
+ $inspectdelay = $acltype['inspect-delay'];
+ }
+ if ($acltype['advancedoptions'] != '') {
+ $advancedextra[$acltype['syntax']] = $acltype['advancedoptions']."\n";
+ }
+ if ($acltype['require_client_cert']) {
+ $needs_clientcert[$aclname] = true;
+ }
+ if ($aclitem['certacl']) {
+ $aclname = "aclcrt_{$frontend['name']}";
+ $aclcrt_name = $aclname;
+ }
+
+ if (($expression == "source_ip") && is_alias($aclitem['value'])) {
+ $filename = "$configpath/ipalias_{$aclitem['value']}.lst";
+ $listitems = haproxy_hostoralias_to_list($aclitem['value']);
+ $fd_alias = fopen("$filename", "w");
+ foreach($listitems as $item) {
+ fwrite($fd_alias, $item."\r\n");
+ }
+ fclose($fd_alias);
+ $expr = "src -f $filename";
+ } else {
+ $expr = sprintf($acltype['syntax'], $aclitem['value']);
+ if (is_array($acltype['fields'])) {
+ foreach ($acltype['fields'] as $field) {
+ $fieldname = $field['name'];
+ $parameter = $aclitem[$expression . $fieldname];
+ if ($fieldname == "backend") {
+ $backendname = $parameter . "_" . strtolower($bind['type'])."_".$ipversion;
+ $parameter = $backendname;
+ }
+ $expr = str_replace("{{$fieldname}}", $parameter, $expr);
+ }
+ }
+ }
+ $config_acls ["\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"] = 1;
}
-
- foreach ($a_acl_combine as $a_usebackend) {
- $aclnames = "";
- foreach ($a_usebackend as $entry2) {
- $entry = $entry2['ref'];
- $acl = $entry2['acltype'];
-
- // Filter out acls for different modes
- if ($acl['mode'] != '' && $acl['mode'] != strtolower($bind['type']))
- continue;
- if (($entry['expression'] == "source_ip") && is_alias($entry['value'])) {
- $filename = "$configpath/ipalias_{$entry['value']}.lst";
- $listitems = haproxy_hostoralias_to_list($entry['value']);
- $fd_alias = fopen("$filename", "w");
- foreach($listitems as $item)
- fwrite($fd_alias, $item."\r\n");
- fclose($fd_alias);
- $expr = "src -f $filename";
- } else
- $expr = sprintf($acl['syntax'],$entry['value'],$poolname);
-
- $not = $entry['not'] == "yes" ? "!" : "";
-
- unset($aclkey);
- foreach($acllist as $aclid => $aclitem) {
- if ($aclitem['expr'] == $expr) {
- $aclkey = $aclid;
+
+ $systemacl = trim("{$aclcrt_name}{$ipversionoptions['acl']}");
+
+ foreach ($a_actionitems as $actionitem) {
+ $actionid = $actionitem['action'];
+ $action = $a_action[$actionid];
+
+ $action_cfg = $action['syntax'];
+
+ if (is_array($action['fields'])) {
+ foreach ($action['fields'] as $field) {
+ $fieldname = $field['name'];
+ $parameter = $actionitem[$actionid . $field['name']];
+
+ if ($fieldname == "backend") {
+ $backend = $parameter;
+ $backendname = $parameter . "_" . strtolower($bind['type'])."_".$ipversion;
+ if (!isset($a_pendingpl[$backendname])) {
+ $a_pendingpl[$backendname] = array();
+ $a_pendingpl[$backendname]['name'] = $backendname;
+ $a_pendingpl[$backendname]['backend'] = $backend;
+ $a_pendingpl[$backendname]['frontend'] = $bind;
+ $a_pendingpl[$backendname]['ipversion'] = $ipversion;
+ }
+ $parameter = $backendname;
+ }
+ $action_cfg = str_replace("{{$fieldname}}", $parameter, $action_cfg);
+ }
+ }
+ $condition = "";
+ if (!empty($actionitem['acl']) || !empty($systemacl)) {
+ $useclientcert = "";
+ $useracls = "";
+ $aclnames = explode(' ', $actionitem['acl']);
+ foreach($aclnames as $aclname) {
+ if ($needs_clientcert[$aclname]) {
+ $useclientcert = " aclsystem_ssl_c_used";
}
+ $not = "";
+ foreach ($a_acl as $entry) {
+ if ($entry['ref']['name'] == $aclname && $entry['ref']['not'] == 'yes') {
+ $not = "!";
+ }
+ }
+ $useracls .= " {$not}{$aclname}";
}
- if (isset($aclkey)) {
- $aclname = $acllist[$aclkey]['aclname'];
+ $condition = " if {$useracls}{$useclientcert} {$systemacl}";
+ }
+
+ $action = "\t{$action_cfg} {$condition}\n";
+
+ if ($actionid == "use_backend") {
+ if (empty($condition)) {
+ $config_usedefaultbackends .= "\tdefault_backend {$parameter}{$condition}\n";
} else {
- $aclkey = $acl_newid++;
- if ($entry['certacl']) {
- $aclname = "aclcrt_".$frontend['name'];
- $certacl = $aclname;
+ if (!empty($actionitem['acl'])){
+ $config_usebackends .= $action;
} else {
- $aclname = "aclusr_{$entry['expression']}";
- if (!isset($acl['novalue']))
- $aclname .= "_{$entry['value']}";
- $aclname = haproxy_escape_acl_name($aclname);
- $i++;
+ // add use_backend if ipv4/6 before default_backend if any exists..
+ $config_usedefaultbackends .= $action;
}
- $acllist[$aclkey]['aclname'] = $aclname;
- $acllist[$aclkey]['expr'] = $expr;
- $config_acls .= "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n";
}
- if (!isset($entry['certacl']))
- $useracls[$y] .= $not . $aclname . " ";
-
- if ($acl['inspect-delay'] != '')
- $inspectdelay = $acl['inspect-delay'];
-
- if ($acl['advancedoptions'] != '')
- $advancedextra[$acl['syntax']] = $acl['advancedoptions']."\n";
+ } else {
+ $config_actions .= $action;
}
- $y++;
- }
-
- $systemacl = trim("{$certacl}{$ipversionoptions['acl']}");
- if (!empty($systemacl) && count($useracls) == 0) $useracls[] = ""; // add empty item to enter foreach loop at least once when a system acl is pressent.
- foreach($useracls as $useracl) {
- $backendacl = "";
- $backendacl .= "|| {$useracl}{$systemacl}";
- $backendacl = substr($backendacl, 3);
- if ($canbedefaultbackend) {
- // makes sure these come last even though systemacl's might have been added.
- $config_usedefaultbackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
- } else
- $config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
}
}
}
- if ($inspectdelay > 0)
+ if ($inspectdelay > 0) {
fwrite ($fd, "\ttcp-request inspect-delay\t" . $inspectdelay . "s\n");
+ }
+ if (count($needs_clientcert) > 0) {
+ fwrite ($fd, "\tacl\t\t\taclsystem_ssl_c_used\tssl_c_used\n");
+ }
// Write acl's first, so they may be used by advanced text options written by user.
- fwrite ($fd, $config_acls);
+ foreach($config_acls as $acl => $dummy) {
+ fwrite ($fd, $acl);
+ }
- foreach($advancedextra as $extra)
+ foreach($advancedextra as $extra) {
fwrite ($fd, "\t".$extra."\n");
+ }
+ fwrite ($fd, $config_actions);
// Write backends after advanced options so custom use_backend rules can be applied first.
fwrite ($fd, $config_usebackends);
fwrite ($fd, $config_usedefaultbackends);
- if ($default_backend)
+ if ($default_backend) {
fwrite ($fd, "\tdefault_backend\t\t" . $default_backend . "\n");
+ }
fwrite ($fd, "\n");
}
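Review bot: In the new ACL loop, `$aclname = $aclitem['name']` and the `$expr` built by `sprintf()`/`str_replace()` are queued for the config file as-is, whereas the removed code passed its generated names through `haproxy_escape_acl_name()`. A name or value containing whitespace or a line break would split the `acl` line, and the condition builder further down splits `$actionitem['acl']` on spaces, so such a name could not be referenced reliably either. Whether the edit pages already reject these characters is not visible from this hunk; if they do not, check here with something like `if (preg_match('/[\r\n]/', $aclname . $expr))` and record an entry in `$input_errors` instead of writing the line. The name should also go through `haproxy_escape_acl_name()` in both the `acl` line and the condition. `haproxy_writeconf()` starts and ends outside this hunk.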
@@ -1477,21 +2016,20 @@ function haproxy_writeconf($configpath) {
// close config file
fclose($fd);
- if ($input_errors)
- {
+ if ($input_errors) {
require_once("guiconfig.inc");
print_input_errors($input_errors);
} else {
// Only sync to xmlrpc backup machine if no errors are found in config
- if(isset($config['installedpackages']['haproxy']['enablesync'])) {
+ if (isset($config['installedpackages']['haproxy']['enablesync'])) {
haproxy_do_xmlrpc_sync();
}
}
}
function haproxy_is_running() {
- $running = (shell_exec("/bin/pgrep -x haproxy") != '');
- return $running;
+ $running = (shell_exec("/bin/pgrep -x haproxy") != '');
+ return $running;
}
function haproxy_load_modules() {
@@ -1513,6 +2051,24 @@ function haproxy_load_modules() {
unmute_kernel_msgs();
}
+function frontend_usetransparentbackend($frontend) {
+ $backend = haproxy_find_backend($frontend['backend_serverpool']);
+ if ($backend["transparent_clientip"] == 'yes') {
+ return true;
+ }
+ if (is_array($frontend['a_actionitems']['item'])) {
+ foreach($frontend['a_actionitems']['item'] as $action) {
+ if ($action['action'] == "use_backend") {
+ $backend = haproxy_find_backend($action['use_backendbackend']);
+ if ($backend["transparent_clientip"] == 'yes') {
+ return true;
+ }
+ }
+ }
+ }
+ return false;
+}
+
function use_transparent_clientip_proxying() {
global $config;
$a_backends = &$config['installedpackages']['haproxy']['ha_pools']['item'];
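Review bot: `frontend_usetransparentbackend()` calls `haproxy_find_backend($frontend['backend_serverpool'])` unconditionally, although `haproxy_writeconf()` in this commit treats an empty `backend_serverpool` as a valid state (`if (!empty($frontend['backend_serverpool']))`). What `haproxy_find_backend()` returns for an empty or unknown name is not visible here, so the first lookup is better wrapped in `if (!empty($frontend['backend_serverpool'])) { ... }`. The function also has no doc comment; one line stating that it returns true when the default pool or any `use_backend` action targets a backend with `transparent_clientip` set to 'yes' would do. The `//todo: check also use_backend actions` left at the call site looks already covered by this function.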
@@ -1531,17 +2087,20 @@ function haproxy_get_transparent_backends(){
global $config;
$a_backends = &$config['installedpackages']['haproxy']['ha_pools']['item'];
$transparent_backends = array();
+ if (!is_array($a_backends)) {
+ return $transparent_backends;
+ }
foreach ($a_backends as $backend) {
- if ($backend["transparent_clientip"] != 'yes')
+ if ($backend["transparent_clientip"] != 'yes') {
continue;
+ }
$real_if = get_real_interface($backend["transparent_interface"]);
$a_servers = &$backend['ha_servers']['item'];
if (is_array($a_servers)) {
foreach($a_servers as $be) {
- if (!$be['status'] == "inactive")
- continue;
- if (!is_ipaddr($be['address']))
+ if (!$be['status'] == "inactive" || !is_ipaddr($be['address'])){
continue;
+ }
$item = array();
$item['name'] = $be['name'];
$item['interface'] = $real_if;
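Review bot: The merged condition `!$be['status'] == "inactive"` carries over an operator-precedence mistake: `!` binds tighter than `==`, so a boolean is compared with a non-empty string and the test is true only when `status` is empty. Servers marked inactive are therefore not skipped and appear to still be returned as transparent backends (the list `load_ipfw_rules()` builds its `fwd` rules from), while servers with no status are dropped. If the intent is to skip inactive servers, write `if ($be['status'] == "inactive" || !is_ipaddr($be['address'])) {`. The loop body continues outside this hunk.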
@@ -1618,9 +2177,9 @@ function load_ipfw_rules() {
$rulenum = 64000; // why that high? captiveportal.inc also does it...
$rules = "flush\n";
foreach($transparent_backends as $transparent_be) {
- if (is_ipaddrv4($transparent_be["address"]))
+ if (is_ipaddrv4($transparent_be["address"])) {
$rules .= "add $rulenum fwd localhost tcp from {$transparent_be["address"]} {$transparent_be["port"]} to any in recv {$transparent_be["interface"]}\n";
- else if (is_ipaddrv6($transparent_be["address"])) {
+ } elseif (is_ipaddrv6($transparent_be["address"])) {
list ($addr, $scope) = explode("%", $transparent_be['address']);
$rules .= "add $rulenum fwd ::1 tcp from {$addr} {$transparent_be["port"]} to any in recv {$transparent_be["interface"]}\n";
}
@@ -1715,7 +2274,7 @@ function haproxy_check_run($reload) {
}
}
- if(isset($a_global['enable'])) {
+ if (isset($a_global['enable'])) {
if (isset($a_global['carpdev'])) {
$status = haproxy_carpipismaster($a_global['carpdev']);
if (!$status) {
@@ -1726,18 +2285,18 @@ function haproxy_check_run($reload) {
}
unlock($haproxylock);
return (0);
- } else if (haproxy_is_running() && $reload == 0) {
+ } elseif (haproxy_is_running() && $reload == 0) {
unlock($haproxylock);
return (0);
}
log_error("Starting haproxy on CARP master.");
/* fallthrough */
- } else if ($reload == 0){
+ } elseif ($reload == 0) {
unlock($haproxylock);
return (0);
}
- if(use_transparent_clientip_proxying()) {
+ if (use_transparent_clientip_proxying()) {
filter_configure();
load_ipfw_rules();
} else {
@@ -1751,14 +2310,16 @@ function haproxy_check_run($reload) {
if (file_exists('/var/run/haproxy.pid')){
$old_pid = file_get_contents('/var/run/haproxy.pid');
- } else
+ } else {
$old_pid = 'none';
+ }
if (haproxy_is_running()) {
- if (isset($a_global['terminate_on_reload']))
+ if (isset($a_global['terminate_on_reload'])) {
$sf_st = "-st";//terminate old process as soon as the new process is listening
- else
+ } else {
$sf_st = "-sf";//finish serving existing connections exit when done, and the new process is listening
+ }
syslog(LOG_NOTICE, "haproxy: reload old pid:$old_pid");
exec("/usr/local/sbin/haproxy -f {$configpath}/haproxy.cfg -p /var/run/haproxy.pid $sf_st `cat /var/run/haproxy.pid` 2>&1", $output, $errcode);
@@ -1768,12 +2329,20 @@ function haproxy_check_run($reload) {
}
if (file_exists('/var/run/haproxy.pid')){
$new_pid = file_get_contents('/var/run/haproxy.pid');
- } else
+ } else {
$new_pid = 'none';
+ }
syslog(LOG_NOTICE, "haproxy: started new pid:$new_pid");
- foreach($output as $line)
+ $syslogmessage = "";
+ foreach($output as $line) {
$haproxy_run_message .= "<br/>" . htmlspecialchars($line) . "\n";
+ $syslogmessage .= str_replace("\n"," ",$line);
+ }
+ if (!empty($syslogmessage)) {
+ syslog(LOG_NOTICE, "haproxy: startup error output!: {$syslogmessage}");
+ }
+
} else {
if ($reload && haproxy_is_running()) {
//exec("/bin/pkill -F /var/run/haproxy.pid haproxy");//doesnt work for multiple pid's in a pidfile
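Review bot: The added `str_replace("\n"," ",$line)` does not separate the collected lines. If `$output` is the array filled by `exec()` as in the reload branch, each element is already one line without its trailing newline, so the replace is a no-op and the lines end up concatenated back to back in the syslog entry. Build the message with an explicit separator after the loop instead, `$syslogmessage = implode(" ", $output);`. The entry is also labelled `startup error output!` for any output at all; the exit status of the start command is outside this hunk, so consider including it in the message so that warnings and failures can be told apart in the log.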
@@ -1786,10 +2355,11 @@ function haproxy_check_run($reload) {
}
function haproxy_kill($killimmediately = true) {
- if ($killimmediately)
+ if ($killimmediately) {
$signal = "KILL"; // stop now
- else
+ } else {
$signal = "USR1"; // stop when all connections are closed
+ }
killprocesses("haproxy", "/var/run/haproxy.pid", $signal);
}
@@ -1838,7 +2408,7 @@ function haproxy_xmlrpc_sync_configure() {
haproxy_configure(); // Configure HAProxy config files to use the new configuration.
// sync 2nd and further nodes in the chain if applicable.
- if(isset($config['installedpackages']['haproxy']['enablesync'])) {
+ if (isset($config['installedpackages']['haproxy']['enablesync'])) {
haproxy_do_xmlrpc_sync();
}
}
@@ -1857,34 +2427,38 @@ function get_frontend_id($name) {
}
function haproxy_is_frontendname($name) {
- if ($name[0] == '!')
+ if ($name[0] == '!') {
$name = substr($name, 1);
+ }
return get_frontend_id($name) != null;
}
function get_primaryfrontend($frontend) {
global $config;
$a_frontend = &$config['installedpackages']['haproxy']['ha_backends']['item'];
- if ($frontend['secondary'] == 'yes')
+ if ($frontend['secondary'] == 'yes') {
$mainfrontend = $a_frontend[get_frontend_id($frontend['primary_frontend'])];
- else
+ } else {
$mainfrontend = $frontend;
+ }
return $mainfrontend;
}
function get_frontend_ipport($frontend, $userfriendly=false) {
$mainfrontend = get_primaryfrontend($frontend);
$result = array();
- if (!is_arrayset($mainfrontend,"a_extaddr","item"))
+ if (!is_arrayset($mainfrontend,"a_extaddr","item")) {
return $result;
+ }
foreach($mainfrontend['a_extaddr']['item'] as $extaddr) {
if ($extaddr['extaddr'] == 'custom'){
$addr = $extaddr['extaddr_custom'];
} else {
$addr = haproxy_interface_ip($extaddr['extaddr'], $userfriendly);
}
- if ($userfriendly and is_ipaddrv6($addr))
+ if ($userfriendly and is_ipaddrv6($addr)) {
$addr = "[{$addr}]";
+ }
$port = $extaddr['extaddr_port'];
$newitem = array();
@@ -1910,10 +2484,11 @@ function get_frontend_bindips($frontend) {
$iporalias = $extaddr['extaddr_custom'];
$a_ip = haproxy_addressoralias_to_list($iporalias);
}
- if ($extaddr['extaddr_ssl'] == 'yes')
+ if ($extaddr['extaddr_ssl'] == 'yes') {
$ssl = $ssl_info;
- else
+ } else {
$ssl = "";
+ }
foreach($a_ip as $ip) {
$portsnumeric = group_ports(haproxy_portoralias_to_list($extaddr['extaddr_port']));
@@ -1940,46 +2515,66 @@ function haproxy_check_config() {
$activefrontends = array();
$issues = array();
- foreach($a_backends as $frontend) {
- if (($frontend['status'] != 'active') || ($frontend['secondary'] == 'yes'))
+ foreach ($a_backends as $frontend) {
+ if (($frontend['status'] != 'active') || ($frontend['secondary'] == 'yes')) {
continue;
+ }
$ipports = get_frontend_ipport($frontend);
foreach($ipports as $ipport) {
$id = "{$ipport['addr']}:{$ipport['port']}";
- if (isset($activefrontends[$id]))
- $issues['P_'.$id] = "Multiple primary frontends with IP:Port \"$id\", use Shared-Frontends instead.";
- else
- $activefrontends[$id] = true;
+ if (isset($activefrontends[$id])) {
+ $activefrontends[$id] = $activefrontends[$id].", ".$frontend['name'];
+ $issues['P_'.$id] = "Multiple primary frontends ({$activefrontends[$id]}) with IP:Port \"$id\", use Shared-Frontends instead.";
+ } else {
+ $activefrontends[$id] = $frontend['name'];
+ }
}
}
- foreach($a_backends as $frontend) {
- if (($frontend['status'] != 'active') || ($frontend['secondary'] != 'yes'))
+ foreach ($a_backends as $frontend) {
+ if (($frontend['status'] != 'active') || ($frontend['secondary'] != 'yes')) {
continue;
+ }
$mainfrontend = get_primaryfrontend($frontend);
- if (!isset($mainfrontend))
+ if (!isset($mainfrontend)) {
$issues['S_'.$frontend['name']] = "Secondary frontend \"{$frontend['name']}\" without active primary frontend.";
+ }
}
- foreach ($issues as $item)
+ foreach ($issues as $item) {
$result .= ($result == false ? "" : "<br/>") . $item;
+ }
return $result;
}
-function get_haproxy_frontends($excludeitem="") {
+function get_haproxy_backends() {
+ global $config;
+ $a_backend = &$config['installedpackages']['haproxy']['ha_pools']['item'];
+ $result = array();
+ if (!is_array($a_backend)) {
+ return $result;
+ }
+ foreach ($a_backend as &$backend) {
+ $result[$backend['name']]['name'] = "{$backend['name']}";
+ $result[$backend['name']]['ref'] = &$backend;
+ }
+ uasort($result, haproxy_compareByName);
+ return $result;
+}
+
+function get_haproxy_frontends($excludeitem = "") {
global $config;
$a_frontend = &$config['installedpackages']['haproxy']['ha_backends']['item'];
$result = array();
- if(!is_array($a_frontend))
+ if (!is_array($a_frontend)) {
return $result;
- foreach($a_frontend as &$frontend)
- {
- if ($frontend['secondary'])
- continue;
- if ($frontend['name'] == $excludeitem)
+ }
+ foreach ($a_frontend as &$frontend) {
+ if ($frontend['secondary'] || $frontend['name'] == $excludeitem) {
continue;
+ }
$serveraddress = get_frontend_ipport($frontend, true);
$serveradresstext = null;
- foreach($serveraddress as $addr) {
+ foreach ($serveraddress as $addr) {
$serveradresstext .=($serveradresstext == null ? "" : ", ") . "{$addr['addr']}:{$addr['port']}";
}
$result[$frontend['name']]['name'] = "{$frontend['name']} - {$frontend['type']} ({$serveradresstext})";
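Review bot: In the new `get_haproxy_backends()`, `uasort($result, haproxy_compareByName);` passes the comparator as a bare word instead of a string. Unless a constant of that name is defined, PHP resolves it as an undefined constant, which falls back to the string with a notice on older versions and is an error on PHP 8; use `uasort($result, 'haproxy_compareByName');`. Separately, `haproxy_check_config()` now interpolates frontend names into issue texts that are joined with `<br/>`; where the result is printed is not visible, but if it is emitted as HTML the names should pass through `htmlspecialchars()`. `get_haproxy_frontends()` continues outside this hunk.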
@@ -2009,30 +2604,44 @@ function get_frontend_uses_ssl_only($frontend) {
$mainfrontend = get_primaryfrontend($frontend);
if (is_arrayset($mainfrontend,'a_extaddr','item')) {
foreach($mainfrontend['a_extaddr']['item'] as $extaddr) {
- if ($extaddr['extaddr_ssl'] != 'yes')
+ if ($extaddr['extaddr_ssl'] != 'yes') {
return false;
+ }
}
}
return true;
}
-function haproxy_get_cert_acl($cert) {
- $acl_item = array();
+function haproxy_get_cert_acls($cert, $usealternativenames = false) {
+ $result = array();
- $cert_cn = cert_get_cn($cert['crt']);
+ if (!$usealternativenames) {
+ $cert_cns = array();
+ $cert_cns[] = cert_get_cn($cert['crt']);
+ } else {
+ $cert_cns = haproxy_get_certificate_subjectAltNames($cert['crt']);
+ }
$descr = haproxy_escape_acl_name($cert['descr']);
unset($cert);
- $is_wildcard = substr($cert_cn, 0, 2) == "*.";
- $cert_cn_regex = str_replace(".", "\.", $cert_cn); // escape '.' in regex.
- $wild_regex = "";
- if ($is_wildcard) {
- $cert_cn_regex = "([^\.]*)" . substr($cert_cn_regex, 1);// match only subdomains directly under the wildcard
+ //$i = 1;
+ foreach ($cert_cns as $cert_cn) {
+ $acl_item = array();
+ $is_wildcard = substr($cert_cn, 0, 2) == "*.";
+ $cert_cn_regex = str_replace(".", "\.", $cert_cn); // escape '.' in regex.
+ $wild_regex = "";
+ if ($is_wildcard) {
+ $cert_cn_regex = "([^\.]*)" . substr($cert_cn_regex, 1);// match only subdomains directly under the wildcard
+ }
+ $cert_cn_regex = "^{$cert_cn_regex}(:([0-9]){1,5})?$";// match both with and without port.
+
+ $acl_item['descr'] = "Certificate ACL matches: {$cert_cn}";
+ //$aclname_add = $usealternativenames ? "_{$i}" : "";
+ $acl_item['ref'] = array('name' => "{$aclname}_{$descr}{$aclname_add}",'expression' => 'host_regex', 'value' => $cert_cn_regex, 'certacl' => true);
+
+ //$i++;
+ $result[] = $acl_item;
}
- $cert_cn_regex = "^{$cert_cn_regex}(:([0-9]){1,5})?$";// match both with and without port.
-
- $acl_item['descr'] = "Certificate ACL matches: {$cert_cn}";
- $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_regex', 'value' => $cert_cn_regex, 'certacl' => true);
- return $acl_item;
+ return $result;
}
function get_frontend_acls($frontend) {
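Review bot: `haproxy_get_cert_acls()` turns each certificate name into a `host_regex` value by escaping only `.`, and with `$usealternativenames` it now does so for every subjectAltName entry. Any other regex metacharacter or whitespace in a name would change the pattern or the resulting `acl` line, and what `haproxy_get_certificate_subjectAltNames()` returns (DNS names only, or other entry types too) is not visible here. Skip names that are not plain host names at the top of the loop, e.g. `if (!preg_match('/^(\*\.)?[A-Za-z0-9.-]+$/', $cert_cn)) { continue; }`. Also, `$aclname` and `$aclname_add` are never assigned in the visible body, so the generated ACL name always starts with `_`; either drop them from the `name` string or set them explicitly.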
@@ -2043,12 +2652,14 @@ function get_frontend_acls($frontend) {
{
foreach ($a_acl as $entry) {
$acl = haproxy_find_acl($entry['expression']);
- if (!$acl)
+ if (!$acl) {
continue;
+ }
// Filter out acls for different modes
- if ($acl['mode'] != '' && $acl['mode'] != strtolower($mainfrontend['type']))
+ if ($acl['mode'] != '' && $acl['mode'] != strtolower($mainfrontend['type'])) {
continue;
+ }
$not = $entry['not'] == "yes" ? "not: " : "";
$acl_item = array();
$acl_item['descr'] = $acl['name'] . " " . (isset($acl['novalue']) ? "" : $not . $entry['value']);
@@ -2060,22 +2671,36 @@ function get_frontend_acls($frontend) {
if (get_frontend_uses_ssl($frontend)) {
$a_acl = &$frontend['ha_acls']['item'];
- if(!is_array($a_acl))
- $a_acl=array();
+ if (!is_array($a_acl)) {
+ $a_acl = array();
+ }
- $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']);
- $aclname = "SNI_" . $poolname;
+ //$poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']);
+ //$aclname = "SNI_" . $poolname;
- if (ifset($frontend['ssloffloadacl']) == 'yes' || ifset($frontend['ssloffloadaclnondefault']) == 'yes') {
+ if (ifset($frontend['ssloffloadacl']) == 'yes') {
+ $cert = lookup_cert($frontend['ssloffloadcert']);
+ $result = array_merge($result, haproxy_get_cert_acls($cert));
+ }
+ if (ifset($frontend['ssloffloadacl_an']) == 'yes') {
$cert = lookup_cert($frontend['ssloffloadcert']);
- $result[] = haproxy_get_cert_acl($cert);
+ $result = array_merge($result, haproxy_get_cert_acls($cert, true));
}
if (ifset($frontend['ssloffloadacladditional']) == 'yes') {
$certs = $frontend['ha_certificates']['item'];
- if (is_array($certs)){
- foreach($certs as $certref){
+ if (is_array($certs)) {
+ foreach ($certs as $certref) {
+ $cert = lookup_cert($certref['ssl_certificate']);
+ $result = array_merge($result, haproxy_get_cert_acls($cert));
+ }
+ }
+ }
+ if (ifset($frontend['ssloffloadacladditional_an']) == 'yes') {
+ $certs = $frontend['ha_certificates']['item'];
+ if (is_array($certs)) {
+ foreach ($certs as $certref) {
$cert = lookup_cert($certref['ssl_certificate']);
- $result[] = haproxy_get_cert_acl($cert);
+ $result = array_merge($result, haproxy_get_cert_acls($cert, true));
}
}
}
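Review bot: All four call sites pass the result of `lookup_cert()` straight into `haproxy_get_cert_acls()` without checking that a certificate was found. What `lookup_cert()` returns for a stale reference is not visible here, but if a frontend still points at a deleted certificate the helper would presumably build its `host_regex` from an empty name, giving an ACL that does not correspond to any certificate. Guard each call, `if (is_array($cert)) { $result = array_merge($result, haproxy_get_cert_acls($cert)); }`. The four blocks differ only in the certificate source and the second argument, so one small helper would keep them from drifting apart. `get_frontend_acls()` starts outside this hunk.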
@@ -2083,16 +2708,44 @@ function get_frontend_acls($frontend) {
return $result;
}
+function get_backend_acls($backend, $type) {
+ $result = array();
+ $a_acl = &$backend['a_acl']['item'];
+ if (is_array($a_acl))
+ {
+ foreach ($a_acl as $entry) {
+ $acl = haproxy_find_acl($entry['expression']);
+ if (!$acl) {
+ continue;
+ }
+
+ // Filter out acls for different modes
+ if ($acl['mode'] != '' && $acl['mode'] != $type) {
+ continue;
+ }
+ $not = $entry['not'] == "yes" ? "not: " : "";
+ $acl_item = array();
+ $acl_item['descr'] = $acl['name'] . " " . (isset($acl['novalue']) ? "" : $not . $entry['value']);
+ $acl_item['ref'] = $entry;
+
+ $result[] = $acl_item;
+ }
+ }
+ return $result;
+}
+
function get_backend_id($name) {
global $config;
$a_backend = &$config['installedpackages']['haproxy']['ha_pools']['item'];
$i = 0;
- if(is_array($a_backend))
- foreach($a_backend as $key => $backend) {
- if ($backend['name'] == $name)
+ if (is_array($a_backend)) {
+ foreach ($a_backend as $key => $backend) {
+ if ($backend['name'] == $name) {
return $i;
+ }
$i++;
}
+ }
return null;
}
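Review bot: `get_backend_acls()` compares `$acl['mode']` with `$type` exactly as passed, whereas the frontend variant it mirrors compares against `strtolower($mainfrontend['type'])`. If a caller passes the configured type in a case other than lowercase, every mode-specific ACL would be filtered out; normalise inside the function with `$acl['mode'] != strtolower($type)`. The loop is otherwise the same as the one in `get_frontend_acls()`, so a shared helper taking the ACL list and the mode would avoid keeping two copies. A short doc comment stating that `$type` is the haproxy mode and that the result is a list of `descr`/`ref` pairs would help callers.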
@@ -2100,8 +2753,9 @@ function get_backend($name) {
global $config;
$a_backend = &$config['installedpackages']['haproxy']['ha_pools']['item'];
$id = get_backend_id($name);
- if (is_numeric($id))
+ if (is_numeric($id)) {
return $a_backend[$id];
+ }
return null;
}
@@ -2112,8 +2766,9 @@ function use_frontend_as_unixsocket($name) {
$a_servers = &$backend['ha_servers']['item'];
if (is_array($a_servers)) {
foreach($a_servers as $server) {
- if ($server['forwardto'] && $server['forwardto'] == $name)
+ if ($server['forwardto'] && $server['forwardto'] == $name) {
return true;
+ }
}
}
}
@@ -2133,8 +2788,9 @@ function haproxy_escape_acl_name($aclname) {
function haproxy_find_create_certificate($certificatename) {
global $g;
$cert = lookup_cert_by_name($certificatename);
- if (is_array($cert))
+ if (is_array($cert)) {
return $cert;
+ }
global $config;
$a_cert =& $config['cert'];
$cert = array();
diff --git a/config/haproxy-devel/pkg/haproxy_htmllist.inc b/config/haproxy-devel/pkg/haproxy_htmllist.inc
index 394f3ff6..7eaad023 100644
--- a/config/haproxy-devel/pkg/haproxy_htmllist.inc
+++ b/config/haproxy-devel/pkg/haproxy_htmllist.inc
@@ -48,100 +48,129 @@ class HaproxyHtmlList
public $fields_details = null;
public $keyfield = "";
- public function HaproxyHtmlList($tablename, $fields){
+ public function HaproxyHtmlList($tablename, $fields) {
$this->tablename = $tablename;
$this->fields = $fields;
}
- public function Draw($data){
+ public function Draw($data) {
$this->haproxy_htmllist($data, $this->fields, $this->editmode, $this->fields_details);
}
- function haproxy_htmllist_get_values(){
+ public function outputjavascript() {
+ $table_def = array();
+ $table_def['keyfield'] = $this->keyfield;
+ phparray_to_javascriptarray($table_def, "tabledefinition_".$this->tablename,Array('/*','/*/*'));
+ phparray_to_javascriptarray($this->fields, "fields_".$this->tablename,Array('/*','/*/name','/*/type','/*/text','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
+ if (count($this->fields_details) != 0) {
+ phparray_to_javascriptarray($this->fields_details,"fields_details_".$this->tablename,Array('/*','/*/name','/*/columnheader','/*/description','/*/type','/*/text','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name','/*/items/*/*/name'));
+ }
+ }
+
+ // function retrieves all posted values and returns an array
+ public function haproxy_htmllist_get_values() {
$values = array();
- for($x=0; $x<99; $x++) {
+ for($x = 0; $x < 99; $x ++) {
$value = array();
$add_item = false;
- foreach($this->fields as $item){
+ if (is_array($this->fields_details)) {
+ $fields = array_merge($this->fields, $this->fields_details);
+ } else {
+ $fields = $this->fields;
+ }
+ foreach($fields as $item) {
$itemname = $item['name'];
- $value[$itemname] = $_POST[$itemname.$x];
- if ($item['type'] == 'textarea')
+ $value[$itemname] = $_POST[$this->tablename.$itemname.$x];
+ if ($item['type'] == 'textarea') {
$value[$itemname] = base64_encode($value[$itemname]);
- $add_item |= isset($_POST[$itemname.$x]);
+ }
+ $add_item |= isset($_POST[$this->tablename.$itemname.$x]);
}
if ($add_item) {
if ($this->keyfield != "") {
- if (isset($_POST[$this->tablename."_key".$x]))
+ if (isset($_POST[$this->tablename."_key".$x])) {
$key = $_POST[$this->tablename."_key".$x];
- else
- $key = $_POST[$this->keyfield.$x];
-
- } else
+ } else {
+ $key = $_POST[$this->tablename.$this->keyfield.$x];
+ }
+ } else {
$key = "";
-
- if (isset($values[$key]))
+ }
+ $index = $_POST[$this->tablename."_rowindex".$x];
+ $value['_index'] = $index;
+ if (isset($values[$key])) {
$values[] = $value;
- else
+ } else {
$values[$key] = $value;
+ }
}
}
+ usort($values, 'sort_index');
+
return $values;
}
-
- private function haproxy_htmllist_drawcell($item, $itemvalue, $editable, $itemname, $counter) {
- $itemnamenr = $itemname . $counter;
+
+ function haproxy_htmllist_drawcell($item, $itemvalue, $editable, $itemname, $counter) {
+ $itemnamenr = $this->tablename . $itemname . $counter;
$itemtype = $item['type'];
if ($editable) {
$itemtype = $item['type'];
- if ($itemtype == "select"){
- echo_html_select($itemnamenr, $item['items'], $itemvalue,"","html_listitem_change(\"{$this->tablename}\",\"{$itemname}\",\"{$counter}\",this);", "width:{$item['size']}");
- } else
- if ($itemtype == "checkbox"){
+ if ($itemtype == "select") {
+ echo_html_select($itemnamenr, $item['items'], $itemvalue,"-none available-","html_listitem_change(\"{$this->tablename}\",\"{$itemname}\",\"{$counter}\",this);", "width:{$item['size']}");
+ } elseif ($itemtype == "checkbox") {
$checked = $itemvalue=='yes' ? " checked" : "";
echo "<input onclick='html_listitem_change(\"{$this->tablename}\",\"{$itemname}\",\"{$counter}\",this);' name='$itemnamenr' id='$itemnamenr' type='checkbox'$checked value='yes' size='{$item['size']}' />";
- } else
- if ($itemtype == "textarea"){
+ } elseif ($itemtype == "textarea") {
echo "<textarea name='$itemnamenr' id='$itemnamenr' type='text' cols='{$item['size']}' rows='10'>";
echo htmlspecialchars(base64_decode($itemvalue));
echo "</textarea>";
- } else
+ } elseif ($itemtype == "fixedtext") {
+ echo $item['text'];
+ } else {
echo "<input name='$itemnamenr' id='$itemnamenr' type='text' value='{$itemvalue}' size='{$item['size']}' />";
+ }
} else {
- if ($itemtype == "select"){
+ if ($itemtype == "select") {
echo $item['items'][$itemvalue]['name'];
- } else
- if ($itemtype == "checkbox"){
+ } elseif ($itemtype == "checkbox") {
echo $itemvalue=='yes' ? gettext('yes') : gettext('no');
- } else
- if ($itemtype == "textarea"){
- echo '<div style="overlow:scroll;max-height:120px;overflow-y: scroll;">';
- echo str_replace("\n","<br/>", htmlspecialchars(base64_decode($itemvalue)));
+ } elseif ($itemtype == "textarea") {
+ echo "<div style='overlow:scroll;max-height:120px;max-width:{$item['colwidth']};overflow-y: scroll;'>";
+ echo str_replace(" ","&nbsp;", str_replace("\n","<br/>", htmlspecialchars(base64_decode($itemvalue))));
echo '</div>';
- } else
+ } elseif ($itemtype == "fixedtext") {
+ echo $item['text'];
+ } else {
echo htmlspecialchars($itemvalue);
+ }
}
}
function haproxy_htmllist($rowvalues,$items,$editstate=false,$itemdetails=null){
$tablename = $this->tablename;
global $g, $counter;
- echo "<table class='' width='100%' cellpadding='0' cellspacing='0' id='$tablename'>
+ echo "<table class='' width='100%' cellpadding='0' cellspacing='0' id='{$tablename}'>
+ <thead>
<tr>";
foreach($items as $item){
echo "<td width='{$item['colwidth']}' class='listhdrr'>{$item['columnheader']}</td>";
}
echo "<td width='5%' class=''></td>
- </tr>";
- if (is_array($rowvalues)){
- foreach($rowvalues as $keyid => $value){
- if ($this->keyfield != "") {
- if (preg_match("/[^0-9]/", $keyid))
+ </tr>
+ </thead>
+ <tbody>";
+ if (is_array($rowvalues)) {
+ foreach($rowvalues as $keyid => $value) {
+ if (!empty($this->keyfield)) {
+ if (preg_match("/[^0-9]/", $keyid)) {
$itemvalue = $keyid;
- else
+ } else {
$itemvalue = $value[$this->keyfield];
+ }
$key = "<input name='{$tablename}_key{$counter}' id='{$tablename}_key{$counter}' type='hidden' value='{$itemvalue}'>";
- } else
+ } else {
$key = "";
+ }
if (!$editstate) {
echo "<tr id='tr_view_$counter' ondblclick='editRow($counter); return false;' >";
@@ -152,26 +181,36 @@ class HaproxyHtmlList
$itemname = $item['name'];
$itemvalue = $value[$itemname];
if (isset($item['customdrawcell'])) {
- $item['customdrawcell']($item, $itemvalue, false);
- } else
+ $item['customdrawcell']($this, $item, $itemvalue, false, $itemname, $counter);
+ } else {
$this->haproxy_htmllist_drawcell($item, $itemvalue, false, $itemname, $counter);
+ }
echo "</td>";
$leftitem = false;
}
echo "
- <td class='list'>
- <table border='0' cellspacing='0' cellpadding='1'><tr>
- <td valign='middle'>
- <img src='/themes/{$g['theme']}/images/icons/icon_e.gif' title='edit entry' width='17' height='17' border='0' onclick='editRow($counter); return false;' />
- </td>
- <td valign='middle'>
- <img src='/themes/{$g['theme']}/images/icons/icon_x.gif' title='delete entry' width='17' height='17' border='0' onclick='deleteRow($counter, \"$tablename\"); return false;' />
- </td>
- <td valign='middle'>
- <img src='/themes/{$g['theme']}/images/icons/icon_plus.gif' title='duplicate entry' width='17' height='17' border='0' onclick='dupRow($counter, \"$tablename\"); return false;' />
- </td></tr></table>
- </td>";
+ <td class='list'>
+ <table border='0' cellspacing='0' cellpadding='1'><tr>
+ <td valign='middle'>
+ <img src='/themes/{$g['theme']}/images/icons/icon_e.gif' title='edit entry' width='17' height='17' border='0' onclick='editRow({$counter}); return false;' />
+ </td>
+ <td valign='middle'>
+ <img src='/themes/{$g['theme']}/images/icons/icon_x.gif' title='delete entry' width='17' height='17' border='0' onclick='deleteRow({$counter}, \"{$tablename}\"); return false;' />
+ </td>
+ <td valign='middle'>
+ <img src='/themes/{$g['theme']}/images/icons/icon_plus.gif' title='duplicate entry' width='17' height='17' border='0' onclick='dupRow({$counter}, \"{$tablename}\"); return false;' />
+ </td>";
+ if (empty($this->noindex)) {
+ echo "<td valign='middle'>
+ <img src='/themes/{$g['theme']}/images/icons/icon_up.gif' title='move row up' width='17' height='17' border='0' onclick='moveRowUp({$counter}, \"{$tablename}\"); return false;' />
+ </td>
+ <td valign='middle'>
+ <img src='/themes/{$g['theme']}/images/icons/icon_down.gif' title='move row down' width='17' height='17' border='0' onclick='moveRowDown({$counter}, \"{$tablename}\"); return false;' />
+ </td>";
+ }
+ echo "</tr></table>
+ </td>";
echo "</tr>";
}
$displaystyle = $editstate ? "" : "display: none;";
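Review bot: The `customdrawcell` callback contract changes here without being documented: the call is now `$item['customdrawcell']($this, $item, $itemvalue, false, $itemname, $counter)`, with the list object inserted as the first argument. A callback still written for the old argument order would receive the list object where it expects `$item`. I would add a comment above the call such as `// customdrawcell($list, $item, $itemvalue, $editmode, $itemname, $counter)`. The same call is changed in the hunks starting at old lines 181 and 215, and the enclosing method starts and ends outside this hunk.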
@@ -181,9 +220,10 @@ class HaproxyHtmlList
$itemvalue = $value[$itemname];
echo "<td class='vtable'>".$key;
if (isset($item['customdrawcell'])) {
- $item['customdrawcell']($item, $itemvalue, true, $item['name'].$counter);
- } else
+ $item['customdrawcell']($this, $item, $itemvalue, true, $itemname, $counter);
+ } else {
$this->haproxy_htmllist_drawcell($item, $itemvalue, true, $itemname, $counter);
+ }
echo "</td>";
$key = "";
}
@@ -191,11 +231,21 @@ class HaproxyHtmlList
<td class='list'>
<table border='0' cellspacing='0' cellpadding='1'><tr>
<td valign='middle'>
- <img src='/themes/{$g['theme']}/images/icons/icon_x.gif' title='delete entry' width='17' height='17' border='0' onclick='removeRow(this); return false;' />
+ <input name='{$tablename}_rowindex{$counter}' id='{$tablename}_rowindex{$counter}' type='hidden' value='{$counter}' />
+ <img src='/themes/{$g['theme']}/images/icons/icon_x.gif' title='delete entry' width='17' height='17' border='0' onclick='deleteRow({$counter}, \"{$tablename}\"); return false;' />
</td>
<td valign='middle'>
- <img src='/themes/{$g['theme']}/images/icons/icon_plus.gif' title='duplicate entry' width='17' height='17' border='0' onclick='dupRow($counter, \"$tablename\"); return false;' />
- </td></tr></table>
+ <img src='/themes/{$g['theme']}/images/icons/icon_plus.gif' title='duplicate entry' width='17' height='17' border='0' onclick='dupRow({$counter}, \"{$tablename}\"); return false;' />
+ </td>";
+ if (empty($this->noindex)) {
+ echo "<td valign='middle'>
+ <img src='/themes/{$g['theme']}/images/icons/icon_up.gif' title='move row up' width='17' height='17' border='0' onclick='moveRowUp({$counter}, \"{$tablename}\"); return false;' />
+ </td>
+ <td valign='middle'>
+ <img src='/themes/{$g['theme']}/images/icons/icon_down.gif' title='move row down' width='17' height='17' border='0' onclick='moveRowDown({$counter}, \"{$tablename}\"); return false;' />
+ </td>";
+ }
+ echo "</tr></table>
</td>";
echo "</tr>";
if (isset($itemdetails)) {
@@ -204,7 +254,7 @@ class HaproxyHtmlList
?>
<td class='vtable listlr' style='border-bottom-width: medium;vertical-align:top;'>
<div style="position:relative;float:right;width:11px;height:11px;">
- <a onclick="htmltable_toggle_details('<?="htmltable_{$tablename}_{$counter}_details"?>')">
+ <a onclick="htmltable_toggle_details('<?=$tablename?>','<?=$counter?>','<?="htmltable_{$tablename}_{$counter}_details"?>')">
<img id="htmltable_<?="{$tablename}_{$counter}"?>_details_off" alt="Expand advanced server settings"
src="tree/plus.gif" style="clip:rect(19px 13px 30px 2px); top:-19px;position:absolute;"/>
</a>
@@ -215,80 +265,92 @@ class HaproxyHtmlList
$itemnr = 0;
echo "<div id='htmltable_{$tablename}_{$counter}_details_view'>";
$itemcount = count($itemdetails);
+ $leftitem = true;
foreach($itemdetails as $item) {
- echo "<div style='float: left;padding-right: 2px;'>";
- $tdclass = "";//$leftitem ? "vtable listlr" : "vtable listr";
- echo $item['columnheader'] . ": ";
$itemname = $item['name'];
$itemvalue = $value[$itemname];
+ //TODO don't filter empty items, filter context un-related items through customizable function..
+ if (empty($itemvalue)) {
+ continue;
+ }
+ echo "<div style='float: left;padding-right: 2px;'>";
+ $tdclass = "";
+ if (!$leftitem) {
+ echo ", ";
+ }
+ $leftitem = false;
+ echo $item['columnheader'] . ": ";
if (isset($item['customdrawcell'])) {
- $item['customdrawcell']($item, $itemvalue, false);
- } else
+ $item['customdrawcell']($this, $item, $itemvalue, false, $itemname, $counter);
+ } else {
$this->haproxy_htmllist_drawcell($item, $itemvalue, false, $itemname, $counter);
- $leftitem = false;
+ }
$itemnr++;
- if ($itemcount != $itemnr)
- echo ", ";
echo "</div>";
}
echo "</div>";
echo "<div id='htmltable_{$tablename}_{$counter}_details_edit' style='display:none;'>";
echo "<table class='tabcont' style='border-collapse:collapse' border='1' cellspacing='0' >";
- $leftitem = true;
foreach($itemdetails as $item) {
- echo "<tr id='tr_edititemdetails_$counter' ondblclick='editRow($counter); return false;'>";
- $tdclass = "";//$leftitem ? "vtable listlr" : "vtable listr";
- echo "<td style='border-right:0' class='$tdclass'>";
+ $itemname = $item['name'];
+ echo "<tr id='tr_edititemdetails_{$counter}_{$itemname}'>";
+ echo "<td style='border-right:0'>";
echo "{$item['columnheader']}: ";
echo "</td>";
- echo "<td style='border-left:0' class='$tdclass'>";
- $itemname = $item['name'];
+ echo "<td style='border-left:0'>";
$itemvalue = $value[$itemname];
- echo "{$item['description']}<br/>";
+
+ if (!empty($item['description'])) {
+ echo "{$item['description']}<br/>";
+ }
if (isset($item['customdrawcell'])) {
- $item['customdrawcell']($item, $itemvalue, true, $itemname . $counter);
- } else
+ $item['customdrawcell']($this, $item, $itemvalue, true, $itemname, $counter);
+ } else {
$this->haproxy_htmllist_drawcell($item, $itemvalue, true, $itemname, $counter);
+ }
echo "</td>";
- $leftitem = false;
- echo "</tr>";
+ echo "</tr>";
}
echo "</table>";
echo "</div>";
echo "</td>";
echo "</tr>";
}
- if (isset($itemdetails)) {
- $colspan = count($items)-1;
- echo "<tr id='htmltable_{$tablename}_{$counter}_details' style='$displaystyle' >";
- echo "<td class='vtable listlr' style='border-bottom-width: medium;'> </td>";
- echo "<td class='vtable listr' colspan='$colspan' style='border-bottom-width: medium;'>";
- echo "</td>";
- echo "</tr>";
- }
-
$counter++;
}
}
- echo "</table>
- <a onclick='javascript:addRowTo(\"$tablename\"); return false;' href='#'>
+ echo "</tbody>
+ </table>
+ <a onclick='javascript:addRowTo(\"{$tablename}\"); return false;' href='#'>
<img border='0' src='/themes/{$g['theme']}/images/icons/icon_plus.gif' alt='' title='add another entry' />
</a>";
}
}
+function sort_index(&$a, &$b) {
+ // sort callback function, cannot be inside the object.
+ if ($a['_index'] != $b['_index']) {
+ return $a['_index'] > $b['_index'] ? 1 : -1;
+ }
+ return 0;
+}
+
function haproxy_htmllist($tablename,$rowvalues,$items,$editstate=false,$itemdetails=null){
$list = new HaproxyHtmlList($tablename, $items);
$list->haproxy_htmllist($rowvalues, $items, $editstate, $itemdetails);
}
-function haproxy_htmllist_get_values($html_list){
- $list = new HaproxyHtmlList("-", $html_list);
+function haproxy_htmllist_get_values($tablename, $html_list){
+ $list = new HaproxyHtmlList($tablename, $html_list);
return $list->haproxy_htmllist_get_values();
}
function haproxy_htmllist_js(){
+ global $g;
?><script type="text/javascript">
+
+ var theme = "<?=$g['theme']?>";
+
function html_listitem_change(tableId, fieldId, rowNr, field) {
javascript_event = tableId + "_listitem_change";
var fn = window[javascript_event];
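Review bot: `if (empty($itemvalue)) { continue; }` in the details summary loop also skips a field whose stored value is the string "0", because `empty("0")` is true in PHP. A detail set to zero would therefore vanish from the read-only summary while still being present in the edit table. Until the filter mentioned in the TODO exists, a narrower test keeps such values visible: `if ($itemvalue === null || $itemvalue === '') { continue; }`. As far as this hunk shows, `$tdclass`, `$itemnr` and `$itemcount` are no longer read in that loop and could be dropped.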
@@ -297,61 +359,73 @@ function haproxy_htmllist_js(){
}
}
- function htmllist_get_select_items(prefix,tableId) {
+ function htmllist_get_select_items(prefix, tableId) {
var items;
- var i = tableId.lastIndexOf('_');
- var items_name = prefix+"_"+tableId.substr(i+1);
- items = eval("typeof "+items_name+" !== 'undefined' ? "+items_name+" : {}");
+ var items_name = prefix+"_"+tableId;
+ items = eval("typeof "+items_name+" !== 'undefined' ? "+items_name+" : null");
return items;
}
+ function createFieldHtml(tableId, field, rowId) {
+ var result = "";
+ if(field['type'] == 'textbox') {
+ result="<input size='" + field['size'] + "' name='" + tableId + field['name'] + rowId +
+ "' id='" + tableId + field['name'] + rowId +
+ "'><\/input> ";
+ } else if(field['type'] == 'textarea') {
+ result="<textarea cols='" + field['size'] + "' rows='30' name='" + tableId + field['name'] + rowId +
+ "' id='" + tableId + field['name'] + rowId +
+ "'><\/textarea> ";
+ } else if(field['type'] == 'select') {
+ var seltext = "";
+ var fieldid = field['name'];
+ var fn = window["htmllist_get_select_options"];
+ fielditems = field['items'];
+ if (typeof fn === 'function'){
+ fielditems = htmllist_get_select_options(tableId, field['name'], fielditems);
+ }
+ for (var fieldvalueid in fielditems) {
+ var fieldvalue = fielditems[fieldvalueid]
+ seltext += "<option value='"+fieldvalueid+"'>"+fieldvalue['name']+"<\/option>";
+ }
+
+ result="<select style='width:" + field['size'] + "' name='" + tableId + field['name'] + rowId +
+ "' id='" + tableId + field['name'] + rowId + "' "+
+ "onchange='html_listitem_change(\""+tableId+"\",\""+field['name']+"\",\""+rowId+"\",this);' " +
+ ">" + seltext + "<\/select> ";
+ } else if(field['type'] == 'fixedtext') {
+ result=field['text'];
+ } else {
+ result="<input type='checkbox' name='" + tableId + field['name'] + rowId +"'"+
+ "id='" + tableId + field['name'] + rowId + "' "+
+ "onclick='html_listitem_change(\""+tableId+"\",\""+field['name']+"\",\""+rowId+"\",this);' " +
+ "value='yes'><\/input> ";
+ }
+ return result;
+ }
+
var addRowTo = (function() {
return (function (tableId) {
var d, tbody, tr, td, bgc, i, ii, j, type, seltext, items;
var btable, btbody, btr, btd;
d = document;
- items = htmllist_get_select_items('fields',tableId);
-
tbody = d.getElementById(tableId).getElementsByTagName("tbody").item(0);
- tr = d.createElement("tr");
totalrows++;
- tr.setAttribute("id","aclrow" + totalrows);
-
+
+ // create edit row fields
+ items = htmllist_get_select_items('fields',tableId);
+ tr = d.createElement("tr");
+ tr.setAttribute("id","tr_edit_" + totalrows);
for (var i in items) {
+ fieldhtml = createFieldHtml(tableId, items[i], totalrows);
td = d.createElement("td");
- if(items[i]['type'] == 'textbox') {
- td.innerHTML="<input size='" + items[i]['size'] + "' name='" + items[i]['name'] + totalrows +
- "' id='" + items[i]['name'] + totalrows +
- "'><\/input> ";
- } else if(items[i]['type'] == 'textarea') {
- td.innerHTML="<textarea cols='" + items[i]['size'] + "' rows='30' name='" + items[i]['name'] + totalrows +
- "' id='" + items[i]['name'] + totalrows +
- "'><\/textarea> ";
- } else if(items[i]['type'] == 'select') {
- seltext = htmllist_get_select_options(tableId, items[i]['name']);
- td.innerHTML="<select style='width:" + items[i]['size'] + "' name='" + items[i]['name'] + totalrows +
- "' id='" + items[i]['name'] + totalrows + "' "+
- "onchange='html_listitem_change(\""+tableId+"\",\""+items[i]['name']+"\",\""+totalrows+"\",this);' " +
- ">" + seltext + "<\/select> ";
- } else {
- td.innerHTML="<input type='checkbox' name='" + items[i]['name'] + totalrows +"'"+
- "id='" + items[i]['name'] + totalrows + "' "+
- "onclick='html_listitem_change(\""+tableId+"\",\""+items[i]['name']+"\",\""+totalrows+"\",this);' " +
- "value='yes'><\/input> ";
- }
+ td.innerHTML = fieldhtml;
tr.appendChild(td);
}
td = d.createElement("td");
td.rowSpan = "1";
td.setAttribute("class","list");
-
- items = htmllist_get_select_items('fields_details',tableId);
- for (var i in items) {
- td.innerHTML=td.innerHTML+"<input type='hidden' name='" + items[i]['name'] + totalrows +
- "' id='" + items[i]['name'] + totalrows +
- "'><\/input> ";
- }
// Recreate the button table.
btable = document.createElement("table");
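Review bot: `htmllist_get_select_items` still resolves its variable through `eval("typeof "+items_name+...)`, and the whole `tableId` string is now concatenated into the evaluated expression rather than only its last segment. If the definitions are emitted as globals (this appears to be the case, but the emitting code is outside this hunk), a property lookup does the same job without evaluating a string: `var items = window[items_name]; return (typeof items !== 'undefined') ? items : null;`. Separately, `createFieldHtml` concatenates `field['name']`, `field['size']` and each option's `fieldvalue['name']` into markup unescaped. If an option label can ever contain markup characters or quotes, it should be HTML-encoded before the string is assigned to `innerHTML`.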
@@ -360,20 +434,75 @@ function haproxy_htmllist_js(){
btable.setAttribute("cellpadding", "1");
btbody = document.createElement("tbody");
btr = document.createElement("tr");
+
btd = document.createElement("td");
btd.setAttribute("valign", "middle");
- btd.innerHTML = '<img src="/themes/' + theme + '/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="removeRow(this); return false;" />';
+ btd.innerHTML =
+ '<input name="'+tableId+'_rowindex'+totalrows+'" id="'+tableId+'_rowindex'+totalrows+'" type="hidden" value="'+totalrows+'" />' +
+ '<img src="/themes/' + theme + '/images/icons/icon_x.gif" title="delete entry" width="17" height="17" border="0" onclick="deleteRow(' + totalrows + ", '" + tableId + "'); return false;\" />";
btr.appendChild(btd);
+
btd = document.createElement("td");
btd.setAttribute("valign", "middle");
btd.innerHTML = '<img src="/themes/' + theme + "/images/icons/icon_plus.gif\" title=\"duplicate entry\" width=\"17\" height=\"17\" border=\"0\" onclick=\"dupRow(" + totalrows + ", '" + tableId + "'); return false;\" />";
btr.appendChild(btd);
+
+
+ var tabledefinition = htmllist_get_select_items("tabledefinition", tableId);
+ if (tabledefinition && tabledefinition['keyfield'] == "") {
+ btd = document.createElement("td");
+ btd.setAttribute("valign", "middle");
+ btd.innerHTML = '<img src="/themes/' + theme + "/images/icons/icon_up.gif\" title=\"move entry up\" width=\"17\" height=\"17\" border=\"0\" onclick=\"moveRowUp(" + totalrows + ", '" + tableId + "'); return false;\" />";
+ btr.appendChild(btd);
+
+ btd = document.createElement("td");
+ btd.setAttribute("valign", "middle");
+ btd.innerHTML = '<img src="/themes/' + theme + "/images/icons/icon_down.gif\" title=\"move entry down\" width=\"17\" height=\"17\" border=\"0\" onclick=\"moveRowDown(" + totalrows + ", '" + tableId + "'); return false;\" />";
+ btr.appendChild(btd);
+ }
+
btbody.appendChild(btr);
btable.appendChild(btbody);
td.appendChild(btable);
tr.appendChild(td);
- tbody.appendChild(tr);
-
+ tbody.appendChild(tr); // add the edit row to the table
+
+ // create viewdetail row
+ items = htmllist_get_select_items('fields_details',tableId);
+ if (items) {
+ tr = d.createElement("tr");
+ tr.setAttribute("id","tr_viewdetail_" + totalrows);
+ td = d.createElement("td");
+ tr.appendChild(td);
+ td = d.createElement("td");
+ table = d.createElement("table");
+ table.setAttribute("cellspacing","0");
+ for (var i in items) {
+ field = items[i];
+ fieldhtml = createFieldHtml(tableId, field, totalrows);
+ subtr = d.createElement("tr");
+ subtr.setAttribute("id","tr_edititemdetails_" + totalrows + "_" + field['name']);
+ subtd = d.createElement("td");
+ subtd.setAttribute("class","vncell");
+ subtd.innerHTML = field['columnheader'] + ": ";
+ subtr.appendChild(subtd);
+ subtd = d.createElement("td");
+ subtd.setAttribute("class","vncell");
+ subtd.innerHTML = field['description'] + "<br/>" + fieldhtml;
+ subtr.appendChild(subtd);
+ table.appendChild(subtr);
+ }
+ td.appendChild(table);
+ tr.appendChild(td);
+ tbody.appendChild(tr); // add the viewdetail row to the table
+ }
+ // show/hide conditional fields if applicable using a custom function.
+ javascript_event = tableId + "_listitem_change";
+ var fn = window[javascript_event];
+ if (typeof fn === 'function'){
+ fn(tableId, "toggle_details", totalrows, null);
+ }
+
javascript_row_added = tableId + "_row_added";
var fn = window[javascript_row_added];
if (typeof fn === 'function'){
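Review bot: In the new detail-row loop, `subtd.innerHTML = field['description'] + "<br/>" + fieldhtml;` prints the text `undefined` for any detail field that has no description, whereas the PHP renderer only emits it when `!empty($item['description'])`. Mirroring that check keeps added rows identical to server-rendered ones: `subtd.innerHTML = (field['description'] ? field['description'] + "<br/>" : "") + fieldhtml;`. The move-up and move-down buttons are also gated differently here (`tabledefinition['keyfield'] == ""`) than in PHP (`empty($this->noindex)`); whether the two conditions always agree cannot be seen from this hunk.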
@@ -387,18 +516,18 @@ function haproxy_htmllist_js(){
addRowTo(tableId);
items = htmllist_get_select_items('fields',tableId);
for (var i in items) {
- dupEl = document.getElementById(items[i]['name'] + rowId);
- newEl = document.getElementById(items[i]['name'] + totalrows);
+ dupEl = document.getElementById(tableId + items[i]['name'] + rowId);
+ newEl = document.getElementById(tableId + items[i]['name'] + totalrows);
if (dupEl && newEl)
if(items[i]['type'] == 'checkbox')
newEl.checked = dupEl.checked;
else
newEl.value = dupEl.value;
}
- items = htmllist_get_select_items('fields_details',tableId);
+ items = htmllist_get_select_items('fields_details', tableId);
for (var i in items) {
- dupEl = document.getElementById(items[i]['name'] + rowId);
- newEl = document.getElementById(items[i]['name'] + totalrows);
+ dupEl = document.getElementById(tableId + items[i]['name'] + rowId);
+ newEl = document.getElementById(tableId + items[i]['name'] + totalrows);
if (dupEl && newEl)
if(items[i]['type'] == 'checkbox')
newEl.value = dupEl.checked ? 'yes' : '';
@@ -428,21 +557,89 @@ function haproxy_htmllist_js(){
if (edit)
edit.parentNode.removeChild(edit);
}
- function removeRow(el) {
- var cel;
- // Break out of one table first
- while (el && el.nodeName.toLowerCase() != "table")
- el = el.parentNode;
- while (el && el.nodeName.toLowerCase() != "tr")
- el = el.parentNode;
- if (el && el.parentNode) {
- cel = el.getElementsByTagName("td").item(0);
- el.parentNode.removeChild(el);
+ function moveRowUp(rowId, tableId) {
+ moveRow(rowId, tableId, true);
+ }
+ function moveRowDown(rowId, tableId) {
+ moveRow(rowId, tableId, false);
+ }
+ function moveRow(rowId, tableId, up) {
+ var rowview = document.getElementById("tr_view_" + rowId);
+ var rowedit = document.getElementById("tr_edit_" + rowId);
+ var rowviewdetail = document.getElementById("tr_viewdetail_" + rowId);
+
+ var parent = rowedit.parentNode;
+ var swapid;
+ var swaprowedit;
+ if (up){
+ //move current rows before the previous row
+ var prevtr;
+ if (rowview) {
+ prevtr = rowview.previousElementSibling;
+ } else {
+ prevtr = rowedit.previousElementSibling;
+ }
+ if (!prevtr)
+ return; // was already top element.
+ var swapid = prevtr['id'];
+ var i = swapid.lastIndexOf('_');
+ swapid = swapid.substr(i+1);
+ var prevrowview = document.getElementById("tr_view_" + swapid);
+ swaprowedit = document.getElementById("tr_edit_" + swapid);
+ if (prevrowview){
+ firstprevrow = prevrowview;
+ } else {
+ firstprevrow = swaprowedit;
+ }
+ // move the 3 rows
+ if (rowview) {
+ parent.insertBefore(rowview, firstprevrow);
+ }
+ parent.insertBefore(rowedit, firstprevrow);
+ if (rowviewdetail) {
+ parent.insertBefore(rowviewdetail, firstprevrow);
+ }
+ } else {
+ //move next row before the current row
+ var nexttr;
+ if (rowviewdetail) {
+ nexttr = rowviewdetail.nextElementSibling;
+ } else {
+ nexttr = rowedit.nextElementSibling;
+ }
+ if (!nexttr) {
+ return; // was already bottom element.
+ }
+ var swapid = nexttr['id'];
+ var i = swapid.lastIndexOf('_');
+ swapid = swapid.substr(i+1);
+ var prevrowview = document.getElementById("tr_view_" + swapid);
+ swaprowedit = document.getElementById("tr_edit_" + swapid);
+ var prevrowviewdetail = document.getElementById("tr_viewdetail_" + swapid);
+ if (rowview){
+ firstrow = rowview;
+ } else {
+ firstrow = rowedit;
+ }
+ // move the 3 rows
+ if (prevrowview) {
+ parent.insertBefore(prevrowview, firstrow);
+ }
+ parent.insertBefore(swaprowedit, firstrow);
+ if (prevrowviewdetail) {
+ parent.insertBefore(prevrowviewdetail, firstrow);
+ }
}
+
+ var id_a = document.getElementById(tableId+'_rowindex' + swapid);
+ var id_b = document.getElementById(tableId+'_rowindex' + rowId);
+ temp = id_a.value;
+ id_a.value = id_b.value;
+ id_b.value = temp;
}
- function htmltable_toggle_details(table_row_detail_id) {
+ function htmltable_toggle_details(tableId, rowNr, table_row_detail_id) {
tredit = document.getElementById(table_row_detail_id+'_off');
trviewdetail = document.getElementById(table_row_detail_id+'_edit');
treditdetail = document.getElementById(table_row_detail_id+'_view');
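Review bot: `moveRow` assigns `firstprevrow`, `firstrow` and `temp` without `var`, so they become implicit globals, and `swapid` is declared three times. Declaring them once at the top of the function (`var swapid, swaprowedit, firstprevrow, firstrow, temp;`) keeps the state local. `fielditems` in `createFieldHtml` and `fieldhtml`, `table`, `field`, `subtr`, `subtd` in `addRowTo` have the same problem. Both branches also assume that every sibling row has an id ending in the row number and that the matching `tr_edit_` row and `_rowindex` input exist; a null check on `swaprowedit`, `id_a` and `id_b` before they are used would avoid a TypeError if a row of another shape ever becomes a sibling.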
@@ -450,6 +647,13 @@ function haproxy_htmllist_js(){
tredit.style.display=current_on ? '' : 'none';
trviewdetail.style.display=current_on ? 'none' : '';
treditdetail.style.display=current_on ? '' : 'none';
+
+ // show/hide conditional fields if applicable using a custom function.
+ javascript_event = tableId + "_listitem_change";
+ var fn = window[javascript_event];
+ if (typeof fn === 'function'){
+ fn(tableId, "toggle_details", rowNr, null);
+ }
}
</script><?
}
diff --git a/config/haproxy-devel/pkg/haproxy_upgrade_config.inc b/config/haproxy-devel/pkg/haproxy_upgrade_config.inc
index c1c951df..052f7c77 100644
--- a/config/haproxy-devel/pkg/haproxy_upgrade_config.inc
+++ b/config/haproxy-devel/pkg/haproxy_upgrade_config.inc
@@ -1,6 +1,6 @@
<?php
/*
- haproxy.inc
+ haproxy_upgrade_config.inc
Copyright (C) 2015 PiBa-NL
All rights reserved.
@@ -26,7 +26,9 @@
POSSIBILITY OF SUCH DAMAGE.
*/
+require_once("haproxy_utils.inc");
require_once("pkg-utils.inc");
+require_once("haproxy.inc");
function haproxy_upgrade_config() {
global $config, $static_output;
@@ -143,16 +145,18 @@ function haproxy_upgrade_config() {
}
if ($configversion < "00.13") {
// update config to "haproxy-devel 1.5-dev19 pkg v0.13"
- foreach ($config['installedpackages']['haproxy']['ha_backends']['item'] as &$bind) {
- if (isset($bind['extaddr'])) {
- $new['extaddr'] = $bind['extaddr'];
- $new['extaddr_port'] = $bind['port'];
- $new['extaddr_ssl'] = $bind['ssloffload'];
- $bind['a_extaddr']['item'][] = $new;
+ if (is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) {
+ foreach ($config['installedpackages']['haproxy']['ha_backends']['item'] as &$bind) {
+ if (isset($bind['extaddr'])) {
+ $new['extaddr'] = $bind['extaddr'];
+ $new['extaddr_port'] = $bind['port'];
+ $new['extaddr_ssl'] = $bind['ssloffload'];
+ $bind['a_extaddr']['item'][] = $new;
+ }
+ unset($bind['extaddr']);
+ unset($bind['port']);
+ //unset($bind['ssloffload']);
}
- unset($bind['extaddr']);
- unset($bind['port']);
- //unset($bind['ssloffload']);
}
$configversion = "00.13";
}
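Review bot: The by-reference loop variable `$bind` stays bound to the last `ha_backends` item after `foreach (... as &$bind)` ends, so any later plain assignment to `$bind` in this function would overwrite that config entry. Adding `unset($bind);` directly after the loop removes the alias. The same applies to the `&$bind` loop in the 00.17 step and to `&$frontend` and `&$aclitem` in the new 00.32 step. `$new` is also carried over between iterations; starting each one with `$new = array();` makes the per-item state explicit.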
@@ -167,15 +171,17 @@ function haproxy_upgrade_config() {
$static_output .= "HAProxy, 00.17\n";
update_output_window($static_output);
// remove 'none' ca-cert, and set checkbox to allow for no certificate instead.
- foreach ($config['installedpackages']['haproxy']['ha_backends']['item'] as &$bind) {
- $list = array();
- foreach ($bind['clientcert_ca']['item'] as $ca){
- if (empty($ca['cert_ca']))
- $bind['sslclientcert-none'] = 'yes';
- else
- $list[] = $ca;
+ if (is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) {
+ foreach ($config['installedpackages']['haproxy']['ha_backends']['item'] as &$bind) {
+ $list = array();
+ foreach ($bind['clientcert_ca']['item'] as $ca){
+ if (empty($ca['cert_ca']))
+ $bind['sslclientcert-none'] = 'yes';
+ else
+ $list[] = $ca;
+ }
+ $bind['clientcert_ca']['item'] = $list;
}
- $bind['clientcert_ca']['item'] = $list;
}
$configversion = "00.17";
}
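Review bot: The new `is_array()` guard covers the outer `ha_backends` list, but the inner `foreach ($bind['clientcert_ca']['item'] as $ca)` still runs on frontends that have no client-certificate CA list. That raises a warning and then assigns an empty array to `$bind['clientcert_ca']['item']` on each of them. A guard at the top of the loop body avoids both: `if (!is_array($bind['clientcert_ca']['item'])) { continue; }`.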
@@ -193,6 +199,71 @@ function haproxy_upgrade_config() {
}
$configversion = "00.19";
}
+ if ($configversion < "00.32") {
+ $frontends = array();
+ if (is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) {
+ foreach ($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend) {
+ $primaryfrontend = get_primaryfrontend($frontend);
+ $fe_name = $primaryfrontend['name'];
+ $frontends[$fe_name][] = &$frontend;
+ }
+
+ foreach ($frontends as $primary) {
+ $acl_count = array();
+ foreach ($primary as &$frontend){
+ $acl_use = array();
+ $a_actions = &$frontend['a_actionitems']['item'];
+ if (!is_array($a_actions)) {
+ $a_actions = array();
+ }
+
+ $primaryfrontend = get_primaryfrontend($frontend);
+ $frontendtype = $primaryfrontend['type'];
+ $is_default = true;
+ if (is_array($frontend['ha_acls']['item'])) {
+ $a_acl = &$frontend['ha_acls']['item'];
+
+ foreach ($a_acl as &$aclitem) {
+ $aclname = $aclitem['name'];
+ $acltype = haproxy_find_acl($aclitem['expression']);
+ if ($aclitem['expression'] == "backendservercount") {
+ $aclitem['backendservercountbackend'] = $frontend['backend_serverpool'];
+ }
+ if (!isset($acl_count[$aclname])) {
+ $acl_count[$aclname] = 1;
+ } else {
+ $acl_count[$aclname] += 1;
+ $aclitem['name'] .= "_{$acl_count[$aclname]}";
+ }
+ if (!isset($acltype))
+ continue;
+ if ($acltype['mode'] != '' && $acltype['mode'] != strtolower($frontendtype)) {
+ continue;
+ }
+ $acl_use[$aclname][] = $aclitem['name'];
+ }
+ foreach ($acl_use as $key => $acl_x) {
+ $aclx = $acl_count[$key];
+ $aclnames = "";
+ foreach($acl_x as $aclname) {
+ $aclnames .= " $aclname";
+ }
+ $aclnames = trim($aclnames);
+ $action['action'] = 'use_backend';
+ $action['use_backendbackend'] = $frontend['backend_serverpool'];
+ $action['acl'] = $aclnames;
+ $a_actions[] = $action;
+ $is_default = false;
+ }
+ }
+ if (!$is_default) {
+ $frontend['backend_serverpool'] = "";
+ }
+ }
+ }
+ }
+ $configversion = "00.32";
+ }
$writeconfigupdate = $config['installedpackages']['haproxy']['configversion'] <> $configversion;
if ($writeconfigupdate) {
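Review bot: The 00.32 step has no comment describing the migration, unlike the 00.13 and 00.17 steps above it, and it is the most involved block in the function. A short header would help, for example `// 00.32: turn each frontend's ACLs into explicit 'use_backend' actions; ACL names repeated among frontends sharing a primary frontend get a numeric suffix`. A line at `if (!$is_default)` should also note that `backend_serverpool` is cleared once it has been moved into the actions. `$aclx` is assigned but never read in the visible lines, and `$action = array();` before the assignments would make sure no key leaks from one action into the next.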
diff --git a/config/haproxy-devel/pkg/haproxy_utils.inc b/config/haproxy-devel/pkg/haproxy_utils.inc
index ec72b986..04cacb30 100644
--- a/config/haproxy-devel/pkg/haproxy_utils.inc
+++ b/config/haproxy-devel/pkg/haproxy_utils.inc
@@ -122,11 +122,11 @@ function haproxy_get_bindable_interfaces($ipv="ipv4,ipv6", $interfacetype="any,l
// $bindable[key]['description'] can be shown to user in a selection box
global $config;
- $ipverions = split(',',$ipv);
+ $ipversions = split(',',$ipv);
$interfacetypes= split(',',$interfacetype);
$bindable = array();
- if (in_array("ipv4",$ipverions)){
+ if (in_array("ipv4",$ipversions)){
if (in_array('any',$interfacetypes)){
$item = array();
$item[ip] = '0.0.0.0';
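Review bot: The renamed line still calls `split()`, which is deprecated as of PHP 5.3 and removed in PHP 7. Since the separator is a literal comma, `$ipversions = explode(',', $ipv);` is a drop-in replacement, and the `$interfacetypes` line below it can change the same way. The function body continues outside this hunk.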
@@ -187,7 +187,7 @@ function haproxy_get_bindable_interfaces($ipv="ipv4,ipv6", $interfacetype="any,l
if (!isset($config['system']['ipv6allow']))
return $bindable;// skip adding the IPv6 addresses if those are not 'allowed'
- if (in_array("ipv6",$ipverions)){
+ if (in_array("ipv6",$ipversions)){
if (in_array('any',$interfacetypes)){
$item = array();
$item[ip] = '::';
@@ -386,6 +386,27 @@ function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=fal
return $certificates;
}
+function haproxy_get_certificate_subjectAltNames($str_crt, $decode = true) {
+ if ($decode) {
+ $str_crt = base64_decode($str_crt);
+ }
+ $result = array();
+ $ext = openssl_x509_parse($str_crt, false);
+ $subjectAltName = $ext['extensions']['subjectAltName'];
+ $lines = explode('\n', $subjectAltName);
+ foreach($lines as $line) {
+ $items = explode(',', $line);
+ foreach($items as $item) {
+ $item = trim($item);
+ if (strpos($item, "DNS:") === 0) {
+ $DNSitem = substr($item, 4);
+ $result[] = $DNSitem;
+ }
+ }
+ }
+ return $result;
+}
+
function haproxy_get_crls() {
global $config;
$certificates=array();
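Review bot: `explode('\n', $subjectAltName)` uses single quotes, so it splits on the two characters backslash and `n` rather than on a newline; it should be `explode("\n", $subjectAltName)`. The function also indexes the result of `openssl_x509_parse()` without checking it, although that call returns `false` for an unparsable certificate and the `subjectAltName` extension is optional. Placing `if ($ext === false || empty($ext['extensions']['subjectAltName'])) { return $result; }` before the lookup covers both cases. Only `DNS:` entries are returned, so IP-address SANs are ignored; a docblock line saying so would help callers that use the result for host matching.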
@@ -406,7 +427,8 @@ function haproxy_get_crls() {
function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName, $includeitems) {
$offset = str_repeat(' ',$nestID);
$itemName = "item$nestID";
- echo "{$offset}$nodeName = {};\n";
+ //echo "{$offset}$nodeName = {};\n";
+ echo "{$offset}$nodeName = Object.create(null);\n";
if (is_array($items))
foreach ($items as $key => $item)
{
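Review bot: The old statement is left behind as commented-out code (`//echo "{$offset}$nodeName = {};\n";`) with no explanation of why `Object.create(null)` replaced it. I would delete the dead line and state the reason in a comment instead, for instance `// null-prototype object: for..in over the exported data sees only its own keys` (assuming that is the motive). Such objects have no `hasOwnProperty` or `toString`, so consumers must not call those methods on the exported structures. The function body continues outside this hunk.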
diff --git a/config/haproxy-devel/www/haproxy_files.php b/config/haproxy-devel/www/haproxy_files.php
index 12ab5a88..4fe6bf45 100644
--- a/config/haproxy-devel/www/haproxy_files.php
+++ b/config/haproxy-devel/www/haproxy_files.php
@@ -42,15 +42,20 @@ if (!is_array($a_pools)) $a_pools = array();
$fields_files = array();
$fields_files[0]['name']="name";
$fields_files[0]['columnheader']="Name";
-$fields_files[0]['colwidth']="30%";
+$fields_files[0]['colwidth']="20%";
$fields_files[0]['type']="textbox";
$fields_files[0]['size']="20";
-
-$fields_files[1]['name']="content";
-$fields_files[1]['columnheader']="content";
-$fields_files[1]['colwidth']="70%";
-$fields_files[1]['type']="textarea";
-$fields_files[1]['size']="70";
+$fields_files[1]['name']="type";
+$fields_files[1]['columnheader']="Type";
+$fields_files[1]['colwidth']="10%";
+$fields_files[1]['type']="select";
+$fields_files[1]['size']="10";
+$fields_files[1]['items']=$a_filestype;
+$fields_files[2]['name']="content";
+$fields_files[2]['columnheader']="content";
+$fields_files[2]['colwidth']="70%";
+$fields_files[2]['type']="textarea";
+$fields_files[2]['size']="70";
$fileslist = new HaproxyHtmlList("table_files", $fields_files);
$fileslist->keyfield = "name";
@@ -63,7 +68,7 @@ if ($_POST) {
if ($result)
unlink_if_exists($d_haproxyconfdirty_path);
} else {
- $a_files = $fileslist->haproxy_htmllist_get_values($fields_files);
+ $a_files = $fileslist->haproxy_htmllist_get_values();
$filedupcheck = array();
foreach($a_files as $key => $file) {
@@ -77,7 +82,7 @@ if ($_POST) {
// replace references in backends to renamed 'files'
foreach($a_pools as &$backend) {
- if (is_arrayset($backend,'errorfiles','item'))
+ if (is_arrayset($backend,'errorfiles','item')) {
foreach($backend['errorfiles']['item'] as &$errorfile) {
$found = false;
foreach($a_files as $key => $file) {
@@ -86,9 +91,11 @@ if ($_POST) {
$found = true;
}
}
- if (!$found)
+ if (!$found) {
$input_errors[] = "Errorfile marked for deletion: " . $errorfile['errorfile'] . " which is used in backend " . $backend['name'];
+ }
}
+ }
}
if (!$input_errors) {
// save config when no errors found
@@ -100,10 +107,9 @@ if ($_POST) {
}
}
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-
$pgtitle = "Services: HAProxy: Files";
include("head.inc");
+haproxy_css();
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
@@ -165,7 +171,7 @@ include("head.inc");
<script type="text/javascript">
totalrows = <?php echo $counter; ?>;
<?
- phparray_to_javascriptarray($fields_files,"fields_files",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
+ $fileslist->outputjavascript();
?>
</script>
diff --git a/config/haproxy-devel/www/haproxy_global.php b/config/haproxy-devel/www/haproxy_global.php
index 2ae92256..4902b966 100644
--- a/config/haproxy-devel/www/haproxy_global.php
+++ b/config/haproxy-devel/www/haproxy_global.php
@@ -38,12 +38,13 @@ require_once("pkg_haproxy_tabs.inc");
require_once("haproxy_htmllist.inc");
$simplefields = array('localstats_refreshtime', 'localstats_sticktable_refreshtime', 'log-send-hostname', 'ssldefaultdhparam',
- 'email_level', 'email_myhostname', 'email_from', 'email_to');
+ 'email_level', 'email_myhostname', 'email_from', 'email_to',
+ 'resolver_retries', 'resolver_timeoutretry', 'resolver_holdvalid');
$none = array();
$none['']['name'] = "Dont log";
$a_sysloglevel = $none + $a_sysloglevel;
-
+
$fields_mailers = array();
$fields_mailers[0]['name'] = "name";
$fields_mailers[0]['columnheader'] = "Name";
@@ -61,8 +62,27 @@ $fields_mailers[2]['colwidth'] = "10%";
$fields_mailers[2]['type'] = "textbox";
$fields_mailers[2]['size'] = "10";
+$fields_resolvers = array();
+$fields_resolvers[0]['name'] = "name";
+$fields_resolvers[0]['columnheader'] = "Name";
+$fields_resolvers[0]['colwidth'] = "30%";
+$fields_resolvers[0]['type'] = "textbox";
+$fields_resolvers[0]['size'] = "20";
+$fields_resolvers[1]['name'] = "server";
+$fields_resolvers[1]['columnheader'] = "DNSserver";
+$fields_resolvers[1]['colwidth'] = "60%";
+$fields_resolvers[1]['type'] = "textbox";
+$fields_resolvers[1]['size'] = "60";
+$fields_resolvers[2]['name'] = "port";
+$fields_resolvers[2]['columnheader'] = "DNSport";
+$fields_resolvers[2]['colwidth'] = "10%";
+$fields_resolvers[2]['type'] = "textbox";
+$fields_resolvers[2]['size'] = "10";
+
$mailerslist = new HaproxyHtmlList("table_mailers", $fields_mailers);
$mailerslist->keyfield = "name";
+$resolverslist = new HaproxyHtmlList("table_resolvers", $fields_resolvers);
+$resolverslist->keyfield = "name";
if (!is_array($config['installedpackages']['haproxy']))
$config['installedpackages']['haproxy'] = array();
@@ -82,7 +102,7 @@ if ($_POST) {
unlink_if_exists($d_haproxyconfdirty_path);
} else {
$a_mailers = $mailerslist->haproxy_htmllist_get_values();
- $pool['ha_servers']['item'] = $a_servers;
+ $a_resolvers = $resolverslist->haproxy_htmllist_get_values();
if ($_POST['carpdev'] == "disabled")
unset($_POST['carpdev']);
@@ -99,28 +119,18 @@ if ($_POST) {
if ($_POST['localstats_sticktable_refreshtime'] && (!is_numeric($_POST['localstats_sticktable_refreshtime'])))
$input_errors[] = "The local stats sticktable refresh time should be numeric or empty.";
- /*if($_POST['synchost1'] && !is_ipaddr($_POST['synchost1']))
- $input_errors[] = "Synchost1 needs to be an IPAddress.";
- if($_POST['synchost2'] && !is_ipaddr($_POST['synchost2']))
- $input_errors[] = "Synchost2 needs to be an IPAddress.";
- if($_POST['synchost3'] && !is_ipaddr($_POST['synchost3']))
- $input_errors[] = "Synchost3 needs to be an IPAddress.";*/
-
if (!$input_errors) {
- $config['installedpackages']['haproxy']['email_mailers']['items'] = $a_mailers;
+ $config['installedpackages']['haproxy']['email_mailers']['item'] = $a_mailers;
+ $config['installedpackages']['haproxy']['dns_resolvers']['item'] = $a_resolvers;
$config['installedpackages']['haproxy']['enable'] = $_POST['enable'] ? true : false;
$config['installedpackages']['haproxy']['terminate_on_reload'] = $_POST['terminate_on_reload'] ? true : false;
$config['installedpackages']['haproxy']['maxconn'] = $_POST['maxconn'] ? $_POST['maxconn'] : false;
$config['installedpackages']['haproxy']['enablesync'] = $_POST['enablesync'] ? true : false;
- //$config['installedpackages']['haproxy']['synchost1'] = $_POST['synchost1'] ? $_POST['synchost1'] : false;
- //$config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost2'] ? $_POST['synchost2'] : false;
- //$config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost3'] ? $_POST['synchost3'] : false;
$config['installedpackages']['haproxy']['remotesyslog'] = $_POST['remotesyslog'] ? $_POST['remotesyslog'] : false;
$config['installedpackages']['haproxy']['logfacility'] = $_POST['logfacility'] ? $_POST['logfacility'] : false;
$config['installedpackages']['haproxy']['loglevel'] = $_POST['loglevel'] ? $_POST['loglevel'] : false;
$config['installedpackages']['haproxy']['carpdev'] = $_POST['carpdev'] ? $_POST['carpdev'] : false;
- //$config['installedpackages']['haproxy']['syncpassword'] = $_POST['syncpassword'] ? $_POST['syncpassword'] : false;
$config['installedpackages']['haproxy']['localstatsport'] = $_POST['localstatsport'] ? $_POST['localstatsport'] : false;
$config['installedpackages']['haproxy']['advanced'] = $_POST['advanced'] ? base64_encode($_POST['advanced']) : false;
$config['installedpackages']['haproxy']['nbproc'] = $_POST['nbproc'] ? $_POST['nbproc'] : false;
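Review bot: `$a_resolvers` is written to `dns_resolvers` here without any check on its rows, and the three `resolver_*` settings added to `$simplefields` get no validation alongside the existing `is_numeric` test on `localstats_sticktable_refreshtime`. These values presumably end up in the generated haproxy configuration (that code is outside this hunk), so a malformed server or port should be rejected on save, e.g. `foreach ($a_resolvers as $r) { if (!is_ipaddr($r['server']) || !is_port($r['port'])) $input_errors[] = "Each DNS resolver needs a valid IP address and port."; }`. The `if ($_POST)` block starts and ends outside the hunk.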
@@ -132,16 +142,19 @@ if ($_POST) {
}
}
-$a_mailers = $config['installedpackages']['haproxy']['email_mailers']['items'];
+$a_mailers = $config['installedpackages']['haproxy']['email_mailers']['item'];
+if (!is_array($a_mailers)) {
+ $a_mailers = array();
+}
+$a_resolvers = $config['installedpackages']['haproxy']['dns_resolvers']['item'];
+if (!is_array($a_resolvers)) {
+ $a_resolvers = array();
+}
$pconfig['enable'] = isset($config['installedpackages']['haproxy']['enable']);
$pconfig['terminate_on_reload'] = isset($config['installedpackages']['haproxy']['terminate_on_reload']);
$pconfig['maxconn'] = $config['installedpackages']['haproxy']['maxconn'];
$pconfig['enablesync'] = isset($config['installedpackages']['haproxy']['enablesync']);
-//$pconfig['syncpassword'] = $config['installedpackages']['haproxy']['syncpassword'];
-//$pconfig['synchost1'] = $config['installedpackages']['haproxy']['synchost1'];
-//$pconfig['synchost2'] = $config['installedpackages']['haproxy']['synchost2'];
-//$pconfig['synchost3'] = $config['installedpackages']['haproxy']['synchost3'];
$pconfig['remotesyslog'] = $config['installedpackages']['haproxy']['remotesyslog'];
$pconfig['logfacility'] = $config['installedpackages']['haproxy']['logfacility'];
$pconfig['loglevel'] = $config['installedpackages']['haproxy']['loglevel'];
@@ -158,13 +171,9 @@ if (!$pconfig['logfacility'])
if (!$pconfig['loglevel'])
$pconfig['loglevel'] = 'info';
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version < 2.0)
- $one_two = true;
-
$pgtitle = "Services: HAProxy: Settings";
include("head.inc");
-
+haproxy_css();
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<script type="text/javascript" src="javascript/scriptaculous/prototype.js"></script>
@@ -179,9 +188,6 @@ function enable_change(enable_change) {
}
//-->
</script>
-<?php if($one_two): ?>
-<p class="pgtitle"><?=$pgtitle?></p>
-<?php endif; ?>
<form action="haproxy_global.php" method="post" name="iform">
<?php if ($input_errors) print_input_errors($input_errors); ?>
<?php if ($savemsg) print_info_box($savemsg); ?>
@@ -210,7 +216,7 @@ function enable_change(enable_change) {
<tr>
<td width="22%" valign="top" class="vncell">Installed version:</td>
<td width="78%" class="vtable">
- <strong><?=haproxy_verion()?></strong>
+ <strong><?=haproxy_version()?></strong>
</td>
</tr>
<tr>
@@ -400,9 +406,55 @@ function enable_change(enable_change) {
</td>
</tr>
<tr><td>&nbsp;</td></tr>
- <? if (haproxy_verion() >= '1.6' ) { ?>
+ <? if (haproxy_version() >= '1.6-dev4' ) { ?>
<tr>
- <td colspan="2" valign="top" class="listtopic">Email notifications</td>
+ <td colspan="2" valign="top" class="listtopic">Global DNS resolvers for haproxy</td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell">
+ DNS servers
+ </td>
+ <td class="vtable">
+ Configuring DNS servers will allow haproxy to detect when a servers IP changes to a different one in 'elastic' environments without needing to be restarted.
+ <br/>
+ <?
+ $counter=0;
+ $resolverslist->Draw($a_resolvers);
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell">
+ 'resolver_retries'
+ </td>
+ <td class="vtable">
+ <input name="resolver_retries" type="text" <?if(isset($pconfig['resolver_retries'])) echo "value=\"{$pconfig['resolver_retries']}\"";?> size="50"/><br/>
+ Email address to be used as the sender of the emails.
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell">
+ 'resolver_timeoutretry'
+ </td>
+ <td class="vtable">
+ <input name="resolver_timeoutretry" type="text" <?if(isset($pconfig['resolver_timeoutretry'])) echo "value=\"{$pconfig['resolver_timeoutretry']}\"";?> size="50"/><br/>
+ Email address to be used as the sender of the emails.
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell">
+ 'resolver_holdvalid'
+ </td>
+ <td class="vtable">
+ <input name="resolver_holdvalid" type="text" <?if(isset($pconfig['resolver_holdvalid'])) echo "value=\"{$pconfig['resolver_holdvalid']}\"";?> size="50"/><br/>
+ Email address to be used as the sender of the emails.
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr>
+ <? }
+ if (haproxy_version() >= '1.6' ) { ?>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Global email notifications</td>
</tr>
<tr>
<td valign="top" class="vncell">
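Review bot: The three new `resolver_*` inputs echo `$pconfig[...]` straight into a double-quoted `value` attribute, so a stored value containing `"` or `<` breaks out of the attribute when the settings page is rendered. Wrap the value for all three fields, e.g. `echo 'value="' . htmlspecialchars($pconfig['resolver_retries']) . '"';`; the read-only branch of `customdrawcell_actions` in haproxy_listeners_edit.php (`echo $itemvalue;`) has the same gap. The help text under each field, `Email address to be used as the sender of the emails.`, looks copied from the mailer section and does not describe retries, retry timeout or hold time. The row labels are also the raw field names in quotes rather than readable captions.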
@@ -412,7 +464,6 @@ function enable_change(enable_change) {
It is possible to send email alerts when the state of servers changes. If configured email alerts are sent to each mailer that is configured in a mailers section. Email is sent to mailers using SMTP.
<br/>
<?
- $counter=0;
$mailerslist->Draw($a_mailers);
?>
</td>
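Review bot: Removing `$counter=0;` here leaves the counter initialised only inside the resolver block, which is guarded by `haproxy_version() >= '1.6-dev4'` while this mailer block is guarded by `>= '1.6'`; whenever the first test is false and the second true, `$mailerslist->Draw()` and the later `totalrows = <?php echo $counter; ?>` may run with `$counter` unset. Set `$counter=0;` once before both blocks. The two guards also compare version strings with `>=`, which orders them character by character (a plain `1.6` sorts below `1.6-dev4`); `version_compare(haproxy_version(), '1.6-dev4', '>=')` gives the intended ordering. What `haproxy_version()` returns and whether `Draw()` reads `$counter` are outside this hunk.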
@@ -582,7 +633,8 @@ haproxy_htmllist_js();
<script type="text/javascript">
totalrows = <?php echo $counter; ?>;
<?
- phparray_to_javascriptarray($fields_mailers,"fields_mailers",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
+ $mailerslist->outputjavascript();
+ $resolverslist->outputjavascript();
?>
function scroll_after_fade() {
diff --git a/config/haproxy-devel/www/haproxy_listeners.php b/config/haproxy-devel/www/haproxy_listeners.php
index db1f3ff2..c7288e7d 100644
--- a/config/haproxy-devel/www/haproxy_listeners.php
+++ b/config/haproxy-devel/www/haproxy_listeners.php
@@ -93,9 +93,31 @@ if ($_GET['act'] == "del") {
}
}
+function haproxy_userlist_backend_servers($backendname) {
+ //used for hint title text when hovering mouse over a backend name
+ global $a_servermodes;
+ $backend_servers = "";
+ $backend = get_backend($backendname);
+ if ($backend && is_array($backend['ha_servers']) && is_array($backend['ha_servers']['item'])){
+ $servers = $backend['ha_servers']['item'];
+ $backend_servers = sprintf(gettext("Servers in \"%s\" pool:"), $backendname);
+ if (is_array($servers)){
+ foreach($servers as $server){
+ $srvstatus = $server['status'];
+ $status = $a_servermodes[$srvstatus]['sign'];
+ if (isset($server['forwardto']) && $server['forwardto'] != "")
+ $backend_servers .= "\n{$status}[{$server['forwardto']}]";
+ else
+ $backend_servers .= "\n{$status}{$server['address']}:{$server['port']}";
+ }
+ }
+ }
+ return $backend_servers;
+}
+
$pgtitle = "Services: HAProxy: Frontends";
include("head.inc");
-
+haproxy_css();
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
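Review bot: In `haproxy_userlist_backend_servers()` the lookup `$a_servermodes[$srvstatus]['sign']` assumes every server's `status` is a key of `$a_servermodes`; a server with a missing or unrecognised status raises a notice and yields an empty sign. Guard it, e.g. `$status = isset($a_servermodes[$srvstatus]) ? $a_servermodes[$srvstatus]['sign'] : '';`. The inner `if (is_array($servers))` repeats the `is_array($backend['ha_servers']['item'])` test from the enclosing condition and can be dropped. A short docblock stating that the function returns plain text intended for a `title` attribute, not HTML, would tell callers that encoding is their job.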
@@ -182,7 +204,7 @@ function js_callback(req) {
$first = true;
$last_frontend_shared = false;
foreach ($a_frontend_grouped as $a_frontend) {
- usort($a_frontend,'sort_sharedfrontends');
+ usort($a_frontend, 'sort_sharedfrontends');
if ((count($a_frontend) > 1 || $last_frontend_shared) && !$first) {
?> <tr class="<?=$textgray?>"><td colspan="7">&nbsp;</td></tr> <?
}
@@ -238,24 +260,6 @@ function js_callback(req) {
if ($frontend['advanced']) $isadvset .= "Advanced pass thru setting used\r\n";
if ($isadvset)
echo "<img src=\"$img_adv\" title=\"" . gettext("Advanced settings set") . ": {$isadvset}\" border=\"0\" />";
-
- $backend_serverpool_hint = "";
- $backend_serverpool = $frontend['backend_serverpool'];
- $backend = get_backend($backend_serverpool);
- if ($backend && is_array($backend['ha_servers']) && is_array($backend['ha_servers']['item'])){
- $servers = $backend['ha_servers']['item'];
- $backend_serverpool_hint = gettext("Servers in pool:");
- if (is_array($servers)){
- foreach($servers as $server){
- $srvstatus = $server['status'];
- $status = $a_servermodes[$srvstatus]['sign'];
- if (isset($server['forwardto']) && $server['forwardto'] != "")
- $backend_serverpool_hint .= "\n{$status}[{$server['forwardto']}]";
- else
- $backend_serverpool_hint .= "\n{$status}{$server['address']}:{$server['port']}";
- }
- }
- }
?>
</td>
<td class="listr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';">
@@ -296,15 +300,30 @@ function js_callback(req) {
?>
</td>
<td class="listr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';">
- <div title='<?=$backend_serverpool_hint;?>'>
- <a href="haproxy_pool_edit.php?id=<?=$frontend['backend_serverpool']?>">
- <?=$frontend['backend_serverpool']?>
- </a>
- </div>
+ <?
+ if (is_array($frontend['a_actionitems']['item'])) {
+ foreach ($frontend['a_actionitems']['item'] as $actionitem) {
+ if ($actionitem['action'] == "use_backend") {
+ $backend = $actionitem['use_backendbackend'];
+ $hint = haproxy_userlist_backend_servers($backend);
+ echo "<div title='{$hint}'>";
+ echo "<a href='haproxy_pool_edit.php?id={$backend}'>{$backend}</a>";
+ if (!empty($actionitem['acl'])) {
+ echo "&nbsp;if({$actionitem['acl']})";
+ }
+ echo "<br/></div>";
+ }
+ }
+ }
+ $hint = haproxy_userlist_backend_servers($frontend['backend_serverpool']);
+ $backend = $frontend['backend_serverpool'];
+ if (!empty($backend)) {
+ echo "<div title='{$hint}'>";
+ echo "<a href='haproxy_pool_edit.php?id={$backend}'>{$backend}</a> (default)";
+ echo "<br/></div>";
+ }
+ ?>
</td>
- <!--td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';">
- <?=$frontend['secondary'] == 'yes' ? $frontend['primary_frontend'] : "";?>
- </td-->
<td class="list" nowrap>
<table border="0" cellspacing="0" cellpadding="1">
<tr>
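Review bot: The backend column interpolates `$hint`, `$backend` and `$actionitem['acl']` into single-quoted attributes and markup without encoding, so a backend name, server address or acl name containing `'` or `<` changes the page structure. Encode per context: `$hint = htmlspecialchars(haproxy_userlist_backend_servers($backend), ENT_QUOTES);` for the `title`, `urlencode($backend)` inside the `href`, and `htmlspecialchars()` for the link text and the `if(...)` acl text. `ENT_QUOTES` matters here because the attributes are delimited with `'`. The removed markup printed the pool name unencoded as well, so this is carried over rather than introduced, but the rewrite extends it to the action items.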
diff --git a/config/haproxy-devel/www/haproxy_listeners_edit.php b/config/haproxy-devel/www/haproxy_listeners_edit.php
index 6998e099..8e6c1c3d 100644
--- a/config/haproxy-devel/www/haproxy_listeners_edit.php
+++ b/config/haproxy-devel/www/haproxy_listeners_edit.php
@@ -47,17 +47,6 @@ if (!function_exists("cert_get_purpose")) {
}
/**/
-function haproxy_js_acl_select($mode) {
- global $a_acltypes;
-
- $seltext = '';
- foreach ($a_acltypes as $key => $expr) {
- if ($expr['mode'] == '' || $expr['mode'] == $mode)
- $seltext .= "<option value='" . $key . "'>" . $expr['name'] ."<\/option>";
- }
- return $seltext;
-}
-
if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) {
$config['installedpackages']['haproxy']['ha_backends']['item'] = array();
}
@@ -71,7 +60,8 @@ uasort($a_pools, haproxy_compareByName);
global $simplefields;
$simplefields = array('name','desc','status','secondary','primary_frontend','type','forwardfor','httpclose','extaddr','backend_serverpool',
'max_connections','client_timeout','port','advanced_bind',
- 'ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','ssloffloadacladditional','sslclientcert-none','sslclientcert-invalid','sslocsp',
+ 'ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','ssloffloadacl_an','ssloffloadacladditional','ssloffloadacladditional_an',
+ 'sslclientcert-none','sslclientcert-invalid','sslocsp',
'socket-stats',
'dontlognull','dontlog-normal','log-separate-errors','log-detailed');
@@ -88,7 +78,7 @@ $id = get_frontend_id($id);
if (!is_numeric($id))
{
//default value for new items.
- $pconfig['ssloffloadacl'] = "yes";
+ $pconfig['ssloffloadacl_an'] = "yes";
$new_item = array();
$new_item['extaddr'] = "wan_ipv4";
$new_item['extaddr_port'] = "80";
@@ -182,12 +172,110 @@ $fields_externalAddress[4]['colwidth']="20%";
$fields_externalAddress[4]['type']="textbox";
$fields_externalAddress[4]['size']="30";
+$fields_actions=array();
+$fields_actions[0]['name']="action";
+$fields_actions[0]['columnheader']="Action";
+$fields_actions[0]['colwidth']="30%";
+$fields_actions[0]['type']="select";
+$fields_actions[0]['size']="200px";
+$fields_actions[0]['items']=&$a_action;
+$fields_actions[1]['name']="parameters";
+$fields_actions[1]['columnheader']="Parameters";
+$fields_actions[1]['colwidth']="30%";
+$fields_actions[1]['type']="fixedtext";
+$fields_actions[1]['size']="200px";
+$fields_actions[1]['text']="See below";
+$fields_actions[2]['name']="acl";
+$fields_actions[2]['columnheader']="Condition acl names";
+$fields_actions[2]['colwidth']="15%";
+$fields_actions[2]['type']="textbox";
+$fields_actions[2]['size']="40";
+
+$a_files = haproxy_get_fileslist();
+$fields_errorfile = array();
+$fields_errorfile[0]['name']="errorcode";
+$fields_errorfile[0]['columnheader']="errorcode(s)";
+$fields_errorfile[0]['colwidth']="15%";
+$fields_errorfile[0]['type']="textbox";
+$fields_errorfile[0]['size']="70px";
+$fields_errorfile[1]['name']="errorfile";
+$fields_errorfile[1]['columnheader']="Error Page";
+$fields_errorfile[1]['colwidth']="30%";
+$fields_errorfile[1]['type']="select";
+$fields_errorfile[1]['size']="170px";
+$fields_errorfile[1]['items']=&$a_files;
+
+$backends = get_haproxy_backends();
+$a_action['use_backend']['fields']['backend']['items'] = &$backends;
+//$a_action['http-request_lua']['fields']['lua-script']['items'] = &$a_files;
+//$a_action['tcp-request_content_lua']['fields']['lua-script']['items'] = &$a_files;
+
+$fields_actions_details=array();
+foreach($a_action as $key => $action) {
+ if (is_array($action['fields'])) {
+ foreach($action['fields'] as $field) {
+ $item = $field;
+ $name = $key . $item['name'];
+ $item['name'] = $name;
+ $item['columnheader'] = $field['name'];
+ $item['customdrawcell'] = customdrawcell_actions;
+ $fields_actions_details[$name] = $item;
+ }
+ }
+}
+
+$a_acltypes["backendservercount"]['fields']['backend']['items'] = &$backends;
+$fields_acl_details=array();
+foreach($a_acltypes as $key => $action) {
+ if (is_array($action['fields'])) {
+ foreach($action['fields'] as $field) {
+ $item = $field;
+ $name = $key . $item['name'];
+ $item['name'] = $name;
+ $item['columnheader'] = $field['name'];
+ $item['customdrawcell'] = customdrawcell_actions;
+ $fields_acl_details[$name] = $item;
+ }
+ }
+}
+
+function customdrawcell_actions($object, $item, $itemvalue, $editable, $itemname, $counter) {
+ if ($editable) {
+ $object->haproxy_htmllist_drawcell($item, $itemvalue, $editable, $itemname, $counter);
+ } else {
+ //TODO hide fields not applicable.?.
+ echo $itemvalue;
+ }
+}
+
+$htmllist_extaddr = new HaproxyHtmlList("table_extaddr", $fields_externalAddress);
+$htmllist_extaddr->editmode = true;
+
+$htmllist_acls = new HaproxyHtmlList("table_acls", $fields_aclSelectionList);
+$htmllist_acls->fields_details = $fields_acl_details;
+//$htmllist_acls->editmode = true;
+
+$htmllist_actions = new HaproxyHtmlList("table_actions", $fields_actions);
+$htmllist_actions->fields_details = $fields_actions_details;
+//$htmllist_actions->keyfield = "name";
+//$htmllist_actions->editmode = true;
+
+$htmllist_sslCertificates = new HaproxyHtmlList("tbl_sslCerts", $fields_sslCertificates);
+$htmllist_caCertificates = new HaproxyHtmlList("tbl_caCerts", $fields_caCertificates );
+$htmllist_crlCertificates = new HaproxyHtmlList("tbl_crlCerts", $fields_crlCertificates);
+
+$errorfileslist = new HaproxyHtmlList("table_errorfile", $fields_errorfile);
+$errorfileslist->keyfield = "errorcode";
+
if (isset($id) && $a_backend[$id]) {
$pconfig['a_acl']=&$a_backend[$id]['ha_acls']['item'];
$pconfig['a_certificates']=&$a_backend[$id]['ha_certificates']['item'];
$pconfig['clientcert_ca']=&$a_backend[$id]['clientcert_ca']['item'];
$pconfig['clientcert_crl']=&$a_backend[$id]['clientcert_crl']['item'];
$pconfig['a_extaddr']=&$a_backend[$id]['a_extaddr']['item'];
+ $pconfig['a_actionitems']=&$a_backend[$id]['a_actionitems']['item'];
+ $pconfig['a_errorfiles']=&$a_backend[$id]['a_errorfiles']['item'];
+
$pconfig['advanced'] = base64_decode($a_backend[$id]['advanced']);
foreach($simplefields as $stat)
$pconfig[$stat] = $a_backend[$id][$stat];
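Review bot: `$item['customdrawcell'] = customdrawcell_actions;` (in both loops) uses a bare word where a callable name is meant; PHP only treats it as the string after raising an undefined-constant notice, and PHP 8 turns that into an error. Quote it: `$item['customdrawcell'] = 'customdrawcell_actions';`. The two loops that build `$fields_actions_details` and `$fields_acl_details` are identical apart from the source array and could be one helper taking that array as a parameter. The commented-out `editmode`/`keyfield` and lua `items` lines would be better removed or given a one-line reason for being kept.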
@@ -195,6 +283,7 @@ if (isset($id) && $a_backend[$id]) {
if (isset($_GET['dup'])) {
unset($id);
+ $pconfig['name'] .= "-copy";
if ($pconfig['secondary'] != 'yes')
$pconfig['primary_frontend'] = $pconfig['name'];
}
@@ -243,20 +332,23 @@ if ($_POST) {
if (($_POST['name'] == $config['installedpackages']['haproxy']['ha_backends']['item'][$i]['name']) && ($i != $id))
$input_errors[] = "This frontend name has already been used. Frontend names must be unique. $i != $id";
- $a_certificates = haproxy_htmllist_get_values($fields_sslCertificates);
+ $a_actionitems = $htmllist_actions->haproxy_htmllist_get_values();
+ $pconfig['a_actionitems'] = $a_actionitems;
+ $a_errorfiles = $errorfileslist->haproxy_htmllist_get_values();
+ $pconfig['a_errorfiles'] = $a_errorfiles;
+ $a_certificates = $htmllist_sslCertificates->haproxy_htmllist_get_values();
$pconfig['a_certificates'] = $a_certificates;
- $a_clientcert_ca = haproxy_htmllist_get_values($fields_caCertificates);
+ $a_clientcert_ca = $htmllist_caCertificates->haproxy_htmllist_get_values();
$pconfig['clientcert_ca'] = $a_clientcert_ca;
- $a_clientcert_crl = haproxy_htmllist_get_values($fields_crlCertificates);
+ $a_clientcert_crl = $htmllist_crlCertificates->haproxy_htmllist_get_values();
$pconfig['clientcert_crl'] = $a_clientcert_crl;
- $a_acl = haproxy_htmllist_get_values($fields_aclSelectionList);
+ $a_acl = $htmllist_acls->haproxy_htmllist_get_values();
$pconfig['a_acl'] = $a_acl;
- $a_extaddr = haproxy_htmllist_get_values($fields_externalAddress);
+ $a_extaddr = $htmllist_extaddr->haproxy_htmllist_get_values();
$pconfig['a_extaddr'] = $a_extaddr;
-
foreach($a_acl as $acl) {
$acl_name = $acl['name'];
$acl_value = $acl['value'];
@@ -311,6 +403,8 @@ if ($_POST) {
$backend['clientcert_ca']['item'] = $a_clientcert_ca;
$backend['clientcert_crl']['item'] = $a_clientcert_crl;
$backend['a_extaddr']['item'] = $a_extaddr;
+ $backend['a_actionitems']['item'] = $a_actionitems;
+ $backend['a_errorfiles']['item'] = $a_errorfiles;
if (isset($id) && $a_backend[$id]) {
$a_backend[$id] = $backend;
@@ -328,13 +422,10 @@ if ($_POST) {
}
}
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version < 2.0)
- $one_two = true;
-
$closehead = false;
$pgtitle = "HAProxy: Frontend: Edit";
include("head.inc");
+haproxy_css();
if (!isset($_GET['dup']))
$excludefrontend = $pconfig['name'];
@@ -353,50 +444,28 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
</head>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php if($one_two): ?>
-<script type="text/javascript" src="/javascript/scriptaculous/prototype.js"></script>
-<script type="text/javascript" src="/javascript/scriptaculous/scriptaculous.js"></script>
-<?php endif; ?>
-
<script type="text/javascript">
- function htmllist_get_select_options(tableId, fieldname) {
- var seltext;
- seltext = "";
- var type;
- var secondary = d.getElementById("secondary");
- var primary_frontend = d.getElementById("primary_frontend");
- if ((secondary !== null) && (secondary.checked))
- type = primaryfrontends[primary_frontend.value]['ref']['type'];
- else
- type = d.getElementById("type").value;
-
- if (tableId == 'tableA_acltable'){
- if (type == 'health')
- seltext = "<?php echo haproxy_js_acl_select('health');?>";
- else if (type == 'tcp')
- seltext = "<?php echo haproxy_js_acl_select('tcp');?>";
- else if (type == 'https')
- seltext = "<?php echo haproxy_js_acl_select('https');?>";
+ function htmllist_get_select_options(tableId, fieldname, itemstable) {
+ if (tableId == 'table_acls' && fieldname == 'expression') {
+ var type;
+ var secondary = d.getElementById("secondary");
+ var primary_frontend = d.getElementById("primary_frontend");
+ if ((secondary !== null) && (secondary.checked))
+ type = primaryfrontends[primary_frontend.value]['ref']['type'];
else
- seltext = "<?php echo haproxy_js_acl_select('http');?>";
- if (seltext == '') {
- alert("No ACL types available in current frontend type");
- return;
+ type = d.getElementById("type").value;
+
+ result = Object.create(null);
+ for (var key in itemstable) {
+ newitem = itemstable[key];
+ if (newitem['mode'] == type || newitem['mode'] == "") {
+ result[key] = newitem;
+ result[key]['name'] = result[key]['name'];
+ }
}
+ return result;
}
- if (tableId == 'tableA_sslCertificates'){
- seltext = "<?=haproxy_js_select_options($servercerts);?>";
- }
- if (tableId == 'table_clientcert_ca'){
- seltext = "<?=haproxy_js_select_options($certs_ca);?>";
- }
- if (tableId == 'table_clientcert_crl'){
- seltext = "<?=haproxy_js_select_options($certs_crl);?>";
- }
- if (tableId == 'table_extaddr'){
- seltext = "<?=haproxy_js_select_options($interfaces);?>";
- }
- return seltext;
+ return itemstable;
}
function setCSSdisplay(cssID, display) {
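Review bot: In the rewritten `htmllist_get_select_options`, `result` and `newitem` are assigned without `var`, so they become globals shared with every other script on the page; declare them, `var result = Object.create(null);` and `var newitem = itemstable[key];`. The line `result[key]['name'] = result[key]['name'];` assigns a value to itself and can be deleted. The `for (var key in itemstable)` loop also walks inherited properties, so a `hasOwnProperty` check is worth adding if `itemstable` is an ordinary object (its construction is outside this hunk).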
@@ -430,7 +499,7 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
} else {
type = d.getElementById("type").value;
for (i = 0; i < 99; i++) {
- customEdit = document.getElementById("extaddr_ssl"+i);
+ customEdit = document.getElementById("table_extaddr"+"extaddr_ssl"+i);
if (customEdit && customEdit.checked)
sslshow = true;
}
@@ -462,47 +531,31 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
d = document;
for (i = 0; i < 99; i++) {
- el = d.getElementById("acl_expression" + i);
- row = d.getElementById("aclrow" + i);
- if (!el)
- continue;
- for (j = 0; j < count; j++) {
- if (acl[j] == el.value) {
- if (mode[j] != '' && mode[j] != type) {
- Effect.Fade(row,{ duration: 1.0 });
- } else {
- Effect.Appear(row,{ duration: 1.0 });
- }
- }
- }
- }
-
- for (i = 0; i < 99; i++) {
- el = d.getElementById("expression" + i);
- //row_v = d.getElementById("tr_view_" + i);
+ el = d.getElementById("table_acls" + "expression" + i);
row_e = d.getElementById("tr_edit_" + i);
- if (!el)
+ row_v = d.getElementById("tr_viewdetail_" + i);
+ if (!el || !row_e)
continue;
for (j = 0; j < count; j++) {
if (acl[j] == el.value) {
if (mode[j] != '' && mode[j] != type) {
- //Effect.Fade(row_v,{ duration: 1.0 });
Effect.Fade(row_e,{ duration: 1.0 });
+ if (row_v) {
+ Effect.Fade(row_v,{ duration: 1.0 });
+ }
} else {
- //Effect.Appear(row_v,{ duration: 1.0 });
Effect.Appear(row_e,{ duration: 1.0 });
+ if (row_v) {
+ Effect.Appear(row_v,{ duration: 1.0 });
+ }
}
}
}
}
-
}
</script>
<?php include("fbegin.inc"); ?>
<?php if ($input_errors) print_input_errors($input_errors); ?>
-<?php if($one_two): ?>
-<p class="pgtitle"><?=$pgtitle?></p>
-<?php endif; ?>
<form action="haproxy_listeners_edit.php" method="post" name="iform" id="iform">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="tabnavtbl">
@@ -566,21 +619,19 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
<?
$counter=0;
$a_extaddr = $pconfig['a_extaddr'];
- $htmllist_extadd = new HaproxyHtmlList("table_extaddr", $fields_externalAddress);
- $htmllist_extadd->editmode = true;
- $htmllist_extadd->Draw($a_extaddr);
+ $htmllist_extaddr->Draw($a_extaddr);
?>
<script type="text/javascript">
- function table_extaddr_row_added(tableid, rowid){
- new AutoSuggestControl(document.getElementById("extaddr_custom"+rowid), new StateSuggestions(address_array));
- new AutoSuggestControl(document.getElementById("extaddr_port"+rowid), new StateSuggestions(port_array));
- table_extaddr_listitem_change(tableid,"",rowid, null);//disables address when not set to custom.
+ function table_extaddr_row_added(tableId, rowId){
+ new AutoSuggestControl(document.getElementById(tableId+"extaddr_custom"+rowId), new StateSuggestions(address_array));
+ new AutoSuggestControl(document.getElementById(tableId+"extaddr_port"+rowId), new StateSuggestions(port_array));
+ table_extaddr_listitem_change(tableId,"",rowId, null);//disables address when not set to custom.
}
function table_extaddr_listitem_change(tableId, fieldId, rowNr, field) {
if (fieldId == "extaddr" || fieldId == "") {
- field = field || document.getElementById("extaddr"+rowNr);
- customEdit = document.getElementById("extaddr_custom"+rowNr);
+ field = field || document.getElementById(tableId+"extaddr"+rowNr);
+ customEdit = document.getElementById(tableId+"extaddr_custom"+rowNr);
customdisabled = field.value == "custom" ? 0 : 1;
customEdit.disabled = customdisabled;
}
@@ -607,23 +658,6 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
<input name="max_connections" type="text" <?if(isset($pconfig['max_connections'])) echo "value=\"{$pconfig['max_connections']}\"";?> size="10" maxlength="10" />
</td>
</tr>
- <tr>
- <td width="22%" valign="top" class="vncellreq">Backend server pool</td>
- <td width="78%" class="vtable">
-
- <select id="backend_serverpool" name="backend_serverpool" class="formfld">
- <?php
- if (is_array($a_pools)) {
- foreach ($a_pools as $p) {
- $selected = $p['name'] == $pconfig['backend_serverpool'] ? 'selected' : '';
- $name = htmlspecialchars("{$p['name']}");
- echo "<option value=\"{$p['name']}\" $selected>$name</option>";
- }
- } else {
- echo "<option value=\"-\">-</option>";
- }
- ?>
- </select>
<tr class="haproxy_primary" align="left">
<td width="22%" valign="top" class="vncellreq">Type</td>
<td width="78%" class="vtable" colspan="2">
@@ -644,11 +678,74 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
<td width="78%" class="vtable" colspan="2" valign="top">
<?
$a_acl = $pconfig['a_acl'];
- haproxy_htmllist("tableA_acltable", $a_acl, $fields_aclSelectionList, true);
+ $htmllist_acls->Draw($a_acl);
?>
<br/>
- acl's with the same name wil be 'combined', acl's with different names will be evaluated seperately.<br/>
- For more information about ACL's please see <a href='http://haproxy.1wt.eu/download/1.5/doc/configuration.txt' target='_blank'>HAProxy Documentation</a> Section 7 - Using ACL's
+ Example:
+ <table border='1' style='border-collapse:collapse'>
+ <tr>
+ <td><b>Name</b></td>
+ <td><b>Expression</b></td>
+ <td><b>Not</b></td>
+ <td><b>Value</b></td>
+ </tr>
+ <tr>
+ <td>Backend1acl</td>
+ <td>Host matches</td>
+ <td></td>
+ <td>www.yourdomain.tld</td>
+ </tr>
+ <tr>
+ <td>addHeaderAcl</td>
+ <td>SSL Client certificate valid</td>
+ <td></td>
+ <td></td>
+ </tr>
+ </table>
+ <br/>
+ acl's with the same name will be 'combined' using OR criteria.<br/>
+ For more information about ACL's please see <a href='http://haproxy.1wt.eu/download/1.5/doc/configuration.txt' target='_blank'>HAProxy Documentation</a> Section 7 - Using ACL's<br/><br/>
+ <strong>NOTE Important change in behaviour, since package version 0.32</strong><br/>
+ -acl's are no longer combined with logical AND operators, list multiple acl's below where needed.<br/>
+ -acl's alone no longer implicitly generate use_backend configuration. Add 'actions' below to accomplish this behaviour.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Actions</td>
+ <td width="78%" class="vtable" colspan="2" valign="top">
+ <?
+ $a_actionitems = $pconfig['a_actionitems'];
+ $htmllist_actions->Draw($a_actionitems);
+ ?>
+ <br/>
+ Example:
+ <table border='1' style='border-collapse:collapse'>
+ <tr>
+ <td><b>Action</b></td>
+ <td><b>Parameters</b></td>
+ <td><b>Condition</b></td>
+ </tr>
+ <tr>
+ <td>Use Backend</td>
+ <td>Website1Backend</td>
+ <td>Backend1acl</td>
+ </tr>
+ <tr>
+ <td>http-request header set</td>
+ <td>Headername: X-HEADER-ClientCertValid<br/>New logformat value: YES</td>
+ <td>addHeaderAcl</td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Default Backend</td>
+ <td width="78%" class="vtable">
+ <?php
+ $listitem_none['']['name']="None";
+ $backends = $listitem_none + $backends;
+ echo_html_select("backend_serverpool", $backends, $pconfig['backend_serverpool'] ? $pconfig['backend_serverpool'] : "none", "", "updatevisibility();");
+ ?>
</td>
</tr>
<tr class="haproxy_primary"><td>&nbsp;</td></tr>
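Review bot: The fallback selected value passed to `echo_html_select` is `"none"`, but the entry added just above is keyed by the empty string (`$listitem_none['']`), so when no default backend is configured nothing in the list matches; pass the empty key instead, `$pconfig['backend_serverpool'] ? $pconfig['backend_serverpool'] : ""`. `echo_html_select` is defined outside this diff section, so how it treats an unmatched value is not visible here. The `<select>` this replaces ran each pool name through `htmlspecialchars()`; confirm the helper does the same for option labels and values. `$listitem_none` should be initialised with `array()` before the indexed assignment.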
@@ -704,6 +801,23 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
address and ports. In http mode also the HTTP request and captured headers and cookies will be logged.</div>
</td>
</tr>
+ <tr><td>&nbsp;</td></tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic">Error files</td>
+ </tr>
+ <tr class="" align="left" id='errorfiles'>
+ <td colspan="2" valign="top" class="vtable">
+ Use these to replace the error pages that haproxy can generate by custom pages created on the files tab.
+ For example haproxy will generate a 503 error page when no backend is available, you can replace that page here.
+ <br/>
+ <br/>
+ <?
+ $a_errorfiles = $pconfig['a_errorfiles'];
+ $errorfileslist->Draw($a_errorfiles);
+ ?>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr>
</table>
<br/>&nbsp;<br/>
<table class="haproxy_primary" width="100%" border="0" cellpadding="6" cellspacing="0">
@@ -785,6 +899,7 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
Choose the cert to use on this frontend.
<br/>
<input id="ssloffloadacl" name="ssloffloadacl" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacl']=='yes') echo "checked";?> onclick="updatevisibility();" />Add ACL for certificate CommonName. (host header matches the 'CN' of the certificate)<br/>
+ <input id="ssloffloadacl_an" name="ssloffloadacl_an" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacl_an']=='yes') echo "checked";?> onclick="updatevisibility();" />Add ACL for certificate Subject Alternative Names.<br/>
</td>
</tr>
<tr class="haproxy_ssloffloading_enabled" align="left">
@@ -799,10 +914,12 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
Which of these certificate will be send will be determined by haproxys SNI recognition. If the browser does not send SNI this will not work properly. (IE on XP is one example, possibly also older browsers or mobile devices)
<?
$a_certificates = $pconfig['a_certificates'];
- haproxy_htmllist("tableA_sslCertificates", $a_certificates, $fields_sslCertificates);
+ //haproxy_htmllist("tableA_sslCertificates", $a_certificates, $fields_sslCertificates);
+ $htmllist_sslCertificates->Draw($a_certificates);
?>
<br/>
<input id="ssloffloadacladditional" name="ssloffloadacladditional" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacladditional']=='yes') echo "checked";?> onclick="updatevisibility();" />Add ACL for certificate CommonName. (host header matches the 'CN' of the certificate)<br/>
+ <input id="ssloffloadacladditional_an" name="ssloffloadacladditional_an" type="checkbox" value="yes" <?php if ($pconfig['ssloffloadacladditional_an']=='yes') echo "checked";?> onclick="updatevisibility();" />Add ACL for certificate Subject Alternative Names.<br/>
</td>
</tr>
<tr class="haproxy_ssloffloading_enabled haproxy_primary" align="left">
@@ -843,7 +960,7 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
Client certificate will be verified against these CA certificates.
<?
$a_certificates = $pconfig['clientcert_ca'];
- haproxy_htmllist("table_clientcert_ca", $a_certificates, $fields_caCertificates);
+ $htmllist_caCertificates->Draw($a_certificates);
?>
</td>
</tr>
@@ -853,7 +970,7 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
Client certificate will be verified against these CRL revocation lists.
<?
$a_certificates = $pconfig['clientcert_crl'];
- haproxy_htmllist("table_clientcert_crl", $a_certificates, $fields_crlCertificates);
+ $htmllist_crlCertificates->Draw($a_certificates);
?>
</td>
</tr>
@@ -883,15 +1000,26 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
<br/>
<script type="text/javascript">
<?
+ // On gui descriptions when a closetype has been selected..
+ phparray_to_javascriptarray($a_closetypes, "closetypes", Array('/*', '/*/name', '/*/descr'));
+
+ // To find 'type' of frontend to show proper acl's ??
phparray_to_javascriptarray($primaryfrontends,"primaryfrontends",Array('/*',
- '/*/name','/*/ref','/*/ref/type','/*/ref/a_extaddr','/*/ref/a_extaddr/item','/*/ref/a_extaddr/item/*',
+ '/*/name', '/*/ref', '/*/ref/type', '/*/ref/a_extaddr', '/*/ref/a_extaddr/item', '/*/ref/a_extaddr/item/*',
'/*/ref/a_extaddr/item/*/extaddr_ssl'));
- phparray_to_javascriptarray($a_closetypes,"closetypes",Array('/*','/*/name','/*/descr'));
- phparray_to_javascriptarray($fields_sslCertificates,"fields_sslCertificates",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
- phparray_to_javascriptarray($fields_caCertificates,"fields_ca",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
- phparray_to_javascriptarray($fields_crlCertificates,"fields_crl",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
- phparray_to_javascriptarray($fields_aclSelectionList,"fields_acltable",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
- phparray_to_javascriptarray($fields_externalAddress,"fields_extaddr",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
+
+ phparray_to_javascriptarray($a_action, "showhide_actionfields",
+ Array('/*', '/*/fields', '/*/fields/*', '/*/fields/*/name'));
+ phparray_to_javascriptarray($a_acltypes, "showhide_aclfields",
+ Array('/*', '/*/fields', '/*/fields/*', '/*/fields/*/name'));
+
+ $htmllist_extaddr->outputjavascript();
+ $htmllist_acls->outputjavascript();
+ $htmllist_actions->outputjavascript();
+ $errorfileslist->outputjavascript();
+ $htmllist_sslCertificates->outputjavascript();
+ $htmllist_caCertificates->outputjavascript();
+ $htmllist_crlCertificates->outputjavascript();
?>
</script>
<script type="text/javascript">
@@ -902,12 +1030,64 @@ $primaryfrontends = get_haproxy_frontends($excludefrontend);
for(i=0;i < <?=count($a_extaddr)?>;i++){
- new AutoSuggestControl(document.getElementById('extaddr_custom'+i), new StateSuggestions(address_array));
- new AutoSuggestControl(document.getElementById('extaddr_port'+i), new StateSuggestions(port_array));
+ new AutoSuggestControl(document.getElementById('table_extaddrextaddr_custom'+i), new StateSuggestions(address_array));
+ new AutoSuggestControl(document.getElementById('table_extaddrextaddr_port'+i), new StateSuggestions(port_array));
// Initially set fields disabled where needed
table_extaddr_listitem_change('table_extaddr','',i,null);
}
+ function table_acls_listitem_change(tableId, fieldId, rowNr, field) {
+ if (fieldId = "toggle_details") {
+ fieldId = "expression";
+ field = d.getElementById(tableId+"expression"+rowNr);
+ }
+ if (fieldId = "expression") {
+ var actiontype = field.value;
+
+ var table = d.getElementById(tableId);
+
+ for(var actionkey in showhide_aclfields) {
+ var fields = showhide_aclfields[actionkey]['fields'];
+ for(var fieldkey in fields){
+ var fieldname = fields[fieldkey]['name'];
+ var rowid = "tr_edititemdetails_"+rowNr+"_"+actionkey+fieldname;
+ var element = d.getElementById(rowid);
+
+ if (actionkey == actiontype)
+ element.style.display = '';
+ else
+ element.style.display = 'none';
+ }
+ }
+ }
+ }
+
+ function table_actions_listitem_change(tableId, fieldId, rowNr, field) {
+ if (fieldId = "toggle_details") {
+ fieldId = "action";
+ field = d.getElementById(tableId+"action"+rowNr);
+ }
+ if (fieldId = "action") {
+ var actiontype = field.value;
+
+ var table = d.getElementById(tableId);
+
+ for(var actionkey in showhide_actionfields) {
+ var fields = showhide_actionfields[actionkey]['fields'];
+ for(var fieldkey in fields){
+ var fieldname = fields[fieldkey]['name'];
+ var rowid = "tr_edititemdetails_"+rowNr+"_"+actionkey+fieldname;
+ var element = d.getElementById(rowid);
+
+ if (actionkey == actiontype)
+ element.style.display = '';
+ else
+ element.style.display = 'none';
+ }
+ }
+ }
+ }
+
updatevisibility();
</script>
<?php
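Review bot: Both new handlers test `fieldId` with `=` instead of a comparison, so `if (fieldId = "toggle_details")` and `if (fieldId = "expression")` in table_acls_listitem_change (and the same pair with `"action"` in table_actions_listitem_change) assign the string and are always true. As written, a change event on any column overwrites `field` with the expression/action select and re-runs the show/hide loop; the conditions should read `if (fieldId === "toggle_details")` and `if (fieldId === "expression")` (respectively `"action"`). `d.getElementById(rowid)` can return null when a details row is not rendered, so the loop wants `if (!element) continue;` before touching `element.style`, and `var table` is never used. The identical functions added to haproxy_pool_edit.php (hunk `@@ -1030,17 +1251,78 @@`) carry the same defect.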
diff --git a/config/haproxy-devel/www/haproxy_pool_edit.php b/config/haproxy-devel/www/haproxy_pool_edit.php
index 6cd78741..2b4787f3 100644
--- a/config/haproxy-devel/www/haproxy_pool_edit.php
+++ b/config/haproxy-devel/www/haproxy_pool_edit.php
@@ -48,7 +48,7 @@ if (isset($_POST['id']))
$id = $_POST['id'];
else
$id = $_GET['id'];
-
+
$tmp = get_backend_id($id);
if (is_numeric($tmp))
$id = $tmp;
@@ -58,7 +58,9 @@ if (isset($_GET['dup']))
global $simplefields;
$simplefields = array(
-"name","balance","transparent_clientip","transparent_interface",
+"name",
+"balance","balance_urilen","balance_uridepth","balance_uriwhole",
+"transparent_clientip","transparent_interface",
"check_type","checkinter","log-health-checks","httpcheck_method","monitor_uri","monitor_httpversion","monitor_username","monitor_domain","monitor_agentport",
"agent_check","agent_port","agent_inter",
"connection_timeout","server_timeout","retries",
@@ -194,21 +196,137 @@ $fields_errorfile[1]['type']="select";
$fields_errorfile[1]['size']="170px";
$fields_errorfile[1]['items']=&$a_files;
+$serverslist = new HaproxyHtmlList("tableA_servers", $fields_servers);
+$serverslist->keyfield = "name";
+$serverslist->fields_details = $fields_servers_details;
+
+$errorfileslist = new HaproxyHtmlList("table_errorfile", $fields_errorfile);
+$errorfileslist->keyfield = "errorcode";
+
+
+
+$fields_aclSelectionList=array();
+$fields_aclSelectionList[0]['name']="name";
+$fields_aclSelectionList[0]['columnheader']="Name";
+$fields_aclSelectionList[0]['colwidth']="30%";
+$fields_aclSelectionList[0]['type']="textbox";
+$fields_aclSelectionList[0]['size']="20";
+
+$fields_aclSelectionList[1]['name']="expression";
+$fields_aclSelectionList[1]['columnheader']="Expression";
+$fields_aclSelectionList[1]['colwidth']="30%";
+$fields_aclSelectionList[1]['type']="select";
+$fields_aclSelectionList[1]['size']="10";
+$fields_aclSelectionList[1]['items']=&$a_acltypes;
+
+$fields_aclSelectionList[2]['name']="not";
+$fields_aclSelectionList[2]['columnheader']="Not";
+$fields_aclSelectionList[2]['colwidth']="5%";
+$fields_aclSelectionList[2]['type']="checkbox";
+$fields_aclSelectionList[2]['size']="5";
+
+$fields_aclSelectionList[3]['name']="value";
+$fields_aclSelectionList[3]['columnheader']="Value";
+$fields_aclSelectionList[3]['colwidth']="35%";
+$fields_aclSelectionList[3]['type']="textbox";
+$fields_aclSelectionList[3]['size']="35";
+
+$fields_actions=array();
+$fields_actions[0]['name']="action";
+$fields_actions[0]['columnheader']="Action";
+$fields_actions[0]['colwidth']="30%";
+$fields_actions[0]['type']="select";
+$fields_actions[0]['size']="200px";
+$fields_actions[0]['items']=&$a_action;
+$fields_actions[1]['name']="parameters";
+$fields_actions[1]['columnheader']="Parameters";
+$fields_actions[1]['colwidth']="30%";
+$fields_actions[1]['type']="fixedtext";
+$fields_actions[1]['size']="200px";
+$fields_actions[1]['text']="See below";
+$fields_actions[2]['name']="acl";
+$fields_actions[2]['columnheader']="Condition acl names";
+$fields_actions[2]['colwidth']="15%";
+$fields_actions[2]['type']="textbox";
+$fields_actions[2]['size']="40";
+
+
+$fields_actions_details=array();
+foreach($a_action as $key => $action) {
+ if (is_array($action['fields'])) {
+ foreach($action['fields'] as $field) {
+ $item = $field;
+ $name = $key . $item['name'];
+ $item['name'] = $name;
+ $item['columnheader'] = $field['name'];
+ $item['customdrawcell'] = customdrawcell_actions;
+ $fields_actions_details[$name] = $item;
+ }
+ }
+}
+
+$a_acltypes["backendservercount"]['fields']['backend']['items'] = &$backends;
+$fields_acl_details=array();
+foreach($a_acltypes as $key => $action) {
+ if (is_array($action['fields'])) {
+ foreach($action['fields'] as $field) {
+ $item = $field;
+ $name = $key . $item['name'];
+ $item['name'] = $name;
+ $item['columnheader'] = $field['name'];
+ $item['customdrawcell'] = customdrawcell_actions;
+ $fields_acl_details[$name] = $item;
+ }
+ }
+}
+
+function customdrawcell_actions($object, $item, $itemvalue, $editable, $itemname, $counter) {
+ if ($editable) {
+ $object->haproxy_htmllist_drawcell($item, $itemvalue, $editable, $itemname, $counter);
+ } else {
+ //TODO hide fields not applicable.?.
+ echo $itemvalue;
+ }
+}
+
+$htmllist_acls = new HaproxyHtmlList("table_acls", $fields_aclSelectionList);
+$htmllist_acls->fields_details = $fields_acl_details;
+$htmllist_acls->editmode = true;
+
+$htmllist_actions = new HaproxyHtmlList("table_actions", $fields_actions);
+$htmllist_actions->fields_details = $fields_actions_details;
+$htmllist_actions->keyfield = "name";
+
+
if (isset($id) && $a_pools[$id]) {
+ $pconfig['a_acl'] = &$a_pools[$id]['a_acl']['item'];
+ if (!is_array($pconfig['a_acl'])) {
+ $pconfig['a_acl'] = array();
+ }
+ $pconfig['a_actionitems'] = &$a_pools[$id]['a_actionitems']['item'];
+ if (!is_array($pconfig['a_actionitems'])) {
+ $pconfig['a_actionitems'] = array();
+ }
$pconfig['advanced'] = base64_decode($a_pools[$id]['advanced']);
$pconfig['advanced_backend'] = base64_decode($a_pools[$id]['advanced_backend']);
- $pconfig['a_servers']=&$a_pools[$id]['ha_servers']['item'];
+
+
+ $a_servers = &$a_pools[$id]['ha_servers']['item'];
foreach($simplefields as $stat)
$pconfig[$stat] = $a_pools[$id][$stat];
+
$a_errorfiles = &$a_pools[$id]['errorfiles']['item'];
- if (!is_array($a_errorfiles)) $a_errorfiles = array();
+ if (!is_array($a_errorfiles)) {
+ $a_errorfiles = array();
+ }
}
-if (isset($_GET['dup']))
+if (isset($_GET['dup'])) {
unset($id);
-
+ $pconfig['name'] .= "-copy";
+}
$changedesc = "Services: HAProxy: Backend server pool: ";
$changecount = 0;
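Review bot: `customdrawcell_actions` prints stored values raw in its read-only branch (`echo $itemvalue;`), so unless `Draw()` escapes before invoking the callback (not visible here) an ACL value or action parameter saved through the form is emitted into the admin page as markup. Escape at the point of output with `echo htmlspecialchars($itemvalue);`. The callback is also assigned as a bare word in both loops (`$item['customdrawcell'] = customdrawcell_actions;`), which PHP resolves as an undefined constant; quote it as `'customdrawcell_actions'`. `$htmllist_actions->keyfield = "name";` names a field that `$fields_actions` does not define (its fields are action, parameters and acl), which is worth confirming against HaproxyHtmlList.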
@@ -265,7 +383,9 @@ if ($_POST) {
if (($_POST['name'] == $config['installedpackages']['haproxy']['ha_pools']['item'][$i]['name']) && ($i != $id))
$input_errors[] = "This pool name has already been used. Pool names must be unique.";
- $a_servers = haproxy_htmllist_get_values(array_merge($fields_servers,$fields_servers_details));
+ $pconfig['a_acl'] = $htmllist_acls->haproxy_htmllist_get_values();
+ $pconfig['a_actionitems'] = $htmllist_actions->haproxy_htmllist_get_values();
+ $a_servers = $serverslist->haproxy_htmllist_get_values();
foreach($a_servers as $server){
$server_name = $server['name'];
$server_address = $server['address'];
@@ -294,66 +414,75 @@ if ($_POST) {
$input_errors[] = "The field 'Port' value is not a number.";
}
- $a_errorfiles = haproxy_htmllist_get_values($fields_errorfile);
+ $a_errorfiles = $errorfileslist->haproxy_htmllist_get_values();
if ($_POST['strict_transport_security'] !== "" && !is_numeric($_POST['strict_transport_security']))
$input_errors[] = "The field 'Strict-Transport-Security' is not empty or a number.";
-// if (!$input_errors) {
- $pool = array();
- if(isset($id) && $a_pools[$id])
- $pool = $a_pools[$id];
-
- if ($pool['name'] != $_POST['name']) {
- // name changed:
- if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) {
- $config['installedpackages']['haproxy']['ha_backends']['item'] = array();
- }
- $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+ $pool = array();
+ if(isset($id) && $a_pools[$id])
+ $pool = $a_pools[$id];
+
+ if (!empty($pool['name']) && ($pool['name'] != $_POST['name'])) {
+ //old $pool['name'] can be empty if a new or cloned item is saved, nothing should be renamed then
+ // name changed:
+ $oldvalue = $pool['name'];
+ $newvalue = $_POST['name'];
+
+ $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+ if (!is_array($a_backend)) {
+ $a_backend = array();
+ }
- for ( $i = 0; $i < count($a_backend); $i++) {
- if ($a_backend[$i]['backend_serverpool'] == $pool['name'])
- $a_backend[$i]['backend_serverpool'] = $_POST['name'];
+ for ( $i = 0; $i < count($a_backend); $i++) {
+ $backend = &$a_backend[$i];
+ if ($a_backend[$i]['backend_serverpool'] == $oldvalue) {
+ $a_backend[$i]['backend_serverpool'] = $newvalue;
+ }
+ if (is_array($backend['a_actionitems']['item'])) {
+ foreach($backend['a_actionitems']['item'] as &$item) {
+ if ($item['action'] == "use_backend") {
+ if ($item['use_backendbackend'] == $oldvalue) {
+ $item['use_backendbackend'] = $newvalue;
+ }
+ }
+ }
}
}
+ }
- if($pool['name'] != "")
- $changedesc .= " modified pool: '{$pool['name']}'";
+ if($pool['name'] != "")
+ $changedesc .= " modified pool: '{$pool['name']}'";
+ $pool['ha_servers']['item'] = $a_servers;
+ $pool['a_acl']['item'] = $pconfig['a_acl'];
+ $pool['a_actionitems']['item'] = $pconfig['a_actionitems'];
- $pool['ha_servers']['item']=$a_servers;
+ update_if_changed("advanced", $pool['advanced'], base64_encode($_POST['advanced']));
+ update_if_changed("advanced_backend", $pool['advanced_backend'], base64_encode($_POST['advanced_backend']));
- update_if_changed("advanced", $pool['advanced'], base64_encode($_POST['advanced']));
- update_if_changed("advanced_backend", $pool['advanced_backend'], base64_encode($_POST['advanced_backend']));
+ global $simplefields;
+ foreach($simplefields as $stat)
+ update_if_changed($stat, $pool[$stat], $_POST[$stat]);
- global $simplefields;
- foreach($simplefields as $stat)
- update_if_changed($stat, $pool[$stat], $_POST[$stat]);
-
- if (isset($id) && $a_pools[$id]) {
- $a_pools[$id] = $pool;
- } else {
- $a_pools[] = $pool;
- }
+ if (isset($id) && $a_pools[$id]) {
+ $a_pools[$id] = $pool;
+ } else {
+ $a_pools[] = $pool;
+ }
if (!isset($input_errors)) {
if ($changecount > 0) {
touch($d_haproxyconfdirty_path);
- write_config($changedesc);
- /*
- echo "<PRE>";
- print_r($config);
- echo "</PRE>";
- */
+ write_config($changedesc);
}
-
header("Location: haproxy_pools.php");
exit;
}
- $pconfig['a_servers']=&$a_pools[$id]['ha_servers']['item'];
}
$closehead = false;
$pgtitle = "HAProxy: Backend server pool: Edit";
include("head.inc");
+haproxy_css();
// 'processing' done, make all simple fields usable in html.
foreach($simplefields as $field){
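Review bot: The rename loop binds `$backend = &$a_backend[$i];` and iterates `foreach($backend['a_actionitems']['item'] as &$item)` without releasing either reference, so both names stay aliased to entries of `$config` after the loop and a later assignment to them on this page would write into the configuration. Add `unset($item);` after the inner foreach and `unset($backend);` at the end of each iteration, and use `$backend` consistently rather than mixing it with `$a_backend[$i]`. Separately, the new `balance_urilen` and `balance_uridepth` fields are saved through the `$simplefields` loop, and no numeric check for them is visible in this hunk next to the existing 'Port' and 'Strict-Transport-Security' checks; a guard such as `if ($_POST['balance_urilen'] !== "" && !is_numeric($_POST['balance_urilen'])) $input_errors[] = "The field 'Len' value is not a number.";` (and the same for depth) would keep free text out of the generated haproxy configuration. The enclosing `if ($_POST)` block starts outside this hunk.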
@@ -379,16 +508,6 @@ foreach($simplefields as $field){
</head>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<script type="text/javascript">
- function htmllist_get_select_options(tableId, fieldname) {
- if (fieldname == 'forwardto')
- return "<?=haproxy_js_select_options($primaryfrontends);?>";
- else
- if (fieldname == 'errorfile')
- return "<?=haproxy_js_select_options($a_files);?>";
- else
- return "<?=haproxy_js_select_options($a_servermodes);?>";
- }
-
function clearcombo(){
for (var i=document.iform.serversSelect.options.length-1; i>=0; i--){
document.iform.serversSelect.options[i] = null;
@@ -498,8 +617,7 @@ foreach($simplefields as $field){
</span>
<?
$counter=0;
- $a_servers = $pconfig['a_servers'];
- haproxy_htmllist("tableA_servers", $a_servers, $fields_servers, null, $fields_servers_details);
+ $serverslist->Draw($a_servers);
?>
<table class="haproxy_help_serverlist" style="border:1px dashed green" cellspacing="0">
<tr><td class="vncell">
@@ -528,66 +646,104 @@ foreach($simplefields as $field){
<tr align="left">
<td width="22%" valign="top" class="vncellreq">Balance</td>
<td width="78%" class="vtable" colspan="1">
- <table width="100%">
+ <table width="100%" cellspacing="0">
<tr>
- <td width="25%" valign="top">
+ <td class="vncell" width="25%" valign="top">
+ <input type="radio" name="balance" value=""<?php if(empty($pconfig['balance'])) echo " CHECKED"; ?> />None
+ </td>
+ <td class="vncell">
+ This allows writing your own custom balance settings into the advanced section.
+ Or when you have no need for balancing with only 1 server.
+ </td>
+ </tr>
+ <tr>
+ <td class="vncell" width="25%" valign="top">
<input type="radio" name="balance" value="roundrobin"<?php if($pconfig['balance'] == "roundrobin") echo " CHECKED"; ?> />Round robin
</td>
- <td>
- Each server is used in turns, according to their weights.
- This is the smoothest and fairest algorithm when the server's
- processing time remains equally distributed. This algorithm
- is dynamic, which means that server weights may be adjusted
- on the fly for slow starts for instance.
+ <td class="vncell">
+ Each server is used in turns, according to their weights.
+ This is the smoothest and fairest algorithm when the server's
+ processing time remains equally distributed. This algorithm
+ is dynamic, which means that server weights may be adjusted
+ on the fly for slow starts for instance.
</td>
</tr>
<tr>
- <td width="25%" valign="top">
+ <td class="vncell" width="25%" valign="top">
<input type="radio" name="balance" value="static-rr"<?php if($pconfig['balance'] == "static-rr") echo " CHECKED"; ?> />Static Round Robin
</td>
- <td>
+ <td class="vncell">
Each server is used in turns, according to their weights.
- This algorithm is as similar to roundrobin except that it is
- static, which means that changing a server's weight on the
- fly will have no effect. On the other hand, it has no design
- limitation on the number of servers, and when a server goes
- up, it is always immediately reintroduced into the farm, once
- the full map is recomputed. It also uses slightly less CPU to
- run (around -1%).
+ This algorithm is as similar to roundrobin except that it is
+ static, which means that changing a server's weight on the
+ fly will have no effect. On the other hand, it has no design
+ limitation on the number of servers, and when a server goes
+ up, it is always immediately reintroduced into the farm, once
+ the full map is recomputed. It also uses slightly less CPU to
+ run (around -1%).
</td>
</tr>
<tr>
- <td width="25%" valign="top">
+ <td class="vncell" width="25%" valign="top">
<input type="radio" name="balance" value="leastconn"<?php if($pconfig['balance'] == "leastconn") echo " CHECKED"; ?> />Least Connections
</td>
- <td>
- The server with the lowest number of connections receives the
- connection. Round-robin is performed within groups of servers
- of the same load to ensure that all servers will be used. Use
- of this algorithm is recommended where very long sessions are
- expected, such as LDAP, SQL, TSE, etc... but is not very well
- suited for protocols using short sessions such as HTTP. This
- algorithm is dynamic, which means that server weights may be
- adjusted on the fly for slow starts for instance.
+ <td class="vncell">
+ The server with the lowest number of connections receives the
+ connection. Round-robin is performed within groups of servers
+ of the same load to ensure that all servers will be used. Use
+ of this algorithm is recommended where very long sessions are
+ expected, such as LDAP, SQL, TSE, etc... but is not very well
+ suited for protocols using short sessions such as HTTP. This
+ algorithm is dynamic, which means that server weights may be
+ adjusted on the fly for slow starts for instance.
</td>
</tr>
- <tr><td valign="top"><input type="radio" name="balance" value="source"<?php if($pconfig['balance'] == "source") echo " CHECKED"; ?> />Source
- </td>
- <td>
- The source IP address is hashed and divided by the total
- weight of the running servers to designate which server will
- receive the request. This ensures that the same client IP
- address will always reach the same server as long as no
- server goes down or up. If the hash result changes due to the
- number of running servers changing, many clients will be
- directed to a different server. This algorithm is generally
- used in TCP mode where no cookie may be inserted. It may also
- be used on the Internet to provide a best-effort stickyness
- to clients which refuse session cookies. This algorithm is
- static, which means that changing a server's weight on the
- fly will have no effect.
+ <tr>
+ <td class="vncell" valign="top">
+ <input type="radio" name="balance" value="source"<?php if($pconfig['balance'] == "source") echo " CHECKED"; ?> />Source
+ </td>
+ <td class="vncell">
+ The source IP address is hashed and divided by the total
+ weight of the running servers to designate which server will
+ receive the request. This ensures that the same client IP
+ address will always reach the same server as long as no
+ server goes down or up. If the hash result changes due to the
+ number of running servers changing, many clients will be
+ directed to a different server. This algorithm is generally
+ used in TCP mode where no cookie may be inserted. It may also
+ be used on the Internet to provide a best-effort stickyness
+ to clients which refuse session cookies. This algorithm is
+ static, which means that changing a server's weight on the
+ fly will have no effect.
+ </td>
+ </tr>
+ <tr>
+ <td class="vncell" valign="top">
+ <input type="radio" name="balance" value="uri"<?php if($pconfig['balance'] == "uri") echo " CHECKED"; ?> />Uri (HTTP backends only)
+ </td>
+ <td class="vncell">
+ This algorithm hashes either the left part of the URI (before
+ the question mark) or the whole URI (if the "whole" parameter
+ is present) and divides the hash value by the total weight of
+ the running servers. The result designates which server will
+ receive the request. This ensures that the same URI will
+ always be directed to the same server as long as no server
+ goes up or down. This is used with proxy caches and
+ anti-virus proxies in order to maximize the cache hit rate.
+ Note that this algorithm may only be used in an HTTP backend.<br/>
+ <input name="balance_urilen" size="10" value="<?=$pconfig['balance_urilen']?>" />Len (optional) <br/>
+ The "len" parameter
+ indicates that the algorithm should only consider that many
+ characters at the beginning of the URI to compute the hash.<br/>
+ <input name="balance_uridepth" size="10" value="<?=$pconfig['balance_uridepth']?>" />Depth (optional) <br/>
+ The "depth" parameter indicates the maximum directory depth
+ to be used to compute the hash. One level is counted for each
+ slash in the request.<br/>
+ <input id="balance_uriwhole" name="balance_uriwhole" type="checkbox" value="yes" <?php if ($pconfig['balance_uriwhole']=='yes') echo "checked"; ?> />
+ Allow using whole URI including url parameters behind a question mark.
</td>
</tr>
+ <!-- TODO add some other balance methods -->
</table>
</td>
</tr>
@@ -636,6 +792,71 @@ foreach($simplefields as $field){
<br/>
NOTE: paste text into this box that you would like to pass thru. Applied to the backend section.
</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">Access Control lists</td>
+ <td width="78%" class="vtable" colspan="2" valign="top">
+ <?
+ $a_acl = $pconfig['a_acl'];
+ $htmllist_acls->Draw($a_acl);
+ ?>
+ <br/>
+ Example:
+ <table border='1' style='border-collapse:collapse'>
+ <tr>
+ <td><b>Name</b></td>
+ <td><b>Expression</b></td>
+ <td><b>Not</b></td>
+ <td><b>Value</b></td>
+ </tr>
+ <tr>
+ <td>Backend1acl</td>
+ <td>Host matches</td>
+ <td></td>
+ <td>www.yourdomain.tld</td>
+ </tr>
+ <tr>
+ <td>addHeaderAcl</td>
+ <td>SSL Client certificate valid</td>
+ <td></td>
+ <td></td>
+ </tr>
+ </table>
+ <br/>
+ acl's with the same name will be 'combined' using OR criteria.<br/>
+ For more information about ACL's please see <a href='http://haproxy.1wt.eu/download/1.5/doc/configuration.txt' target='_blank'>HAProxy Documentation</a> Section 7 - Using ACL's<br/><br/>
+ <strong>NOTE Important change in behaviour, since package version 0.32</strong><br/>
+ -acl's are no longer combined with logical AND operators, list multiple acl's below where needed.<br/>
+ -acl's alone no longer implicitly generate use_backend configuration. Add 'actions' below to accomplish this behaviour.
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Actions</td>
+ <td width="78%" class="vtable" colspan="2" valign="top">
+ <?
+ $a_actionitems = $pconfig['a_actionitems'];
+ $htmllist_actions->Draw($a_actionitems);
+ ?>
+ <br/>
+ Example:
+ <table border='1' style='border-collapse:collapse'>
+ <tr>
+ <td><b>Action</b></td>
+ <td><b>Parameters</b></td>
+ <td><b>Condition</b></td>
+ </tr>
+ <tr>
+ <td>Use Backend</td>
+ <td>Website1Backend</td>
+ <td>Backend1acl</td>
+ </tr>
+ <tr>
+ <td>http-request header set</td>
+ <td>Headername: X-HEADER-ClientCertValid<br/>New logformat value: YES</td>
+ <td>addHeaderAcl</td>
+ </tr>
+ </table>
+ </td>
</tr>
<tr><td>&nbsp;</td></tr>
<tr>
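Review bot: The help link added in the ACL description opens a plain-HTTP page with `target='_blank'` and no `rel` attribute, which in older browsers gives the opened page a `window.opener` handle back to this admin page. Add `rel='noopener noreferrer'` to the anchor, and point it at an HTTPS copy of the HAProxy documentation if one is available. The same help block is added to the previous file's ACL section earlier in this diff.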
@@ -868,7 +1089,7 @@ set by the 'retries' parameter.</div>
</td>
</tr>
<tr><td>&nbsp;</td></tr>
- <? if (haproxy_verion() >= '1.6' ) { ?>
+ <? if (haproxy_version() >= '1.6' ) { ?>
<tr>
<td colspan="2" valign="top" class="listtopic">Email notifications</td>
</tr>
@@ -985,7 +1206,7 @@ set by the 'retries' parameter.</div>
<br/>
<br/>
<?
- haproxy_htmllist("table_errorfile", $a_errorfiles, $fields_errorfile);
+ $errorfileslist->Draw($a_errorfiles);
?>
</td>
</tr>
@@ -1030,17 +1251,78 @@ set by the 'retries' parameter.</div>
<br/>
<script type="text/javascript">
<?
- phparray_to_javascriptarray($fields_servers,"fields_servers",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
phparray_to_javascriptarray($fields_servers_details,"fields_details_servers",Array('/*','/*/name','/*/type'));
- phparray_to_javascriptarray($fields_errorfile,"fields_errorfile",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
phparray_to_javascriptarray($a_checktypes,"checktypes",Array('/*','/*/name','/*/descr'));
phparray_to_javascriptarray($a_cookiemode,"cookiemode",Array('/*','/*/name','/*/descr'));
phparray_to_javascriptarray($a_sticky_type,"sticky_type",Array('/*','/*/descr','/*/cookiedescr'));
- phparray_to_javascriptarray($a_files,"a_files",Array('/*','/*/name','/*/descr'));
+ //phparray_to_javascriptarray($a_files,"a_files",Array('/*','/*/name','/*/descr'));
+
+ phparray_to_javascriptarray($a_action, "showhide_actionfields",
+ Array('/*', '/*/fields', '/*/fields/*', '/*/fields/*/name'));
+ phparray_to_javascriptarray($a_acltypes, "showhide_aclfields",
+ Array('/*', '/*/fields', '/*/fields/*', '/*/fields/*/name'));
+
+ $serverslist->outputjavascript();
+ $errorfileslist->outputjavascript();
+ $htmllist_acls->outputjavascript();
+ $htmllist_actions->outputjavascript();
?>
browser_InnerText_support = (document.getElementsByTagName("body")[0].innerText != undefined) ? true : false;
-
+
totalrows = <?php echo $counter; ?>;
+
+ function table_acls_listitem_change(tableId, fieldId, rowNr, field) {
+ if (fieldId = "toggle_details") {
+ fieldId = "expression";
+ field = d.getElementById(tableId+"expression"+rowNr);
+ }
+ if (fieldId = "expression") {
+ var actiontype = field.value;
+
+ var table = d.getElementById(tableId);
+
+ for(var actionkey in showhide_aclfields) {
+ var fields = showhide_aclfields[actionkey]['fields'];
+ for(var fieldkey in fields){
+ var fieldname = fields[fieldkey]['name'];
+ var rowid = "tr_edititemdetails_"+rowNr+"_"+actionkey+fieldname;
+ var element = d.getElementById(rowid);
+
+ if (actionkey == actiontype)
+ element.style.display = '';
+ else
+ element.style.display = 'none';
+ }
+ }
+ }
+ }
+
+ function table_actions_listitem_change(tableId, fieldId, rowNr, field) {
+ if (fieldId = "toggle_details") {
+ fieldId = "action";
+ field = d.getElementById(tableId+"action"+rowNr);
+ }
+ if (fieldId = "action") {
+ var actiontype = field.value;
+
+ var table = d.getElementById(tableId);
+
+ for(var actionkey in showhide_actionfields) {
+ var fields = showhide_actionfields[actionkey]['fields'];
+ for(var fieldkey in fields){
+ var fieldname = fields[fieldkey]['name'];
+ var rowid = "tr_edititemdetails_"+rowNr+"_"+actionkey+fieldname;
+ var element = d.getElementById(rowid);
+
+ if (actionkey == actiontype)
+ element.style.display = '';
+ else
+ element.style.display = 'none';
+ }
+ }
+ }
+ }
+
updatevisibility();
</script>
<?php
diff --git a/config/haproxy-devel/www/haproxy_pools.php b/config/haproxy-devel/www/haproxy_pools.php
index 92235933..d98c7f41 100644
--- a/config/haproxy-devel/www/haproxy_pools.php
+++ b/config/haproxy-devel/www/haproxy_pools.php
@@ -65,19 +65,13 @@ if ($_GET['act'] == "del") {
exit;
}
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version < 2.0)
- $one_two = true;
-
$pgtitle = "Services: HAProxy: Backend server pools";
include("head.inc");
+haproxy_css();
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
-<?php if($one_two): ?>
-<p class="pgtitle"><?=$pgtitle?></p>
-<?php endif; ?>
<form action="haproxy_pools.php" method="post">
<?php if ($input_errors) print_input_errors($input_errors); ?>
<?php if ($savemsg) print_info_box($savemsg); ?>
@@ -108,18 +102,31 @@ include("head.inc");
foreach ($a_pools as $pool){
$fe_list = "";
$sep = "";
- foreach ($a_backends as $backend) {
- if($backend['backend_serverpool'] == $pool['name']) {
- $fe_list .= $sep . $backend['name'];
- $sep = ", ";
- }
+ foreach ($a_backends as $frontend) {
+ $used = false;
+ if($frontend['backend_serverpool'] == $pool['name']) {
+ $used = true;
+ }
+ $actions = $frontend['a_actionitems']['item'];
+ if (is_array($actions)) {
+ foreach($actions as $action) {
+ if ($action["action"] == "use_backend" && $action['use_backendbackend'] == $pool['name']) {
+ $used = true;
+ }
+ }
+ }
+ if ($used) {
+ $fe_list .= $sep . $frontend['name'];
+ $sep = ", ";
+ }
}
$textgray = $fe_list == "" ? " gray" : "";
- if (is_array($pool['ha_servers']))
+ if (is_array($pool['ha_servers'])) {
$count = count($pool['ha_servers']['item']);
- else
- $count = 0;
+ } else {
+ $count = 0;
+ }
?>
<tr class="<?=$textgray?>">
<td class="listlr" ondblclick="document.location='haproxy_pool_edit.php?id=<?=$i;?>';">
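Review bot: `$frontend['a_actionitems']['item']` is read before anything confirms that `a_actionitems` is an array, whereas the server count a few lines further down checks `is_array($pool['ha_servers'])` before touching `['item']`. If a frontend has no action items stored (the element may be absent or an empty string), that read raises a PHP notice or string-offset warning for every row. Guard the parent the same way, e.g. `$actions = is_array($frontend['a_actionitems']) ? $frontend['a_actionitems']['item'] : null;`, and add `break;` after the inner `$used = true;` since one match is enough. The enclosing `foreach ($a_pools as $pool)` loop continues outside the hunk.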
diff --git a/config/haproxy-devel/www/haproxy_stats.php b/config/haproxy-devel/www/haproxy_stats.php
index 302793b6..628d0e5a 100644
--- a/config/haproxy-devel/www/haproxy_stats.php
+++ b/config/haproxy-devel/www/haproxy_stats.php
@@ -68,7 +68,7 @@ if (isset($_GET['haproxystats']) || isset($_GET['scope']) || (isset($_POST) && i
exit(0);
}
require_once("guiconfig.inc");
-if (isset($_GET['showsticktablecontent'])){
+if (isset($_GET['showsticktablecontent']) || isset($_GET['showstatresolvers'])) {
if (is_numeric($pconfig['localstats_sticktable_refreshtime']))
header("Refresh: {$pconfig['localstats_sticktable_refreshtime']}");
}
@@ -91,10 +91,6 @@ if ($_POST) {
}
}
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version < 2.0)
- $one_two = true;
-
$pgtitle = "Services: HAProxy: Stats";
include("head.inc");
@@ -102,9 +98,6 @@ include("head.inc");
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
<form action="haproxy_stats.php" method="post">
-<?php if($one_two): ?>
-<p class="pgtitle"><?=$pgtitle?></p>
-<?php endif; ?>
<?php if ($input_errors) print_input_errors($input_errors); ?>
<?php if ($savemsg) print_info_box($savemsg); ?>
<?php if (file_exists($d_haproxyconfdirty_path)): ?>
@@ -123,15 +116,25 @@ include("head.inc");
<table class="tabcont" width="100%" height="100%" cellspacing="0">
<tr>
<?
-if (isset($_GET['showsticktablecontent'])){
+
+if (isset($_GET['showstatresolvers'])){
+ $showstatresolversname = $_GET['showstatresolvers'];
+ echo "<td colspan='2'>";
+ echo "Contents of the sticktable: $sticktablename<br/>";
+ $res = haproxy_socket_command("show stat resolvers $showstatresolversname");
+ foreach($res as $line){
+ echo "<br/>".print_r($line,true);
+ }
+ echo "</td>";
+} elseif (isset($_GET['showsticktablecontent'])){
$sticktablename = $_GET['showsticktablecontent'];
-echo "<td colspan='2'>";
+ echo "<td colspan='2'>";
echo "Contents of the sticktable: $sticktablename<br/>";
$res = haproxy_socket_command("show table $sticktablename");
foreach($res as $line){
echo "<br/>".print_r($line,true);
}
-echo "</td>";
+ echo "</td>";
} else {
?>
<td colspan="2">
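Review bot: The new `showstatresolvers` branch passes `$_GET['showstatresolvers']` straight into `haproxy_socket_command()`, so a request parameter becomes part of a command sent to the HAProxy admin socket with no check on its content. The value should be validated against the characters a resolvers section name can contain and rejected otherwise. The heading line was also copied from the sticktable branch: it prints `$sticktablename`, which is not set in this branch, and labels resolver statistics as sticktable contents. Everything written into the page, both the name and each `print_r` line, should go through `htmlspecialchars()`; the existing `showsticktablecontent` branch has the same validation and escaping gaps and deserves the same treatment.

```php
if (isset($_GET['showstatresolvers'])){
	$showstatresolversname = $_GET['showstatresolvers'];
	echo "<td colspan='2'>";
	// Accept only characters valid in a HAProxy section name before building the socket command.
	if (!is_string($showstatresolversname) || !preg_match('/^[A-Za-z0-9_.:-]+$/', $showstatresolversname)) {
		echo "Invalid resolvers name.";
	} else {
		echo "Resolver statistics: " . htmlspecialchars($showstatresolversname) . "<br/>";
		$res = haproxy_socket_command("show stat resolvers $showstatresolversname");
		foreach($res as $line){
			echo "<br/>" . htmlspecialchars(print_r($line, true));
		}
	}
	echo "</td>";
} elseif (isset($_GET['showsticktablecontent'])){
	// … unchanged: sticktable branch …
```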
@@ -177,6 +180,15 @@ echo "</td>";
<td>&nbsp;</td>
</tr>
<tr>
+ <td colspan="2" valign="top" class="listtopic">HAProxy DNS</td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="vncell"><a href="/haproxy_stats.php?showstatresolvers=globalresolvers" target="_blank">DNS statistics</a></td>
+ </tr>
+ <tr>
+ <td>&nbsp;</td>
+ </tr>
+ <tr>
<td colspan="2" valign="top" class="listtopic">HAProxy stats</td>
</tr>
<tr>
diff --git a/config/haproxy-devel/www/haproxy_templates.php b/config/haproxy-devel/www/haproxy_templates.php
index 478c83a3..072df508 100644
--- a/config/haproxy-devel/www/haproxy_templates.php
+++ b/config/haproxy-devel/www/haproxy_templates.php
@@ -114,6 +114,7 @@ EOD;
$savemsg = "File 'ExampleErrorfile' is already configured on the Files tab.";
}
+ $changedesc = "haproxy, add template errorfile";
if ($changecount > 0) {
header("Location: haproxy_files.php");
echo "touching: $d_haproxyconfdirty_path";
@@ -122,7 +123,83 @@ EOD;
exit;
}
}
+
+function haproxy_template_multipledomains() {
+ global $config, $d_haproxyconfdirty_path;
+ $a_backends = &$config['installedpackages']['haproxy']['ha_pools']['item'];
+ $a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+
+ $backend = array();
+ $backend["name"] = "example_backend1";
+ $backend["stats_enabled"] = "yes";
+ $backend["stats_uri"] = "/";
+ $backend["stats_refresh"] = "10";
+ $backend["stats_scope"] = ".";
+ $backend["stats_node"] = "NODE1";
+ $a_backends[] = $backend;
+
+ $backend = array();
+ $backend["name"] = "example_backend2";
+ $backend["stats_enabled"] = "yes";
+ $backend["stats_uri"] = "/";
+ $backend["stats_refresh"] = "10";
+ $backend["stats_scope"] = ".";
+ $backend["stats_node"] = "NODE2";
+ $a_backends[] = $backend;
+
+ $backend = array();
+ $backend["name"] = "example_backend3";
+ $backend["stats_enabled"] = "yes";
+ $backend["stats_uri"] = "/";
+ $backend["stats_refresh"] = "10";
+ $backend["stats_scope"] = ".";
+ $backend["stats_node"] = "NODE3";
+ $a_backends[] = $backend;
+
+ $frontend = array();
+ $frontend["name"] = "example_multipledomains";
+ $frontend["status"] = "active";
+ $frontend["type"] = "http";
+ $frontend["a_extaddr"]["item"]["stats_name"]["extaddr"] = "wan_ipv4";
+ $frontend["a_extaddr"]["item"]["stats_name"]["extaddr_port"] = "80";
+ $frontend["backend_serverpool"] = "example_backend1";
+ $acl = array();
+ $acl["name"] = "mail_acl";
+ $acl["expression"] = "host_matches";
+ $acl["value"] = "mail.domain.tld";
+ $frontend["ha_acls"]["item"][] = $acl;
+ $action = array();
+ $action["action"] = "use_backend";
+ $action["use_backendbackend"] = "example_backend2";
+ $action["acl"] = "mail_acl";
+ $frontend["a_actionitems"]["item"][] = $action;
+ $a_frontends[] = $frontend;
+
+ $frontend = array();
+ $frontend["name"] = "example_multipledomains_forum";
+ $frontend["status"] = "active";
+ $frontend["secondary"] = "yes";
+ $frontend["primary_frontend"] = "example_multipledomains";
+ $acl = array();
+ $acl["name"] = "forum_acl";
+ $acl["expression"] = "host_matches";
+ $acl["value"] = "forum.domain.tld";
+ $frontend["ha_acls"]["item"][] = $acl;
+ $action = array();
+ $action["action"] = "use_backend";
+ $action["use_backendbackend"] = "example_backend3";
+ $action["acl"] = "forum_acl";
+ $frontend["a_actionitems"]["item"][] = $action;
+ $a_frontends[] = $frontend;
+ $changedesc = "haproxy, add multi domain example";
+ header("Location: haproxy_listeners.php");
+ echo "touching: $d_haproxyconfdirty_path";
+ touch($d_haproxyconfdirty_path);
+ write_config($changedesc);
+ exit;
+}
+
if (isset($_GET['add_stats_example'])) {
$templateid = $_GET['add_stats_example'];
switch ($templateid) {
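Review bot: `haproxy_template_multipledomains()` appends its three backends and two frontends unconditionally, so requesting the template twice leaves duplicate entries named `example_backend1` through `example_backend3` and `example_multipledomains` in the saved configuration, whereas the errorfile template above at least reports when its file is already configured. Check the existing names in `$a_backends` and `$a_frontends` first and skip or report duplicates. The write is also reached through a plain GET (`add_stats_example=3`), so any link pointing at that URL changes the configuration for a logged-in admin; making it a POST form would bring it under whatever CSRF token check the GUI applies to forms. The `echo "touching: ..."` after the `Location` header looks like leftover debug output, and the `"stats_name"` key under `a_extaddr` appears to be carried over from the stats template, which is worth confirming.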
@@ -132,6 +209,9 @@ if (isset($_GET['add_stats_example'])) {
case "2":
template_errorfile();
break;
+ case "3":
+ haproxy_template_multipledomains();
+ break;
}
}
@@ -145,14 +225,12 @@ if ($_POST) {
$pgtitle = "Services: HAProxy: Templates";
include("head.inc");
+haproxy_css();
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
<form action="haproxy_templates.php" method="post">
-<?php if($one_two): ?>
-<p class="pgtitle"><?=$pgtitle?></p>
-<?php endif; ?>
<?php if ($input_errors) print_input_errors($input_errors); ?>
<?php if ($savemsg) print_info_box($savemsg); ?>
<?php if (file_exists($d_haproxyconfdirty_path)): ?>
@@ -179,6 +257,20 @@ include("head.inc");
<td>&nbsp;</td>
</tr>
<tr>
+ <td colspan="2" valign="top" class="listtopic">Serving multiple domains from 1 frontend.</td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">
+ <a href="haproxy_templates.php?add_stats_example=3">Create configuration</a>
+ </td>
+ <td class="vtable">
+ As an basic example of how to serve multiple domains on 1 listening ip:port.
+ </td>
+ </tr>
+ <tr>
+ <td>&nbsp;</td>
+ </tr>
+ <tr>
<td colspan="2" valign="top" class="listtopic">Stats SSL frontent+backend</td>
</tr>
<tr>
diff --git a/config/haproxy-legacy/haproxy.inc b/config/haproxy-legacy/haproxy.inc
index 55b86882..9b19bbd4 100644
--- a/config/haproxy-legacy/haproxy.inc
+++ b/config/haproxy-legacy/haproxy.inc
@@ -345,8 +345,8 @@ function haproxy_sync_on_changes() {
}
break;
case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
- $system_carp=$config['installedpackages']['carpsettings']['config'][0];
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
$rs[0]['ipaddress']=$system_carp['synchronizetoip'];
$rs[0]['username']=$system_carp['username'];
$rs[0]['password']=$system_carp['password'];
diff --git a/config/ladvd/ladvd.inc b/config/ladvd/ladvd.inc
index da37a1a9..c1d769ab 100644
--- a/config/ladvd/ladvd.inc
+++ b/config/ladvd/ladvd.inc
@@ -36,18 +36,24 @@ require_once("pkg-utils.inc");
function ladvd_resync_config() {
global $config;
- conf_mount_rw();
-
- if (!is_array($config['installedpackages']['ladvd']))
+ if (!is_array($config['installedpackages']['ladvd'])) {
return;
- if (!is_array($config['installedpackages']['ladvd']['config']))
+ }
+ if (!is_array($config['installedpackages']['ladvd']['config'])) {
return;
+ }
$ladvd_conf = &$config['installedpackages']['ladvd']['config'][0];
+ conf_mount_rw();
/* ladvd is turned off in package settings */
- if (empty($ladvd_conf['enable']))
+ if (empty($ladvd_conf['enable'])) {
+ if (is_service_running("ladvd")) {
+ stop_service("ladvd");
+ }
+ unlink_if_exists("/usr/local/etc/rc.d/ladvd.sh");
return;
+ }
$cmdline = "";
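Review bot: The disabled branch now returns after `conf_mount_rw()` has run but without the matching `conf_mount_ro()` that the end of the function calls, so switching ladvd off leaves the filesystem mounted read-write on platforms where that call matters. Add `conf_mount_ro();` immediately before the `return;` inside the `empty($ladvd_conf['enable'])` block. `sync_package_ntop()` in the new `config/ntop2/ntop.inc` has the same early return between `conf_mount_rw()` and `conf_mount_ro()`. The body of `ladvd_resync_config()` continues outside this hunk.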
@@ -98,7 +104,12 @@ function ladvd_resync_config() {
)
);
- restart_service("ladvd");
+ if (is_service_running("ladvd")) {
+ restart_service("ladvd");
+ } else {
+ start_service("ladvd");
+ }
+
sleep(1);
conf_mount_ro();
}
diff --git a/config/ladvd/ladvd.priv.inc b/config/ladvd/ladvd.priv.inc
new file mode 100644
index 00000000..5dd30d44
--- /dev/null
+++ b/config/ladvd/ladvd.priv.inc
@@ -0,0 +1,43 @@
+<?php
+/*
+ ladvd.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-ladvd'] = array();
+$priv_list['page-services-ladvd']['name'] = "WebCfg - Services: ladvd";
+$priv_list['page-services-ladvd']['descr'] = "Allow access to ladvd package GUI";
+$priv_list['page-services-ladvd']['match'] = array();
+$priv_list['page-services-ladvd']['match'][] = "pkg_edit.php?xml=ladvd.xml*";
+
+$priv_list['page-services-ladvd-status'] = array();
+$priv_list['page-services-ladvd-status']['name'] = "WebCfg - Status: ladvd";
+$priv_list['page-services-ladvd-status']['descr'] = "Allow access to ladvd status page";
+$priv_list['page-services-ladvd-status']['match'] = array();
+$priv_list['page-services-ladvd-status']['match'][] = "status_ladvd.php*";
+
+?>
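Review bot: This include-only file ends with a closing `?>` tag; anything beyond a single newline after it is sent as output when the file is included, which can break later `header()` calls in the GUI. Drop the final `?>` line, as is the usual convention for PHP-only files. The same applies to the other new files in this commit: both `lcdproc.priv.inc` copies, `notes.priv.inc`, `ntop.inc` and `ntop.priv.inc`.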
diff --git a/config/ladvd/ladvd.xml b/config/ladvd/ladvd.xml
index 5862afca..42c6485e 100644
--- a/config/ladvd/ladvd.xml
+++ b/config/ladvd/ladvd.xml
@@ -44,17 +44,19 @@
</copyright>
<description>Link Layer Discovery Protocol</description>
<name>LADVD</name>
- <version>1.0.4.2</version>
+ <version>1.0.4.3</version>
<category>Network Management</category>
<title>Services: LADVD</title>
- <savetext>Save</savetext>
<include_file>/usr/local/pkg/ladvd.inc</include_file>
- <aftersaveredirect>/pkg_edit.php?xml=ladvd.xml&amp;id=0</aftersaveredirect>
<additional_files_needed>
<item>https://packages.pfsense.org/packages/config/ladvd/ladvd.inc</item>
<prefix>/usr/local/pkg/</prefix>
</additional_files_needed>
<additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/ladvd/ladvd.priv.inc</item>
+ <prefix>/etc/inc/priv/</prefix>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/www/</prefix>
<item>https://packages.pfsense.org/packages/config/ladvd/status_ladvd.php</item>
</additional_files_needed>
@@ -62,7 +64,7 @@
<name>LADVD</name>
<tooltiptext>Modify LADVD settings.</tooltiptext>
<section>Services</section>
- <url>/pkg_edit.php?xml=ladvd.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=ladvd.xml</url>
</menu>
<menu>
<name>LADVD Status</name>
@@ -74,12 +76,12 @@
<name>ladvd</name>
<rcfile>ladvd.sh</rcfile>
<executable>ladvd</executable>
- <description>Send and decode link layer advertisements.</description>
+ <description>Link Layer Discovery Protocol Daemon</description>
</service>
<tabs>
<tab>
<text>General</text>
- <url>/pkg_edit.php?xml=ladvd.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=ladvd.xml</url>
<active/>
</tab>
<tab>
@@ -89,7 +91,7 @@
</tabs>
<fields>
<field>
- <fielddescr>Enable ladvd</fielddescr>
+ <fielddescr>Enable</fielddescr>
<fieldname>enable</fieldname>
<description>Enable or disable ladvd.</description>
<enablefields>iface_array[],autoenable,silent,management,location,lldp,cdp,edp,ndp</enablefields>
@@ -105,7 +107,7 @@
<description>Select the interfaces that LADVD will bind to. You can use the CTRL or COMMAND key to select multiple interfaces.</description>
</field>
<field>
- <fielddescr>Auto-enable protocols</fielddescr>
+ <fielddescr>Auto-Enable Protocols</fielddescr>
<fieldname>autoenable</fieldname>
<description>Auto-enable protocols based on received packets (also enables receive mode).</description>
<type>checkbox</type>
@@ -113,11 +115,11 @@
<field>
<fielddescr>Silent</fielddescr>
<fieldname>silent</fieldname>
- <description>Silent, don't transmit packets.</description>
+ <description>Silent mode, do not transmit packets.</description>
<type>checkbox</type>
</field>
<field>
- <fielddescr>Management interfaces</fielddescr>
+ <fielddescr>Management Interfaces</fielddescr>
<fieldname>management</fieldname>
<value>lan</value>
<type>interfaces_selection</type>
@@ -151,7 +153,7 @@
<field>
<fielddescr>Enable NDP</fielddescr>
<fieldname>ndp</fieldname>
- <description>Enable NDP (Nortel Discovery Protocol) formerly called SynOptics Network Management Protocol (SONMP).</description>
+ <description>Enable NDP (Nortel Discovery Protocol); formerly called SynOptics Network Management Protocol (SONMP).</description>
<type>checkbox</type>
</field>
</fields>
diff --git a/config/lcdproc-dev/lcdproc.priv.inc b/config/lcdproc-dev/lcdproc.priv.inc
new file mode 100644
index 00000000..6b2c061f
--- /dev/null
+++ b/config/lcdproc-dev/lcdproc.priv.inc
@@ -0,0 +1,40 @@
+<?php
+/*
+ lcdproc.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-lcdproc'] = array();
+$priv_list['page-services-lcdproc']['name'] = "WebCfg - Services: LCDproc package";
+$priv_list['page-services-lcdproc']['descr'] = "Allow access to LCDproc package GUI";
+$priv_list['page-services-lcdproc']['match'] = array();
+$priv_list['page-services-lcdproc']['match'][] = "pkg.php?xml=lcdproc.xml*";
+$priv_list['page-services-lcdproc']['match'][] = "pkg.php?xml=lcdproc_screens.xml*";
+$priv_list['page-services-lcdproc']['match'][] = "pkg_edit.php?xml=lcdproc.xml*";
+$priv_list['page-services-lcdproc']['match'][] = "pkg_edit.php?xml=lcdproc_screens.xml*";
+
+?>
diff --git a/config/lcdproc-dev/lcdproc.xml b/config/lcdproc-dev/lcdproc.xml
index ce62cb5c..e5915e69 100644
--- a/config/lcdproc-dev/lcdproc.xml
+++ b/config/lcdproc-dev/lcdproc.xml
@@ -45,31 +45,35 @@
</copyright>
<title>Services: LCDproc</title>
<name>lcdproc</name>
- <version>0.9.13</version>
+ <version>0.9.15</version>
<savetext>Save</savetext>
<include_file>/usr/local/pkg/lcdproc.inc</include_file>
<tabs>
<tab>
<text>Server</text>
- <url>/pkg_edit.php?xml=lcdproc.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=lcdproc.xml</url>
<active/>
</tab>
<tab>
<text>Screens</text>
- <url>/pkg_edit.php?xml=lcdproc_screens.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=lcdproc_screens.xml</url>
</tab>
</tabs>
<menu>
<name>LCDproc</name>
<tooltiptext>Set LCDproc settings such as display driver and COM port.</tooltiptext>
<section>Services</section>
- <url>/pkg_edit.php?xml=lcdproc.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=lcdproc.xml</url>
</menu>
<additional_files_needed>
<item>https://packages.pfsense.org/packages/config/lcdproc-dev/lcdproc.inc</item>
<prefix>/usr/local/pkg/</prefix>
</additional_files_needed>
<additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/lcdproc-dev/lcdproc.priv.inc</item>
+ <prefix>/etc/inc/priv/</prefix>
+ </additional_files_needed>
+ <additional_files_needed>
<item>https://packages.pfsense.org/packages/config/lcdproc-dev/lcdproc_screens.xml</item>
<prefix>/usr/local/pkg/</prefix>
</additional_files_needed>
diff --git a/config/lcdproc-dev/lcdproc_screens.xml b/config/lcdproc-dev/lcdproc_screens.xml
index c3ba7aa1..ca2b0f87 100644
--- a/config/lcdproc-dev/lcdproc_screens.xml
+++ b/config/lcdproc-dev/lcdproc_screens.xml
@@ -44,18 +44,18 @@
]]>
</copyright>
<title>Services: LCDproc: Screens</title>
- <name>lcdproc_screens</name>
- <version>0.9.13</version>
+ <name>lcdprocscreens</name>
+ <version>0.9.15</version>
<savetext>Save</savetext>
<include_file>/usr/local/pkg/lcdproc.inc</include_file>
<tabs>
<tab>
<text>Server</text>
- <url>/pkg_edit.php?xml=lcdproc.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=lcdproc.xml</url>
</tab>
<tab>
<text>Screens</text>
- <url>/pkg_edit.php?xml=lcdproc_screens.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=lcdproc_screens.xml</url>
<active/>
</tab>
</tabs>
@@ -63,7 +63,7 @@
<name>LCDproc</name>
<tooltiptext>Set LCDproc settings such as display driver and COM port.</tooltiptext>
<section>Services</section>
- <url>/pkg_edit.php?xml=lcdproc.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=lcdproc.xml</url>
</menu>
<fields>
<field>
diff --git a/config/lcdproc/lcdproc.priv.inc b/config/lcdproc/lcdproc.priv.inc
new file mode 100644
index 00000000..6b2c061f
--- /dev/null
+++ b/config/lcdproc/lcdproc.priv.inc
@@ -0,0 +1,40 @@
+<?php
+/*
+ lcdproc.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-lcdproc'] = array();
+$priv_list['page-services-lcdproc']['name'] = "WebCfg - Services: LCDproc package";
+$priv_list['page-services-lcdproc']['descr'] = "Allow access to LCDproc package GUI";
+$priv_list['page-services-lcdproc']['match'] = array();
+$priv_list['page-services-lcdproc']['match'][] = "pkg.php?xml=lcdproc.xml*";
+$priv_list['page-services-lcdproc']['match'][] = "pkg.php?xml=lcdproc_screens.xml*";
+$priv_list['page-services-lcdproc']['match'][] = "pkg_edit.php?xml=lcdproc.xml*";
+$priv_list['page-services-lcdproc']['match'][] = "pkg_edit.php?xml=lcdproc_screens.xml*";
+
+?>
diff --git a/config/lcdproc/lcdproc.xml b/config/lcdproc/lcdproc.xml
index 4f109e47..33e61288 100644
--- a/config/lcdproc/lcdproc.xml
+++ b/config/lcdproc/lcdproc.xml
@@ -45,31 +45,35 @@
</copyright>
<title>Services: LCDproc</title>
<name>lcdproc</name>
- <version>1.0.3</version>
+ <version>1.0.5</version>
<savetext>Save</savetext>
<include_file>/usr/local/pkg/lcdproc.inc</include_file>
<tabs>
<tab>
<text>Server</text>
- <url>/pkg_edit.php?xml=lcdproc.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=lcdproc.xml</url>
<active/>
</tab>
<tab>
<text>Screens</text>
- <url>/pkg_edit.php?xml=lcdproc_screens.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=lcdproc_screens.xml</url>
</tab>
</tabs>
<menu>
<name>LCDproc</name>
<tooltiptext>Set LCDproc settings such as display driver and COM port.</tooltiptext>
<section>Services</section>
- <url>/pkg_edit.php?xml=lcdproc.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=lcdproc.xml</url>
</menu>
<additional_files_needed>
<item>https://packages.pfsense.org/packages/config/lcdproc/lcdproc.inc</item>
<prefix>/usr/local/pkg/</prefix>
</additional_files_needed>
<additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/lcdproc/lcdproc.priv.inc</item>
+ <prefix>/etc/inc/priv/</prefix>
+ </additional_files_needed>
+ <additional_files_needed>
<item>https://packages.pfsense.org/packages/config/lcdproc/lcdproc_screens.xml</item>
<prefix>/usr/local/pkg/</prefix>
</additional_files_needed>
diff --git a/config/lcdproc/lcdproc_screens.xml b/config/lcdproc/lcdproc_screens.xml
index def770e6..6b6e283b 100644
--- a/config/lcdproc/lcdproc_screens.xml
+++ b/config/lcdproc/lcdproc_screens.xml
@@ -44,18 +44,18 @@
]]>
</copyright>
<title>Services: LCDproc: Screens</title>
- <name>lcdproc_screens</name>
- <version>1.0.3</version>
+ <name>lcdprocscreens</name>
+ <version>1.0.5</version>
<savetext>Save</savetext>
<include_file>/usr/local/pkg/lcdproc.inc</include_file>
<tabs>
<tab>
<text>Server</text>
- <url>/pkg_edit.php?xml=lcdproc.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=lcdproc.xml</url>
</tab>
<tab>
<text>Screens</text>
- <url>/pkg_edit.php?xml=lcdproc_screens.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=lcdproc_screens.xml</url>
<active/>
</tab>
</tabs>
@@ -63,7 +63,7 @@
<name>LCDproc</name>
<tooltiptext>Set LCDproc settings such as display driver and COM port.</tooltiptext>
<section>Services</section>
- <url>/pkg_edit.php?xml=lcdproc.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=lcdproc.xml</url>
</menu>
<fields>
<field>
diff --git a/config/notes/notes.priv.inc b/config/notes/notes.priv.inc
new file mode 100644
index 00000000..fe4adae4
--- /dev/null
+++ b/config/notes/notes.priv.inc
@@ -0,0 +1,38 @@
+<?php
+/*
+ notes.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-status-notes'] = array();
+$priv_list['page-status-notes']['name'] = "WebCfg - Status: Notes";
+$priv_list['page-status-notes']['descr'] = "Allow access to Notes package GUI";
+$priv_list['page-status-notes']['match'] = array();
+$priv_list['page-status-notes']['match'][] = "pkg.php?xml=notes.xml*";
+$priv_list['page-status-notes']['match'][] = "pkg_edit.php?xml=notes.xml*";
+
+?>
diff --git a/config/notes/notes.xml b/config/notes/notes.xml
index 03c0a01a..d6fb9abf 100644
--- a/config/notes/notes.xml
+++ b/config/notes/notes.xml
@@ -43,23 +43,29 @@
</copyright>
<description>Notes</description>
<name>Notes</name>
- <version>0.2.6</version>
- <title>Settings</title>
+ <version>0.2.8</version>
+ <title>Status: Notes</title>
+ <aftersaveredirect>/pkg.php?xml=notes.xml</aftersaveredirect>
+ <addedit_string>[notes] Successfully created/modified a note.</addedit_string>
+ <delete_string>[notes] Successfully deleted a note.</delete_string>
<menu>
<name>Notes</name>
- <tooltiptext>Notes.</tooltiptext>
<section>Status</section>
<configfile>notes.xml</configfile>
<url>/pkg.php?xml=notes.xml</url>
</menu>
<tabs>
<tab>
- <text>Settings</text>
- <url>/pkg_edit.php?xml=notes.xml</url>
+ <text>Notes</text>
+ <url>/pkg.php?xml=notes.xml</url>
<active/>
</tab>
</tabs>
<configpath>installedpackages->package->$packagename->configuration->notes</configpath>
+ <additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/notes/notes.priv.inc</item>
+ </additional_files_needed>
<adddeleteeditpagefields>
<columnitem>
<fielddescr>Title</fielddescr>
@@ -69,6 +75,9 @@
<fielddescr>Category</fielddescr>
<fieldname>category</fieldname>
</columnitem>
+ <addtext>Add a new note</addtext>
+ <edittext>Edit this note</edittext>
+ <deletetext>Delete this note</deletetext>
</adddeleteeditpagefields>
<fields>
<field>
diff --git a/config/ntop2/ntop.inc b/config/ntop2/ntop.inc
new file mode 100644
index 00000000..da017eac
--- /dev/null
+++ b/config/ntop2/ntop.inc
@@ -0,0 +1,157 @@
+<?php
+/*
+ ntop.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2011-2013 Jim Pingle
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+require_once("pkg-utils.inc");
+
+function ntop_php_install_command() {
+ safe_mkdir("/var/db/ntop/rrd/graphics", 0755);
+ mwexec("/bin/chmod -R 0755 /var/db/ntop");
+ mwexec("/usr/sbin/chown -R nobody:nobody /var/db/ntop");
+ mwexec("/bin/cp -Rp /usr/local/lib/X11/fonts/webfonts/ /usr/local/lib/X11/fonts/TTF/");
+ ntop_upgrade_config();
+}
+
+function ntop_php_deinstall_command() {
+ global $config;
+
+ /* Wipe data and settings if the user does not wish to keep them */
+ if (is_array($config['installedpackages']['ntop'])) {
+ $ntop_config = $config['installedpackages']['ntop']['config'][0];
+ } else {
+ $ntop_config = array();
+ }
+ if ($ntop_config['keepdata'] != "on") {
+ if (is_dir("/var/db/ntop/")) {
+ mwexec("rm -rf /var/db/ntop/");
+ }
+ unset($config['installedpackages']['ntop']);
+ write_config("[ntop] Removed package settings on uninstall.");
+ log_error(gettext("[ntop] Removed package data and settings since 'Keep Data/Settings' is disabled."));
+ }
+}
+
+function ntop_upgrade_config() {
+ global $config;
+ /* Fix flipped --no-interface-merge configuration meaning */
+ if (is_array($config['installedpackages']['ntop'])) {
+ if (isset($config['installedpackages']['ntop']['config'][0]['allowmerge'])) {
+ $config['installedpackages']['ntop']['config'][0]['disallowmerge'] = "on";
+ unset($config['installedpackages']['ntop']['config'][0]['allowmerge']);
+ }
+ }
+}
+
+function sync_package_ntop() {
+ global $config, $g;
+
+ if (is_array($config['installedpackages']['ntop'])) {
+ $ntop_config = $config['installedpackages']['ntop']['config'][0];
+ } else {
+ $ntop_config = array();
+ }
+ conf_mount_rw();
+
+ /* Just stop services and unlink rc script if disabled */
+ if ($ntop_config['enable'] != "on") {
+ ntop_stop_service();
+ unlink_if_exists("/usr/local/etc/rc.d/ntop.sh");
+ return;
+ }
+
+ /* Set up ntop interfaces */
+ $ifaces_final = "";
+ $first = 0;
+ $mergeifs = $ntop_config['disallowmerge'] == "on" ? "-M" : "";
+
+ foreach ($ntop_config['interface_array'] as $iface) {
+ $if = convert_friendly_interface_to_real_interface_name($iface);
+ if ($if) {
+ if ($first == 1) {
+ $ifaces_final .= ",";
+ }
+ $ifaces_final .= $if;
+ $first = 1;
+ }
+ }
+
+ $start = "/usr/local/bin/ntop -i {$ifaces_final} -u root -d -4 {$mergeifs} -x 8102 -X 8192 &";
+ write_rcfile(array("file" => "ntop.sh", "start" => $start, "stop" => "/usr/bin/killall ntop"));
+
+ /* Set up admin password and (re)start services if not booting */
+ if ((function_exists("platform_booting")) && (!platform_booting())) {
+ ntop_stop_service();
+ ntop_set_password();
+ start_service("ntop");
+ } elseif (!($g['booting'])) {
+ ntop_stop_service();
+ ntop_set_password();
+ start_service("ntop");
+ }
+
+ conf_mount_ro();
+}
+
+function ntop_stop_service() {
+ if (is_service_running("ntop")) {
+ stop_service("ntop");
+ // Wait for ntop to shut down cleanly.
+ for ($i = 0; $i <= 10; $i++) {
+ if (!is_process_running("ntop")) {
+ break;
+ }
+ sleep(2);
+ }
+ }
+}
+
+function ntop_set_password() {
+ global $config;
+
+ if (is_array($config['installedpackages']['ntop'])) {
+ $ntop_config = $config['installedpackages']['ntop']['config'][0];
+ } else {
+ $ntop_config = array();
+ }
+ $ntop_password = $ntop_config['password'] ?: "admin";
+ unlink_if_exists("/var/db/ntop/ntop_pw.db");
+ mwexec("/usr/local/bin/ntop --set-admin-password={$ntop_password}");
+ sleep(2);
+}
+
+function ntop_validate_input($post, &$input_errors) {
+ if (empty($post['password']) || empty($post['passwordagain'])) {
+ $input_errors[] = "You must provide (and confirm) ntop's password.";
+ }
+
+ if ($post['password'] != $post['passwordagain']) {
+ $input_errors[] = "The provided passwords did not match.";
+ }
+}
+
+?>
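Review bot: `ntop_set_password()` interpolates the configured password into the string given to `mwexec()`, so the value is parsed by the shell: a password containing spaces, quotes or shell metacharacters is mangled or run as part of the command line, and `ntop_validate_input()` only checks that the two fields are non-empty and equal. Quote the argument, `mwexec("/usr/local/bin/ntop --set-admin-password=" . escapeshellarg($ntop_password));`. The `?: "admin"` fallback also silently sets a well-known password when none is stored; logging an error and refusing to start would be safer. Separately, `sync_package_ntop()` iterates `$ntop_config['interface_array']` without an `is_array()` check and starts ntop with `-u root` although the install step chowns `/var/db/ntop` to `nobody`; please confirm that is intended.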
diff --git a/config/ntop2/ntop.priv.inc b/config/ntop2/ntop.priv.inc
new file mode 100644
index 00000000..e8c80977
--- /dev/null
+++ b/config/ntop2/ntop.priv.inc
@@ -0,0 +1,37 @@
+<?php
+/*
+ ntop.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-diagnostics-ntop'] = array();
+$priv_list['page-diagnostics-ntop']['name'] = "WebCfg - Diagnostics: ntop package";
+$priv_list['page-diagnostics-ntop']['descr'] = "Allow access to ntop package GUI";
+$priv_list['page-diagnostics-ntop']['match'] = array();
+$priv_list['page-diagnostics-ntop']['match'][] = "pkg_edit.php?xml=ntop.xml*";
+
+?>
diff --git a/config/ntop2/ntop.xml b/config/ntop2/ntop.xml
index 6ba86525..5aab1e53 100644
--- a/config/ntop2/ntop.xml
+++ b/config/ntop2/ntop.xml
@@ -1,28 +1,31 @@
<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
<packagegui>
<copyright>
<![CDATA[
/* $Id$ */
-/* ========================================================================== */
+/* ====================================================================================== */
/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2008 Scott Ullrich
+ ntop.xml
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2011-2013 Jim Pingle
+ Copyright (C) 2015 ESF, LLC
All rights reserved.
*/
-/* ========================================================================== */
+/* ====================================================================================== */
/*
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
@@ -35,19 +38,26 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
-/* ========================================================================== */
+/* ====================================================================================== */
]]>
</copyright>
<name>ntop</name>
- <version>3.0</version>
+ <version>2.3.2</version>
<title>Diagnostics: ntop Settings</title>
- <savetext>Change</savetext>
- <aftersaveredirect>pkg_edit.php?xml=ntop.xml&amp;id=0</aftersaveredirect>
+ <include_file>/usr/local/pkg/ntop.inc</include_file>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <item>https://packages.pfsense.org/packages/config/ntop2/ntop.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/ntop2/ntop.priv.inc</item>
+ </additional_files_needed>
+ <aftersaveredirect>pkg_edit.php?xml=ntop.xml</aftersaveredirect>
<menu>
<name>ntop Settings</name>
- <tooltiptext>Set ntop settings such as password and port.</tooltiptext>
<section>Diagnostics</section>
- <url>/pkg_edit.php?xml=ntop.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=ntop.xml</url>
</menu>
<menu>
<name>ntop</name>
@@ -60,12 +70,12 @@
<name>ntop</name>
<rcfile>ntop.sh</rcfile>
<executable>ntop</executable>
- <description>NTOP bandwidth monitoring/graphing</description>
+ <description>NTOP Network Traffic Monitor</description>
</service>
<tabs>
<tab>
- <text>ntop Settings</text>
- <url>/pkg_edit.php?xml=ntop.xml&amp;id=0</url>
+ <text>Settings</text>
+ <url>/pkg_edit.php?xml=ntop.xml</url>
<active/>
</tab>
<tab>
@@ -75,15 +85,37 @@
</tabs>
<fields>
<field>
+ <fielddescr>Enable ntop</fielddescr>
+ <fieldname>enable</fieldname>
+ <description>Check this to enable ntop.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Keep Data/Settings</fielddescr>
+ <fieldname>keepdata</fieldname>
+ <description>
+ <![CDATA[
+ Check this to keep ntop settings, graphs and traffic data. (Default: on)<br />
+ <strong><span class="errmsg">Note:</span> If 'Keep Data/Settings' is disabled, all settings and data will be wiped on package uninstall/reinstall/upgrade!</strong>
+ ]]>
+ </description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
<fielddescr>ntop Admin Password</fielddescr>
<fieldname>password</fieldname>
- <description>Enter the password for the NTOP Web GUI. Minimum 5 characters.</description>
+ <description>Enter the password for the NTOP Web GUI. Minimum 5 characters.</description>
<type>password</type>
+ <required>true</required>
+ <size>20</size>
</field>
<field>
- <fielddescr>ntop Admin Password AGAIN</fielddescr>
+ <fielddescr>Confirm ntop Admin Password</fielddescr>
<fieldname>passwordagain</fieldname>
<type>password</type>
+ <required>true</required>
+ <size>20</size>
</field>
<field>
<fielddescr>Interface</fielddescr>
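Review bot: The password field's description still promises "Minimum 5 characters", but nothing on the new side enforces it. The added `<required>true</required>` only marks the field mandatory, and `ntop_validate_input()` in ntop.inc (same commit) checks presence and equality only. Either add the length check there, e.g. `if (strlen($post['password']) < 5) { $input_errors[] = "The ntop password must be at least 5 characters long."; }`, or drop the claim from the description so the GUI does not advertise a policy it does not apply. The `<fields>` element continues outside this hunk.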
@@ -92,82 +124,30 @@
<size>3</size>
<value>lan</value>
<multiple>true</multiple>
+ <hideinterfaceregex>loopback</hideinterfaceregex>
</field>
<field>
- <fielddescr>Allow merging interfaces&lt;br&gt;(Def: Do not merge)</fielddescr>
- <fieldname>allowmerge</fieldname>
+ <fielddescr>Disallow merging interfaces</fielddescr>
+ <fieldname>disallowmerge</fieldname>
+ <description>
+ <![CDATA[
+ By default, traffic information obtained by all the interfaces is merged together as if the traffic was seen by only one interface.<br />
+ Use this option to keep traffic separate by interface. (Default: Disabled)
+ ]]>
+ </description>
<type>checkbox</type>
</field>
</fields>
- <custom_php_global_functions>
- <![CDATA[
- function sync_package_ntop() {
- conf_mount_rw();
- global $config;
- global $input_errors;
- if ($_POST) {
- $config['installedpackages']['ntop']['config'] = array();
- $config['installedpackages']['ntop']['config'][0] = $_POST;
- }
- $ntop_config =& $config['installedpackages']['ntop']['config'][0];
- $if_final = "";
- $ifaces_final = "";
- system("/bin/mkdir -p /var/db/ntop");
- system("/bin/mkdir -p /var/db/ntop/rrd");
- system("/bin/mkdir -p /var/db/ntop/rrd/graphics");
- system("/bin/chmod -R 755 /var/db/ntop");
- system("/usr/sbin/chown -R nobody:nobody /var/db/ntop");
- system("/bin/cp -Rp /usr/local/lib/X11/fonts/webfonts/ /usr/local/lib/X11/fonts/TTF/");
- $first = 0;
- $mergeifs = ($ntop_config['allowmerge'] == "on") ? "" : "-M";
- foreach($ntop_config['interface_array'] as $iface) {
- $if = convert_friendly_interface_to_real_interface_name($iface);
- if($if) {
- if($first == 1)
- $ifaces_final .= ",";
- $ifaces_final .= $if;
- $first = 1;
- }
- }
- $start = "/usr/local/bin/ntop -i {$ifaces_final} -u root -d -4 {$mergeifs} -x 8102 -X 8192 &";
- write_rcfile(array(
- "file" => "ntop.sh",
- "start" => $start,
- "stop" => "/usr/bin/killall ntop"
- )
- );
- if (is_service_running("ntop")) {
- stop_service("ntop");
- // Wait for ntop to shut down cleanly.
- sleep(20);
- }
- if (empty($ntop_config['password']))
- $ntop_config['password'] = "admin";
- unlink_if_exists("/var/db/ntop/ntop_pw.db");
- exec("/usr/local/bin/ntop --set-admin-password={$ntop_config['password']}");
- sleep(2);
- start_service("ntop");
- conf_mount_ro();
- }
- ]]>
- </custom_php_global_functions>
- <custom_add_php_command>
- sync_package_ntop();
- </custom_add_php_command>
+ <custom_php_install_command>
+ ntop_php_install_command();
+ </custom_php_install_command>
+ <custom_php_deinstall_command>
+ ntop_php_deinstall_command();
+ </custom_php_deinstall_command>
<custom_php_resync_config_command>
sync_package_ntop();
</custom_php_resync_config_command>
- <custom_php_install_command>
- sync_package_ntop();
- </custom_php_install_command>
<custom_php_validation_command>
- <![CDATA[
- if ($_POST) {
- if (empty($_POST['password']) || empty($_POST['passwordagain']))
- $input_errors[] = "You must provide (and confirm) ntop's password.";
- if ($_POST['password'] != $_POST['passwordagain'])
- $input_errors[] = "The provided passwords did not match.";
- }
- ]]>
+ ntop_validate_input($_POST, $input_errors);
</custom_php_validation_command>
</packagegui>
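Review bot: The validation hook on the new side, `ntop_validate_input($_POST, $input_errors);`, is the only check on the password before `sync_package_ntop()` runs, and it accepts any non-empty string. `ntop_set_password()` in ntop.inc (same commit) then interpolates the stored value unquoted into the `mwexec()` command line, so spaces or shell metacharacters in the password are interpreted by the shell. Quote it at the point of use: `mwexec("/usr/local/bin/ntop --set-admin-password=" . escapeshellarg($ntop_password));`. The `?: "admin"` fallback in the same function also sets a well-known admin password whenever no password is stored (presumably the first install, before the form is saved); skipping the password step until one is configured would avoid that.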
diff --git a/config/nut/nut.priv.inc b/config/nut/nut.priv.inc
new file mode 100644
index 00000000..44cb7402
--- /dev/null
+++ b/config/nut/nut.priv.inc
@@ -0,0 +1,40 @@
+<?php
+/*
+ nut.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-nut'] = array();
+$priv_list['page-services-nut']['name'] = "WebCfg - Services: NUT package";
+$priv_list['page-services-nut']['descr'] = "Allow access to NUT package GUI";
+
+$priv_list['page-services-nut']['match'] = array();
+$priv_list['page-services-nut']['match'][] = "pkg_edit.php?xml=nut.xml*";
+$priv_list['page-services-nut']['match'][] = "status_nut.php*";
+$priv_list['page-services-nut']['match'][] = "ups_status.widget.php*";
+
+?>
diff --git a/config/nut/nut.xml b/config/nut/nut.xml
index e066bc83..061a77de 100644
--- a/config/nut/nut.xml
+++ b/config/nut/nut.xml
@@ -41,7 +41,7 @@
]]>
</copyright>
<name>nut</name>
- <version>2.1.1</version>
+ <version>2.1.2</version>
<title>Services: NUT</title>
<savetext>Change</savetext>
<aftersaveredirect>/status_nut.php</aftersaveredirect>
@@ -65,7 +65,7 @@
</tab>
<tab>
<text>NUT Settings</text>
- <url>/pkg_edit.php?xml=nut.xml&amp;id=0</url>
+ <url>/pkg_edit.php?xml=nut.xml</url>
<active/>
</tab>
</tabs>
@@ -74,6 +74,10 @@
<item>https://packages.pfsense.org/packages/config/nut/nut.inc</item>
</additional_files_needed>
<additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/nut/nut.priv.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/www/</prefix>
<item>https://packages.pfsense.org/packages/config/nut/status_nut.php</item>
</additional_files_needed>
diff --git a/config/phpsysinfo/phpsysinfo.inc b/config/phpsysinfo/phpsysinfo.inc
deleted file mode 100644
index 54ece241..00000000
--- a/config/phpsysinfo/phpsysinfo.inc
+++ /dev/null
@@ -1,156 +0,0 @@
-<?php
-function phpsysinfo_install_deinstall() {
- conf_mount_rw();
- exec("cd /var/db/pkg/ && pkg_delete `ls | grep mbmon`");
- exec("rm -d -R /usr/local/www/phpsysinfo");
- conf_mount_ro();
-}
-
-function phpsysinfo_install_config() {
-global $config, $g;
- conf_mount_rw();
- exec("cd ..");
- exec("tar -zxovf /usr/local/pkg/phpsysinfo-2.5.4.tar.gz");
- exec("mv phpsysinfo /usr/local/www/phpsysinfo");
-
-// link shared libraries
-// if ((!file_exists("/lib/libm.so.4")) AND (file_exists("/lib/libm.so.5"))) {
-// exec("ln -s /lib/libm.so.5 /lib/libm.so.4");
-// }
-
- /* lines need in config.php */
-$default_lng = en;
-$default_template= pfSense;
-$hide_picklist = "false";
-$show_vhostname = "false";
-$sensor_program = '""';
-$show_mount_point = "false";
-$show_inodes = "false";
-$hide_mounts = "array()";
-$hide_fstypes = "array()";
-$loadbar = "false";
-$showerrors = "false";
-$temperatureformat = '"c-f"';
-$hide_picklist = $config['installedpackages']['phpsysinfo']['config'][0]['hidepicklist'];
-if($hide_picklist)
- $hide_picklist = "true";
- else
- $hide_picklist = "false";
- $sensor_program = $config['installedpackages']['phpsysinfo']['config'][0]['sensorprogram'];
-if($sensor_program)
- $sensor_program= "mbmon";
- else
- $sensor_program = '""';
- $show_mount_point = $config['installedpackages']['phpsysinfo']['config'][0]['showmountpoint'];
-if($show_mount_point)
- $show_mount_point = "true";
- else
- $show_mount_point = "false";
- $hide_fstypes = $config['installedpackages']['phpsysinfo']['config'][0]['hidefstypes'];
-if($hide_fstypes)
- $hide_fstypes = "$hide_fstypes";
- $show_inodes = $config['installedpackages']['phpsysinfo']['config'][0]['showinodes'];
-if($show_inodes)
- $show_inodes = "true";
- else
- $show_inodes = "false";
- $loadbar = $config['installedpackages']['phpsysinfo']['config'][0]['loadbar'];
-if($loadbar)
- $loadbar = "true";
- else
- $loadbar = "false";
- $showerrors = $config['installedpackages']['phpsysinfo']['config'][0]['showerrors'];
-if($showerrors)
- $showerrors = "true";
- else
- $showerrors = "false";
- $hf = fopen("/usr/local/www/phpsysinfo/config.php","w");
-if(!$hf) {
- log_error("could not open /usr/local/www/phpsysinfo/config.php for writing");
-exit;
-}
-
-fwrite($hf, '<?php');
-fwrite($hf, "\n");
-// webpath but not used
-fwrite($hf, '$webpath = "";');
-fwrite($hf, "\n");
-// define the default lang and template here
-fwrite($hf, '$default_lng=');
-fwrite($hf, "'");
-fwrite($hf, $default_lng);
-fwrite($hf, "'");
-fwrite($hf, ';');
-fwrite($hf, "\n");
-fwrite($hf, '$default_template=');
-fwrite($hf, "'");
-fwrite($hf, $default_template);
-fwrite($hf, "'");
-fwrite($hf, ';');
-fwrite($hf, "\n");
-// hide language and template picklist
-// false = display picklist
-// true = do not display picklist
-fwrite($hf, '$hide_picklist = ');
-fwrite($hf, $hide_picklist);
-fwrite($hf, ';');
-fwrite($hf, "\n");
-// display the virtual host name and address
-// default is canonical host name and address
-fwrite($hf, '$show_vhostname = ');
-fwrite($hf, $show_vhostname);
-fwrite($hf, ';');
-fwrite($hf, "\n");
-// define the motherboard monitoring program here
-fwrite($hf, '$sensor_program = ');
-fwrite($hf, $sensor_program);
-fwrite($hf, ';');
-fwrite($hf, "\n");
-// show mount point
-fwrite($hf, '$show_mount_point = ');
-fwrite($hf, $show_mount_point);
-fwrite($hf, ';');
-fwrite($hf, "\n");
-// show bind
-fwrite($hf, '$show_bind = false;');
-fwrite($hf, "\n");
-// show inode usage
-fwrite($hf, '$show_inodes = ');
-fwrite($hf, $show_inodes);
-fwrite($hf, ';');
-fwrite($hf, "\n");
-// show inode usage
-fwrite($hf, '$hide_mounts = ');
-fwrite($hf, $hide_mounts);
-fwrite($hf, ';');
-fwrite($hf, "\n");
-// Hide filesystem typess. Example: 'tmpfs', 'usbfs'
-fwrite($hf, '$hide_fstypes = array(');
-fwrite($hf, $hide_fstypes);
-fwrite($hf, ');');
-fwrite($hf, "\n");
-// show a graph for current cpuload
-fwrite($hf, '$loadbar = ');
-fwrite($hf, $loadbar);
-fwrite($hf, ';');
-fwrite($hf, "\n");
-// e.g. $addpaths = array('/opt/bin', '/opt/sbin');
-fwrite($hf, '$addpaths = array();');
-fwrite($hf, "\n");
-// display error messages at the top of the page
-fwrite($hf, '$showerrors = ');
-fwrite($hf, $showerrors);
-fwrite($hf, ';');
-fwrite($hf, "\n");
-// format in which temperature is displayed
-fwrite($hf, '$temperatureformat = ');
-fwrite($hf, $temperatureformat);
-fwrite($hf, ';');
-fwrite($hf, "\n");
-// The end of the config file
-fwrite($hf, '?>');
-fwrite($hf, "\n");
-fclose($hf);
- conf_mount_ro();
-}
-?>
diff --git a/config/phpsysinfo/phpsysinfo.xml b/config/phpsysinfo/phpsysinfo.xml
deleted file mode 100644
index 550c0785..00000000
--- a/config/phpsysinfo/phpsysinfo.xml
+++ /dev/null
@@ -1,121 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>phpsysinfo</name>
- <version>1.0</version>
- <title>phpsysinfo</title>
- <aftersaveredirect>/pkg_edit.php?xml=phpsysinfo.xml&amp;id=0</aftersaveredirect>
- <include_file>/usr/local/pkg/phpsysinfo.inc</include_file>
- <menu>
- <name>phpsysinfo</name>
- <tooltiptext></tooltiptext>
- <section>Status</section>
- <url>/pkg_edit.php?xml=phpsysinfo.xml&amp;id=0</url>
- </menu>
- <tabs>
- <tab>
- <text>phpsysinfo</text>
- <url>/pkg_edit.php?xml=phpsysinfo.xml&amp;id=0</url>
- <active/>
- </tab>
- <tab>
- <text>Access phpsysinfo</text>
- <url>/phpsysinfo</url>
- </tab>
- </tabs>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0644</chmod>
- <item>https://packages.pfsense.org/packages/config/phpsysinfo/phpsysinfo.inc</item>
- </additional_files_needed>
- <additional_files_needed>
- <prefix>/usr/local/pkg/</prefix>
- <chmod>0644</chmod>
- <item>https://files.pfsense.org/packages/phpsysinfo-2.5.4.tar.gz</item>
- </additional_files_needed>
- <fields>
- <field>
- <fielddescr>Hide picklist</fielddescr>
- <fieldname>hidepicklist</fieldname>
- <description>Hide language and template picklist</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Show mbmon</fielddescr>
- <fieldname>sensorprogram</fieldname>
- <description>Define the motherboard monitoring program here. Note that not all motherboards are supported and some only partly.</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Show mount point</fielddescr>
- <fieldname>showmountpoint</fieldname>
- <description>Show mount point</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Show inodes</fielddescr>
- <fieldname>showinodes</fieldname>
- <description>Show inode usage</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Show loadbar</fielddescr>
- <fieldname>loadbar</fieldname>
- <description>Show a graph for current cpuload</description>
- <type>checkbox</type>
- </field>
- <field>
- <fielddescr>Show errors</fielddescr>
- <fieldname>showerrors</fieldname>
- <description>Display error messages at the top of the page. Note that vmstat is added in 1.0.1-SNAPSHOT-03-15-2007 and later</description>
- <type>checkbox</type>
- </field>
- </fields>
- <custom_php_resync_config_command>phpsysinfo_install_config();</custom_php_resync_config_command>
- <custom_php_install_command>phpsysinfo_install_config();</custom_php_install_command>
- <custom_php_deinstall_command>phpsysinfo_install_deinstall();</custom_php_deinstall_command>
-</packagegui>
diff --git a/config/postfix/postfix.inc b/config/postfix/postfix.inc
index 0629c187..9db7e5a1 100755
--- a/config/postfix/postfix.inc
+++ b/config/postfix/postfix.inc
@@ -1,16 +1,16 @@
<?php
/*
postfix.inc
- part of the Postfix package for pfSense
+ part of pfSense (https://www.pfSense.org/)
Copyright (C) 2010 Erik Fonnesbeck
Copyright (C) 2011-2014 Marcello Coutinho
-
+ Copyright (C) 2015 ESF, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code MUST retain the above copyright notice,
+ 1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
@@ -27,7 +27,6 @@
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
-
*/
$shortcut_section = "postfix";
require_once("util.inc");
@@ -689,8 +688,15 @@ MASTEREOF2;
//check postfix etc dir on 2.2
$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
$postfix_etc_lnk="/usr/local/etc/postfix";
- if ($pfs_version == 2.2 && !is_dir($postfix_etc_lnk))
+ if ($pfs_version == 2.2 && !is_dir($postfix_etc_lnk)) {
@symlink(POSTFIX_LOCALBASE.'/etc/postfix',$postfix_etc_lnk);
+ }
+
+ // Fixup library path so postfix can find its libraries
+ // XXX: Bug #4420
+ if (POSTFIX_LOCALBASE != '/usr/local') {
+ mwexec("/sbin/ldconfig -m " . POSTFIX_LOCALBASE . "/local/lib/");
+ }
log_error("Writing out configuration");
file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/main.cf", $postfix_main, LOCK_EX);
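Review bot: The added `mwexec("/sbin/ldconfig -m " . POSTFIX_LOCALBASE . "/local/lib/")` merges the package's lib directory into the system-wide shared-library hints, so it changes library resolution for every dynamically linked program, not only postfix. The comment `XXX: Bug #4420` says neither this nor when the workaround can be removed. I would expand it to something like `// Workaround for bug #4420: adds the package lib dir to the global ldconfig hints; that directory must stay root-owned and not group/world-writable.` The `postfix_start()` hunk further down sets `LD_LIBRARY_PATH` to the same directory for the start command, so the two mechanisms overlap; presumably the hints are needed for postfix binaries launched outside the rc script, which is worth confirming and stating. The enclosing function starts and ends outside this hunk.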
@@ -737,6 +743,12 @@ MASTEREOF2;
function postfix_start(){
global $config;
$pf_dir=POSTFIX_LOCALBASE;
+ if (POSTFIX_LOCALBASE != '/usr/local') {
+ $pf_libdir = POSTFIX_LOCALBASE . "/local/lib";
+ $pf_start_cmd = "LD_LIBRARY_PATH={$pf_libdir} {$pf_dir}/sbin/postfix start";
+ } else {
+ $pf_start_cmd = "{$pf_dir}/sbin/postfix start";
+ }
$start=<<<EOF
sysctl kern.ipc.nmbclusters=65536
@@ -744,7 +756,7 @@ function postfix_start(){
sysctl kern.maxfiles=131072
sysctl kern.maxfilesperproc=104856
sysctl kern.threads.max_threads_per_proc=4096
- {$pf_dir}/sbin/postfix start
+ {$pf_start_cmd}
EOF;
$stop = POSTFIX_LOCALBASE."/sbin/postfix stop\n";
@@ -813,163 +825,166 @@ function postfix_php_deinstall_command() {
/* Uses XMLRPC to synchronize the changes to a remote node */
function postfix_sync_on_changes() {
global $config, $g;
- if (is_array($config['installedpackages']['postfixsync']['config'])){
- $postfix_sync=$config['installedpackages']['postfixsync']['config'][0];
- $synctimeout = $postfix_sync['synctimeout'];
+ if (is_array($config['installedpackages']['postfixsync']['config'])) {
+ $postfix_sync = $config['installedpackages']['postfixsync']['config'][0];
+ $synctimeout = $postfix_sync['synctimeout'] ?: '250';
$synconchanges = $postfix_sync['synconchanges'];
- switch ($synconchanges){
+ switch ($synconchanges) {
case "manual":
- if (is_array($postfix_sync[row])){
- $rs=$postfix_sync[row];
- }
- else{
- log_error("[postfix] xmlrpc sync is enabled but there is no hosts to push postfix config.");
+ if (is_array($postfix_sync['row'])) {
+ $rs = $postfix_sync['row'];
+ } else {
+ log_error("[postfix] XMLRPC sync is enabled but there are no hosts configured as replication targets.");
return;
- }
+ }
break;
case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
- $system_carp=$config['installedpackages']['carpsettings']['config'][0];
- $rs[0]['ipaddress']=$system_carp['synchronizetoip'];
- $rs[0]['username']=$system_carp['username'];
- $rs[0]['password']=$system_carp['password'];
- $rs[0]['enabless']=true;
- $rs[0]['sync_type']="xmlrpc";
- if (! is_ipaddr($system_carp['synchronizetoip'])){
- log_error("[postfix] xmlrpc sync is enabled but there is no system backup hosts to push postfix config.");
- return;
- }
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
+ $rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
+ $rs[0]['username'] = $system_carp['username'];
+ $rs[0]['password'] = $system_carp['password'];
+ $rs[0]['sync_type'] = "xmlrpc";
+ $rs[0]['enabless'] = FALSE;
+
+ // XMLRPC sync is currently only supported over connections using the same protocol and port as this system
+ if ($config['system']['webgui']['protocol'] == "http") {
+ $rs[0]['syncprotocol'] = "http";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '80';
+ } else {
+ $rs[0]['syncprotocol'] = "https";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '443';
}
- else{
- log_error("[postfix] xmlrpc sync is enabled but there is no system backup hosts to push postfix config.");
+ if (!is_ipaddr($system_carp['synchronizetoip'])) {
+ log_error("[postfix] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
return;
+ } else {
+ $rs[0]['enabless'] = TRUE;
}
+ } else {
+ log_error("[postfix] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ }
break;
default:
return;
- break;
+ break;
}
- if (is_array($rs)){
- log_error("[postfix] xmlrpc sync is starting.");
- foreach($rs as $sh){
- $sync_to_ip = $sh['ipaddress'];
- if($sh['username'])
- $username = $sh['username'];
- else
- $username = 'admin';
- if($sh['password'] && $sh['ipaddress'] && $sh['enabless'])
- postfix_do_xmlrpc_sync($sh['ipaddress'], $username, $sh['password'],$sh['sync_type'],$synctimeout);
+ if (is_array($rs)) {
+ log_error("[postfix] XMLRPC sync is starting.");
+ foreach($rs as $sh) {
+ if ($sh['enabless'] && $sh['sync_type'] == 'xmlrpc') {
+ $sync_to_ip = $sh['ipaddress'];
+ $port = $sh['syncport'];
+ $username = $sh['username'] ?: 'admin';
+ $password = $sh['password'];
+ $protocol = $sh['syncprotocol'];
+ $sync_type = $sh['sync_type'];
+
+ $error = '';
+ $valid = TRUE;
+
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $valid = FALSE;
+ }
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address or Hostname. ";
+ $valid = FALSE;
+ }
+ if (!is_port($port)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $valid = FALSE;
+ }
+ if ($valid) {
+ postfix_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout);
+ } else {
+ log_error("[postfix] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
+ }
}
- log_error("[postfix] xmlrpc sync is ending.");
}
- }
+ log_error("[postfix] XMLRPC sync completed.");
+ }
+ }
}
/* Do the actual XMLRPC sync */
-function postfix_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$synctimeout) {
+function postfix_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) {
global $config, $g;
- if(!$username)
- $username="admin";
-
- if(!$password)
+ if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") {
+ log_error("[postfix] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
return;
+ }
- if(!$sync_to_ip)
- return;
+ // Take care of IPv6 literal address
+ if (is_ipaddrv6($sync_to_ip)) {
+ $sync_to_ip = "[{$sync_to_ip}]";
+ }
- if(!$synctimeout)
- $synctimeout=120;
-
- $xmlrpc_sync_neighbor = $sync_to_ip;
- if($config['system']['webgui']['protocol'] != "") {
- $synchronizetoip = $config['system']['webgui']['protocol'];
- $synchronizetoip .= "://";
- }
- $port = $config['system']['webgui']['port'];
- /* if port is empty lets rely on the protocol selection */
- if($port == "") {
- if($config['system']['webgui']['protocol'] == "http")
- $port = "80";
- else
- $port = "443";
- }
- $synchronizetoip .= $sync_to_ip;
+ $url = "{$protocol}://{$sync_to_ip}";
- /* xml will hold the sections to sync */
+ /* XML will hold the sections to sync. */
$xml = array();
- $sync_xml=$config['installedpackages']['postfixsync']['config'][0]['synconchanges'];
- $sync_db=$config['installedpackages']['postfixsync']['config'][0]['rsync'];
- if ($sync_xml && preg_match("/xmlrpc/",$sync_type)){
- log_error("Include postfix xmls");
- $xml['postfix'] = $config['installedpackages']['postfix'];
- $xml['postfixdomains'] = $config['installedpackages']['postfixdomains'];
- $xml['postfixacl'] = $config['installedpackages']['postfixacl'];
- $xml['postfixrecipients'] = $config['installedpackages']['postfixrecipients'];
- $xml['postfixantispam'] = $config['installedpackages']['postfixantispam'];
- }
- if (count($xml) > 0){
- /* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($xml)
- );
-
- /* set a few variables needed for sync code borrowed from filter.inc */
- $url = $synchronizetoip;
- log_error("Beginning Postfix XMLRPC sync to {$url}:{$port}.");
- $method = 'pfsense.merge_installedpackages_section_xmlrpc';
- $msg = new XML_RPC_Message($method, $params);
- $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
- $cli->setCredentials($username, $password);
- if($g['debug'])
- $cli->setDebug(1);
- /* send our XMLRPC message and timeout after $sync_timeout seconds */
+ $xml['postfix'] = $config['installedpackages']['postfix'];
+ $xml['postfixdomains'] = $config['installedpackages']['postfixdomains'];
+ $xml['postfixacl'] = $config['installedpackages']['postfixacl'];
+ $xml['postfixrecipients'] = $config['installedpackages']['postfixrecipients'];
+ $xml['postfixantispam'] = $config['installedpackages']['postfixantispam'];
+
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($xml));
+
+ /* Set a few variables needed for sync code */
+ log_error("[postfix] Beginning XMLRPC sync to {$url}:{$port}.");
+ $method = 'pfsense.merge_installedpackages_section_xmlrpc';
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials($username, $password);
+ if ($g['debug']) {
+ $cli->setDebug(1);
+ }
+ /* Send our XMLRPC message and timeout after defined sync timeout value */
+ $resp = $cli->send($msg, $synctimeout);
+ if (!$resp) {
+ $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port}.";
+ log_error("[postfix] {$error}");
+ file_notice("sync_settings", $error, "Postfix Settings Sync", "");
+ } elseif ($resp->faultCode()) {
+ $cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
- if(!$resp) {
- $error = "A communications error occurred while attempting postfix XMLRPC sync with {$url}:{$port}.";
- log_error($error);
- file_notice("sync_settings", $error, "Postfix Settings Sync", "");
- } elseif($resp->faultCode()) {
- $cli->setDebug(1);
- $resp = $cli->send($msg, $synctimeout);
- $error = "An error code was received while attempting postfix XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
- file_notice("sync_settings", $error, "Postfix Settings Sync", "");
- } else {
- log_error("Postfix XMLRPC sync successfully completed with {$url}:{$port}.");
- }
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[postfix] {$error}");
+ file_notice("sync_settings", $error, "Postfix Settings Sync", "");
+ } else {
+ log_error("[postfix] XMLRPC sync successfully completed with {$url}:{$port}.");
+ }
- /* tell postfix to reload our settings on the destionation sync host. */
- $method = 'pfsense.exec_php';
- $execcmd = "require_once('/usr/local/pkg/postfix.inc');\n";
- $execcmd .= "sync_package_postfix('yes');";
-
- /* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($execcmd)
- );
-
- log_error("postfix XMLRPC reload data {$url}:{$port}.");
- $msg = new XML_RPC_Message($method, $params);
- $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
- $cli->setCredentials($username, $password);
+ /* Tell postfix to reload our settings on the destionation sync host. */
+ $method = 'pfsense.exec_php';
+ $execcmd = "require_once('/usr/local/pkg/postfix.inc');\n";
+ $execcmd .= "sync_package_postfix('yes');";
+
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));
+ log_error("[postfix] XMLRPC reload data {$url}:{$port}.");
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials($username, $password);
+ $resp = $cli->send($msg, $synctimeout);
+ if(!$resp) {
+ $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ log_error("[postfix] {$error}");
+ file_notice("sync_settings", $error, "postfix Settings Sync", "");
+ } elseif($resp->faultCode()) {
+ $cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
- if(!$resp) {
- $error = "A communications error occurred while attempting postfix XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
- log_error($error);
- file_notice("sync_settings", $error, "postfix Settings Sync", "");
- } elseif($resp->faultCode()) {
- $cli->setDebug(1);
- $resp = $cli->send($msg, $synctimeout);
- $error = "An error code was received while attempting postfix XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
- file_notice("sync_settings", $error, "postfix Settings Sync", "");
- } else {
- log_error("postfix XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
- }
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[postfix] {$error}");
+ file_notice("sync_settings", $error, "postfix Settings Sync", "");
+ } else {
+ log_error("[postfix] XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
}
diff --git a/config/postfix/postfix.php b/config/postfix/postfix.php
index 4cf85033..4c444ab8 100644
--- a/config/postfix/postfix.php
+++ b/config/postfix/postfix.php
@@ -1,15 +1,15 @@
<?php
/*
postfix.php
- part of pfSense (https://www.pfsense.org/)
+ part of pfSense (https://www.pfSense.org/)
Copyright (C) 2011-2014 Marcello Coutinho <marcellocoutinho@gmail.com>
- based on varnish_view_config.
+ Copyright (C) 2015 ESF, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code MUST retain the above copyright notice,
+ 1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
@@ -33,110 +33,140 @@ require_once("/etc/inc/pkg-utils.inc");
require_once("/etc/inc/globals.inc");
require_once("/usr/local/pkg/postfix.inc");
-$uname=posix_uname();
-if ($uname['machine']=='amd64')
+$uname = posix_uname();
+if ($uname['machine'] == 'amd64') {
ini_set('memory_limit', '250M');
+}
-function get_remote_log(){
- global $config,$g,$postfix_dir;
+function get_remote_log() {
+ global $config, $g, $postfix_dir;
$curr_time = time();
- $log_time=date('YmdHis',$curr_time);
- #get protocol
- if($config['system']['webgui']['protocol'] != "")
- $synchronizetoip = $config['system']['webgui']['protocol']. "://";
- #get port
- $port = $config['system']['webgui']['port'];
- #if port is empty lets rely on the protocol selection
- if($port == "")
- $port =($config['system']['webgui']['protocol'] == "http"?"80":"443");
- $synchronizetoip .= $sync_to_ip;
- if (is_array($config['installedpackages']['postfixsync']))
- foreach($config['installedpackages']['postfixsync']['config'][0]['row'] as $sh){
- $sync_to_ip = $sh['ipaddress'];
- $sync_type = $sh['sync_type'];
- $password = $sh['password'];
- $file= '/var/db/postfix/'.$server.'.sql';
- #get remote data
- if ($sync_type=='fetch'){
- $url= $synchronizetoip . $sync_to_ip;
- print "$sync_to_ip $url, $port\n";
- $method = 'pfsense.exec_php';
- $execcmd = "require_once('/usr/local/www/postfix.php');\n";
- $execcmd .= '$toreturn=get_sql('.$log_time.');';
- /* assemble xmlrpc payload */
- $params = array(XML_RPC_encode($password),
- XML_RPC_encode($execcmd));
- log_error("postfix get sql data from {$sync_to_ip}.");
- $msg = new XML_RPC_Message($method, $params);
- $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
- $cli->setCredentials('admin', $password);
- #$cli->setDebug(1);
- $resp = $cli->send($msg, "250");
- $a=$resp->value();
- $errors=0;
- #var_dump($sql);
- foreach($a as $b)
- foreach ($b as $c)
- foreach ($c as $d)
- foreach ($d as $e){
- $update=unserialize($e['string']);
- print $update['day']."\n";
- if ($update['day'] != ""){
- create_db($update['day'].".db");
- if ($debug=true)
- print $update['day'] ." writing from remote system to db...";
- $dbhandle = sqlite_open($postfix_dir.'/'.$update['day'].".db", 0666, $error);
- #file_put_contents("/tmp/".$key.'-'.$update['day'].".sql",gzuncompress(base64_decode($update['sql'])), LOCK_EX);
- $ok = sqlite_exec($dbhandle, gzuncompress(base64_decode($update['sql'])), $error);
- if (!$ok){
- $errors++;
- die ("Cannot execute query. $error\n".$update['sql']."\n");
- }
- else{
- if ($debug=true)
- print "ok\n";
- }
- sqlite_close($dbhandle);
- }
- }
- if ($errors ==0){
+ $log_time = date('YmdHis', $curr_time);
+
+ if (is_array($config['installedpackages']['postfixsync'])) {
+ $synctimeout = $config['installedpackages']['postfixsync']['config'][0]['synctimeout'] ?: '250';
+ foreach ($config['installedpackages']['postfixsync']['config'][0]['row'] as $sh) {
+ // Get remote data for enabled fetch hosts
+ if ($sh['enabless'] && $sh['sync_type'] == 'fetch') {
+ $sync_to_ip = $sh['ipaddress'];
+ $port = $sh['syncport'];
+ $username = $sh['username'] ?: 'admin';
+ $password = $sh['password'];
+ $protocol = $sh['syncprotocol'];
+ $file = '/var/db/postfix/' . $server . '.sql';
+
+ $error = '';
+ $valid = TRUE;
+
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $valid = FALSE;
+ }
+ if ($protocol == "") {
+ $error = "Protocol parameter is empty. ";
+ $valid = FALSE;
+ }
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address or Hostname. ";
+ $valid = FALSE;
+ }
+ if (!is_port($port)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $valid = FALSE;
+ }
+ if ($valid) {
+ // Take care of IPv6 literal address
+ if (is_ipaddrv6($sync_to_ip)) {
+ $sync_to_ip = "[{$sync_to_ip}]";
+ }
+ $url = "{$protocol}://{$sync_to_ip}";
+
+ print "{$sync_to_ip} {$url}, {$port}\n";
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/www/postfix.php');\n";
- $execcmd .= 'flush_sql('.$log_time.');';
- /* assemble xmlrpc payload */
- $params = array(XML_RPC_encode($password),
- XML_RPC_encode($execcmd));
- log_error("postfix flush sql buffer file from {$sync_to_ip}.");
+ $execcmd .= '$toreturn = get_sql('.$log_time.');';
+
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));
+ log_error("[postfix] Fetching sql data from {$sync_to_ip}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
- $cli->setCredentials('admin', $password);
- #$cli->setDebug(1);
- $resp = $cli->send($msg, "250");
+ $cli->setCredentials($username, $password);
+ //$cli->setDebug(1);
+ $resp = $cli->send($msg, $synctimeout);
+ $a = $resp->value();
+ $errors = 0;
+ //var_dump($sql);
+ foreach($a as $b) {
+ foreach ($b as $c) {
+ foreach ($c as $d) {
+ foreach ($d as $e) {
+ $update = unserialize($e['string']);
+ print $update['day'] . "\n";
+ if ($update['day'] != "") {
+ create_db($update['day'] . ".db");
+ if ($debug) {
+ print $update['day'] . " writing from remote system to db...";
+ }
+ $dbhandle = sqlite_open($postfix_dir . '/' . $update['day'] . ".db", 0666, $error);
+ //file_put_contents("/tmp/" . $key . '-' . $update['day'] . ".sql", gzuncompress(base64_decode($update['sql'])), LOCK_EX);
+ $ok = sqlite_exec($dbhandle, gzuncompress(base64_decode($update['sql'])), $error);
+ if (!$ok) {
+ $errors++;
+ die ("Cannot execute query. $error\n".$update['sql']."\n");
+ } elseif ($debug) {
+ print "ok\n";
+ }
+ sqlite_close($dbhandle);
+ }
+ }
+ }
+ }
+ }
+ if ($errors == 0) {
+ $method = 'pfsense.exec_php';
+ $execcmd = "require_once('/usr/local/www/postfix.php');\n";
+ $execcmd .= 'flush_sql('.$log_time.');';
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));
+ log_error("[postfix] Flushing sql buffer file from {$sync_to_ip}.");
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials($username, $password);
+ //$cli->setDebug(1);
+ $resp = $cli->send($msg, $synctimeout);
}
+ } else {
+ log_error("[postfix] Fetch sql database from '{$sync_to_ip}' aborted due to the following error(s): {$error}");
}
+ }
}
+ log_error("[postfix] Fetch sql database completed.");
+ }
}
-function get_sql($log_time){
- global $config,$xmlrpc_g;
- $server=$_SERVER['REMOTE_ADDR'];
- if (is_array($config['installedpackages']['postfixsync']))
- foreach($config['installedpackages']['postfixsync']['config'][0]['row'] as $sh){
+function get_sql($log_time) {
+ global $config, $xmlrpc_g;
+ $server = $_SERVER['REMOTE_ADDR'];
+
+ if (is_array($config['installedpackages']['postfixsync'])) {
+ foreach($config['installedpackages']['postfixsync']['config'][0]['row'] as $sh) {
$sync_to_ip = $sh['ipaddress'];
$sync_type = $sh['sync_type'];
- $password = $sh['password'];
- $file= '/var/db/postfix/'.$server.'.sql';
- if ($sync_to_ip==$server && $sync_type=='share' && file_exists($file)){
- rename($file,$file.".$log_time");
- return (file($file.".$log_time"));
- }
+ $file = '/var/db/postfix/' . $server . '.sql';
+ if ($sync_to_ip == "{$server}" && $sync_type == "share" && file_exists($file)) {
+ rename($file, $file . ".$log_time");
+ return (file($file . ".$log_time"));
+ }
}
return "";
+ }
}
-function flush_sql($log_time){
- if (preg_match("/\d+\.\d+\.\d+\.\d+/",$_SERVER['REMOTE_ADDR']))
- unlink_if_exists('/var/db/postfix/'.$_SERVER['REMOTE_ADDR'].".sql.$log_time");
+function flush_sql($log_time) {
+ if (preg_match("/\d+\.\d+\.\d+\.\d+/", $_SERVER['REMOTE_ADDR'])) {
+ unlink_if_exists('/var/db/postfix/' . $_SERVER['REMOTE_ADDR'] . ".sql.{$log_time}");
+ }
}
function grep_log(){
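Review bot: In get_remote_log() the fetch reply is used with no check: `$resp->value()` runs even when `send()` failed or returned a fault, unlike the `!$resp` / `faultCode()` handling in postfix.inc. Each record from the peer then goes through `unserialize()`, its `day` field is concatenated into the `sqlite_open()` path, and its `sql` field is run by `sqlite_exec()`, so whoever answers for the share host (the protocol may be plain http) chooses a file name under `$postfix_dir` and the statements executed against it. I would skip the host on a failed or fault response and validate `day` before use; the pattern below is a stand-in because the real day format is not visible in this hunk. Separately, `$debug` is no longer assigned in this function, so the progress prints never run, and `$error = "Protocol parameter is empty. "` overwrites the password message instead of appending with `.=`.

```php
$resp = $cli->send($msg, $synctimeout);
if (!$resp || $resp->faultCode()) {
	log_error("[postfix] Fetching sql data from {$sync_to_ip} failed, skipping host.");
	continue;
}
$a = $resp->value();
// … unchanged: nested foreach loops down to $e …
$update = unserialize($e['string']);
// Placeholder pattern: tighten to the actual day format used for the .db names.
if (!is_array($update) || !preg_match('/^[0-9A-Za-z_-]+$/', (string)$update['day'])) {
	log_error("[postfix] Ignoring malformed record from {$sync_to_ip}.");
	continue;
}
// … unchanged: create_db(), sqlite_open(), sqlite_exec() …
```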
@@ -296,73 +326,60 @@ function grep_log(){
}
}
- $config=parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);
- //print count($config['installedpackages']);
- #start db replication if configured
- if ($config['installedpackages']['postfixsync']['config'][0]['rsync'])
- foreach ($config['installedpackages']['postfixsync']['config'] as $rs )
- foreach($rs['row'] as $sh){
- $sync_to_ip = $sh['ipaddress'];
- $sync_type = $sh['sync_type'];
- $password = $sh['password'];
- print "checking replication to $sync_to_ip...";
- if ($password && $sync_to_ip && preg_match("/(both|database)/",$sync_type))
- postfix_do_xmlrpc_sync($sync_to_ip, $password,$sync_type);
- print "ok\n";
- }
-
}
-function write_db($stm,$table,$days){
- global $postfix_dir,$config,$g;
+function write_db($stm, $table, $days) {
+ global $postfix_dir, $config, $g;
conf_mount_rw();
- $do_sync=array();
+ $do_sync = array();
print "writing to database...";
- foreach ($days as $day)
- if (strlen($stm[$day]) > 10){
- if ($config['installedpackages']['postfixsync']['config'][0])
- foreach ($config['installedpackages']['postfixsync']['config'] as $rs )
- foreach($rs['row'] as $sh){
+ foreach ($days as $day) {
+ if ((strlen($stm[$day]) > 10) && (is_array($config['installedpackages']['postfixsync']['config']))) {
+ foreach ($config['installedpackages']['postfixsync']['config'] as $rs) {
+ foreach($rs['row'] as $sh) {
$sync_to_ip = $sh['ipaddress'];
$sync_type = $sh['sync_type'];
$password = $sh['password'];
- $sql_file='/var/db/postfix/'.$sync_to_ip.'.sql';
- ${$sync_to_ip}="";
- if (file_exists($sql_file))
- ${$sync_to_ip}=file_get_contents($sql_file);
- if ($sync_to_ip && $sync_type=="share"){
- ${$sync_to_ip}.=serialize(array('day'=> $day,'sql'=> base64_encode(gzcompress($stm[$day]."COMMIT;",9))))."\n";
- if (! in_array($sync_to_ip,$do_sync))
- $do_sync[]=$sync_to_ip;
+ $sql_file = '/var/db/postfix/' . $sync_to_ip . '.sql';
+ ${$sync_to_ip} = "";
+ if (file_exists($sql_file)) {
+ ${$sync_to_ip} = file_get_contents($sql_file);
+ }
+ if ($sync_to_ip && $sync_type == "share") {
+ ${$sync_to_ip} .= serialize(array('day' => $day, 'sql' => base64_encode(gzcompress($stm[$day] . "COMMIT;", 9)))) . "\n";
+ if (!in_array($sync_to_ip, $do_sync)) {
+ $do_sync[] = $sync_to_ip;
}
}
- #write local db file
- create_db($day.".db");
- if ($debug=true)
- print " writing to local db $day...";
- $dbhandle = sqlite_open($postfix_dir.$day.".db", 0666, $error);
- if (!$dbhandle) die ($error);
- #file_put_contents("/tmp/".$key.'-'.$update['day'].".sql",gzuncompress(base64_decode($update['sql'])), LOCK_EX);
- $ok = sqlite_exec($dbhandle, $stm[$day]."COMMIT;", $error);
- if (!$ok){
- if ($debug=true)
- print ("Cannot execute query. $error\n".$stm[$day]."COMMIT;\n");
- }
- else{
- if ($debug=true)
- print "ok\n";
}
- sqlite_close($dbhandle);
}
- #write update sql files
- if (count ($do_sync) > 0 ){
-
- foreach($do_sync as $ip)
- file_put_contents('/var/db/postfix/'.$ip.'.sql',${$ip},LOCK_EX);
- conf_mount_ro();
+ /* Write local db file */
+ create_db($day . ".db");
+ if ($debug) {
+ print "writing to local db $day...";
+ }
+ $dbhandle = sqlite_open($postfix_dir.$day.".db", 0666, $error);
+ if (!$dbhandle) {
+ die ($error);
+ }
+ //file_put_contents("/tmp/" . $key . '-' . $update['day'] . ".sql", gzuncompress(base64_decode($update['sql'])), LOCK_EX);
+ $ok = sqlite_exec($dbhandle, $stm[$day] . "COMMIT;", $error);
+ if (!$ok) {
+ print ("Cannot execute query. $error\n" . $stm[$day] . "COMMIT;\n");
+ } elseif ($debug) {
+ print "ok\n";
+ }
+ sqlite_close($dbhandle);
+ }
}
- #write local file
-
+ /* Write updated sql files */
+ if (count($do_sync) > 0 ) {
+ foreach ($do_sync as $ip) {
+ file_put_contents('/var/db/postfix/' . $ip . '.sql', ${$ip}, LOCK_EX);
+ }
+ }
+ conf_mount_ro();
+ /* Write local file */
}
function create_db($postfix_db){
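Review bot: In write_db() the local database write now sits inside `if ((strlen($stm[$day]) > 10) && (is_array($config['installedpackages']['postfixsync']['config'])))`, so, going by the braces on the new side, a box with no sync configuration never reaches `create_db()` or `sqlite_exec()` and silently stops recording mail log data. The old code applied the config test only to the share loop. Keeping the outer test as `if (strlen($stm[$day]) > 10) {` and wrapping just the two `foreach` loops in the `is_array()` check would restore that. `$debug` is also never set in this function now that the old `$debug=true` assignments are gone, so the `writing to local db` and `ok` prints are dead code. The variable-variable deserves a comment, for example `/* per-host buffer, held in a variable named after the configured address */`.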
@@ -748,4 +765,4 @@ if ($_REQUEST['files']!= ""){
print '</table>';
}
}
-?> \ No newline at end of file
+?>
diff --git a/config/postfix/postfix_sync.xml b/config/postfix/postfix_sync.xml
index 727305ff..eb3ab27b 100644
--- a/config/postfix/postfix_sync.xml
+++ b/config/postfix/postfix_sync.xml
@@ -5,44 +5,44 @@
<copyright>
<![CDATA[
/* $Id$ */
-/* ========================================================================== */
+/* ====================================================================================== */
/*
- postfix_sync.xml
- part of the Postfix package for pfSense
- Copyright (C) 2011-2014 Marcello Coutinho
- All rights reserved.
- */
-/* ========================================================================== */
+ postfix_sync.xml
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2011-2014 Marcello Coutinho
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+*/
+/* ====================================================================================== */
/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
- 2. Redistributions in binary form MUST reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+/* ====================================================================================== */
]]>
</copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>postfix_sync</name>
- <version>1.0</version>
+ <name>postfixsync</name>
+ <version>2.4.5</version>
<title>Services: Postfix relay and antispam</title>
<include_file>/usr/local/pkg/postfix.inc</include_file>
<menu>
@@ -100,12 +100,12 @@
<type>listtopic</type>
</field>
<field>
- <fielddescr>Sync method</fielddescr>
+ <fielddescr>Sync Method</fielddescr>
<fieldname>synconchanges</fieldname>
<description>Automatically sync postfix configuration changes.</description>
<type>select</type>
<required/>
- <default_value>auto</default_value>
+ <default_value>disabled</default_value>
<options>
<option><name>Sync to configured system backup server</name><value>auto</value></option>
<option><name>Sync to host(s) defined below</name><value>manual</value></option>
@@ -113,7 +113,7 @@
</options>
</field>
<field>
- <fielddescr>Sync timeout</fielddescr>
+ <fielddescr>Sync Timeout</fielddescr>
<fieldname>synctimeout</fieldname>
<description>Select sync max wait time</description>
<type>select</type>
@@ -128,73 +128,89 @@
</options>
</field>
<field>
- <fielddescr><![CDATA[Remote Server]]></fielddescr>
+ <fielddescr>Remote Server</fielddescr>
<fieldname>none</fieldname>
<type>rowhelper</type>
<dontdisplayname/>
<usecolspan2/>
<rowhelper>
- <rowhelperfield>
- <fielddescr>Enable</fielddescr>
- <fieldname>enabless</fieldname>
- <type>checkbox</type>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>Sync Type </fielddescr>
- <fieldname>sync_type</fieldname>
- <type>select</type>
- <options>
- <option><name>XMLRPC Sync</name><value>xmlrpc</value></option>
- <option><name>Share Database To</name><value>share</value></option>
- <option><name>Fetch Database From</name><value>fetch</value></option>
- <option><name>Disabled</name><value>disabled</value></option>
- </options>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>Remote Server IP</fielddescr>
- <fieldname>ipaddress</fieldname>
- <description>IP Address of remote server</description>
- <type>input</type>
- <size>10</size>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>Username</fielddescr>
- <fieldname>username</fieldname>
- <description>Username for remote server.</description>
- <type>input</type>
- <size>10</size>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>Password</fielddescr>
- <fieldname>password</fieldname>
- <description>Password for remote server.</description>
- <type>password</type>
- <size>10</size>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>Description</fielddescr>
- <fieldname>description</fieldname>
- <type>input</type>
- <size>27</size>
- </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>enabless</fieldname>
+ <type>checkbox</type>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Sync Type</fielddescr>
+ <fieldname>sync_type</fieldname>
+ <type>select</type>
+ <options>
+ <option><name>XMLRPC Sync</name><value>xmlrpc</value></option>
+ <option><name>Share Database To</name><value>share</value></option>
+ <option><name>Fetch Database From</name><value>fetch</value></option>
+ <option><name>Disabled</name><value>disabled</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Protocol</fielddescr>
+ <fieldname>syncprotocol</fieldname>
+ <description>Choose the protocol used to sync with the destination host (HTTP or HTTPS).</description>
+ <type>select</type>
+ <default_value>HTTP</default_value>
+ <options>
+ <option><name>HTTP</name><value>http</value></option>
+ <option><name>HTTPS</name><value>https</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Remote Server IP/Hostname</fielddescr>
+ <fieldname>ipaddress</fieldname>
+ <description>IP address or hostname of remote server</description>
+ <type>input</type>
+ <size>30</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Port</fielddescr>
+ <fieldname>syncport</fieldname>
+ <description>Choose the sync port of the remote server.</description>
+ <type>input</type>
+ <size>5</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Username</fielddescr>
+ <fieldname>username</fieldname>
+ <description>Username for remote server.</description>
+ <type>input</type>
+ <size>20</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Password</fielddescr>
+ <fieldname>password</fieldname>
+ <description>Password for remote server.</description>
+ <type>password</type>
+ <size>20</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ <type>input</type>
+ <size>30</size>
+ </rowhelperfield>
</rowhelper>
- <description><![CDATA[<br>Sync types Description:<br><br>
- <strong>XMLRPC Sync</strong> - Forward postfix settings to other pfsense boxes. Remote password required<br>
- <strong>Share Database To</strong> - Allow other pfsense boxes to fetch maillog data via xml. Remote password NOT required.<br>
- <strong>Fetch Database From</strong> - Merge logs from other pfsense boxes to this local database. Remote password required.<br>
- <strong>Disabled</strong> - Ignore this host while sync.<br><br>
- While sharing databases works only when you select 'Sync to host(s) defined below' on sync method and you must setup 'Share Database To' in source box and 'Fetch Database From' on destination box.]]></description>
+ <description>
+ <![CDATA[
+ <br/>Sync types Description:<br/><br/>
+ <strong>XMLRPC Sync</strong> - Forward postfix settings to other pfSense boxes. Remote password required.<br/>
+ <strong>Share Database To</strong> - Allow other pfSense boxes to fetch maillog data via XMLRPC. Remote password NOT required.<br/>
+ <strong>Fetch Database From</strong> - Merge logs from other pfSense boxes to this local database. Remote password required.<br/>
+ <strong>Disabled</strong> - Ignore this host while syncing.<br/><br/>
+ Sharing databases works only when you select 'Sync to host(s) defined below' sync method; you must setup 'Share Database To' in source box and 'Fetch Database From' on destination box.
+ ]]>
+ </description>
</field>
</fields>
- <custom_php_install_command>
- postfix_php_install_command();
- </custom_php_install_command>
- <custom_php_deinstall_command>
- postfix_php_deinstall_command();
- </custom_php_deinstall_command>
<custom_php_validation_command>
postfix_validate_input($_POST, $input_errors);
- </custom_php_validation_command>
+ </custom_php_validation_command>
<custom_php_resync_config_command>
sync_package_postfix();
</custom_php_resync_config_command>
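Review bot: The new `syncprotocol` field declares `<default_value>HTTP</default_value>`, but its option values are lowercase `http` and `https`, so the default matches no option. Defaulting to cleartext also means the username and password entered in this row cross the network unencrypted unless the admin changes the selection. `<default_value>https</default_value>` fixes both. The field description could say so: `Choose the protocol used to sync with the destination host. HTTPS is recommended; HTTP sends the remote password in cleartext.` The new `syncport` field has no default, and get_remote_log() in postfix.php aborts the host when `is_port()` fails, so rows saved before this change will presumably be skipped until they are edited, which is worth a line in the help text.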
diff --git a/config/routed/routed.inc b/config/routed/routed.inc
index 3bcef0aa..c83b0052 100644
--- a/config/routed/routed.inc
+++ b/config/routed/routed.inc
@@ -29,7 +29,6 @@
*/
function setup_routed() {
global $config;
- $gw = "";
if (!is_array($config['installedpackages']['routed'])) {
return;
@@ -37,6 +36,10 @@ function setup_routed() {
if (!is_array($config['installedpackages']['routed']['config'])) {
return;
}
+
+ $gw = "";
+ conf_mount_rw();
+
if (isset($config['installedpackages']['routed']['config'][0]['enable']) &&
$config['installedpackages']['routed']['config'][0]['enable'] == "on") {
/* if user selected individual interfaces */
@@ -55,21 +58,30 @@ function setup_routed() {
/* setup for all interfaces */
$gw = setup_etc_gateways();
}
- conf_mount_rw();
file_put_contents("/etc/gateways", $gw);
- conf_mount_ro();
- restart_service("routed");
+ routed_write_rcfile();
+ if (is_service_running("routed")) {
+ restart_service("routed");
+ } else {
+ start_service("routed");
+ }
} else {
- stop_service("routed");
+ if (is_service_running("routed")) {
+ stop_service("routed");
+ }
+ unlink_if_exists("/etc/gateways");
+ unlink_if_exists("/usr/local/etc/rc.d/routed.sh");
}
+
+ conf_mount_ro();
}
-function setup_etc_gateways($iface="", $mode="") {
+function setup_etc_gateways($iface = "", $mode = "") {
global $config;
$ret = "";
if ($iface != "") {
- $realif=convert_friendly_interface_to_real_interface_name($iface);
+ $realif = convert_friendly_interface_to_real_interface_name($iface);
if (!empty($realif)) {
$ret = "if={$realif} ";
}
@@ -104,7 +116,7 @@ function setup_etc_gateways($iface="", $mode="") {
return $ret;
}
-function routed_install_command() {
+function routed_write_rcfile() {
write_rcfile(array(
"file" => "routed.sh",
"start" => "/usr/bin/nohup /sbin/routed > /dev/null 2>&1 &",
@@ -114,7 +126,7 @@ function routed_install_command() {
}
function routed_deinstall_command() {
- stop_service("routed");
+ unlink_if_exists("/etc/gateways");
unlink_if_exists("/usr/local/etc/rc.d/routed.sh");
}
diff --git a/config/routed/routed.priv.inc b/config/routed/routed.priv.inc
new file mode 100644
index 00000000..f0068f81
--- /dev/null
+++ b/config/routed/routed.priv.inc
@@ -0,0 +1,38 @@
+<?php
+/*
+ routed.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-routed'] = array();
+$priv_list['page-services-routed']['name'] = "WebCfg - Services: Routed";
+$priv_list['page-services-routed']['descr'] = "Allow access to routed package GUI";
+$priv_list['page-services-routed']['match'] = array();
+$priv_list['page-services-routed']['match'][] = "pkg.php?xml=routed.xml*";
+$priv_list['page-services-routed']['match'][] = "pkg_edit.php?xml=routed.xml*";
+
+?>
diff --git a/config/routed/routed.xml b/config/routed/routed.xml
index b38d7ee3..960cf83b 100644
--- a/config/routed/routed.xml
+++ b/config/routed/routed.xml
@@ -42,17 +42,23 @@
]]>
</copyright>
<name>routed</name>
- <version>1.2</version>
+ <version>1.2.2</version>
<title>Services: RIP</title>
<include_file>/usr/local/pkg/routed.inc</include_file>
+ <aftersaveredirect>pkg_edit.php?xml=routed.xml</aftersaveredirect>
<additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
<item>https://packages.pfsense.org/packages/config/routed/routed.inc</item>
</additional_files_needed>
+ <additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/routed/routed.priv.inc</item>
+ </additional_files_needed>
<menu>
<name>RIP</name>
<section>Services</section>
<configfile>routed.xml</configfile>
- <url>pkg_edit.php?xml=routed.xml&amp;id=0</url>
+ <url>pkg_edit.php?xml=routed.xml</url>
</menu>
<service>
<name>routed</name>
@@ -117,13 +123,9 @@
<type>checkbox</type>
</field>
</fields>
- <aftersaveredirect>pkg_edit.php?xml=routed.xml&amp;id=0</aftersaveredirect>
<custom_php_resync_config_command>
setup_routed();
</custom_php_resync_config_command>
- <custom_php_install_command>
- routed_install_command();
- </custom_php_install_command>
<custom_php_deinstall_command>
routed_deinstall_command();
</custom_php_deinstall_command>
diff --git a/config/rrd-summary/rrd-summary.priv.inc b/config/rrd-summary/rrd-summary.priv.inc
new file mode 100644
index 00000000..f75315e8
--- /dev/null
+++ b/config/rrd-summary/rrd-summary.priv.inc
@@ -0,0 +1,37 @@
+<?php
+/*
+ rrd-summary.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-status-rrd-summary'] = array();
+$priv_list['page-status-rrd-summary']['name'] = "WebCfg - Status: RRD Summary";
+$priv_list['page-status-rrd-summary']['descr'] = "Allow access to RRD Summary package GUI";
+$priv_list['page-status-rrd-summary']['match'] = array();
+$priv_list['page-status-rrd-summary']['match'][] = "status_rrd_summary.php*";
+
+?>
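Review bot: The file ends with a closing `?>`, which a PHP-only include does not need. Any whitespace that later ends up after the tag is emitted as output as soon as the file is included, which can break header and session handling in the GUI. Drop the last line so the file ends after the final `$priv_list[...]` assignment; the same applies to routed.priv.inc and shellcmd.priv.inc in this commit.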
diff --git a/config/rrd-summary/rrd-summary.xml b/config/rrd-summary/rrd-summary.xml
index 67c20937..309f23d1 100644
--- a/config/rrd-summary/rrd-summary.xml
+++ b/config/rrd-summary/rrd-summary.xml
@@ -43,7 +43,7 @@
</copyright>
<description>RRD Summary Page</description>
<name>RRD Summary</name>
- <version>1.2</version>
+ <version>1.2.1</version>
<title>Status: RRD Summary</title>
<menu>
<name>RRD Summary</name>
@@ -52,6 +52,10 @@
<url>/status_rrd_summary.php</url>
</menu>
<additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/rrd-summary/rrd-summary.priv.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/www/</prefix>
<item>https://packages.pfsense.org/packages/config/rrd-summary/status_rrd_summary.php</item>
</additional_files_needed>
diff --git a/config/sarg/sarg.inc b/config/sarg/sarg.inc
index 85410560..561f7c61 100644
--- a/config/sarg/sarg.inc
+++ b/config/sarg/sarg.inc
@@ -438,18 +438,20 @@ function sarg_validate_input($post, &$input_errors) {
}
# check squidguard
- if (substr($key, 0, 10) == "proxy_server" && $value == "squidguard")
- if (!is_array($config['installedpackages']['squidguardgeneral']))
+ if (substr($key, 0, 10) == "proxy_server" && $value == "squidguard") {
+ if (!is_array($config['installedpackages']['squidguardgeneral'])) {
$input_errors[]='squidguard package not detected';
+ }
+ }
# check squid
if (substr($key, 0, 5) == "proxy_server" && $value == "squid") {
if (is_array($config['installedpackages']['squid'])) {
if (!$config['installedpackages']['squid']['log_enabled']) {
- $input_errors[]='squidlogs not enabled';
+ $input_errors[] = 'Squid logging not enabled';
}
} else {
- $input_errors[]='squid package not installed';
+ $input_errors[] = 'Squid package not installed';
}
}
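Review bot: Both package checks in this hunk can never fire, because `substr($key, 0, 10)` and `substr($key, 0, 5)` return at most 10 and 5 characters and are compared against the 12-character string "proxy_server". The commit adds braces and rewords the messages but keeps the comparisons, so choosing squid or squidguard without the package installed, or without Squid logging enabled, still passes validation. If the key is exactly `proxy_server`, compare it directly: `if ($key == "proxy_server" && $value == "squidguard") {` and `if ($key == "proxy_server" && $value == "squid") {`. sarg_validate_input starts and ends outside this hunk, so how `$key` is derived should be confirmed there.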
@@ -469,108 +471,113 @@ function sarg_validate_input($post, &$input_errors) {
/* Uses XMLRPC to synchronize the changes to a remote node */
function sarg_sync_on_changes() {
global $config, $g;
+
if (is_array($config['installedpackages']['sargsync']['config'])) {
$sarg_sync = $config['installedpackages']['sargsync']['config'][0];
$synconchanges = $sarg_sync['synconchanges'];
- $synctimeout = $sarg_sync['synctimeout'];
+ $synctimeout = $sarg_sync['synctimeout'] ?: '250';
switch ($synconchanges) {
case "manual":
- if (is_array($sarg_sync[row])) {
- $rs = $sarg_sync[row];
+ if (is_array($sarg_sync['row'])) {
+ $rs = $sarg_sync['row'];
} else {
- log_error("[sarg] xmlrpc sync is enabled but there is no hosts to push on sarg config.");
+ log_error("[sarg] XMLRPC sync is enabled but there are no hosts configured as replication targets.");
return;
}
break;
case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) {
- $system_carp = $config['installedpackages']['carpsettings']['config'][0];
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
$rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
$rs[0]['username'] = $system_carp['username'];
$rs[0]['password'] = $system_carp['password'];
- if ($system_carp['synchronizetoip'] == "" || $system_carp['username'] == "") {
- log_error("[sarg] xmlrpc sync is enabled but there are no system backup hosts to push sarg config.");
+ $rs[0]['syncdestinenable'] = FALSE;
+
+ // XMLRPC sync is currently only supported over connections using the same protocol and port as this system
+ if ($config['system']['webgui']['protocol'] == "http") {
+ $rs[0]['syncprotocol'] = "http";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '80';
+ } else {
+ $rs[0]['syncprotocol'] = "https";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '443';
+ }
+ if ($system_carp['synchronizetoip'] == "") {
+ log_error("[sarg] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
return;
+ } else {
+ $rs[0]['syncdestinenable'] = TRUE;
}
-
} else {
- log_error("[sarg] xmlrpc sync is enabled but there are no system backup hosts to push sarg config.");
+ log_error("[sarg] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
return;
}
break;
default:
return;
- break;
+ break;
}
if (is_array($rs)) {
- log_error("[sarg] xmlrpc sync is starting.");
- foreach($rs as $sh) {
- $sync_to_ip = $sh['ipaddress'];
- $password = $sh['password'];
- if ($sh['username']) {
- $username = $sh['username'];
- } else {
- $username = 'admin';
- }
- if ($password && $sync_to_ip) {
- sarg_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout);
+ log_error("[sarg] XMLRPC sync is starting.");
+ foreach ($rs as $sh) {
+ // Only sync enabled replication targets
+ if ($sh['syncdestinenable']) {
+ $sync_to_ip = $sh['ipaddress'];
+ $port = $sh['syncport'];
+ $username = $sh['username'] ?: 'admin';
+ $password = $sh['password'];
+ $protocol = $sh['syncprotocol'];
+
+ $error = '';
+ $valid = TRUE;
+
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $valid = FALSE;
+ }
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address or Hostname. ";
+ $valid = FALSE;
+ }
+ if (!is_port($port)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $valid = FALSE;
+ }
+ if ($valid) {
+ sarg_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout);
+ } else {
+ log_error("[sarg] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
+ }
}
}
- log_error("[sarg] xmlrpc sync is ending.");
+ log_error("[sarg] XMLRPC sync completed.");
}
}
}
/* do the actual XMLRPC sync */
-function sarg_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout) {
+function sarg_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) {
global $config, $g;
- if (!$username) {
- return;
- }
-
- if (!$password) {
+ if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") {
+ log_error("[sarg] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
return;
}
- if (!$sync_to_ip) {
- return;
+ // Take care of IPv6 literal address
+ if (is_ipaddrv6($sync_to_ip)) {
+ $sync_to_ip = "[{$sync_to_ip}]";
}
- if (!$synctimeout) {
- $synctimeout="250";
- }
-
- $xmlrpc_sync_neighbor = $sync_to_ip;
-
- if ($config['system']['webgui']['protocol'] != "") {
- $synchronizetoip = $config['system']['webgui']['protocol'];
- $synchronizetoip .= "://";
- }
- $port = $config['system']['webgui']['port'];
- /* if port is empty, let's rely on the protocol selection */
- if ($port == "") {
- if ($config['system']['webgui']['protocol'] == "http") {
- $port = "80";
- } else {
- $port = "443";
- }
- }
- $synchronizetoip .= $sync_to_ip;
+ $url = "{$protocol}://{$sync_to_ip}";
- /* xml will hold the sections to sync */
+ /* XML will hold the sections to sync. */
$xml = array();
$xml['sarg'] = $config['installedpackages']['sarg'];
$xml['sarguser'] = $config['installedpackages']['sarguser'];
- /* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($xml)
- );
-
- /* set a few variables needed for sync code */
- $url = $synchronizetoip;
- log_error("Beginning sarg XMLRPC sync to {$url}:{$port}.");
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($xml));
+
+ /* Set a few variables needed for sync code */
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
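Review bot: `$protocol` is interpolated into `$url` after only an emptiness test, while the address and port are checked with `is_ipaddr()`/`is_hostname()`/`is_domain()` and `is_port()` in sarg_sync_on_changes(). For manual targets the value comes straight from the stored row, so a restored or hand-edited config can put any string in front of `://`; add `if (!in_array($protocol, array('http', 'https'), true)) { $error .= "Misconfigured Replication Target Protocol. "; $valid = FALSE; }` next to the port check. The same gap is in the snort.inc hunk for snort_sync_on_changes() (`$sh['varsyncprotocol']`). Separately, rows saved before this version presumably have no `syncdestinenable` key and are now skipped without a log line, so an existing manual target would stop syncing silently; an `else` that logs the skipped target would make that visible. sarg_do_xmlrpc_sync continues past the end of this hunk.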
@@ -578,49 +585,45 @@ function sarg_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout) {
if ($g['debug']) {
$cli->setDebug(1);
}
- /* send our XMLRPC message and timeout after $synctimeout seconds */
+ /* Send our XMLRPC message and timeout after defined sync timeout value */
$resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting sarg XMLRPC sync with {$url}:{$port}.";
- log_error($error);
+ $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port}.";
+ log_error("[sarg] {$error}");
file_notice("sync_settings", $error, "sarg Settings Sync", "");
} elseif ($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
- $error = "An error code was received while attempting sarg XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[sarg] {$error}");
file_notice("sync_settings", $error, "sarg Settings Sync", "");
} else {
- log_error("sarg XMLRPC sync successfully completed with {$url}:{$port}.");
+ log_error("[sarg] XMLRPC sync successfully completed with {$url}:{$port}.");
}
- /* tell sarg to reload our settings on the destionation sync host. */
+ /* Tell sarg to reload our settings on the destionation sync host. */
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/pkg/sarg.inc');\n";
$execcmd .= "sync_package_sarg();";
- /* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($execcmd)
- );
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));
- log_error("sarg XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting sarg XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
- log_error($error);
+ $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ log_error("[sarg] {$error}");
file_notice("sync_settings", $error, "sarg Settings Sync", "");
} elseif ($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
- $error = "An error code was received while attempting sarg XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[sarg] {$error}");
file_notice("sync_settings", $error, "sarg Settings Sync", "");
} else {
- log_error("sarg XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[sarg] XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
}
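Review bot: In both fault branches the request is sent a second time and `$resp` is overwritten, but the second result is not tested before `$resp->faultCode()` and `$resp->faultString()` are called on it. The first `send()` is guarded with `if (!$resp)`, so a falsy return is possible, and a failed retry would turn into a method call on a non-object. The retry also repeats the remote action (the config merge, then the `pfsense.exec_php` reload) with debug output switched on for a request that carries the password. Build `$error` from the first response and drop the two lines `$cli->setDebug(1);` and `$resp = $cli->send($msg, $synctimeout);` in each branch. sarg_do_xmlrpc_sync starts before this hunk.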
diff --git a/config/sarg/sarg_sync.xml b/config/sarg/sarg_sync.xml
index 9ae141e5..64e93fe3 100755
--- a/config/sarg/sarg_sync.xml
+++ b/config/sarg/sarg_sync.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>sargsync</name>
- <version>0.6.5</version>
+ <version>0.6.6</version>
<title>Status: Sarg Sync</title>
<include_file>/usr/local/pkg/sarg.inc</include_file>
<tabs>
@@ -82,9 +82,15 @@
<type>listtopic</type>
</field>
<field>
- <fielddescr>Automatically Sync Sarg Configuration Changes.</fielddescr>
+ <fielddescr>Enable Sync</fielddescr>
<fieldname>synconchanges</fieldname>
- <description>Select a sync method for Sarg.</description>
+ <description>
+ <![CDATA[
+ Select a sync method for Sarg.<br/><br/>
+ <strong>Important:</strong> While using "Sync to host(s) defined below", only sync from host A to B, A to C but <strong>do not</strong> enable XMLRPC sync <b>to</b> A.
+ This will result in a loop!
+ ]]>
+ </description>
<type>select</type>
<required/>
<default_value>auto</default_value>
@@ -97,7 +103,7 @@
<field>
<fielddescr>Sync Timeout</fielddescr>
<fieldname>synctimeout</fieldname>
- <description>Select sync max wait time</description>
+ <description>XMLRPC timeout in seconds.</description>
<type>select</type>
<required/>
<default_value>250</default_value>
@@ -110,21 +116,45 @@
</options>
</field>
<field>
- <fielddescr>Remote Server</fielddescr>
+ <fielddescr>Replication Targets</fielddescr>
<fieldname>none</fieldname>
<type>rowhelper</type>
<rowhelper>
<rowhelperfield>
- <fielddescr>IP Address</fielddescr>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>syncdestinenable</fieldname>
+ <description><![CDATA[Enable this host as a replication target]]></description>
+ <type>checkbox</type>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Protocol</fielddescr>
+ <fieldname>syncprotocol</fieldname>
+ <description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description>
+ <type>select</type>
+ <default_value>HTTP</default_value>
+ <options>
+ <option><name>HTTP</name><value>http</value></option>
+ <option><name>HTTPS</name><value>https</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>IP Address/Hostname</fielddescr>
<fieldname>ipaddress</fieldname>
- <description>IP Address of remote server</description>
+ <description><![CDATA[IP address or hostname of the destination host.]]></description>
<type>input</type>
- <size>20</size>
+ <size>40</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Port</fielddescr>
+ <fieldname>syncport</fieldname>
+ <description><![CDATA[Choose the sync port of the destination host.]]></description>
+ <type>input</type>
+ <size>3</size>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>Password</fielddescr>
+ <fielddescr>Admin Password</fielddescr>
<fieldname>password</fieldname>
- <description>Password for remote server.</description>
+ <description><![CDATA[Password of the user "admin" on the destination host.]]></description>
<type>password</type>
<size>20</size>
</rowhelperfield>
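Review bot: The new Protocol select declares `<default_value>HTTP</default_value>`, which makes cleartext HTTP the default for a sync that carries the destination's admin password, and the string matches neither option value (`http`, `https`). Use `<default_value>https</default_value>` so a new row starts on an encrypted transport and on a value the select actually offers. The description could also state that HTTP exposes the password and the synced configuration to anyone on the network path. The Port input gets `<size>3</size>`, narrower than a five-digit port; `<size>5</size>` would show the whole value. The rowhelper block continues outside this hunk.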
diff --git a/config/shellcmd/shellcmd.priv.inc b/config/shellcmd/shellcmd.priv.inc
new file mode 100644
index 00000000..ae64514d
--- /dev/null
+++ b/config/shellcmd/shellcmd.priv.inc
@@ -0,0 +1,38 @@
+<?php
+/*
+ shellcmd.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-shellcmd'] = array();
+$priv_list['page-services-shellcmd']['name'] = "WebCfg - Services: shellcmd";
+$priv_list['page-services-shellcmd']['descr'] = "Allow access to shellcmd package GUI";
+$priv_list['page-services-shellcmd']['match'] = array();
+$priv_list['page-services-shellcmd']['match'][] = "pkg.php?xml=shellcmd.xml*";
+$priv_list['page-services-shellcmd']['match'][] = "pkg_edit.php?xml=shellcmd.xml*";
+
+?>
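Review bot: The description of `page-services-shellcmd` reads like an ordinary page privilege, but the page it unlocks edits commands that the package presumably runs with root rights at boot (the package XML calls them "custom (early)shellcmd"). Anyone granted this privilege can therefore reach administrator-level access, and the person assigning it should see that in the privilege list. Extend the text, for example `$priv_list['page-services-shellcmd']['descr'] = "Allow access to shellcmd package GUI (this privilege effectively gives administrator-level access)";`.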
diff --git a/config/shellcmd/shellcmd.xml b/config/shellcmd/shellcmd.xml
index ea3144ff..78b876ff 100644
--- a/config/shellcmd/shellcmd.xml
+++ b/config/shellcmd/shellcmd.xml
@@ -42,8 +42,8 @@
]]>
</copyright>
<name>Shellcmd Settings</name>
- <version>1.0</version>
- <title>Shellcmd Settings</title>
+ <version>1.0.1</version>
+ <title>Services: Shellcmd Settings</title>
<include_file>/usr/local/pkg/shellcmd.inc</include_file>
<aftersaveredirect>/pkg.php?xml=shellcmd.xml</aftersaveredirect>
<addedit_string>[shellcmd] Successfully created/modified custom (early)shellcmd.</addedit_string>
@@ -66,6 +66,10 @@
<prefix>/usr/local/pkg/</prefix>
<item>https://packages.pfsense.org/packages/config/shellcmd/shellcmd.inc</item>
</additional_files_needed>
+ <additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/shellcmd/shellcmd.priv.inc</item>
+ </additional_files_needed>
<adddeleteeditpagefields>
<columnitem>
<fielddescr>Command</fielddescr>
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index b7d4299e..60959ad6 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -3737,103 +3737,117 @@ function snort_sync_on_changes() {
/* Do not attempt a package sync while booting up or installing package */
if ($g['booting'] || $g['snort_postinstall']) {
- log_error("[snort] No xmlrpc sync to CARP targets when booting up or during package reinstallation.");
+ log_error("[snort] Skipping XMLRPC sync when booting up or during package reinstallation.");
return;
}
if (is_array($config['installedpackages']['snortsync']['config'])){
- $snort_sync=$config['installedpackages']['snortsync']['config'][0];
+ $snort_sync = $config['installedpackages']['snortsync']['config'][0];
$synconchanges = $snort_sync['varsynconchanges'];
- $synctimeout = $snort_sync['varsynctimeout'];
+ $synctimeout = $snort_sync['varsynctimeout'] ?: '150';
$syncdownloadrules = $snort_sync['vardownloadrules'];
switch ($synconchanges){
case "manual":
if (is_array($snort_sync['row'])){
$rs=$snort_sync['row'];
- }
- else{
- log_error("[snort] xmlrpc sync is enabled but there are no hosts configured as replication targets.");
+ } else {
+ log_error("[snort] XMLRPC sync is enabled but there are no hosts configured as replication targets.");
return;
}
break;
case "auto":
- if (is_array($config['hasync'])) {
- $system_carp=$config['hasync'];
- $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip'];
- $rs[0]['varsyncusername']=$system_carp['username'];
- $rs[0]['varsyncpassword']=$system_carp['password'];
- $rs[0]['varsyncsnortstart']="no";
- if ($system_carp['synchronizetoip'] ==""){
- log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts configured as replication targets.");
- return;
- }
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
+ $rs[0]['varsyncipaddress'] = $system_carp['synchronizetoip'];
+ $rs[0]['varsyncusername'] = $system_carp['username'];
+ $rs[0]['varsyncpassword'] = $system_carp['password'];
+ $rs[0]['varsyncsnortstart'] = FALSE;
+ $rs[0]['varsyncdestinenable'] = FALSE;
+ // XMLRPC sync is currently only supported over connections using the same protocol and port as this system
+ if ($config['system']['webgui']['protocol'] == "http") {
+ $rs[0]['varsyncprotocol'] = "http";
+ $rs[0]['varsyncport'] = $config['system']['webgui']['port'] ?: '80';
+ } else {
+ $rs[0]['varsyncprotocol'] = "https";
+ $rs[0]['varsyncport'] = $config['system']['webgui']['port'] ?: '443';
}
- else{
- log_error("[snort] xmlrpc sync is enabled but there are no system backup hosts configured as replication targets.");
+ if ($system_carp['synchronizetoip'] == "") {
+ log_error("[snort] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
return;
+ } else {
+ $rs[0]['varsyncdestinenable'] = TRUE;
}
+ } else {
+ log_error("[snort] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ }
break;
default:
return;
- break;
+ break;
}
if (is_array($rs)){
- log_error("[snort] Snort pkg xmlrpc sync is starting.");
- foreach($rs as $sh){
- if ($sh['varsyncsnortstart'])
- $syncstartsnort = $sh['varsyncsnortstart'];
- else
- $syncstartsnort = "OFF";
- $sync_to_ip = $sh['varsyncipaddress'];
- $port = $sh['varsyncport'];
- $password = $sh['varsyncpassword'];
- if($sh['varsyncusername'])
- $username = $sh['varsyncusername'];
- else
- $username = 'admin';
- if($password && $sync_to_ip)
- snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $username, $password, $synctimeout, $syncstartsnort);
+ log_error("[snort] XMLRPC sync is starting.");
+ foreach ($rs as $sh){
+ // Only sync enabled replication targets
+ if ($sh['varsyncdestinenable']) {
+ if ($sh['varsyncsnortstart']) {
+ $syncstartsnort = $sh['varsyncsnortstart'];
+ } else {
+ $syncstartsnort = "OFF";
+ }
+ $sync_to_ip = $sh['varsyncipaddress'];
+ $port = $sh['varsyncport'];
+ $password = $sh['varsyncpassword'];
+ $protocol = $sh['varsyncprotocol'];
+ $error = '';
+ $success = TRUE;
+ $username = $sh['varsyncusername'] ?: 'admin';
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $success = FALSE;
+ }
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address. ";
+ $success = FALSE;
+ }
+ if (!is_port($port)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $success = FALSE;
+ }
+ if ($success) {
+ snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protocol, $username, $password, $synctimeout, $syncstartsnort);
+ } else {
+ log_error("[snort] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
+ }
+ }
}
- log_error("[snort] Snort pkg xmlrpc sync completed.");
+ log_error("[snort] XMLRPC sync completed.");
}
}
}
/* Do the actual XMLRPC sync */
-function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $username, $password, $synctimeout, $syncstartsnort) {
+function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protocol, $username, $password, $synctimeout = 150, $syncstartsnort) {
global $config, $g;
/* Do not attempt a package sync while booting up or installing package */
if ($g['booting'] || $g['snort_postinstall']) {
- log_error("[snort] No xmlrpc sync to CARP targets when booting up or during package reinstallation.");
+ log_error("[snort] Skipping XMLRPC sync when booting up or during package reinstallation.");
return;
}
- if(!$username || !$password || !$sync_to_ip) {
- log_error("[snort] A required XMLRPC sync parameter (user, host IP or password) is empty ... aborting pkg sync");
+ if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") {
+ log_error("[snort] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
return;
}
- /* Test key variables and set defaults if empty */
- if(!$synctimeout)
- $synctimeout=150;
-
- $xmlrpc_sync_neighbor = $sync_to_ip;
- if($config['system']['webgui']['protocol'] != "") {
- $synchronizetoip = $config['system']['webgui']['protocol'];
- $synchronizetoip .= "://";
- }
- if ($port == "")
- $port = $config['system']['webgui']['port'];
- /* if port is empty let's rely on the protocol selection */
- if($port == "") {
- if($config['system']['webgui']['protocol'] == "http")
- $port = "80";
- else
- $port = "443";
+ // Take care of IPv6 literal address
+ if (is_ipaddrv6($sync_to_ip)) {
+ $sync_to_ip = "[{$sync_to_ip}]";
}
- $synchronizetoip .= $sync_to_ip;
- $url = $synchronizetoip;
+
+ $url = "{$protocol}://{$sync_to_ip}";
/*************************************************/
/* Send over any auto-SID management files */
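Review bot: The new signature of snort_do_xmlrpc_sync() puts `$synctimeout = 150` in front of the required `$syncstartsnort`, so the default can never take effect, and PHP 8 reports an optional parameter before a required one as deprecated. The in-function fallback `if(!$synctimeout) $synctimeout=150;` is removed in the same hunk, which leaves the `?: '150'` in snort_sync_on_changes() as the only guard against an empty timeout. Either drop the default, `..., $password, $synctimeout, $syncstartsnort) {`, or keep one line inside the function, `$synctimeout = $synctimeout ?: 150;`. snort_do_xmlrpc_sync continues past the end of this hunk.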
@@ -3847,25 +3861,26 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $username,
$method = 'pfsense.exec_php';
$params = array( XML_RPC_encode($password), XML_RPC_encode($payload) );
- log_error("[snort] Snort XMLRPC CARP sync sending auto-SID conf files to {$url}:{$port}.");
+ log_error("[snort] Snort XMLRPC sync sending auto-SID conf files to {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
$error = "";
if(!$resp) {
- $error = "A communications error occurred while attempting Snort XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
+ $error = "A communications error occurred while attempting Snort XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
log_error($error);
file_notice("sync_settings", $error, "Snort Settings Sync", "");
} elseif($resp->faultCode()) {
- $error = "An error code was received while attempting Snort XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting Snort XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "Snort Settings Sync", "");
}
}
- if (!empty($sid_files) && $error == "")
- log_error("[snort] Snort pkg XMLRPC CARP sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php).");
+ if (!empty($sid_files) && $error == "") {
+ log_error("[snort] XMLRPC sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php).");
+ }
/*************************************************/
/* Send over any IPREP IP List files */
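Review bot: `$error = "";` is assigned after each `send()`, apparently inside the per-file loop, so the success line after the loop reflects only the last file sent. If an earlier auto-SID file fails and the last one succeeds, the log still reports "auto-SID conf files success". Initialise `$error` once before the loop, or set a separate flag such as `$failed = true;` in both error branches and test that instead. The IPREP hunk that follows has the same pattern. The loop header is outside this hunk, so the placement should be confirmed against the full function.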
@@ -3879,25 +3894,26 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $username,
$method = 'pfsense.exec_php';
$params = array( XML_RPC_encode($password), XML_RPC_encode($payload) );
- log_error("[snort] Snort XMLRPC CARP sync sending IPREP files to {$url}:{$port}.");
+ log_error("[snort] Snort XMLRPC sync sending IPREP files to {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
$error = "";
- if(!$resp) {
- $error = "A communications error occurred while attempting Snort XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
+ if (!$resp) {
+ $error = "A communications error occurred while attempting Snort XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
log_error($error);
file_notice("sync_settings", $error, "Snort Settings Sync", "");
- } elseif($resp->faultCode()) {
- $error = "An error code was received while attempting Snort XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ } elseif ($resp->faultCode()) {
+ $error = "An error code was received while attempting Snort XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "Snort Settings Sync", "");
}
}
- if (!empty($sid_files) && $error == "")
- log_error("[snort] Snort pkg XMLRPC CARP sync IPREP files success with {$url}:{$port} (pfsense.exec_php).");
+ if (!empty($sid_files) && $error == "") {
+ log_error("[snort] XMLRPC sync IPREP files success with {$url}:{$port} (pfsense.exec_php).");
+ }
/**************************************************/
/* Send over the <snortglobal> portion of the */
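Review bot: The IPREP success message is gated on `!empty($sid_files)`, the list used by the auto-SID section above, which looks like a copy-paste leftover that this hunk wraps in braces without changing. As written, the IPREP result is logged whenever auto-SID files exist, whether or not any IPREP file was sent. Test the list that the IPREP loop iterates over instead; its name is not visible in this hunk.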
@@ -3911,7 +3927,7 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $username,
XML_RPC_encode($xml)
);
- log_error("[snort] Beginning Snort pkg configuration XMLRPC sync to {$url}:{$port}.");
+ log_error("[snort] Beginning package configuration XMLRPC sync to {$url}:{$port}.");
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
@@ -3919,16 +3935,16 @@ function snort_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $username,
/* send our XMLRPC message and timeout after defined sync timeout value*/
$resp = $cli->send($msg, $synctimeout);
- if(!$resp) {
+ if (!$resp) {
$error = "A communications error occurred while attempting snort XMLRPC sync with {$url}:{$port}.";
log_error($error);
file_notice("sync_settings", $error, "snort Settings Sync", "");
- } elseif($resp->faultCode()) {
+ } elseif ($resp->faultCode()) {
$error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "snort Settings Sync", "");
} else {
- log_error("[snort] Snort pkg configuration XMLRPC sync successfully completed with {$url}:{$port}.");
+ log_error("[snort] Package configuration XMLRPC sync successfully completed with {$url}:{$port}.");
}
$downloadrulescmd = "";
@@ -3992,16 +4008,16 @@ EOD;
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
- if(!$resp) {
+ if (!$resp) {
$error = "A communications error occurred while attempting snort XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
log_error($error);
file_notice("sync_settings", $error, "snort Settings Sync", "");
- } elseif($resp->faultCode()) {
+ } elseif ($resp->faultCode()) {
$error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "snort Settings Sync", "");
} else {
- log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[snort] XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php).");
}
/*************************************************/
@@ -4016,16 +4032,16 @@ EOD;
log_error("[snort] Snort XMLRPC sending {$url}:{$port} cmd to execute configuration reload.");
$msg2 = new XML_RPC_Message($method, $params2);
$resp = $cli->send($msg2, $synctimeout);
- if(!$resp) {
+ if (!$resp) {
$error = "A communications error occurred while attempting snort XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
log_error($error);
file_notice("sync_settings", $error, "snort Settings Sync", "");
- } elseif($resp->faultCode()) {
+ } elseif ($resp->faultCode()) {
$error = "An error code was received while attempting snort XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "snort Settings Sync", "");
} else {
- log_error("[snort] Snort pkg XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[snort] XMLRPC reload configuration success with {$url}:{$port} (pfsense.exec_php).");
}
}
diff --git a/config/snort/snort_sync.xml b/config/snort/snort_sync.xml
index 46922822..6b9e6a7f 100755
--- a/config/snort/snort_sync.xml
+++ b/config/snort/snort_sync.xml
@@ -172,11 +172,11 @@
</options>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>IP-Address</fielddescr>
+ <fielddescr>IP Address/Hostname</fielddescr>
<fieldname>varsyncipaddress</fieldname>
- <description><![CDATA[IP Address of the destination host.]]></description>
+ <description><![CDATA[IP address or hostname of the destination host.]]></description>
<type>input</type>
- <size>15</size>
+ <size>40</size>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Port</fielddescr>
@@ -202,8 +202,6 @@
</rowhelper>
</field>
</fields>
- <custom_delete_php_command>
- </custom_delete_php_command>
<custom_php_resync_config_command>
write_config("Snort pkg: saved changes to XMLRPC sync configuration.");snort_sync_on_changes();
</custom_php_resync_config_command>
diff --git a/config/spamd/spamd.inc b/config/spamd/spamd.inc
index 548a2934..13edb7ce 100644
--- a/config/spamd/spamd.inc
+++ b/config/spamd/spamd.inc
@@ -299,49 +299,6 @@ function remove_spaces($string) {
return $string;
}
-function sync_spamd_config_to_backup() {
- global $config;
- if (is_array($config['installedpackages']['carpsettings']['config'])) {
- foreach ($config['installedpackages']['carpsettings']['config'] as $carp) {
- if ($carp['synchronizetoip'] != "") {
- $synctoip = $carp['synchronizetoip'];
- $password = $carp['password'];
- if ($config['system']['username']) {
- $username = $config['system']['username'];
- } else {
- $username = "admin";
- }
- }
- }
- }
- if ($synctoip and $password) {
- if ($config['system']['webgui']['protocol'] != "") {
- $synchronizetoip = $config['system']['webgui']['protocol'];
- $synchronizetoip .= "://";
- }
- $port = $config['system']['webgui']['port'];
- /* if port is empty lets rely on the protocol selection */
- if ($port == "") {
- if ($config['system']['webgui']['protocol'] == "http") {
- $port = "80";
- } else {
- $port = "443";
- }
- }
- $params = array(XML_RPC_encode($password),XML_RPC_encode($xml));
- /* create files to sync array */
- $filetosync = array("/var/db/spamd", "/var/db/whitelist.txt");
- /* loop through files to sync list and sync them up */
- foreach ($filetosync as $f2s) {
- $f2c_contents = file_get_contents($f2s);
- xmlrpc_sync_file($url, $password, $f2s, $f2c_contents, $port);
- }
- /* signal remote process config reload */
- xmlrpc_exec_shell($url, $password, "/usr/bin/killall -HUP spamlogd", $port);
- xmlrpc_exec_shell($url, $password, "/usr/bin/killall -HUP spamd", $port);
- }
-}
-
function custom_php_install_command() {
global $config;
system("touch /var/db/whitelist.txt");
diff --git a/config/tinydns/tinydns_xmlrpc_sync.php b/config/spamd/spamd.priv.inc
index 0610e286..5a9c622b 100644
--- a/config/tinydns/tinydns_xmlrpc_sync.php
+++ b/config/spamd/spamd.priv.inc
@@ -1,9 +1,8 @@
<?php
-
-/* $Id$ */
/*
- tinydns_xmlrcpc_sync.php
- Copyright (C) 2006 Scott Ullrich
+ spamd.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -27,33 +26,21 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
+global $priv_list;
-/* NOTE: this file gets included from the pfSense filter.inc plugin process */
-
-require_once("config.inc");
-require_once("/usr/local/pkg/tinydns.inc");
-require_once("service-utils.inc");
-
-if($notnow) {
+$priv_list['page-services-spamd'] = array();
+$priv_list['page-services-spamd']['name'] = "WebCfg - Services: spamd";
+$priv_list['page-services-spamd']['descr'] = "Allow access to spamd package GUI";
- /* disabled until Ticket #1318 can be fixed */
+$priv_list['page-services-spamd']['match'] = array();
+$priv_list['page-services-spamd']['match'][] = "pkg.php?xml=spamd.xml*";
+$priv_list['page-services-spamd']['match'][] = "pkg.php?xml=spamd_whitelist.xml*";
+$priv_list['page-services-spamd']['match'][] = "pkg.php?xml=spamd_settings.xml*";
- if(!$config) {
- log_error("\$config is not enabled from tinydns_xmlrpc_sync.php!!");
- } else {
- if($config['installedpackages']['carpsettings']['config'])
- $password = $config['installedpackages']['carpsettings']['config'][0]['password'];
- if($config['installedpackages']['carpsettings']['config'])
- $syncip = $config['installedpackages']['carpsettings']['config'][0]['synchronizetoip'];
- if($config['installedpackages']['carpsettings']['config'])
- $syncxmlrpc = $config['installedpackages']['tinydns']['config'][0]['syncxmlrpc'];
- /* option enabled? */
- if($syncxmlrpc)
- if($syncip)
- if($password)
- tinydns_do_xmlrpc_sync($syncip, $password);
- }
+$priv_list['page-services-spamd']['match'][] = "pkg_edit.php?xml=spamd.xml*";
+$priv_list['page-services-spamd']['match'][] = "pkg_edit.php?xml=spamd_whitelist.xml*";
+$priv_list['page-services-spamd']['match'][] = "pkg_edit.php?xml=spamd_settings.xml*";
-}
+$priv_list['page-services-spamd']['match'][] = "spamd_db.php*";
-?> \ No newline at end of file
+?>
diff --git a/config/spamd/spamd.xml b/config/spamd/spamd.xml
index 337aad00..7e11b9a9 100644
--- a/config/spamd/spamd.xml
+++ b/config/spamd/spamd.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>spamdsources</name>
- <version>1.1.6</version>
+ <version>1.1.7</version>
<title>SpamD: External Sources</title>
<include_file>/usr/local/pkg/spamd.inc</include_file>
<backup_file>/var/db/spamd</backup_file>
@@ -100,6 +100,10 @@
<item>https://packages.pfsense.org/packages/config/spamd/spamd.inc</item>
</additional_files_needed>
<additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/spamd/spamd.priv.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<item>https://packages.pfsense.org/packages/config/spamd/spamd_settings.xml</item>
</additional_files_needed>
@@ -180,6 +184,6 @@
custom_php_deinstall_command();
</custom_php_deinstall_command>
<filter_rules_needed>
- spamd_generate_rules();
+ spamd_generate_rules
</filter_rules_needed>
</packagegui>
diff --git a/config/squid3/31/squid.inc b/config/squid3/31/squid.inc
index d565810c..df900e43 100644
--- a/config/squid3/31/squid.inc
+++ b/config/squid3/31/squid.inc
@@ -1854,8 +1854,8 @@ function squid_sync_on_changes() {
$synctimeout = $squid_sync['synctimeout'];
switch ($synconchanges){
case "manual":
- if (is_array($squid_sync[row])){
- $rs=$squid_sync[row];
+ if (is_array($squid_sync['row'])){
+ $rs=$squid_sync['row'];
}
else{
log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config.");
@@ -1863,8 +1863,8 @@ function squid_sync_on_changes() {
}
break;
case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
- $system_carp=$config['installedpackages']['carpsettings']['config'][0];
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
$rs[0]['ipaddress']=$system_carp['synchronizetoip'];
$rs[0]['username']=$system_carp['username'];
$rs[0]['password']=$system_carp['password'];
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc
index 0f71def8..57b49d5f 100755
--- a/config/squid3/33/squid.inc
+++ b/config/squid3/33/squid.inc
@@ -2314,8 +2314,8 @@ function squid_sync_on_changes() {
$synctimeout = $squid_sync['synctimeout'];
switch ($synconchanges){
case "manual":
- if (is_array($squid_sync[row])){
- $rs=$squid_sync[row];
+ if (is_array($squid_sync['row'])){
+ $rs=$squid_sync['row'];
}
else{
log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config.");
@@ -2323,8 +2323,8 @@ function squid_sync_on_changes() {
}
break;
case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
- $system_carp=$config['installedpackages']['carpsettings']['config'][0];
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
$rs[0]['ipaddress']=$system_carp['synchronizetoip'];
$rs[0]['username']=$system_carp['username'];
$rs[0]['password']=$system_carp['password'];
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc
index f4be3ee3..973bbf05 100755
--- a/config/squid3/34/squid.inc
+++ b/config/squid3/34/squid.inc
@@ -452,9 +452,6 @@ function squid_restart_services() {
function squid_install_command() {
global $config, $g;
- update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.");
- update_output_window("Checking if there is configuration to migrate... One moment please...");
-
/* Set storage system for nanobsd */
if (!is_array($config['installedpackages']['squidcache'])) {
$config['installedpackages']['squidcache'] = array();
@@ -515,7 +512,6 @@ function squid_deinstall_command() {
squid_install_cron(false);
/* kill all running services */
- update_output_window("Stopping and removing services...");
mwexec('/usr/local/etc/rc.d/sqp_monitor.sh stop');
mwexec("/bin/ps awux | /usr/bin/egrep -i '[s]quid -f|\([s]quid\)' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill");
mwexec("/bin/ps awux | /usr/bin/grep '[d]iskd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill");
@@ -542,8 +538,6 @@ function squid_deinstall_command() {
$keep = ($squidsettings['keep_squid_data'] ? true : false);
if (!$keep) {
- update_output_window("Removing cache and logs ... One moment please...");
- update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.");
if (is_dir("{$cachedir}")) {
if (substr($cachedir, 0, 11) === "/var/squid/") {
mwexec_bg("/bin/rm -rf {$cachedir}");
@@ -558,7 +552,6 @@ function squid_deinstall_command() {
log_error("[squid] Will NOT delete Squid log dir '{$logdir}' since it is not located under /var/squid. Delete manually if required.");
}
}
- update_output_window("Removing remaining Squid directories ... One moment please...");
$dirs = array("/var/run/squid", "/var/squid");
foreach ($dirs as $dir) {
if (is_dir("{$dir}")) {
@@ -570,7 +563,6 @@ function squid_deinstall_command() {
// remove antivirus integration features
squid_antivirus_deinstall_command();
- update_output_window("Reloading filter...");
filter_configure();
/* Remove package settings from config if 'Keep Settings/Data' is disabled */
@@ -619,7 +611,6 @@ function squid_deinstall_command() {
unset($config['installedpackages']['squidusers']);
}
}
- update_output_window("Squid3 has been uninstalled.");
}
/* Migrate configuration from god knows which Squid package versions */
@@ -704,7 +695,6 @@ function squid_upgrade_config() {
/* unset broken antivirus settings */
squid_antivirus_upgrade_config();
- update_output_window("Writing configuration... One moment please...");
write_config();
}
@@ -2163,28 +2153,45 @@ function squid_generate_rules($type) {
/* XMLRPC sync configuration */
function squid_sync_on_changes() {
- global $config, $g;
+ global $config;
+
if (is_array($config['installedpackages']['squidsync']['config'])) {
$squid_sync = $config['installedpackages']['squidsync']['config'][0];
$synconchanges = $squid_sync['synconchanges'];
- $synctimeout = $squid_sync['synctimeout'];
+ $synctimeout = $squid_sync['synctimeout'] ?: '250';
switch ($synconchanges) {
case "manual":
if (is_array($squid_sync['row'])) {
$rs = $squid_sync['row'];
} else {
- log_error("[squid] XMLRPC sync is enabled but there is no hosts to push on Squid config.");
+ log_error("[squid] XMLRPC sync is enabled but there are no hosts configured as replication targets.");
return;
}
break;
case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) {
- $system_carp = $config['installedpackages']['carpsettings']['config'][0];
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
$rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
$rs[0]['username'] = $system_carp['username'];
$rs[0]['password'] = $system_carp['password'];
+ $rs[0]['syncdestinenable'] = FALSE;
+
+ // XMLRPC sync is currently only supported over connections using the same protocol and port as this system
+ if ($config['system']['webgui']['protocol'] == "http") {
+ $rs[0]['syncprotocol'] = "http";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '80';
+ } else {
+ $rs[0]['syncprotocol'] = "https";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '443';
+ }
+ if ($system_carp['synchronizetoip'] == "") {
+ log_error("[squid] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ } else {
+ $rs[0]['syncdestinenable'] = TRUE;
+ }
} else {
- log_error("[squid] XMLRPC sync is enabled but there is no system backup hosts to push Squid config.");
+ log_error("[squid] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
return;
}
break;
@@ -2195,45 +2202,56 @@ function squid_sync_on_changes() {
if (is_array($rs)) {
log_error("[squid] XMLRPC sync is starting.");
foreach ($rs as $sh) {
- $sync_to_ip = $sh['ipaddress'];
- $password = $sh['password'];
- if ($sh['username']) {
- $username = $sh['username'];
- } else {
- $username = 'admin';
- }
- if ($password && $sync_to_ip) {
- squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout);
+ // Only sync enabled replication targets
+ if ($sh['syncdestinenable']) {
+ $sync_to_ip = $sh['ipaddress'];
+ $port = $sh['syncport'];
+ $username = $sh['username'] ?: 'admin';
+ $password = $sh['password'];
+ $protocol = $sh['syncprotocol'];
+
+ $error = '';
+ $valid = TRUE;
+
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $valid = FALSE;
+ }
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address or Hostname. ";
+ $valid = FALSE;
+ }
+ if (!is_port($port)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $valid = FALSE;
+ }
+ if ($valid) {
+ squid_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout);
+ } else {
+ log_error("[squid] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
+ }
}
}
- log_error("[squid] XMLRPC sync is ending.");
+ log_error("[squid] XMLRPC sync completed.");
}
- }
+ }
}
/* Perform the actual XMLRPC sync */
-function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
+function squid_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) {
global $config, $g;
- if (!$username || !$password || !$sync_to_ip) {
+ if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") {
+ log_error("[squid] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
return;
}
- if (!$synctimeout) {
- $synctimeout = 250;
+ // Take care of IPv6 literal address
+ if (is_ipaddrv6($sync_to_ip)) {
+ $sync_to_ip = "[{$sync_to_ip}]";
}
- $xmlrpc_sync_neighbor = $sync_to_ip;
- if ($config['system']['webgui']['protocol'] != "") {
- $synchronizetoip = $config['system']['webgui']['protocol'];
- $synchronizetoip .= "://";
- }
- $port = $config['system']['webgui']['port'];
- /* If port is empty let's rely on the protocol selection */
- if ($port == "") {
- $port = $config['system']['webgui']['protocol'] == "http" ? "80" : "443";
- }
- $synchronizetoip .= $sync_to_ip;
+ $url = "{$protocol}://{$sync_to_ip}";
/* XML will hold the sections to sync */
$xml = array();
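Review bot: `$protocol` is the one replication-target field the new validation block never checks, yet it is interpolated directly into `$url = "{$protocol}://{$sync_to_ip}"`; squid_do_xmlrpc_sync only rejects an empty value. An allow-list next to the `is_port()` check would close that gap, e.g. `if (!in_array($protocol, array('http', 'https'), true)) { $error .= "Misconfigured Replication Target Protocol. "; $valid = FALSE; }`. Because the admin password travels in the XMLRPC request, it is also worth logging a warning when `http` is selected, so operators know the credential crosses the wire unencrypted. squid_do_xmlrpc_sync's body continues outside this hunk.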
@@ -2249,14 +2267,9 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
$xml['squidauth'] = $config['installedpackages']['squidauth'];
$xml['squidusers'] = $config['installedpackages']['squidusers'];
/* Assemble XMLRPC payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($xml)
- );
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($xml));
/* Set a few variables needed for sync */
- $url = $synchronizetoip;
- log_error("[squid] Beginning XMLRPC sync to {$url}:{$port}.");
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
@@ -2267,14 +2280,14 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
/* Send our XMLRPC message and timeout after defined sync timeout value*/
$resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "[squid] Communication error occurred while attempting XMLRPC sync with {$url}:{$port}.";
- log_error($error);
+ $error = "A communication error occurred while attempting XMLRPC sync with {$url}:{$port}.";
+ log_error("[squid] {$error}");
file_notice("sync_settings", $error, "Squid Settings Sync", "");
} elseif ($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
- $error = "[squid] An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[squid] {$error}");
file_notice("sync_settings", $error, "Squid Settings Sync", "");
} else {
log_error("[squid] XMLRPC sync successfully completed with {$url}:{$port}.");
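Review bot: In the `faultCode()` branch the new `$error` line reads `$resp->faultCode()` and `$resp->faultString()` from the second, debug-enabled `send()`, whose result is never checked. If that retry fails at the transport level, `$resp` is not an object and the call is a fatal error; if the retry succeeds, the logged code no longer describes the original fault. Capturing the values before the retry avoids both, e.g. `$code = $resp->faultCode(); $fault = $resp->faultString();` placed ahead of `$cli->setDebug(1);`, with `$error` built from `$code` and `$fault`. The same pattern is in the following hunk (the pfsense.exec_php reload), and the function body extends beyond both hunks.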
@@ -2285,25 +2298,21 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
$execcmd = "require_once('/usr/local/pkg/squid.inc');\n";
$execcmd .= "squid_resync('yes');";
/* Assemble XMLRPC payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($execcmd)
- );
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));
- log_error("[squid] XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "[squid] Communication error occurred while attempting XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
- log_error($error);
+ $error = "A communication error occurred while attempting XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ log_error("[squid] {$error}");
file_notice("sync_settings", $error, "Squid Settings Sync", "");
} elseif ($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
- $error = "[squid] An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[squid] {$error}");
file_notice("sync_settings", $error, "Squid Settings Sync", "");
} else {
log_error("[squid] XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc
index 4dc2c89a..fe8406e7 100644
--- a/config/squid3/34/squid_antivirus.inc
+++ b/config/squid3/34/squid_antivirus.inc
@@ -169,7 +169,6 @@ function squid_antivirus_deinstall_command() {
mwexec("/bin/ps awux | /usr/bin/grep '[f]reshclam' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill");
/* clean up created PBI symlinks */
- update_output_window("Finishing package cleanup.");
if (SQUID_LOCALBASE != '/usr/local') {
$ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap');
foreach ($ln_icap as $ln) {
@@ -191,7 +190,6 @@ function squid_antivirus_deinstall_command() {
$keep = ($squidsettings['keep_squid_data'] ? true : false);
if (!$keep) {
- update_output_window("Removing antivirus definitions and logs ... One moment please...");
$dirs = array("/var/run/c-icap", "/var/log/c-icap", "/var/log/clamav", "/var/run/clamav", "/var/db/clamav");
foreach ($dirs as $dir) {
if (is_dir("{$dir}")) {
@@ -218,7 +216,6 @@ function squid_antivirus_deinstall_command() {
/* check if clamav/c_icap is enabled in rc.conf.local */
// XXX: This hasn't been used since 0.3.7; to be removed in future
if (file_exists("/etc/rc.conf.local")) {
- update_output_window("Removing antivirus services from /etc/rc.conf.local...");
$sample_file = file_get_contents("/etc/rc.conf.local");
$rcconf_local_m[0] = "@c_icap_enable(.*)\n@";
$rcconf_local_m[1] = "@clamav_clamd_enable(.*)\n@";
diff --git a/config/squid3/34/squid_reverse_sync.xml b/config/squid3/34/squid_reverse_sync.xml
index 139c73c3..1091fce8 100755
--- a/config/squid3/34/squid_reverse_sync.xml
+++ b/config/squid3/34/squid_reverse_sync.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>squidsync</name>
- <version>0.4.1</version>
+ <version>0.4.2</version>
<title>Reverse Proxy Server: XMLRPC Sync</title>
<include_file>/usr/local/pkg/squid.inc</include_file>
<tabs>
@@ -78,12 +78,18 @@
<type>listtopic</type>
</field>
<field>
- <fielddescr>Automatically sync Squid configuration changes</fielddescr>
+ <fielddescr>Enable Sync</fielddescr>
<fieldname>synconchanges</fieldname>
- <description>Select a sync method for Squid.</description>
+ <description>
+ <![CDATA[
+ Select a sync method for Squid Reverse Proxy.<br/><br/>
+ <strong>Important:</strong> While using "Sync to host(s) defined below", only sync from host A to B, A to C but <strong>do not</strong> enable XMLRPC sync <b>to</b> A.
+ This will result in a loop!
+ ]]>
+ </description>
<type>select</type>
<required/>
- <default_value>auto</default_value>
+ <default_value>disabled</default_value>
<options>
<option><name>Sync to configured system backup server</name><value>auto</value></option>
<option><name>Sync to host(s) defined below</name><value>manual</value></option>
@@ -106,19 +112,45 @@
</options>
</field>
<field>
- <fielddescr>Remote Server</fielddescr>
+ <fielddescr>Replication Targets</fielddescr>
<fieldname>none</fieldname>
<type>rowhelper</type>
<rowhelper>
<rowhelperfield>
- <fielddescr>IP Address</fielddescr>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>syncdestinenable</fieldname>
+ <description><![CDATA[Enable this host as a replication target]]></description>
+ <type>checkbox</type>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Protocol</fielddescr>
+ <fieldname>syncprotocol</fieldname>
+ <description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description>
+ <type>select</type>
+ <default_value>HTTP</default_value>
+ <options>
+ <option><name>HTTP</name><value>http</value></option>
+ <option><name>HTTPS</name><value>https</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>IP Address/Hostname</fielddescr>
<fieldname>ipaddress</fieldname>
+ <description><![CDATA[IP address or hostname of the destination host.]]></description>
<type>input</type>
- <size>20</size>
+ <size>40</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Port</fielddescr>
+ <fieldname>syncport</fieldname>
+ <description><![CDATA[Choose the sync port of the destination host.]]></description>
+ <type>input</type>
+ <size>3</size>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>Password (admin)</fielddescr>
+ <fielddescr>Admin Password</fielddescr>
<fieldname>password</fieldname>
+ <description><![CDATA[Password of the user "admin" on the destination host.]]></description>
<type>password</type>
<size>20</size>
</rowhelperfield>
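Review bot: The new `syncprotocol` select declares `<default_value>HTTP</default_value>`, which matches the option name but neither option value (`http`, `https`), so the default may not be applied as intended. Whichever way it resolves, the default for a channel that carries the destination's admin password should be the encrypted one: `<default_value>https</default_value>`. The `syncport` input is also given `<size>3</size>`, which is narrower than a five-digit port; `<size>5</size>` fits the data. The same three lines appear in the matching squid_sync.xml hunk (`@@ -122,19 +128,45 @@`), and the enclosing `<rowhelper>` continues past the hunk.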
diff --git a/config/squid3/34/squid_sync.xml b/config/squid3/34/squid_sync.xml
index 2f86b7c6..a7670ff5 100755
--- a/config/squid3/34/squid_sync.xml
+++ b/config/squid3/34/squid_sync.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>squidsync</name>
- <version>0.4.1</version>
+ <version>0.4.2</version>
<title>Proxy Server: XMLRPC Sync</title>
<include_file>/usr/local/pkg/squid.inc</include_file>
<tabs>
@@ -94,12 +94,18 @@
<type>listtopic</type>
</field>
<field>
- <fielddescr>Automatically sync Squid configuration changes</fielddescr>
+ <fielddescr>Enable Sync</fielddescr>
<fieldname>synconchanges</fieldname>
- <description>Select a sync method for Squid.</description>
+ <description>
+ <![CDATA[
+ Select a sync method for Squid.<br/><br/>
+ <strong>Important:</strong> While using "Sync to host(s) defined below", only sync from host A to B, A to C but <strong>do not</strong> enable XMLRPC sync <b>to</b> A.
+ This will result in a loop!
+ ]]>
+ </description>
<type>select</type>
<required/>
- <default_value>auto</default_value>
+ <default_value>disabled</default_value>
<options>
<option><name>Sync to configured system backup server</name><value>auto</value></option>
<option><name>Sync to host(s) defined below</name><value>manual</value></option>
@@ -122,19 +128,45 @@
</options>
</field>
<field>
- <fielddescr>Remote Server</fielddescr>
+ <fielddescr>Replication Targets</fielddescr>
<fieldname>none</fieldname>
<type>rowhelper</type>
<rowhelper>
<rowhelperfield>
- <fielddescr>IP Address</fielddescr>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>syncdestinenable</fieldname>
+ <description><![CDATA[Enable this host as a replication target]]></description>
+ <type>checkbox</type>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Protocol</fielddescr>
+ <fieldname>syncprotocol</fieldname>
+ <description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description>
+ <type>select</type>
+ <default_value>HTTP</default_value>
+ <options>
+ <option><name>HTTP</name><value>http</value></option>
+ <option><name>HTTPS</name><value>https</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>IP Address/Hostname</fielddescr>
<fieldname>ipaddress</fieldname>
+ <description><![CDATA[IP address or hostname of the destination host.]]></description>
<type>input</type>
- <size>20</size>
+ <size>40</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Port</fielddescr>
+ <fieldname>syncport</fieldname>
+ <description><![CDATA[Choose the sync port of the destination host.]]></description>
+ <type>input</type>
+ <size>3</size>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>Password (admin)</fielddescr>
+ <fielddescr>Admin Password</fielddescr>
<fieldname>password</fieldname>
+ <description><![CDATA[Password of the user "admin" on the destination host.]]></description>
<type>password</type>
<size>20</size>
</rowhelperfield>
diff --git a/config/squidGuard/squidguard.priv.inc b/config/squidGuard/squidguard.priv.inc
new file mode 100644
index 00000000..a80c798b
--- /dev/null
+++ b/config/squidGuard/squidguard.priv.inc
@@ -0,0 +1,55 @@
+<?php
+/*
+ squidguard.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-squidguard'] = array();
+$priv_list['page-services-squidguard']['name'] = "WebCfg - Services: SquidGuard package";
+$priv_list['page-services-squidguard']['descr'] = "Allow access to SquidGuard package GUI";
+$priv_list['page-services-squidguard']['match'] = array();
+
+$priv_list['page-services-squidguard']['match'][] = "pkg.php?xml=squidguard.xml*";
+$priv_list['page-services-squidguard']['match'][] = "pkg.php?xml=squidguard_acl.xml*";
+$priv_list['page-services-squidguard']['match'][] = "pkg.php?xml=squidguard_default.xml*";
+$priv_list['page-services-squidguard']['match'][] = "pkg.php?xml=squidguard_dest.xml*";
+$priv_list['page-services-squidguard']['match'][] = "pkg.php?xml=squidguard_sync.xml*";
+$priv_list['page-services-squidguard']['match'][] = "pkg.php?xml=squidguard_time.xml*";
+$priv_list['page-services-squidguard']['match'][] = "pkg.php?xml=squidguard_rewr.xml*";
+
+$priv_list['page-services-squidguard']['match'][] = "pkg_edit.php?xml=squidguard.xml*";
+$priv_list['page-services-squidguard']['match'][] = "pkg_edit.php?xml=squidguard_acl.xml*";
+$priv_list['page-services-squidguard']['match'][] = "pkg_edit.php?xml=squidguard_default.xml*";
+$priv_list['page-services-squidguard']['match'][] = "pkg_edit.php?xml=squidguard_dest.xml*";
+$priv_list['page-services-squidguard']['match'][] = "pkg_edit.php?xml=squidguard_sync.xml*";
+$priv_list['page-services-squidguard']['match'][] = "pkg_edit.php?xml=squidguard_time.xml*";
+$priv_list['page-services-squidguard']['match'][] = "pkg_edit.php?xml=squidguard_rewr.xml*";
+
+$priv_list['page-services-squidguard']['match'][] = "squidguard_blacklist.php*";
+$priv_list['page-services-squidguard']['match'][] = "squidguard_log.php*";
+
+?>
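Review bot: The single `page-services-squidguard` privilege bundles the filtering pages with `pkg.php?xml=squidguard_sync.xml*` and `pkg_edit.php?xml=squidguard_sync.xml*`. If that sync page holds replication-target credentials the way squid_sync.xml in this same commit does (not visible here, so to be confirmed), a delegated user who only needs to manage ACLs can also read or change them. Consider moving the two sync patterns into a separate privilege, or at least saying so in the description, e.g. `$priv_list['page-services-squidguard']['descr'] = "Allow access to SquidGuard package GUI (including XMLRPC sync settings)";`. A short comment above the `match` entries, noting that the trailing `*` matches any query-string suffix, would also help the next maintainer.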
diff --git a/config/squidGuard/squidguard.xml b/config/squidGuard/squidguard.xml
index e268fb7a..e7514f63 100644
--- a/config/squidGuard/squidguard.xml
+++ b/config/squidGuard/squidguard.xml
@@ -2,16 +2,52 @@
<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
<packagegui>
- <description>[<![CDATA[Describe your package here]]></description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
+ <copyright>
+<![CDATA[
+/* $Id$ */
+/* ====================================================================================== */
+/*
+ squidguard.xml
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2006-2013 Sergey Dvoriancev <dv_serg@mail.ru>
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+*/
+/* ====================================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+/* ====================================================================================== */
+ ]]>
+ </copyright>
<name>squidguardgeneral</name>
- <version>1.4_7 pkg v.1.9.14</version>
+ <version>1.9.16</version>
<title>Proxy filter SquidGuard: General settings</title>
<include_file>/usr/local/pkg/squidguard.inc</include_file>
<!-- Installation -->
<menu>
- <name>Proxy filter</name>
+ <name>SquidGuard Proxy Filter</name>
<tooltiptext>Modify the proxy server's filter settings</tooltiptext>
<section>Services</section>
<url>/pkg_edit.php?xml=squidguard.xml&amp;id=0</url>
@@ -62,57 +98,50 @@
</service>
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squidGuard/squidguard.inc</item>
</additional_files_needed>
<additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/squidGuard/squidguard.priv.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squidGuard/squidguard_configurator.inc</item>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squidGuard/squidguard_acl.xml</item>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squidGuard/squidguard_default.xml</item>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squidGuard/squidguard_dest.xml</item>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squidGuard/squidguard_rewr.xml</item>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squidGuard/squidguard_time.xml</item>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
- <chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squidGuard/squidguard_sync.xml</item>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/www/squidGuard/</prefix>
- <chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squidGuard/squidguard_log.php</item>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/www/squidGuard/</prefix>
- <chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squidGuard/squidguard_blacklist.php</item>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/www/</prefix>
- <chmod>0755</chmod>
<item>https://packages.pfsense.org/packages/config/squidGuard/sgerror.php</item>
</additional_files_needed>
<fields>
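Review bot: The privilege file registered in this hunk may not cover the two pages installed under `/usr/local/www/squidGuard/`, because squidguard.priv.inc lists them as `squidguard_blacklist.php*` and `squidguard_log.php*` without the directory. The matcher is not visible in this diff; if it compares patterns against the request path, a user holding only `page-services-squidguard` is denied both pages, and operators tend to respond by granting a broader privilege. In that case the patterns should read `squidGuard/squidguard_blacklist.php*` and `squidGuard/squidguard_log.php*`.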
diff --git a/config/sshdcond/sshdcond.inc b/config/sshdcond/sshdcond.inc
index 9c3a8bb9..7c1be614 100644
--- a/config/sshdcond/sshdcond.inc
+++ b/config/sshdcond/sshdcond.inc
@@ -37,8 +37,6 @@ function restart_sshd() {
}
function sshdcond_custom_php_install_command() {
- global $g, $config;
-
/* We need to generate an outfile for our extra commands.
The patched g_szSSHDFileGenerate php file then reads and appends that config.
*/
@@ -48,8 +46,6 @@ function sshdcond_custom_php_install_command() {
}
function sshdcond_custom_php_deinstall_command() {
- global $g, $config;
-
/* Delete our config file. */
unlink_if_exists("/etc/ssh/sshd_extra");
@@ -59,7 +55,7 @@ function sshdcond_custom_php_deinstall_command() {
}
function sshdcond_custom_php_write_config() {
- global $g, $config, $pkg_interface;
+ global $g, $config;
/* Detect boot process, do nothing during boot. */
if (function_exists("platform_booting")) {
@@ -113,71 +109,113 @@ function sshdcond_custom_php_write_config() {
/* Uses XMLRPC to synchronize the changes to a remote node. */
function sshdcond_sync_on_changes() {
- global $config, $g;
-
- /* Basically, this package was never configured */
- if (!is_array($config['installedpackages']['sshdcondsync'])) {
- return;
- }
- /* Package is configured but XMLRPC sync is disabled */
- if (!isset($config['installedpackages']['sshdcondsync']['config'][0]['synconchanges'])) {
- return;
- }
- /* Do XMLRPC sync */
- log_error("[sshdcond] xmlrpc sync is starting.");
- foreach ($config['installedpackages']['sshdcondsync']['config'] as $rs) {
- foreach($rs['row'] as $sh) {
- $sync_to_ip = $sh['ipaddress'];
- $password = $sh['password'];
- if ($password && $sync_to_ip) {
- sshdcond_do_xmlrpc_sync($sync_to_ip, $password);
+ global $config;
+
+ if (is_array($config['installedpackages']['sshdcondsync']['config'])) {
+ $sshdcond_sync = $config['installedpackages']['sshdcondsync']['config'][0];
+ $synconchanges = $sshdcond_sync['synconchanges'];
+ $synctimeout = $sshdcond_sync['synctimeout'] ?: '150';
+ switch ($synconchanges) {
+ case "manual":
+ if (is_array($sshdcond_sync['row'])) {
+ $rs = $sshdcond_sync['row'];
+ } else {
+ log_error("[sshdcond] XMLRPC sync is enabled but there are no hosts configured as replication targets.");
+ return;
+ }
+ break;
+ case "auto":
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
+ $rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
+ $rs[0]['username'] = $system_carp['username'];
+ $rs[0]['password'] = $system_carp['password'];
+ $rs[0]['syncdestinenable'] = FALSE;
+
+ // XMLRPC sync is currently only supported over connections using the same protocol and port as this system
+ if ($config['system']['webgui']['protocol'] == "http") {
+ $rs[0]['syncprotocol'] = "http";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '80';
+ } else {
+ $rs[0]['syncprotocol'] = "https";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '443';
+ }
+ if ($system_carp['synchronizetoip'] == "") {
+ log_error("[sshdcond] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ } else {
+ $rs[0]['syncdestinenable'] = TRUE;
+ }
+ } else {
+ log_error("[sshdcond] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ }
+ break;
+ default:
+ return;
+ break;
+ }
+ if (is_array($rs)) {
+ log_error("[sshdcond] XMLRPC sync is starting.");
+ foreach ($rs as $sh) {
+ // Only sync enabled replication targets
+ if ($sh['syncdestinenable']) {
+ $sync_to_ip = $sh['ipaddress'];
+ $port = $sh['syncport'];
+ $username = $sh['username'] ?: 'admin';
+ $password = $sh['password'];
+ $protocol = $sh['syncprotocol'];
+
+ $error = '';
+ $valid = TRUE;
+
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $valid = FALSE;
+ }
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address or Hostname. ";
+ $valid = FALSE;
+ }
+ if (!is_port($port)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $valid = FALSE;
+ }
+ if ($valid) {
+ sshdcond_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout);
+ } else {
+ log_error("[sshdcond] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
+ }
+ }
}
+ log_error("[sshdcond] XMLRPC sync completed.");
}
- }
- log_error("[sshdcond] xmlrpc sync is ending.");
+ }
}
/* Do the actual XMLRPC sync. */
-function sshdcond_do_xmlrpc_sync($sync_to_ip, $password) {
+function sshdcond_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) {
global $config, $g;
- if (!$password) {
+ if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") {
+ log_error("[sshdcond] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
return;
}
- if (!$sync_to_ip) {
- return;
+ // Take care of IPv6 literal address
+ if (is_ipaddrv6($sync_to_ip)) {
+ $sync_to_ip = "[{$sync_to_ip}]";
}
- $username='admin';
- $xmlrpc_sync_neighbor = $sync_to_ip;
- if ($config['system']['webgui']['protocol'] != "") {
- $synchronizetoip = $config['system']['webgui']['protocol'];
- $synchronizetoip .= "://";
- }
- $port = $config['system']['webgui']['port'];
- /* If port is empty, let's rely on the protocol selection. */
- if ($port == "") {
- if ($config['system']['webgui']['protocol'] == "http") {
- $port = "80";
- } else {
- $port = "443";
- }
- }
- $synchronizetoip .= $sync_to_ip;
+ $url = "{$protocol}://{$sync_to_ip}";
- /* xml will hold the sections to sync. */
+ /* XML will hold the sections to sync. */
$xml = array();
$xml['sshdcond'] = $config['installedpackages']['sshdcond'];
/* Assemble XMLRPC payload. */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($xml)
- );
-
- /* Set a few variables needed for sync code; borrowed from filter.inc. */
- $url = $synchronizetoip;
- log_error("Beginning sshdcond XMLRPC sync to {$url}:{$port}.");
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($xml));
+
+ /* Set a few variables needed for sync code */
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
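Review bot: The per-target validation in sshdcond_sync_on_changes() checks password, host and port but never `$protocol` or `$synctimeout`, and both are used unchecked: the protocol is interpolated into `$url` and the timeout goes straight to `$cli->send()`. Next to the `is_port()` check I would add `if (!in_array($protocol, array('http', 'https'), true)) { $error .= "Misconfigured Replication Target Protocol. "; $valid = FALSE; }`, and fall back to `150` when `$synctimeout` is not numeric. When the protocol is `http`, the admin password placed in `$params` travels in cleartext, so a `log_error()` warning or at least a comment at the `$url` assignment would make that visible to operators. `$rs` is also only assigned inside the switch; initialising it with `$rs = array();` before the switch keeps the later `is_array($rs)` test well defined. sshdcond_do_xmlrpc_sync() continues past the end of this hunk.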
@@ -185,20 +223,20 @@ function sshdcond_do_xmlrpc_sync($sync_to_ip, $password) {
if ($g['debug']) {
$cli->setDebug(1);
}
- /* Send our XMLRPC message and timeout after 250 seconds. */
- $resp = $cli->send($msg, "250");
+ /* Send our XMLRPC message and timeout after defined sync timeout value */
+ $resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting sshdcond XMLRPC sync with {$url}:{$port}.";
- log_error($error);
+ $error = "A communications error occurred while attempting XMLRPC sync with {$url}:{$port}.";
+ log_error("[sshdcond] {$error}");
file_notice("sync_settings", $error, "sshdcond Settings Sync", "");
} elseif ($resp->faultCode()) {
$cli->setDebug(1);
- $resp = $cli->send($msg, "250");
+ $resp = $cli->send($msg, $synctimeout);
$error = "An error code was received while attempting sshdcond XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ log_error("[sshdcond] {$error}");
file_notice("sync_settings", $error, "sshdcond Settings Sync", "");
} else {
- log_error("sshdcond XMLRPC sync successfully completed with {$url}:{$port}.");
+ log_error("[sshdcond] XMLRPC sync successfully completed with {$url}:{$port}.");
}
/* Tell sshdcond to reload our settings on the destination sync host. */
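Review bot: In the `elseif ($resp->faultCode())` branch the message is sent a second time and the new `$resp` is dereferenced without a check, so if the resend fails, `$resp->faultCode()` in the `$error` string is a call on a non-object. Build the text from the first response before resending, e.g. `$fault = $resp->faultCode() . ": " . $resp->faultString();`, or drop the resend. The resend also repeats a message that carries the admin password with `setDebug(1)` switched on; where that debug output ends up is not visible here, so it is worth confirming it cannot reach a log or a rendered page. The same pattern appears in the pfsense.exec_php hunk that follows (@@ -206,28 +244,24 @@).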
@@ -206,28 +244,24 @@ function sshdcond_do_xmlrpc_sync($sync_to_ip, $password) {
$execcmd = "require_once('/usr/local/pkg/sshdcond.inc');\n";
$execcmd .= "sshdcond_custom_php_write_config();";
/* Assemble XMLRPC payload. */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($execcmd)
- );
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));
- log_error("sshdcond XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
- $resp = $cli->send($msg, "250");
+ $resp = $cli->send($msg, $synctimeout);
if (!$resp) {
$error = "A communications error occurred while attempting sshdcond XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
- log_error($error);
+ log_error("[sshdcond] {$error}");
file_notice("sync_settings", $error, "sshdcond Settings Sync", "");
} elseif ($resp->faultCode()) {
$cli->setDebug(1);
- $resp = $cli->send($msg, "250");
+ $resp = $cli->send($msg, $synctimeout);
$error = "An error code was received while attempting sshdcond XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ log_error("[sshdcond] {$error}");
file_notice("sync_settings", $error, "sshdcond Settings Sync", "");
} else {
- log_error("sshdcond XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[sshdcond] XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
}
?>
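Review bot: The pfsense.exec_php reload in this hunk is sent even when the merge step before it failed, because neither error branch of the preceding hunk returns after `file_notice()`. The target then rewrites its sshd configuration from settings that were never updated, and the log can show "reload data success" right after a sync error. Adding `return;` after each `file_notice("sync_settings", ...)` call of the merge step would stop the function at the first failure. The function begins outside this hunk.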
diff --git a/config/sshdcond/sshdcond.priv.inc b/config/sshdcond/sshdcond.priv.inc
new file mode 100644
index 00000000..fddb86c1
--- /dev/null
+++ b/config/sshdcond/sshdcond.priv.inc
@@ -0,0 +1,42 @@
+<?php
+/*
+ sshdcond.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-sshdcond'] = array();
+$priv_list['page-services-sshdcond']['name'] = "WebCfg - Services: SSHDCond package";
+$priv_list['page-services-sshdcond']['descr'] = "Allow access to SSHDCond package GUI";
+$priv_list['page-services-sshdcond']['match'] = array();
+
+$priv_list['page-services-sshdcond']['match'][] = "pkg.php?xml=sshdcond.xml*";
+$priv_list['page-services-sshdcond']['match'][] = "pkg.php?xml=sshdcond_sync.xml*";
+
+$priv_list['page-services-sshdcond']['match'][] = "pkg_edit.php?xml=sshdcond.xml*";
+$priv_list['page-services-sshdcond']['match'][] = "pkg_edit.php?xml=sshdcond_sync.xml*";
+
+?>
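Review bot: The `descr` of `page-services-sshdcond` says only "Allow access to SSHDCond package GUI", but the match list also covers `pkg.php?xml=sshdcond_sync.xml*` and `pkg_edit.php?xml=sshdcond_sync.xml*`, the page where replication targets and the remote admin password are configured. An administrator assigning this privilege cannot tell from the text that it includes control over sshd options and the XMLRPC sync settings. I would spell that out, e.g. `$priv_list['page-services-sshdcond']['descr'] = "Allow access to SSHDCond package GUI, including XMLRPC sync targets and their admin passwords";`, or split the sync page into its own privilege.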
diff --git a/config/sshdcond/sshdcond.xml b/config/sshdcond/sshdcond.xml
index 11104e1d..f0e27c80 100644
--- a/config/sshdcond/sshdcond.xml
+++ b/config/sshdcond/sshdcond.xml
@@ -43,12 +43,10 @@
]]>
</copyright>
<name>sshdcond</name>
- <version>1.0.2</version>
- <title>SSH Conditional</title>
- <description>SSH Conditional blocks</description>
+ <version>1.0.6</version>
+ <title>Services: SSH Conditional Options</title>
<savetext>Save</savetext>
<include_file>/usr/local/pkg/sshdcond.inc</include_file>
-
<menu>
<name>SSH Conditions</name>
<tooltiptext>Configure SSH conditional exceptions</tooltiptext>
@@ -61,6 +59,10 @@
<item>https://packages.pfsense.org/packages/config/sshdcond/sshdcond.inc</item>
</additional_files_needed>
<additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/sshdcond/sshdcond.priv.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<item>https://packages.pfsense.org/packages/config/sshdcond/sshdcond_sync.xml</item>
</additional_files_needed>
@@ -93,7 +95,6 @@
<field>
<type>listtopic</type>
<name>Conditional SSH Options</name>
- <fieldname>temp</fieldname>
</field>
<field>
<fielddescr>Enable</fielddescr>
@@ -187,7 +188,4 @@
<custom_php_resync_config_command>
sshdcond_custom_php_write_config();
</custom_php_resync_config_command>
- <custom_php_command_before_form>
- unset($_POST['temp']);
- </custom_php_command_before_form>
</packagegui>
diff --git a/config/sshdcond/sshdcond_sync.xml b/config/sshdcond/sshdcond_sync.xml
index 511df25b..f81f36b0 100755
--- a/config/sshdcond/sshdcond_sync.xml
+++ b/config/sshdcond/sshdcond_sync.xml
@@ -42,8 +42,8 @@
]]>
</copyright>
<name>sshdcondsync</name>
- <version>1.0.2</version>
- <title>SSH Conditional - Sync</title>
+ <version>1.0.6</version>
+ <title>Services: SSH Conditional Options - Sync</title>
<include_file>/usr/local/pkg/sshdcond.inc</include_file>
<tabs>
<tab>
@@ -62,30 +62,74 @@
<type>listtopic</type>
</field>
<field>
- <fielddescr>Automatically sync configuration changes</fielddescr>
+ <fielddescr>Enable Sync</fielddescr>
<fieldname>synconchanges</fieldname>
- <description>Automatically sync changes to the hosts defined below.</description>
- <type>checkbox</type>
+ <description>
+ <![CDATA[
+ When enabled, this will sync all configuration settings to the Replication Targets.<br/><br/>
+ <b>Important:</b> While using "Sync to host(s) defined below", only sync from host A to B, A to C but <strong>do not</strong> enable XMLRPC sync <b>to</b> A. This will result in a loop!
+ ]]>
+ </description>
+ <type>select</type>
+ <required/>
+ <default_value>disabled</default_value>
+ <options>
+ <option><name>Sync to configured system backup server</name><value>auto</value></option>
+ <option><name>Sync to host(s) defined below</name><value>manual</value></option>
+ <option><name>Do not sync this package configuration</name><value>disabled</value></option>
+ </options>
</field>
<field>
- <fielddescr>Remote Server</fielddescr>
+ <fielddescr>XMLRPC Timeout</fielddescr>
+ <fieldname>synctimeout</fieldname>
+ <description><![CDATA[XMLRPC timeout in seconds. Default: 150]]></description>
+ <type>input</type>
+ <default_value>150</default_value>
+ <size>5</size>
+ </field>
+ <field>
+ <fielddescr>Replication Targets</fielddescr>
<fieldname>none</fieldname>
<type>rowhelper</type>
<rowhelper>
- <rowhelperfield>
- <fielddescr>IP Address</fielddescr>
- <fieldname>ipaddress</fieldname>
- <description>IP Address of remote server.</description>
- <type>input</type>
- <size>20</size>
- </rowhelperfield>
- <rowhelperfield>
- <fielddescr>Password</fielddescr>
- <fieldname>password</fieldname>
- <description>Password for remote server.</description>
- <type>password</type>
- <size>20</size>
- </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>syncdestinenable</fieldname>
+ <description><![CDATA[Enable this host as a replication target]]></description>
+ <type>checkbox</type>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Protocol</fielddescr>
+ <fieldname>syncprotocol</fieldname>
+ <description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description>
+ <type>select</type>
+ <default_value>HTTP</default_value>
+ <options>
+ <option><name>HTTP</name><value>http</value></option>
+ <option><name>HTTPS</name><value>https</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>IP Address/Hostname</fielddescr>
+ <fieldname>ipaddress</fieldname>
+ <description><![CDATA[IP address or hostname of the destination host.]]></description>
+ <type>input</type>
+ <size>40</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Port</fielddescr>
+ <fieldname>syncport</fieldname>
+ <description><![CDATA[Choose the sync port of the destination host.]]></description>
+ <type>input</type>
+ <size>3</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Admin Password</fielddescr>
+ <fieldname>password</fieldname>
+ <description><![CDATA[Password of the user "admin" on the destination host.]]></description>
+ <type>password</type>
+ <size>20</size>
+ </rowhelperfield>
</rowhelper>
</field>
</fields>
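Review bot: The new `syncprotocol` select declares `<default_value>HTTP</default_value>`, which matches neither option value (`http`, `https`) and, wherever the default does take effect, makes cleartext the starting choice for a sync that sends the admin password. I would use `<default_value>https</default_value>`. Two smaller points in the same rowhelper: `syncport` has `<size>3</size>`, which is narrow for a five-digit port, and `synctimeout` is a free-text input with no numeric validation visible in this diff.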
diff --git a/config/stunnel/stunnel.priv.inc b/config/stunnel/stunnel.priv.inc
new file mode 100644
index 00000000..f9857583
--- /dev/null
+++ b/config/stunnel/stunnel.priv.inc
@@ -0,0 +1,42 @@
+<?php
+/*
+ stunnel.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-stunnel'] = array();
+$priv_list['page-services-stunnel']['name'] = "WebCfg - Services: stunnel package";
+$priv_list['page-services-stunnel']['descr'] = "Allow access to stunnel package GUI";
+$priv_list['page-services-stunnel']['match'] = array();
+
+$priv_list['page-services-stunnel']['match'][] = "pkg.php?xml=stunnel.xml*";
+$priv_list['page-services-stunnel']['match'][] = "pkg.php?xml=stunnel_certs.xml*";
+
+$priv_list['page-services-stunnel']['match'][] = "pkg_edit.php?xml=stunnel.xml*";
+$priv_list['page-services-stunnel']['match'][] = "pkg_edit.php?xml=stunnel_certs.xml*";
+
+?>
diff --git a/config/stunnel/stunnel.xml b/config/stunnel/stunnel.xml
index c8957ba8..b5dfd6bd 100644
--- a/config/stunnel/stunnel.xml
+++ b/config/stunnel/stunnel.xml
@@ -42,14 +42,10 @@
]]>
</copyright>
<name>stunnel</name>
- <version>5.20.2</version>
+ <version>5.20.3</version>
<title>Services: Secure Tunnel</title>
<menu>
<name>STunnel</name>
- <tooltiptext>The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server.
- It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code.
- It will negotiate an SSL connection using the OpenSSL or SSLeay libraries.
- It calls the underlying crypto libraries, so stunnel supports whatever cryptographic algorithms you compiled into your crypto package.</tooltiptext>
<section>Services</section>
<configfile>stunnel.xml</configfile>
</menu>
@@ -59,6 +55,10 @@
<item>https://packages.pfsense.org/packages/config/stunnel/stunnel.inc</item>
</additional_files_needed>
<additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/stunnel/stunnel.priv.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<item>https://packages.pfsense.org/packages/config/stunnel/stunnel_certs.xml</item>
</additional_files_needed>
diff --git a/config/sudo/sudo.priv.inc b/config/sudo/sudo.priv.inc
new file mode 100644
index 00000000..01cb2224
--- /dev/null
+++ b/config/sudo/sudo.priv.inc
@@ -0,0 +1,38 @@
+<?php
+/*
+ sudo.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-system-sudo'] = array();
+$priv_list['page-system-sudo']['name'] = "WebCfg - System: sudo package";
+$priv_list['page-system-sudo']['descr'] = "Allow access to sudo package GUI";
+$priv_list['page-system-sudo']['match'] = array();
+
+$priv_list['page-system-sudo']['match'][] = "pkg_edit.php?xml=sudo.xml*";
+
+?>
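Review bot: The `descr` for `page-system-sudo`, "Allow access to sudo package GUI", understates what the privilege grants. According to sudo.xml in this same commit, the page edits the rules that let shell users run commands as other users, such as root, and a blank command list means `ALL`, so holding this privilege is close to holding root on the firewall. The description should tell the administrator that before it is assigned: `$priv_list['page-system-sudo']['descr'] = "Allow access to sudo package GUI (can define sudo rules, including rules for root)";`.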
diff --git a/config/sudo/sudo.xml b/config/sudo/sudo.xml
index 6124a641..e2b92cf1 100644
--- a/config/sudo/sudo.xml
+++ b/config/sudo/sudo.xml
@@ -1,4 +1,6 @@
<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
<packagegui>
<copyright>
<![CDATA[
@@ -42,7 +44,7 @@
<description>Sudo Command Control</description>
<requirements>None</requirements>
<name>sudo</name>
- <version>0.2.7</version>
+ <version>0.2.8</version>
<title>Sudo - Shell Command Privilege Delegation Utility</title>
<include_file>/usr/local/pkg/sudo.inc</include_file>
<menu>
@@ -56,6 +58,10 @@
<prefix>/usr/local/pkg/</prefix>
<item>https://packages.pfsense.org/packages/config/sudo/sudo.inc</item>
</additional_files_needed>
+ <additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/sudo/sudo.priv.inc</item>
+ </additional_files_needed>
<fields>
<field>
<type>listtopic</type>
@@ -63,11 +69,14 @@
</field>
<field>
<type>info</type>
- <description><![CDATA[
-User permission definitions for allowing the use of sudo by shell users to run commands as other users, such as root.
-<br /><br />More information on the full command options may be found in the <a href="http://www.sudo.ws/sudoers.man.html">sudoers manual</a>.
-<br /><br />By default the command is "ALL" meaning the user can run any commands. Leaving the commands field blank assumes "ALL". A comma-separated list of commands can be supplied to limit the user to individual binaries. Full paths to binaries must be used.
- ]]></description>
+ <description>
+ <![CDATA[
+ User permission definitions for allowing the use of sudo by shell users to run commands as other users, such as root.<br /><br />
+ More information on the full command options may be found in the <a href="http://www.sudo.ws/sudoers.man.html">sudoers manual</a>.<br /><br />
+ By default the command is "ALL" meaning the user can run any commands. Leaving the commands field blank assumes "ALL".<br /><br />
+ A comma-separated list of commands can be supplied to limit the user to individual binaries. <strong>Full paths to binaries must be used.</strong>
+ ]]>
+ </description>
</field>
<field>
<fielddescr>User Permissions</fielddescr>
@@ -100,7 +109,7 @@ User permission definitions for allowing the use of sudo by shell users to run c
<rowhelperfield>
<fielddescr>Command List</fielddescr>
<fieldname>cmdlist</fieldname>
- <description>Commands the user may run. Comma-separated list, full paths preferred. Default: ALL</description>
+ <description>Commands the user may run. Comma-separated list, full paths required. Default: ALL</description>
<type>input</type>
<size>30</size>
<value>ALL</value>
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc
index 0180a4a2..bd7a181b 100644
--- a/config/suricata/suricata.inc
+++ b/config/suricata/suricata.inc
@@ -3304,7 +3304,7 @@ function suricata_sync_on_changes() {
/* Do not attempt a package sync while booting up or installing package */
if ($g['booting'] || $g['suricata_postinstall'] == TRUE) {
- log_error("[suricata] No xmlrpc sync to CARP targets when booting up or during package reinstallation.");
+ log_error("[suricata] Skipping XMLRPC sync when booting up or during package reinstallation.");
return;
}
@@ -3318,17 +3318,18 @@ function suricata_sync_on_changes() {
if (is_array($suricata_sync['row'])) {
$rs = $suricata_sync['row'];
} else {
- log_error("[suricata] xmlrpc CARP sync is enabled but there are no hosts configured as replication targets.");
+ log_error("[suricata] XMLRPC sync is enabled but there are no hosts configured as replication targets.");
return;
}
break;
case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) {
- $system_carp = $config['installedpackages']['carpsettings']['config'][0];
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
$rs[0]['varsyncipaddress'] = $system_carp['synchronizetoip'];
$rs[0]['varsyncusername'] = $system_carp['username'];
$rs[0]['varsyncpassword'] = $system_carp['password'];
- $rs[0]['varsyncsuricatastart'] = "no";
+ $rs[0]['varsyncsuricatastart'] = FALSE;
+ $rs[0]['varsyncdestinenable'] = FALSE;
// XMLRPC sync is currently only supported over connections using the same protocol and port as this system
if ($config['system']['webgui']['protocol'] == "http") {
$rs[0]['varsyncprotocol'] = "http";
@@ -3338,11 +3339,13 @@ function suricata_sync_on_changes() {
$rs[0]['varsyncport'] = $config['system']['webgui']['port'] ?: '443';
}
if ($system_carp['synchronizetoip'] == "") {
- log_error("[suricata] xmlrpc CARP sync is enabled but there are no system backup hosts configured as replication targets.");
+ log_error("[suricata] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
return;
+ } else {
+ $rs[0]['varsyncdestinenable'] = TRUE;
}
} else {
- log_error("[suricata] xmlrpc CARP sync is enabled but there are no system backup hosts configured as replication targets.");
+ log_error("[suricata] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
return;
}
break;
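Review bot: The `else { $rs[0]['varsyncdestinenable'] = TRUE; }` branch added here follows a `return;`, so the `else` is redundant, and the `FALSE` assigned to the same key in the previous hunk is never read on any path that reaches the sync loop. Setting the flag once after the empty-target check, `$rs[0]['varsyncdestinenable'] = TRUE;`, says the same thing with less state to track. The enclosing `suricata_sync_on_changes()` starts and ends outside this hunk.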
@@ -3351,44 +3354,42 @@ function suricata_sync_on_changes() {
break;
}
if (is_array($rs)) {
- log_error("[suricata] Suricata pkg xmlrpc CARP sync is starting.");
+ log_error("[suricata] XMLRPC sync is starting.");
foreach ($rs as $sh) {
- if ($sh['varsyncsuricatastart']) {
- $syncstartsuricata = $sh['varsyncsuricatastart'];
- } else {
- $syncstartsuricata = "OFF";
- }
- $sync_to_ip = $sh['varsyncipaddress'];
- $password = $sh['varsyncpassword'];
- $port = $sh['varsyncport'];
- $protocol = $sh['varsyncprotocol'];
- $error = '';
- $success = TRUE;
- if ($sh['varsyncusername']) {
- $username = $sh['varsyncusername'];
- } else {
- $username = 'admin';
- }
- if ($password == "") {
- $error = "Password parameter is empty. ";
- $success = FALSE;
- }
- if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
- $error .= "Misconfigured Replication Target IP Address. ";
- $success = FALSE;
- }
- if (!is_port($port)) {
- $error .= "Misconfigured Replication Target Port. ";
- $success = FALSE;
- }
- if ($success) {
- suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protocol, $username, $password, $synctimeout, $syncstartsuricata);
- } else {
- log_error("[suricata] Suricata pkg xmlrpc CARP sync aborted due to the following error(s): {$error}");
- return;
+ // Only sync enabled replication targets
+ if ($sh['varsyncdestinenable']) {
+ if ($sh['varsyncsuricatastart']) {
+ $syncstartsuricata = $sh['varsyncsuricatastart'];
+ } else {
+ $syncstartsuricata = "OFF";
+ }
+ $sync_to_ip = $sh['varsyncipaddress'];
+ $password = $sh['varsyncpassword'];
+ $port = $sh['varsyncport'];
+ $protocol = $sh['varsyncprotocol'];
+ $error = '';
+ $success = TRUE;
+ $username = $sh['varsyncusername'] ?: 'admin';
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $success = FALSE;
+ }
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address. ";
+ $success = FALSE;
+ }
+ if (!is_port($port)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $success = FALSE;
+ }
+ if ($success) {
+ suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protocol, $username, $password, $synctimeout, $syncstartsuricata);
+ } else {
+ log_error("[suricata] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
+ }
}
}
- log_error("[suricata] Suricata pkg xmlrpc CARP sync completed.");
+ log_error("[suricata] XMLRPC sync completed.");
}
}
}
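Review bot: The new `if ($sh['varsyncdestinenable'])` guard skips a replication target without writing any log entry, so rows saved before this field existed (which would not carry the key) stop syncing silently unless an upgrade step outside this hunk sets it. An `else` branch that logs the skip, e.g. `log_error("[suricata] XMLRPC sync target '{$sh['varsyncipaddress']}' is not enabled ... skipping.");`, would make that visible to whoever is monitoring HA state. The abort message now also interpolates `$sync_to_ip` in exactly the case where it has just failed the address checks, so consider stripping control characters before it goes to the log. `suricata_sync_on_changes()` begins outside this hunk.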
@@ -3399,12 +3400,12 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc
/* Do not attempt a package sync while booting up or installing package */
if ($g['booting'] || isset($g['suricata_postinstall'])) {
- log_error("[suricata] No xmlrpc sync to CARP targets when booting up or during package reinstallation.");
+ log_error("[suricata] Skipping XMLRPC sync when booting up or during package reinstallation.");
return;
}
if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") {
- log_error("[suricata] A required XMLRPC CARP sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
+ log_error("[suricata] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
return;
}
@@ -3428,25 +3429,25 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc
$method = 'pfsense.exec_php';
$params = array( XML_RPC_encode($password), XML_RPC_encode($payload) );
- log_error("[suricata] Suricata XMLRPC CARP sync sending auto-SID conf files to {$url}:{$port}.");
+ log_error("[suricata] XMLRPC sync sending auto-SID conf files to {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
$error = "";
if (!$resp) {
- $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
+ $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} elseif ($resp->faultCode()) {
- $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
}
}
if (!empty($sid_files) && $error == "") {
- log_error("[suricata] Suricata pkg XMLRPC CARP sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[suricata] XMLRPC sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php).");
}
/*************************************************/
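Review bot: The success message `XMLRPC sync auto-SID conf files success` is gated on `$error == ""`, but `$error` is reset to `""` before each response check, which appears to sit inside the per-file loop, so a failure on an earlier file is forgotten when the last file transfers cleanly. Initialise `$error = "";` once before the loop, or record failures in a separate flag such as `$sync_failed = TRUE;` and test that instead. The IPREP hunk that follows has the same pattern. The loop header and the rest of `suricata_do_xmlrpc_sync()` are outside this hunk.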
@@ -3461,25 +3462,25 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc
$method = 'pfsense.exec_php';
$params = array( XML_RPC_encode($password), XML_RPC_encode($payload) );
- log_error("[suricata] Suricata XMLRPC CARP sync sending IPREP files to {$url}:{$port}.");
+ log_error("[suricata] Suricata XMLRPC sync sending IPREP files to {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
$error = "";
if (!$resp) {
- $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
+ $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} elseif ($resp->faultCode()) {
- $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
}
}
if (!empty($iprep_files) && $error == "") {
- log_error("[suricata] Suricata pkg XMLRPC CARP sync IPREP files success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[suricata] XMLRPC sync IPREP files success with {$url}:{$port} (pfsense.exec_php).");
}
/**************************************************/
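Review bot: The renamed message on the new side still reads `[suricata] Suricata XMLRPC sync sending IPREP files`, while the matching auto-SID message in the previous hunk was shortened to `[suricata] XMLRPC sync sending ...`. Log filters and alert rules that key on the message text are easier to maintain when the two agree: `log_error("[suricata] XMLRPC sync sending IPREP files to {$url}:{$port}.");`.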
@@ -3494,7 +3495,7 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc
XML_RPC_encode($xml)
);
- log_error("[suricata] Beginning Suricata pkg configuration XMLRPC sync to {$url}:{$port}.");
+ log_error("[suricata] Beginning package configuration XMLRPC sync to {$url}:{$port}.");
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
@@ -3503,30 +3504,30 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc
/* send our XMLRPC message and timeout after defined sync timeout value*/
$resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port}.";
+ $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port}.";
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} elseif ($resp->faultCode()) {
- $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} else {
- log_error("[suricata] Suricata pkg configuration XMLRPC CARP sync successfully completed with {$url}:{$port}.");
+ log_error("[suricata] Package configuration XMLRPC sync successfully completed with {$url}:{$port}.");
}
$downloadrulescmd = "";
if ($syncdownloadrules == "yes") {
- $downloadrulescmd = "log_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Update of downloaded rule sets requested...\"));\n";
+ $downloadrulescmd = "log_error(gettext(\"[suricata] XMLRPC pkg sync: Update of downloaded rule sets requested...\"));\n";
$downloadrulescmd .= "\tinclude_once(\"/usr/local/pkg/suricata/suricata_check_for_rule_updates.php\");\n";
}
$suricatastart = "";
if ($syncstartsuricata == "ON") {
- $suricatastart = "log_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Checking Suricata status...\"));\n";
+ $suricatastart = "log_error(gettext(\"[suricata] XMLRPC pkg sync: Checking Suricata status...\"));\n";
$suricatastart .= "\tif (!is_process_running(\"suricata\")) {\n";
- $suricatastart .= "\t\tlog_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Suricata not running. Sending a start command...\"));\n";
+ $suricatastart .= "\t\tlog_error(gettext(\"[suricata] XMLRPC pkg sync: Suricata not running. Sending a start command...\"));\n";
$suricatastart .= "\t\t\$sh_script = RCFILEPREFIX . \"suricata.sh\";\n";
$suricatastart .= "\t\tmwexec_bg(\"{\$sh_script} start\");\n\t}\n";
- $suricatastart .= "\telse {\n\t\tlog_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Suricata is running...\"));\n\t}\n";
+ $suricatastart .= "\telse {\n\t\tlog_error(gettext(\"[suricata] XMLRPC pkg sync: Suricata is running...\"));\n\t}\n";
}
/*************************************************/
@@ -3546,14 +3547,14 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc
\$pkg_interface = "console";
{$downloadrulescmd}
unset(\$g["suricata_postinstall"]);
- log_error(gettext("[suricata] XMLRPC pkg CARP sync: Generating suricata.yaml file using Master Host settings..."));
+ log_error(gettext("[suricata] XMLRPC pkg sync: Generating suricata.yaml file using Master Host settings..."));
\$rebuild_rules = true;
conf_mount_rw();
sync_suricata_package_config();
conf_mount_ro();
\$rebuild_rules = false;
{$suricatastart}
- log_error(gettext("[suricata] XMLRPC pkg CARP sync process on this host is complete..."));
+ log_error(gettext("[suricata] XMLRPC pkg sync process on this host is complete..."));
\$pkg_interface = \$orig_pkg_interface;
unset(\$g["suricata_sync_in_progress"]);
return true;
@@ -3574,21 +3575,21 @@ EOD;
XML_RPC_encode($execcmd)
);
- log_error("[suricata] Suricata XMLRPC CARP sync sending reload configuration cmd set as a file to {$url}:{$port}.");
+ log_error("[suricata] XMLRPC sync sending reload configuration cmd set as a file to {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port} (pfsense.exec_php).";
+ $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} elseif ($resp->faultCode()) {
- $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} else {
- log_error("[suricata] Suricata pkg XMLRPC CARP sync reload configuration success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[suricata] XMLRPC sync reload configuration success with {$url}:{$port} (pfsense.exec_php).");
}
/*************************************************/
@@ -3600,19 +3601,19 @@ EOD;
XML_RPC_encode($password),
XML_RPC_encode($execcmd)
);
- log_error("[suricata] Suricata XMLRPC CARP sync sending {$url}:{$port} cmd to execute configuration reload.");
+ log_error("[suricata] XMLRPC sync sending {$url}:{$port} cmd to execute configuration reload.");
$msg2 = new XML_RPC_Message($method, $params2);
$resp = $cli->send($msg2, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port} (pfsense.exec_php).";
+ $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} elseif ($resp->faultCode()) {
- $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} else {
- log_error("[suricata] Suricata pkg XMLRPC CARP sync reload configuration success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[suricata] XMLRPC sync reload configuration success with {$url}:{$port} (pfsense.exec_php).");
}
}
diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml
index e2c4735c..7c7e9e80 100644
--- a/config/suricata/suricata.xml
+++ b/config/suricata/suricata.xml
@@ -42,7 +42,7 @@
</copyright>
<description>Suricata IDS/IPS Package</description>
<name>suricata</name>
- <version>2.0.8 pkg v2.1.6</version>
+ <version>2.1.9</version>
<title>Services: Suricata IDS</title>
<include_file>/usr/local/pkg/suricata/suricata.inc</include_file>
<menu>
diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php
index c4e438ba..81c7c503 100644
--- a/config/suricata/suricata_barnyard.php
+++ b/config/suricata/suricata_barnyard.php
@@ -14,7 +14,7 @@
* All rights reserved.
*
* Adapted for Suricata by:
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -86,6 +86,14 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['barnyard_bro_ids_dport'] = "47760";
if (empty($a_nat[$id]['barnyard_sensor_id']))
$pconfig['barnyard_sensor_id'] = "0";
+ if (empty($pconfig['barnyard_xff_logging']))
+ $pconfig['barnyard_xff_logging'] = "off";
+ if (empty($pconfig['barnyard_xff_mode']))
+ $pconfig['barnyard_xff_mode'] = "extra-data";
+ if (empty($pconfig['barnyard_xff_deployment']))
+ $pconfig['barnyard_xff_deployment'] = "reverse";
+ if (empty($pconfig['barnyard_xff_header']))
+ $pconfig['barnyard_xff_header'] = "X-Forwarded-For";
}
if ($_POST['save']) {
@@ -129,6 +137,9 @@ if ($_POST['save']) {
$input_errors[] = gettext("The value for 'Sensor ID' must be a valid positive integer.");
}
+ if (empty($_POST['barnyard_xff_header']) && $_POST['barnyard_xff_logging'] == "on")
+ $input_errors[] = gettext("The value for the X-Forwarded-For Header cannot be blank when X-Forwarded-For logging is enabled.");
+
// Validate inputs if MySQL database loggging enabled
if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") {
if (empty($_POST['barnyard_dbhost']))
@@ -172,11 +183,13 @@ if ($_POST['save']) {
$natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off';
$natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off';
$natent['barnyard_disable_sig_ref_tbl'] = $_POST['barnyard_disable_sig_ref_tbl'] ? 'on' : 'off';
+ $natent['barnyard_xff_logging'] = $_POST['barnyard_xff_logging'] ? 'on' : 'off';
$natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode'];
$natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto'];
if ($_POST['barnyard_sensor_id']) $natent['barnyard_sensor_id'] = $_POST['barnyard_sensor_id']; else $natent['barnyard_sensor_id'] = '0';
if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']);
+ if ($_POST['barnyard_xff_header']) $natent['barnyard_xff_header'] = $_POST['barnyard_xff_header']; else $natent['barnyard_xff_header'] = 'X-Forwarded-For';
if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']);
if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']);
if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']);
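Review bot: This hunk persists `barnyard_xff_logging` and `barnyard_xff_header`, but nothing visible stores `barnyard_xff_mode` or `barnyard_xff_deployment`, although the form adds a select for each and defaults are loaded for both. Unless they are saved outside this hunk, the user's choice is dropped on save. When adding them, check the posted value against the allowed list rather than copying it, e.g. `$natent['barnyard_xff_mode'] = in_array($_POST['barnyard_xff_mode'], array('extra-data', 'overwrite')) ? $_POST['barnyard_xff_mode'] : 'extra-data';`, and the same with `array('reverse', 'forward')` for the deployment.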
@@ -335,6 +348,56 @@ include_once("head.inc");
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Logging"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_xff_logging" id="barnyard_xff_logging" type="checkbox" value="on" <?php if ($pconfig['barnyard_xff_logging'] == "on") echo "checked"; ?> onClick="toggle_xff_log_options()"/>
+ <?php echo gettext("Enable logging of X-Forwarded-For IP addresses. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?>
+ </td>
+ </tr>
+ <tbody id="xff_options">
+ <tr id="barnyard_xff_mode_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Mode"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="barnyard_xff_mode" id="barnyard_xff_mode" class="formselect">
+ <?php
+ $xff_modes = array( "extra-data", "overwrite" );
+ foreach ($xff_modes as $mode) {
+ $selected = "";
+ if ($mode == $pconfig['barnyard_xff_mode'])
+ $selected = " selected";
+ echo "<option value='{$mode}'{$selected}>" . $mode . "</option>\n";
+ }
+ ?></select>&nbsp;&nbsp;
+ <?php echo gettext("Select HTTP X-Forwarded-For Operation Mode. Default is ") . "<strong>" . gettext("extra-data") . "</strong>."; ?>
+ </td>
+ </tr>
+ <tr id="barnyard_xff_deployment_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Deployment"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="barnyard_xff_deployment" id="barnyard_xff_deployment" class="formselect">
+ <?php
+ $xff_deployments = array( "reverse", "forward" );
+ foreach ($xff_deployments as $deployment) {
+ $selected = "";
+ if ($mode == $pconfig['barnyard_xff_deployment'])
+ $selected = " selected";
+ echo "<option value='{$deployment}'{$selected}>" . $deployment . "</option>\n";
+ }
+ ?></select>&nbsp;&nbsp;
+ <?php echo gettext("Select HTTP X-Forwarded-For Deployment. Default is ") . "<strong>" . gettext("reverse") . "</strong>."; ?>
+ </td>
+ </tr>
+ <tr id="barnyard_xff_header_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Header"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_xff_header" type="text" class="formfld unknown" id="barnyard_xff_header"
+ size="18" value="<?=htmlspecialchars($pconfig['barnyard_xff_header']); ?>"/>&nbsp;
+ <?php echo gettext("Enter header where actual IP address is reported. Default is ") . "<strong>" .
+ gettext("X-Forwarded-For") . "</strong>."; ?><br/><br/><?php echo gettext("If more than one IP address is present, the last one will be used.") ?>
+ </td>
+ </tr>
+ </tbody>
+ <tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Database Output Settings"); ?></td>
</tr>
<tr>
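Review bot: In the deployment select, the selected test compares `$mode` instead of the loop variable: `if ($mode == $pconfig['barnyard_xff_deployment'])`. `$mode` still holds the last value of the previous loop (`overwrite`), which never equals `reverse` or `forward`, so no option is marked selected and the form always displays the first entry regardless of the stored setting. It should read `if ($deployment == $pconfig['barnyard_xff_deployment'])`.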
@@ -600,6 +663,16 @@ function toggle_bro_ids() {
document.getElementById("bro_ids_config_rows").style.display = "";
}
+function toggle_xff_log_options() {
+ var endis = !(document.iform.barnyard_xff_logging.checked);
+ if (endis) {
+ document.getElementById("xff_options").style.display = "none";
+ }
+ else {
+ document.getElementById("xff_options").style.display = "";
+ }
+}
+
function enable_change(enable_change) {
endis = !(document.iform.barnyard_enable.checked || enable_change);
// make sure a default answer is called if this is invoked.
@@ -610,6 +683,10 @@ function enable_change(enable_change) {
document.iform.barnyard_obfuscate_ip.disabled = endis;
document.iform.barnyard_sensor_id.disabled = endis;
document.iform.barnyard_sensor_name.disabled = endis;
+ document.iform.barnyard_xff_logging.disabled = endis;
+ document.iform.barnyard_xff_mode.disabled = endis;
+ document.iform.barnyard_xff_deployment.disabled = endis;
+ document.iform.barnyard_xff_header.disabled = endis;
document.iform.barnyard_mysql_enable.disabled = endis;
document.iform.barnyard_dbhost.disabled = endis;
document.iform.barnyard_dbname.disabled = endis;
@@ -636,6 +713,7 @@ toggle_mySQL();
toggle_syslog();
toggle_local_syslog();
toggle_bro_ids();
+toggle_xff_log_options();
enable_change(false);
</script>
diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php
index 67334957..e245d71e 100644
--- a/config/suricata/suricata_check_for_rule_updates.php
+++ b/config/suricata/suricata_check_for_rule_updates.php
@@ -13,7 +13,7 @@
* All rights reserved.
*
* Adapted for Suricata by:
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -43,7 +43,7 @@ require_once("service-utils.inc");
require_once("/usr/local/pkg/suricata/suricata.inc");
require_once("/usr/local/pkg/suricata/suricata_defs.inc");
-global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules;
+global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules, $static_output;
$suricatadir = SURICATADIR;
$suricatalogdir = SURICATALOGDIR;
@@ -264,7 +264,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
/* error occurred. */
/**********************************************************/
- global $pkg_interface, $last_curl_error, $update_errors;
+ global $pkg_interface, $last_curl_error, $update_errors, $static_output;
$suricatadir = SURICATADIR;
$filename_md5 = basename($file_dst);
@@ -301,7 +301,8 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
$suricata_err_msg = gettext("Server returned error code {$rc}.");
if ($pkg_interface <> "console") {
update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ..."));
- update_output_window(gettext("{$desc} will not be updated.\n\t{$suricata_err_msg}"));
+ $static_output .= gettext("{$desc} will not be updated.\n\t{$suricata_err_msg}");
+ update_output_window($static_output);
}
log_error(gettext("[Suricata] {$desc} md5 download failed..."));
log_error(gettext("[Suricata] Server returned error code {$rc}..."));
@@ -333,7 +334,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
/* FALSE if download was not successful. */
/**********************************************************/
- global $pkg_interface, $last_curl_error, $update_errors;
+ global $pkg_interface, $last_curl_error, $update_errors, $static_output;
$suricatadir = SURICATADIR;
$filename = basename($file_dst);
@@ -354,8 +355,10 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
// Test integrity of the rules file. Turn off update if file has wrong md5 hash
if ($file_md5 != trim(md5_file($file_dst))){
- if ($pkg_interface <> "console")
- update_output_window(gettext("{$desc} file MD5 checksum failed..."));
+ if ($pkg_interface <> "console") {
+ $static_output .= gettext("{$desc} file MD5 checksum failed!\n");
+ update_output_window($static_output);
+ }
log_error(gettext("[Suricata] {$desc} file download failed. Bad MD5 checksum..."));
log_error(gettext("[Suricata] Downloaded File MD5: " . md5_file($file_dst)));
log_error(gettext("[Suricata] Expected File MD5: {$file_md5}"));
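Review bot: The integrity test on the context line, `$file_md5 != trim(md5_file($file_dst))`, uses PHP's loose comparison, which compares two numeric-looking strings (for example digests of the form `0e` followed only by digits) as numbers rather than byte for byte. Use a strict comparison, `if (trim($file_md5) !== md5_file($file_dst)) {`, which also treats a `false` return from `md5_file()` as a mismatch. The failure branch calls `md5_file($file_dst)` a second time for the log; computing the digest once into a local avoids re-reading the file. Where `$file_md5` comes from is outside this hunk; if it is fetched from the same server as the rules file, the check detects corruption but not a tampered download.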
@@ -369,8 +372,10 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
return true;
}
else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("{$desc} file download failed..."));
+ if ($pkg_interface <> "console") {
+ $static_output .= gettext("{$desc} file download failed!\n");
+ update_output_window($static_output);
+ }
log_error(gettext("[Suricata] {$desc} file download failed... server returned error '{$rc}'..."));
error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
if ($pkg_interface == "console")
@@ -451,7 +456,8 @@ if ($emergingthreats == 'on') {
if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
if ($pkg_interface <> "console") {
update_status(gettext("Extracting {$et_name} rules..."));
- update_output_window(gettext("Installing {$et_name} rules..."));
+ $static_output .= gettext("Installing {$et_name} rules...");
+ update_output_window($static_output);
}
error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/");
@@ -509,7 +515,8 @@ if ($emergingthreats == 'on') {
}
if ($pkg_interface <> "console") {
update_status(gettext("Extraction of {$et_name} rules completed..."));
- update_output_window(gettext("Installation of {$et_name} rules completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/emerging");
@@ -525,7 +532,8 @@ if ($snortdownload == 'on') {
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort VRT rules..."));
- update_output_window(gettext("Installing Sourcefire VRT rules..."));
+ $static_output .= gettext("Installing Sourcefire VRT rules...");
+ update_output_window($static_output);
}
error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
@@ -549,7 +557,6 @@ if ($snortdownload == 'on') {
/* extract base etc files */
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort VRT config and map files..."));
- update_output_window(gettext("Copying config and map files..."));
}
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/");
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
@@ -564,7 +571,8 @@ if ($snortdownload == 'on') {
}
if ($pkg_interface <> "console") {
update_status(gettext("Extraction of Snort VRT rules completed..."));
- update_output_window(gettext("Installation of Sourcefire VRT rules completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
@@ -576,7 +584,8 @@ if ($snortcommunityrules == 'on') {
if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) {
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort GPLv2 Community Rules..."));
- update_output_window(gettext("Installing Snort GPLv2 Community Rules..."));
+ $static_output .= gettext("Installing Snort GPLv2 Community Rules...");
+ update_output_window($static_output);
}
error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/");
@@ -599,7 +608,8 @@ if ($snortcommunityrules == 'on') {
}
if ($pkg_interface <> "console") {
update_status(gettext("Extraction of Snort GPLv2 Community Rules completed..."));
- update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/community");
@@ -680,17 +690,20 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
$tmp = "Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($value['interface']) . " ...";
if ($pkg_interface <> "console"){
update_status(gettext($tmp));
- update_output_window(gettext("Please wait while Suricata interface files are being updated..."));
+ $static_output .= $tmp;
+ update_output_window($static_output);
}
suricata_apply_customizations($value, $if_real);
$tmp = "\t" . $tmp . "\n";
error_log($tmp, 3, SURICATA_RULES_UPD_LOGFILE);
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
}
else {
if ($pkg_interface <> "console") {
- update_output_window(gettext("Warning: No interfaces configured for Suricata were found..."));
- update_output_window(gettext("No interfaces currently have Suricata configured and enabled on them..."));
+ $static_output .= gettext("Warning: No interfaces configured for Suricata were found!\nNo interfaces currently have Suricata configured and enabled on them.");
+ update_output_window($static_output);
}
error_log(gettext("\tWarning: No interfaces configured for Suricata were found...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
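Review bot: The added `$static_output .= gettext(" done.\n"); update_output_window($static_output);` after `error_log($tmp, ...)` sits outside the `if ($pkg_interface <> "console")` guard that wraps the other `update_output_window()` calls in these hunks, so it also runs in console mode. Wrap it in the same guard: `if ($pkg_interface <> "console") { $static_output .= gettext(" done.\n"); update_output_window($static_output); }`. The same unguarded pair follows `rmdir_recursive("{$tmpfname}")` in the cleanup hunk further down. `$static_output .= $tmp;` also appends the untranslated string while `update_status()` receives `gettext($tmp)`.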
@@ -707,7 +720,6 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
if ($config['installedpackages']['suricata']['config'][0]['live_swap_updates'] == 'on') {
if ($pkg_interface <> "console") {
update_status(gettext('Signaling Suricata to live-load the new set of rules...'));
- update_output_window(gettext("Please wait ... the process should complete in a few seconds..."));
}
log_error(gettext("[Suricata] Live-Reload of rules from auto-update is enabled..."));
error_log(gettext("\tLive-Reload of updated rules is enabled...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
@@ -721,34 +733,37 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
else {
if ($pkg_interface <> "console") {
update_status(gettext('Restarting Suricata to activate the new set of rules...'));
- update_output_window(gettext("Please wait ... restarting Suricata will take some time..."));
+ $static_output .= gettext("Restarting Suricata...");
+ update_output_window($static_output);
}
error_log(gettext("\tRestarting Suricata to activate the new set of rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
restart_service("suricata");
- if ($pkg_interface <> "console")
- update_output_window(gettext("Suricata has restarted with your new set of rules..."));
+ if ($pkg_interface <> "console") {
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
+ }
log_error(gettext("[Suricata] Suricata has restarted with your new set of rules..."));
error_log(gettext("\tSuricata has restarted with your new set of rules.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
}
- else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("The rules update task is complete..."));
- }
}
// Remove old $tmpfname files
if (is_dir("{$tmpfname}")) {
if ($pkg_interface <> "console") {
update_status(gettext("Cleaning up after rules extraction..."));
- update_output_window(gettext("Removing {$tmpfname} directory..."));
+ $static_output .= gettext("Removing {$tmpfname} directory...");
+ update_output_window($static_output);
}
rmdir_recursive("{$tmpfname}");
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
if ($pkg_interface <> "console") {
update_status(gettext("The Rules update has finished..."));
- update_output_window("");
+ $static_output .= gettext("Rules update task complete.\n");
+ update_output_window($static_output);
}
log_error(gettext("[Suricata] The Rules update has finished."));
error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SURICATA_RULES_UPD_LOGFILE);
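Review bot: The two lines added after `rmdir_recursive("{$tmpfname}")` append to `$static_output` and call `update_output_window()` outside the `$pkg_interface <> "console"` check that guards every other GUI output call in this hunk, so a console or scheduled run also reaches the GUI progress call. Wrapping them as `if ($pkg_interface <> "console") { $static_output .= gettext(" done.\n"); update_output_window($static_output); }` keeps the hunk consistent. Indentation is not preserved in this view, so the nesting is read from the braces alone.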
diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php
index 9467ea7c..4be8dc35 100644
--- a/config/suricata/suricata_flow_stream.php
+++ b/config/suricata/suricata_flow_stream.php
@@ -14,7 +14,7 @@
* All rights reserved.
*
* Adapted for Suricata by:
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -250,8 +250,11 @@ elseif ($_POST['ResetAll']) {
$pconfig['flow_icmp_emerg_new_timeout'] = '10';
$pconfig['flow_icmp_emerg_established_timeout'] = '100';
- $pconfig['stream_memcap'] = '33554432';
+ // The default 'stream_memcap' value must be calculated as follows:
+ // 216 * prealloc_sessions * number of threads = memory use in bytes
+ // 64 MB is a decent all-around default, but some setups need more.
$pconfig['stream_prealloc_sessions'] = '32768';
+ $pconfig['stream_memcap'] = '67108864';
$pconfig['reassembly_memcap'] = '67108864';
$pconfig['reassembly_depth'] = '1048576';
$pconfig['reassembly_to_server_chunk'] = '2560';
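Review bot: The new comment says the default `stream_memcap` must be calculated from `prealloc_sessions` and the thread count, but the added line assigns the fixed literal `'67108864'`. The same literal is repeated in the save handler further down this file, in suricata_generate_yaml.php and in suricata_interfaces_edit.php. A single shared constant (a `define()` with a name such as `SURICATA_DEFAULT_STREAM_MEMCAP`, a placeholder name) would keep the four defaults from drifting apart the next time the value changes. The comment would read more accurately as `// Rule of thumb: 216 * prealloc_sessions * number of threads = memory use in bytes`. The `ResetAll` branch starts and ends outside this hunk.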
@@ -298,7 +301,7 @@ elseif ($_POST['save'] || $_POST['apply']) {
if ($_POST['flow_icmp_emerg_new_timeout'] != "") { $natent['flow_icmp_emerg_new_timeout'] = $_POST['flow_icmp_emerg_new_timeout']; }else{ $natent['flow_icmp_emerg_new_timeout'] = "10"; }
if ($_POST['flow_icmp_emerg_established_timeout'] != "") { $natent['flow_icmp_emerg_established_timeout'] = $_POST['flow_icmp_emerg_established_timeout']; }else{ $natent['flow_icmp_emerg_established_timeout'] = "100"; }
- if ($_POST['stream_memcap'] != "") { $natent['stream_memcap'] = $_POST['stream_memcap']; }else{ $natent['stream_memcap'] = "33554432"; }
+ if ($_POST['stream_memcap'] != "") { $natent['stream_memcap'] = $_POST['stream_memcap']; }else{ $natent['stream_memcap'] = "67108864"; }
if ($_POST['stream_prealloc_sessions'] != "") { $natent['stream_prealloc_sessions'] = $_POST['stream_prealloc_sessions']; }else{ $natent['stream_prealloc_sessions'] = "32768"; }
if ($_POST['enable_midstream_sessions'] == "on") { $natent['enable_midstream_sessions'] = 'on'; }else{ $natent['enable_midstream_sessions'] = 'off'; }
if ($_POST['enable_async_sessions'] == "on") { $natent['enable_async_sessions'] = 'on'; }else{ $natent['enable_async_sessions'] = 'off'; }
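Review bot: The changed line stores `$_POST['stream_memcap']` exactly as submitted, and suricata_generate_yaml.php later reads `stream_memcap` back from the saved configuration, presumably for substitution into suricata.yaml, so a non-numeric value would travel all the way into the engine configuration. No digit check is visible in this hunk. If the validation earlier in this `save`/`apply` branch (outside the hunk) does not already cover the field, a guard such as `if ($_POST['stream_memcap'] != "" && !ctype_digit($_POST['stream_memcap'])) $input_errors[] = gettext("Stream memcap must be a whole number of bytes.");` would reject it before saving. The same applies to `stream_prealloc_sessions` on the next line.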
@@ -764,8 +767,11 @@ if ($savemsg) {
<input name="stream_memcap" type="text" class="formfld unknown" id="stream_memcap" size="9"
value="<?=htmlspecialchars($pconfig['stream_memcap']);?>">&nbsp;
<?php echo gettext("Max memory to be used by stream engine. Default is ") .
- "<strong>" . gettext("33,554,432") . "</strong>" . gettext(" bytes (32MB)"); ?><br/><br/>
- <?php echo gettext("Sets the maximum amount of memory, in bytes, to be used by the stream engine."); ?>
+ "<strong>" . gettext("67,108,864") . "</strong>" . gettext(" bytes (64MB)"); ?><br/><br/>
+ <?php echo gettext("Sets the maximum amount of memory, in bytes, to be used by the stream engine. ");?><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("This number will likely need to be increased beyond the default value in systems with more than 4 processor cores. " .
+ "If Suricata fails to start and logs a memory allocation error, increase this value in 4 MB chunks until Suricata starts successfully."); ?>
</td>
</tr>
<tr>
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php
index 328702b9..3394ad4c 100644
--- a/config/suricata/suricata_generate_yaml.php
+++ b/config/suricata/suricata_generate_yaml.php
@@ -292,6 +292,7 @@ if (!empty($suricatacfg['max_pcap_log_files']))
else
$pcap_log_max_files = "1000";
+// Unified2 Alert Log Settings
if ($suricatacfg['barnyard_enable'] == 'on')
$barnyard2_enabled = "yes";
else
@@ -307,6 +308,28 @@ if (isset($suricatacfg['barnyard_sensor_id']))
else
$unified2_sensor_id = "0";
+// Unified2 X-Forwarded-For logging options
+if ($suricatacfg['barnyard_xff_logging'] == 'on') {
+ $unified2_xff_output = "xff:";
+ $unified2_xff_output .= "\n enabled: yes";
+ if (!empty($suricatacfg['barnyard_xff_mode']))
+ $unified2_xff_output .= "\n mode: {$suricatacfg['barnyard_xff_mode']}";
+ else
+ $unified2_xff_output .= "\n mode: extra-data";
+ if (!empty($suricatacfg['barnyard_xff_deployment']))
+ $unified2_xff_output .= "\n deployment: {$suricatacfg['barnyard_xff_deployment']}";
+ else
+ $unified2_xff_output .= "\n deployment: reverse";
+ if (!empty($suricatacfg['barnyard_xff_header']))
+ $unified2_xff_output .= "\n header: {$suricatacfg['barnyard_xff_header']}";
+ else
+ $unified2_xff_output .= "\n header: X-Forwarded-For";
+}
+else {
+ $unified2_xff_output = "xff:";
+ $unified2_xff_output .= "\n enabled: no";
+}
+
// EVE JSON log output settings
if ($suricatacfg['enable_eve_log'] == 'on')
$enable_eve_log = "yes";
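Review bot: The `mode`, `deployment` and `header` values are copied from `$suricatacfg` straight into the generated YAML with only an `!empty()` check, so a stored value containing a newline or YAML syntax would add or alter keys in suricata.yaml. Suricata accepts a fixed set of values for the first two (`extra-data`/`overwrite`, `reverse`/`forward`) and a header name is a plain token, so each value can be checked against that set before it is written, falling back to the existing defaults. Whether the edit page that stores these settings already validates them is not visible here. The continuation lines also carry their YAML indentation inside the string, which has to match the column where `{$unified2_xff_output}` sits in suricata_yaml_template.inc.

```php
if ($suricatacfg['barnyard_xff_logging'] == 'on') {
	// Accept only the values Suricata defines for these keys; anything else falls back to the default
	$xff_mode = in_array($suricatacfg['barnyard_xff_mode'], array('extra-data', 'overwrite'), true)
		? $suricatacfg['barnyard_xff_mode'] : 'extra-data';
	$xff_deployment = in_array($suricatacfg['barnyard_xff_deployment'], array('reverse', 'forward'), true)
		? $suricatacfg['barnyard_xff_deployment'] : 'reverse';
	// A header name is a token: letters, digits and hyphens only, so no newline or colon reaches the YAML
	$xff_header = preg_match('/^[A-Za-z0-9-]+$/D', (string)$suricatacfg['barnyard_xff_header'])
		? $suricatacfg['barnyard_xff_header'] : 'X-Forwarded-For';
	// … unchanged: build $unified2_xff_output, emitting $xff_mode, $xff_deployment and $xff_header …
```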
@@ -494,7 +517,7 @@ else
if (!empty($suricatacfg['stream_memcap']))
$stream_memcap = $suricatacfg['stream_memcap'];
else
- $stream_memcap = "33554432";
+ $stream_memcap = "67108864";
if (!empty($suricatacfg['stream_prealloc_sessions']))
$stream_prealloc_sessions = $suricatacfg['stream_prealloc_sessions'];
diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php
index 013cde3e..26fbd12e 100644
--- a/config/suricata/suricata_global.php
+++ b/config/suricata/suricata_global.php
@@ -308,7 +308,7 @@ if ($input_errors)
<td><input name="snort_rules_file" type="text" class="formfld unknown" id="snort_rules_file" size="52"
value="<?=htmlspecialchars($pconfig['snort_rules_file']);?>"/><br/>
<?php echo gettext("Enter the rules tarball filename (filename only, do not include the URL.)"); ?>
- <br/><span class="red"><strong><?php echo gettext("Example: ") . "</strong></span>" . gettext("snortrules-snapshot-2962.tar.gz");?><br/><br/></td>
+ <br/><span class="red"><strong><?php echo gettext("Example: ") . "</strong></span>" . gettext("snortrules-snapshot-2976.tar.gz");?><br/><br/></td>
</tr>
<tr>
<td valign="top" align="right"><span class="vexpl"><strong><?php echo gettext("Oinkmaster Code:"); ?></strong></span>&nbsp;</td>
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index 4319182d..f188194d 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -372,7 +372,7 @@ if ($_POST["save"] && !$input_errors) {
$natent['flow_icmp_emerg_new_timeout'] = '10';
$natent['flow_icmp_emerg_established_timeout'] = '100';
- $natent['stream_memcap'] = '33554432';
+ $natent['stream_memcap'] = '67108864';
$natent['stream_prealloc_sessions'] = '32768';
$natent['reassembly_memcap'] = '67108864';
$natent['reassembly_depth'] = '1048576';
diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php
index 2fd5f96e..4a4a489f 100644
--- a/config/suricata/suricata_migrate_config.php
+++ b/config/suricata/suricata_migrate_config.php
@@ -471,6 +471,26 @@ foreach ($rule as &$r) {
$updated_cfg = true;
}
+ /**********************************************************/
+ /* Create interface Unified2 XFF log settings if not set */
+ /**********************************************************/
+ if (!isset($pconfig['barnyard_xff_logging'])) {
+ $pconfig['barnyard_xff_logging'] = "off";
+ $updated_cfg = true;
+ }
+ if (!isset($pconfig['barnyard_xff_mode'])) {
+ $pconfig['barnyard_xff_mode'] = "extra-data";
+ $updated_cfg = true;
+ }
+ if (!isset($pconfig['barnyard_xff_deployment'])) {
+ $pconfig['barnyard_xff_deployment'] = "reverse";
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['barnyard_xff_header'])) {
+ $pconfig['barnyard_xff_header'] = "X-Forwarded-For";
+ $updated_cfg = true;
+ }
+
// Save the new configuration data into the $config array pointer
$r = $pconfig;
}
diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php
index ea1d7b0a..42722d79 100644
--- a/config/suricata/suricata_post_install.php
+++ b/config/suricata/suricata_post_install.php
@@ -13,7 +13,7 @@
* All rights reserved.
*
* Adapted for Suricata by:
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -50,7 +50,7 @@ require_once("functions.inc");
require_once("/usr/local/pkg/suricata/suricata.inc");
require("/usr/local/pkg/suricata/suricata_defs.inc");
-global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include;
+global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include, $static_output;
/****************************************
* Define any new constants here that *
@@ -201,11 +201,12 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
/****************************************************************/
/* Do one-time settings migration for new version configuration */
- update_output_window(gettext("Please wait... migrating settings to new configuration..."));
+ $static_output .= gettext("\nMigrating settings to new configuration...");
+ update_output_window($static_output);
include('/usr/local/pkg/suricata/suricata_migrate_config.php');
- update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
log_error(gettext("[Suricata] Downloading and updating configured rule types..."));
- update_output_window(gettext("Please wait... downloading and updating configured rule types..."));
if ($pkg_interface <> "console")
$suricata_gui_include = true;
include('/usr/local/pkg/suricata/suricata_check_for_rule_updates.php');
@@ -219,7 +220,8 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
$if_real = get_real_interface($suricatacfg['interface']);
$suricata_uuid = $suricatacfg['uuid'];
$suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}";
- update_output_window(gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "..."));
+ $static_output .= gettext("Generating YAML configuration file for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "...");
+ update_output_window($static_output);
// Pull in the PHP code that generates the suricata.yaml file
// variables that will be substituted further down below.
@@ -238,6 +240,9 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
// create barnyard2.conf file for interface
if ($suricatacfg['barnyard_enable'] == 'on')
suricata_generate_barnyard2_conf($suricatacfg, $if_real);
+
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
// create Suricata bootup file suricata.sh
@@ -259,17 +264,21 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
}
$rebuild_rules = false;
- if ($pkg_interface <> "console")
- update_output_window(gettext("Finished rebuilding Suricata configuration files..."));
+ if ($pkg_interface <> "console") {
+ $static_output .= gettext("Finished rebuilding Suricata configuration from saved settings.\n");
+ update_output_window($static_output);
+ }
log_error(gettext("[Suricata] Finished rebuilding installation from saved settings..."));
// Only try to start Suricata if not in reboot
if (!$g['booting']) {
if ($pkg_interface <> "console") {
update_status(gettext("Starting Suricata using rebuilt configuration..."));
- update_output_window(gettext("Please wait while Suricata is started..."));
+ $static_output .= gettext("Starting Suricata using the rebuilt configuration...");
+ update_output_window($static_output);
mwexec_bg("{$rcdir}suricata.sh start");
- update_output_window(gettext("Suricata is starting as a background task using the rebuilt configuration..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
else
mwexec_bg("{$rcdir}suricata.sh start");
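Review bot: The added ` done.` line is written immediately after `mwexec_bg()`, which only launches `suricata.sh start`, so the progress window reports the start as finished before Suricata is known to be running. The message it replaces said the start was running as a background task. A wording such as `$static_output .= gettext(" started in the background.\n");` keeps the output accurate for an administrator who relies on it to confirm that inspection is active. The `mwexec_bg()` call is identical in both branches and could be moved after the `if` so that only the GUI output stays conditional.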
@@ -291,6 +300,7 @@ write_config("Suricata pkg v{$config['installedpackages']['package'][get_pkg_id(
// Done with post-install, so clear flag
unset($g['suricata_postinstall']);
log_error(gettext("[Suricata] Package post-installation tasks completed..."));
+update_status("");
return true;
?>
diff --git a/config/suricata/suricata_sync.xml b/config/suricata/suricata_sync.xml
index 28083d8d..c2f5ec83 100644
--- a/config/suricata/suricata_sync.xml
+++ b/config/suricata/suricata_sync.xml
@@ -1,56 +1,49 @@
<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
<packagegui>
- <copyright>
+ <copyright>
<![CDATA[
/* $Id$ */
-/* ========================================================================== */
+/* ====================================================================================== */
/*
-based on snortsync.xml developed as part
-of pfSense (http://www.pfSense.com)
-Copyright (C) 2013 Marcello Coutinho
-based on pfblocker_sync.xml
-All rights reserved.
-
-modified for use with Suricata package
-Copyright (C) 2014 Bill Meeks
-All rights reserved.
-
-Based on m0n0wall (http://m0n0.ch/wall)
-Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
-All rights reserved.
+ suricata_sync.xml
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2013 Marcello Coutinho
+ Copyright (C) 2014-2015 Bill Meeks
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
*/
-/* ========================================================================== */
+/* ====================================================================================== */
/*
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
-1. Redistributions of source code MUST retain the above copyright notice,
-this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
-2. Redistributions in binary form MUST reproduce the above copyright
-notice, this list of conditions and the following disclaimer in the
-documentation and/or other materials provided with the distribution.
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
*/
-/* ========================================================================== */
-]]></copyright>
- <description><![CDATA[Describe your package here]]></description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
+/* ====================================================================================== */
+ ]]>
+ </copyright>
<name>suricatasync</name>
- <version>1.0</version>
+ <version>2.1.8</version>
<title>Suricata: XMLRPC Sync</title>
<include_file>/usr/local/pkg/suricata/suricata.inc</include_file>
<tabs>
@@ -183,11 +176,11 @@ POSSIBILITY OF SUCH DAMAGE.
</options>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>IP-Address</fielddescr>
+ <fielddescr>IP Address/Hostname</fielddescr>
<fieldname>varsyncipaddress</fieldname>
- <description><![CDATA[IP Address of the destination host.]]></description>
+ <description><![CDATA[IP address or hostname of the destination host.]]></description>
<type>input</type>
- <size>15</size>
+ <size>40</size>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Port</fielddescr>
@@ -213,8 +206,6 @@ POSSIBILITY OF SUCH DAMAGE.
</rowhelper>
</field>
</fields>
- <custom_delete_php_command>
- </custom_delete_php_command>
<custom_php_resync_config_command>
write_config("Suricata pkg: updating CARP sync info.");suricata_sync_on_changes();
</custom_php_resync_config_command>
diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc
index a8b06ebe..82723958 100644
--- a/config/suricata/suricata_yaml_template.inc
+++ b/config/suricata/suricata_yaml_template.inc
@@ -54,6 +54,7 @@ outputs:
filename: unified2.alert
limit: {$unified2_log_limit}
sensor-id: {$unified2_sensor_id}
+ {$unified2_xff_output}
- http-log:
enabled: {$http_log_enabled}
diff --git a/config/syslog-ng/syslog-ng.priv.inc b/config/syslog-ng/syslog-ng.priv.inc
new file mode 100644
index 00000000..96722a7b
--- /dev/null
+++ b/config/syslog-ng/syslog-ng.priv.inc
@@ -0,0 +1,44 @@
+<?php
+/*
+ syslog-ng.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-syslogng'] = array();
+$priv_list['page-services-syslogng']['name'] = "WebCfg - Services: syslog-ng package";
+$priv_list['page-services-syslogng']['descr'] = "Allow access to syslog-ng package GUI";
+$priv_list['page-services-syslogng']['match'] = array();
+
+$priv_list['page-services-syslogng']['match'][] = "pkg.php?xml=syslog-ng.xml*";
+$priv_list['page-services-syslogng']['match'][] = "pkg.php?xml=syslog-ng_advanced.xml*";
+
+$priv_list['page-services-syslogng']['match'][] = "pkg_edit.php?xml=syslog-ng.xml*";
+$priv_list['page-services-syslogng']['match'][] = "pkg_edit.php?xml=syslog-ng_advanced.xml*";
+
+$priv_list['page-services-syslogng']['match'][] = "syslog-ng_log_viewer.php*";
+
+?>
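Review bot: The new file ends with a closing `?>` tag. In an include that holds only PHP, any whitespace or newline after that tag is sent as output, which can break later `header()` calls in the pages that load it. Dropping the final `?>` line avoids this, and the same applies to config/tftp2/tftp.priv.inc added later in this commit. A short comment above the `match` entries, such as `// URL patterns this privilege grants access to`, would also help reviewers, since `syslog-ng_log_viewer.php*` presumably exposes log contents to every account given this privilege.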
diff --git a/config/syslog-ng/syslog-ng.xml b/config/syslog-ng/syslog-ng.xml
index 9b0ccffc..81942926 100644
--- a/config/syslog-ng/syslog-ng.xml
+++ b/config/syslog-ng/syslog-ng.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>Syslog-ng</name>
- <version>1.0.8</version>
+ <version>1.1.1</version>
<title>Services: Syslog-ng</title>
<include_file>/usr/local/pkg/syslog-ng.inc</include_file>
<menu>
@@ -76,6 +76,10 @@
<item>https://packages.pfsense.org/packages/config/syslog-ng/syslog-ng.inc</item>
</additional_files_needed>
<additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/syslog-ng/syslog-ng.priv.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<item>https://packages.pfsense.org/packages/config/syslog-ng/syslog-ng_advanced.xml</item>
</additional_files_needed>
diff --git a/config/tftp2/tftp.inc b/config/tftp2/tftp.inc
index 67054619..75ddaac8 100644
--- a/config/tftp2/tftp.inc
+++ b/config/tftp2/tftp.inc
@@ -50,10 +50,10 @@ function tftp_install_command() {
// Restore backup if it exists
if (file_exists($tftpbackup)) {
- system("/usr/bin/tar xvpfz {$tftpbackup} -C /");
- system("/bin/chmod -R 0744 {$tftpdir}/*");
- unset($tftpbackup);
+ mwexec("/usr/bin/tar xvpfz {$tftpbackup} -C /");
+ mwexec("/bin/chmod -R 0744 {$tftpdir}/*");
}
+ unset($tftpdir, $tftpbackup);
}
function tftp_deinstall_command() {
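Review bot: The restore line `mwexec("/usr/bin/tar xvpfz {$tftpbackup} -C /");` unpacks whatever paths the archive holds relative to `/`, so a backup file that contains anything besides `tftpboot/` would be written over other parts of the filesystem. Naming the member limits the restore to the intended tree, `mwexec("/usr/bin/tar xvpfz " . escapeshellarg($tftpbackup) . " -C / tftpboot");`, and the same applies to the `tar -xpzC /` call in the restore branch of tftp_files.php. The exit status of `mwexec()` is also ignored, so a failed restore looks the same as a successful one. `tftp_install_command()` starts outside this hunk, so how `$tftpbackup` and `$tftpdir` are set is not visible here.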
@@ -68,11 +68,9 @@ function tftp_generate_rules($type) {
return;
}
- // Open inetd.conf write handle
+ // Add tftpd daemon to inetd
$inetd_fd = fopen("/var/etc/inetd.conf", "a+");
- // Add tftp daemon
fwrite($inetd_fd, "tftp\t\tdgram\tudp\twait\t\troot\t/usr/libexec/tftpd\ttftpd /tftpboot\n");
- // Close file handle
fclose($inetd_fd);
if (!empty($config['installedpackages']['tftpd']['config'][0]['tftpdinterface'])) {
diff --git a/config/tftp2/tftp.priv.inc b/config/tftp2/tftp.priv.inc
new file mode 100644
index 00000000..14691924
--- /dev/null
+++ b/config/tftp2/tftp.priv.inc
@@ -0,0 +1,38 @@
+<?php
+/*
+ tftp.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-services-tftp'] = array();
+$priv_list['page-services-tftp']['name'] = "WebCfg - Services: TFTP package";
+$priv_list['page-services-tftp']['descr'] = "Allow access to TFTP package GUI";
+$priv_list['page-services-tftp']['match'] = array();
+
+$priv_list['page-services-tftp']['match'][] = "tftp_files.php*";
+
+?>
diff --git a/config/tftp2/tftp.xml b/config/tftp2/tftp.xml
index 2a526a4c..33fb9c3d 100644
--- a/config/tftp2/tftp.xml
+++ b/config/tftp2/tftp.xml
@@ -43,7 +43,7 @@
]]>
</copyright>
<name>tftp Settings</name>
- <version>2.0</version>
+ <version>2.2.2</version>
<title>TFTP: Settings</title>
<include_file>/usr/local/pkg/tftp.inc</include_file>
<menu>
@@ -56,23 +56,21 @@
<service>
<name>tftp</name>
<executable>inetd</executable>
- <description>TFTP daemon</description>
+ <description>TFTP Daemon</description>
</service>
- <tabs>
- <tab>
- <text>Files</text>
- <url>tftp_files.php</url>
- </tab>
- </tabs>
<configpath>installedpackages->$packagename</configpath>
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<item>https://packages.pfsense.org/packages/config/tftp2/tftp.inc</item>
- </additional_files_needed>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/tftp2/tftp.priv.inc</item>
+ </additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/www/</prefix>
<item>https://packages.pfsense.org/packages/config/tftp2/tftp_files.php</item>
- </additional_files_needed>
+ </additional_files_needed>
<custom_php_install_command>
tftp_install_command();
</custom_php_install_command>
diff --git a/config/tftp2/tftp_files.php b/config/tftp2/tftp_files.php
index eebe4c5e..0352f4a0 100644
--- a/config/tftp2/tftp_files.php
+++ b/config/tftp2/tftp_files.php
@@ -29,6 +29,7 @@
POSSIBILITY OF SUCH DAMAGE.
*/
require_once("guiconfig.inc");
+require_once("util.inc");
require_once("/usr/local/pkg/tftp.inc");
$pconfig['tftpdinterface'] = explode(",", $config['installedpackages']['tftpd']['config'][0]['tftpdinterface']);
@@ -43,7 +44,7 @@ if (($_GET['a'] == "download") && $_GET['t'] == "backup") {
conf_mount_rw();
$filename = $backup_filename;
$download_dir = $backup_dir;
- system("tar -czC / -f {$backup_path} tftpboot");
+ mwexec("/usr/bin/tar -czC / -f {$backup_path} tftpboot");
conf_mount_ro();
}
@@ -73,8 +74,8 @@ if ($_GET['a'] == "other") {
if (file_exists($backup_path)) {
//echo "The file $filename exists";
conf_mount_rw();
- system("tar -xpzC / -f {$backup_path}");
- system("chmod -R 744 {$files_dir}/*");
+ mwexec("/usr/bin/tar -xpzC / -f {$backup_path}");
+ mwexec("/bin/chmod -R 744 {$files_dir}/*");
header( 'Location: tftp_files.php?savemsg=Backup+has+been+restored.' ) ;
conf_mount_ro();
} else {
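Review bot: The restore in this branch runs on a plain GET request (`$_GET['a'] == "other"`, reached from the Restore button via `tftp_files.php?a=other&t=restore`), so a state-changing overwrite of `/tftpboot` sits behind a URL rather than a form submission. Form-token CSRF checks usually cover POST only, which would leave this action outside that protection. Moving backup and restore to a POST form, checked with something like `if ($_POST['restore'])`, would put them behind the same handling as the upload form. The enclosing `if` starts outside this hunk.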
@@ -100,7 +101,7 @@ if (($_POST['submit'] == "Upload") && is_uploaded_file($_FILES['ulfile']['tmp_na
conf_mount_rw();
move_uploaded_file($_FILES['ulfile']['tmp_name'], "{$files_dir}/{$_FILES['ulfile']['name']}");
$savemsg = "Uploaded file to {$files_dir}/" . htmlentities($_FILES['ulfile']['name']);
- system('chmod -R 744 {$files_dir}/*');
+ mwexec('/bin/chmod -R 744 {$files_dir}/*');
unset($_POST['txtCommand']);
conf_mount_ro();
}
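Review bot: The new `mwexec('/bin/chmod -R 744 {$files_dir}/*');` is in single quotes, so PHP does not expand `{$files_dir}` and the shell receives the literal text; the permissions of the uploaded file are never changed. Double quotes fix it, `mwexec("/bin/chmod -R 744 " . escapeshellarg($files_dir) . "/*");`. The destination in `move_uploaded_file()` is built from the client-supplied `$_FILES['ulfile']['name']`; passing it through `basename()` first makes it explicit that only a file name, never a path, is accepted. The enclosing `if` starts outside this hunk.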
@@ -122,7 +123,7 @@ include("head.inc");
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
-<p class="pgtitle">TFTP: Files</p>
+<p class="pgtitle">TFTP: Settings/Files</p>
<?php
$savemsg = $_GET["savemsg"];
@@ -137,7 +138,7 @@ if ($savemsg) {
<?php
$tab_array = array();
- $tab_array[] = array(gettext("Files"), false, "tftp_files.php");
+ $tab_array[] = array(gettext("TFTP"), false, "tftp_files.php");
display_top_tabs($tab_array);
?>
@@ -145,14 +146,16 @@ if ($savemsg) {
</table>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tr><td>
+<div id="mainarea">
+ <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
- <td class="tabcont">
- <table width="100%" border="0" cellpadding="6" cellspacing="0">
+ <td colspan="2" class="listtopic">TFTP Daemon Interfaces</td>
+ </tr>
<tr>
+ <td width="22%" class="vncell">Select TFTP Daemon Interface(s).</td>
<td width="78%" class="vtable">
<form action="tftp_files.php" method="post" enctype="multipart/form-data" name="frmInterfaces" onsubmit="">
- <p><span class="vexpl"><strong>TFTP Daemon Interfaces</strong></span></p>
- <?=gettext("Choose the interfaces where you want the TFTP daemon to accept connections.");?><br/><br/>
<select name="tftpdinterface[]" multiple="multiple" class="formselect" size="3">
<?php
$ifdescs = get_configured_interface_with_descr();
@@ -164,70 +167,46 @@ if ($savemsg) {
echo "\t\t\t<option value=\"{$ifent}\"{$selected}>" . $ifdesc . "</option>\n";
}
?>
- </select><br />
- <input name="submit" type="submit" class="button" id="save" value="Save" />
+ </select><br /><br />
+ <span class="vexpl">
+ Choose the interfaces where you want the TFTP Daemon to accept connections.<br/>
+ <strong>Hint:</strong> If you simply need to (re)start tftpd/inetd, just use the Save button without making any changes here.<br /><br />
+ </span>
+ <input name="submit" type="submit" class="formbtns" id="save" value="Save" title="Save settings" />
</form>
</td>
</tr>
<tr>
- <td>
- <p><span class="vexpl"><span class="red"><strong>TFTP files</strong></span><br />
- Trivial File Transport Protocol is a very simple file transfer protocol.<br />
- Use the file upload to add files to the /tftpboot directory.<br />
- Click on the file from the file list below to download it.<br />
- </span></p>
- </td>
+ <td colspan="2" class="listtopic">TFTP Files Upload</td>
</tr>
- </table>
- <br />
- <div id="niftyOutter">
- <form action="tftp_files.php" method="post" enctype="multipart/form-data" name="frmUpload" onsubmit="">
- <table>
- <tr>
- <td align="right">File to upload:</td>
- <td valign="top" class="label">
- <input name="ulfile" type="file" class="button" id="ulfile" />
- </td>
- </tr>
- <tr>
- <td valign="top">&nbsp;&nbsp;&nbsp;</td>
- <td valign="top" class="label">
- <input name="submit" type="submit" class="button" id="upload" value="Upload" />
- </td>
- </tr>
- </table>
- </form>
- </div>
- <br /><br />
-
- <table width='690' cellpadding='0' cellspacing='0' border='0'>
<tr>
- <td width='80%'>
- <strong>Backup / Restore</strong><br />
- The 'Backup' button compresses /tftpboot/ to /root/backup/tftp.bak.tgz; after that it presents the backup for download.<br />
- If the backup file does not exist in /root/backup/tftp.bak.tgz then the 'Restore' button will be hidden.<br />
- Use Diagnostics -> Command -> File to upload: to browse to the file and then click on upload.<br />
- After that, backup will be ready to be restored.<br /><br />
- </td>
- <td width='20%' valign='middle' align='right'>
- <input type="button" value="Backup" onclick="document.location.href='tftp_files.php?a=download&amp;t=backup'" />
- <?php
- if (file_exists('/root/backup/tftp.bak.tgz')) {
- echo "<input type='button' value='Restore' onclick=\"document.location.href='tftp_files.php?a=other&amp;t=restore';\" />\n";
- }
- ?>
+ <td width="22%" class="vncell">Use the file upload to add files to the /tftpboot directory.</td>
+ <td width="78%" class="vtable">
+ <form action="tftp_files.php" method="post" enctype="multipart/form-data" name="frmUpload" onsubmit="">
+ <span class="vexpl">1. Select file to upload:&nbsp;</span>
+ <input name="ulfile" type="file" class="formbtns" id="ulfile" title="Select file to upload" />
+ <br />
+ <span class="vexpl">2. Upload the selected file:&nbsp;</span>
+ <input name="submit" type="submit" class="formbtns" id="upload" value="Upload" title="Upload file" />
+ </form>
</td>
</tr>
- </table>
- <br /><br />
- <table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
- <td width="25%" class="listhdrr">File Name (download)</td>
- <td width="50%" class="listhdr">Last Modified</td>
- <td width="50%" class="listhdr">Size</td>
+ <td colspan="3" class="listtopic">TFTP Files Download</td>
</tr>
+ <tr>
+ <td colspan="3" class="vexpl">Click on the file from the file list below to download it.</td>
+ </tr>
+ <tr>
+ <td colspan="3">
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td width="25%" class="listhdrr">File Name (download)</td>
+ <td width="50%" class="listhdr">Last Modified</td>
+ <td width="50%" class="listhdr">Size</td>
+ </tr>
<?php
if ($handle = opendir('/tftpboot')) {
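Review bot: The rewritten markup drops the `gettext()` wrapper that the removed interface help text used, so the new user-visible strings (`Choose the interfaces where you want the TFTP Daemon to accept connections.`, the hint, and the row labels) are plain HTML and will not be translated. Wrapping them as `<?=gettext("...")?>` keeps the page consistent with the `gettext()` calls elsewhere in this file. The `TFTP Files Download` rows also use `colspan="3"` inside a table whose other rows have two cells, which is worth aligning to `colspan="2"`.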
@@ -267,13 +246,37 @@ if ($handle = opendir('/tftpboot')) {
}
?>
+ <tr>
+ <td class="list" colspan="3"></td>
+ <td class="list"></td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+
<tr>
- <td class="list" colspan="3"></td>
- <td class="list"></td>
+ <td colspan="2" class="listtopic">TFTP Backup / Restore</td>
</tr>
- </table>
- </td>
+ <tr>
+ <td width="22%" class="vncell">Use the file upload to add files to the /tftpboot directory.</td>
+ <td width="78%" class="vtable">
+ <span class="vexpl"><strong>Backup:</strong> 'Backup' button compresses /tftpboot/ to /root/backup/tftp.bak.tgz; after that it presents the backup for download.<br />
+ <strong>Restore:</strong> If the backup file does not exist in /root/backup/tftp.bak.tgz then the 'Restore' button will be hidden.
+ To 'Restore' a previously downloaded backup, use <a href="diag_backup.php" title="Upload file">Diagnostics -> Command Prompt -> File to upload</a> to browse to the file and then click on upload.<br />
+ After that, backup will be ready to be restored.<br /><br />
+ </span>
+ <input type="button" value="Backup" title="Create backup" onclick="document.location.href='tftp_files.php?a=download&amp;t=backup'" />
+ <?php
+ if (file_exists('/root/backup/tftp.bak.tgz')) {
+ echo "<input type='button' value='Restore' title='Restore backup' onclick=\"document.location.href='tftp_files.php?a=other&amp;t=restore';\" />\n";
+ }
+ ?>
+ </td>
</tr>
+ </table>
+
+</div>
+</td></tr>
</table>
</div>
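Review bot: The Backup and Restore buttons in the new "TFTP Backup / Restore" row still trigger their actions through plain GET URLs (`tftp_files.php?a=download&amp;t=backup`, `tftp_files.php?a=other&amp;t=restore`). The handler is outside this hunk, but if it overwrites /tftpboot on a bare GET, the restore is not covered by any token check that applies only to POST forms. Submitting both actions from a `method="post"` form, as the upload form added earlier in this file does, would put them behind the same request handling. The left-hand cell of this row also repeats the upload text, `Use the file upload to add files to the /tftpboot directory.`, which does not describe backup or restore.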
diff --git a/config/tinc/tinc.priv.inc b/config/tinc/tinc.priv.inc
new file mode 100644
index 00000000..d8b45c5b
--- /dev/null
+++ b/config/tinc/tinc.priv.inc
@@ -0,0 +1,44 @@
+<?php
+/*
+ tinc.priv.inc
+ part of pfSense (http://www.pfSense.org/)
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+global $priv_list;
+
+$priv_list['page-vpn-tinc'] = array();
+$priv_list['page-vpn-tinc']['name'] = "WebCfg - VPN: tinc package";
+$priv_list['page-vpn-tinc']['descr'] = "Allow access to tinc package GUI";
+$priv_list['page-vpn-tinc']['match'] = array();
+
+$priv_list['page-vpn-tinc']['match'][] = "pkg.php?xml=tinc.xml*";
+$priv_list['page-vpn-tinc']['match'][] = "pkg.php?xml=tinc_hosts.xml*";
+
+$priv_list['page-vpn-tinc']['match'][] = "pkg_edit.php?xml=tinc.xml*";
+$priv_list['page-vpn-tinc']['match'][] = "pkg_edit.php?xml=tinc_hosts.xml*";
+
+$priv_list['page-vpn-tinc']['match'][] = "status_tinc.php*";
+
+?>
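Review bot: The new include ends with a closing `?>` tag. Any whitespace or newline that ends up after it is sent as output when the privilege file is loaded, and that can break later header and cookie handling in the GUI. For a PHP-only file the usual convention is to drop the closing tag and end the file after the last `$priv_list[...]` assignment.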
diff --git a/config/tinc/tinc.xml b/config/tinc/tinc.xml
index 89d1e8ce..0f71e03d 100644
--- a/config/tinc/tinc.xml
+++ b/config/tinc/tinc.xml
@@ -42,8 +42,8 @@
</copyright>
<description>A self-contained VPN solution designed to connect multiple sites together in a secure way.</description>
<name>tinc</name>
- <version>1.2.2</version>
- <title>VPN: tinc - Config</title>
+ <version>1.2.4</version>
+ <title>VPN: Tinc: Settings</title>
<include_file>/usr/local/pkg/tinc.inc</include_file>
<configpath>['installedpackages']['package']['$packagename']['config']</configpath>
<menu>
@@ -53,7 +53,7 @@
<url>/pkg_edit.php?xml=tinc.xml</url>
</menu>
<menu>
- <name>tinc VPN</name>
+ <name>Tinc VPN</name>
<section>Status</section>
<url>/status_tinc.php</url>
</menu>
@@ -65,7 +65,7 @@
</service>
<tabs>
<tab>
- <text>Config</text>
+ <text>Settings</text>
<url>/pkg_edit.php?xml=tinc.xml</url>
<active/>
</tab>
@@ -79,6 +79,10 @@
<item>https://packages.pfsense.org/packages/config/tinc/tinc.inc</item>
</additional_files_needed>
<additional_files_needed>
+ <prefix>/etc/inc/priv/</prefix>
+ <item>https://packages.pfsense.org/packages/config/tinc/tinc.priv.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<item>https://packages.pfsense.org/packages/config/tinc/tinc_hosts.xml</item>
</additional_files_needed>
@@ -119,7 +123,7 @@
<fieldname>localip</fieldname>
<description>
<![CDATA[
- IP Address of local tunnel interface.<br />
+ IP address of local tunnel interface.<br />
This is often the same IP as your routers LAN address. (Example: 192.168.2.1)
]]>
</description>
@@ -143,7 +147,7 @@
<fieldname>vpnnetmask</fieldname>
<description>
<![CDATA[
- This is the Netmask that defines what traffic is routed to the VPNs tunnel interface.<br />
+ This is the netmask that defines what traffic is routed to the VPNs tunnel interface.<br />
It is usually broader then your local netmask. (Example: 255.255.0.0)
]]>
</description>
diff --git a/config/tinc/tinc_hosts.xml b/config/tinc/tinc_hosts.xml
index b521d4a2..a10c1a9e 100644
--- a/config/tinc/tinc_hosts.xml
+++ b/config/tinc/tinc_hosts.xml
@@ -41,13 +41,13 @@
]]>
</copyright>
<name>tinchosts</name>
- <version>1.2.2</version>
- <title>VPN: tinc - Hosts</title>
+ <version>1.2.4</version>
+ <title>VPN: Tinc: Hosts</title>
<include_file>/usr/local/pkg/tinc.inc</include_file>
<configpath>['installedpackages']['package']['$packagename']['config']</configpath>
<tabs>
<tab>
- <text>Config</text>
+ <text>Settings</text>
<url>/pkg_edit.php?xml=tinc.xml</url>
</tab>
<tab>
@@ -75,7 +75,6 @@
<fieldname>connect</fieldname>
<type>checkbox</type>
</columnitem>
-
</adddeleteeditpagefields>
<fields>
<field>
@@ -107,7 +106,7 @@
<type>checkbox</type>
</field>
<field>
- <fielddescr>RSA public key</fielddescr>
+ <fielddescr>RSA Public Key</fielddescr>
<fieldname>cert_pub</fieldname>
<description>
<![CDATA[
diff --git a/config/tinydns/tinydns.inc b/config/tinydns/tinydns.inc
index 3bf64777..5e61fc05 100644
--- a/config/tinydns/tinydns.inc
+++ b/config/tinydns/tinydns.inc
@@ -1,11 +1,10 @@
<?php
-
-/* $Id$ */
/*
tinydns.inc
+ part of pfSense (https://www.pfSense.org/)
Copyright (C) 2006, 2007, 2008, 2009 Scott Ullrich
- Parts Copyright (C) 2007 Goffredo Andreone
- part of pfSense
+ Copyright (C) 2007 Goffredo Andreone
+ Copyright (C) 2015 ESF, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -29,7 +28,6 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
-
if(!function_exists("filter_configure"))
require_once("filter.inc");
@@ -208,6 +206,35 @@ function tinydns_custom_php_deinstall_command() {
conf_mount_ro();
}
+function tinydns_upgrade_config() {
+ /* Remove obsolete XMLRPC sync configuration */
+ if (is_array($config['installedpackages']['tinydnssync']['config'])) {
+ if (isset($config['installedpackages']['tinydnssync']['config'][0]['ipaddress'])) {
+ unset($config['installedpackages']['tinydnssync']['config'][0]['ipaddress']);
+ }
+ if (isset($config['installedpackages']['tinydnssync']['config'][0]['ipaddress2'])) {
+ unset($config['installedpackages']['tinydnssync']['config'][0]['ipaddress2']);
+ }
+ if (isset($config['installedpackages']['tinydnssync']['config'][0]['ipaddress3'])) {
+ unset($config['installedpackages']['tinydnssync']['config'][0]['ipaddress3']);
+ }
+ if (isset($config['installedpackages']['tinydnssync']['config'][0]['password'])) {
+ unset($config['installedpackages']['tinydnssync']['config'][0]['password']);
+ }
+ if (isset($config['installedpackages']['tinydnssync']['config'][0]['password2'])) {
+ unset($config['installedpackages']['tinydnssync']['config'][0]['password2']);
+ }
+ if (isset($config['installedpackages']['tinydnssync']['config'][0]['password3'])) {
+ unset($config['installedpackages']['tinydnssync']['config'][0]['password3']);
+ }
+ }
+ if (is_array($config['installedpackages']['tinydns']['config'])) {
+ if (isset($config['installedpackages']['tinydns']['config'][0]['syncxmlrpc'])) {
+ unset($config['installedpackages']['tinydns']['config'][0]['syncxmlrpc']);
+ }
+ }
+}
+
function tinydns_custom_php_changeip_command() {
global $g, $config;
conf_mount_rw();
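Review bot: `tinydns_upgrade_config()` never declares `global $config;`, so inside the function `$config` is an unset local, both `is_array()` checks fail, and none of the obsolete `ipaddress*` / `password*` keys are removed. The old sync passwords therefore stay in the stored configuration. Add `global $config;` as the first statement. Nothing visible here saves the change either, so follow the unsets with something like `write_config("[tinydns] Removed obsolete XMLRPC sync settings");` unless the install path is known to persist `$config` afterwards. The `isset()` guards are optional, since `unset()` on a missing key is a no-op.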
@@ -232,10 +259,18 @@ function tinydns_custom_php_changeip_command() {
if(!is_dir("{$g['varrun_path']}/service"))
exec("/bin/mkdir -p {$g['varrun_path']}/service");
- exec("/usr/sbin/pw useradd Gtinydns");
- exec("/usr/sbin/pw useradd Gdnslog");
- exec("/usr/sbin/pw useradd Gdnscache");
- exec("/usr/sbin/pw useradd Gaxfrdns");
+ if (!exec("/usr/sbin/pw usershow Gtinydns")) {
+ exec("/usr/sbin/pw useradd Gtinydns");
+ }
+ if (!exec("/usr/sbin/pw usershow Gdnslog")) {
+ exec("/usr/sbin/pw useradd Gdnslog");
+ }
+ if (!exec("/usr/sbin/pw usershow Gdnscache")) {
+ exec("/usr/sbin/pw useradd Gdnscache");
+ }
+ if (!exec("/usr/sbin/pw usershow Gaxfrdns")) {
+ exec("/usr/sbin/pw useradd Gaxfrdns");
+ }
exec("/bin/rm -r {$g['varetc_path']}/dnscache*");
exec("/bin/rm -r {$g['varrun_path']}/service/dnscache*");
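Review bot: The new existence checks test the string returned by `exec()`, which is the last line of stdout, instead of the exit status of `pw usershow`. This works only because a missing user prints nothing on stdout, and it lets the `pw` error text go to stderr on every run. Checking the return code and looping over the four account names says the same thing once and more robustly. The enclosing function starts and ends outside this hunk.

```php
// … unchanged: mkdir of {$g['varrun_path']}/service …
foreach (array('Gtinydns', 'Gdnslog', 'Gdnscache', 'Gaxfrdns') as $svcuser) {
	$out = array();
	exec("/usr/sbin/pw usershow {$svcuser} 2>/dev/null", $out, $rc);
	if ($rc != 0) {
		exec("/usr/sbin/pw useradd {$svcuser}");
	}
}
// … unchanged: rm of the dnscache* directories …
```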
@@ -259,21 +294,14 @@ function tinydns_custom_php_changeip_command() {
foreach ($interfaces as $dnsidx => $dnsif) {
$dnscacheif = convert_friendly_interface_to_real_interface_name($dnsif);
$dnscacheip = find_interface_ip($dnscacheif);
- if (intval($config['version']) >= 6)
- $ipmask = find_interface_subnet($dnscacheif);
- else
- $ipmask = $config['interfaces'][$dnsif]['subnet'];
-
- if (intval($config['version']) <= 8) {
- if (is_ipaddr($ipaddress))
- $arr = tinydns_get_ip_subnet_arpa($ipaddress, $ipmask);
- } else {
- if (is_ipaddrv4($ipaddress)) {
- $arr = tinydns_get_ip_subnet_arpa($ipaddress, $ipmask);
- } elseif (is_ipaddrv6($ipaddress)) {
- $arr = tinydns_get_ip6_subnet_arpa($ipaddress, $ipmask);
- }
+ $ipmask = find_interface_subnet($dnscacheif);
+
+ if (is_ipaddrv4($ipaddress)) {
+ $arr = tinydns_get_ip_subnet_arpa($ipaddress, $ipmask);
+ } elseif (is_ipaddrv6($ipaddress)) {
+ $arr = tinydns_get_ip6_subnet_arpa($ipaddress, $ipmask);
}
+
$dnsuserip = $arr[0];
//exec("/bin/mkdir -p {$g['varetc_path']}/dnscache{$dnsidx}");
exec("/usr/local/bin/dnscache-conf Gdnscache Gdnslog {$g['varetc_path']}/dnscache{$dnsidx} {$dnscacheip}");
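Review bot: The simplified branch still tests `$ipaddress`, which nothing in this hunk assigns; the loop computes `$dnscacheip`. If `$ipaddress` is unset here, neither branch runs and `$dnsuserip = $arr[0]` reads an undefined `$arr`, or one left over from the previous interface. If the interface address is what was meant, the checks should read `is_ipaddrv4($dnscacheip)` / `is_ipaddrv6($dnscacheip)` and pass `$dnscacheip` to the arpa helpers. The same name is used in the `tinydns_complete_soa_record()` hunk further down, where the signature shown in the hunk header names the parameter `$ip`. The function body starts and ends outside this hunk, so `$ipaddress` may be set earlier; this is worth confirming.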
@@ -305,7 +333,7 @@ function tinydns_custom_php_changeip_command() {
exec("{$svc_path} -xk {$g['varetc_path']}/dnscache{$dnsidx}");
}
} else {
- $interfaces = explode(",", $$config['installedpackages']['tinydns']['config'][0]['interface']);
+ $interfaces = explode(",", $config['installedpackages']['tinydns']['config'][0]['interface']);
foreach ($interfaces as $dnsidx => $dnsif) {
if(is_dir("{$g['varetc_path']}/dnscache{$dnsidx}"))
dnscache_use_root_servers($dnsidx);
@@ -517,10 +545,7 @@ function tinydns_create_zone_file() {
foreach ($interfaces as $dnsif) {
$dnsrif = convert_friendly_interface_to_real_interface_name($dnsif);
$dnsrip = find_interface_ip($dnsrif);
- if (intval($config['version']) >= 6)
- $ipmask = find_interface_subnet($dnsrif);
- else
- $ipmask = $config['interfaces'][$dnsif]['subnet'];
+ $ipmask = find_interface_subnet($dnsrif);
$dhcpdfqdn = "{$dhcpdhostname}.{$dhcpddomain}";
tinydns_complete_soa_record($fd, $dnsrip, $ipmask, $dhcpdhostname, $dhcpddomain);
}
@@ -544,10 +569,7 @@ function tinydns_create_zone_file() {
$dnsrif = convert_friendly_interface_to_real_interface_name($dnsif);
$dnsrip = find_interface_ip($dnsrif);
- if (intval($config['version']) >= 6)
- $ipmask = find_interface_subnet($dnsrif);
- else
- $ipmask = $config['interfaces'][$dnsif]['subnet'];
+ $ipmask = find_interface_subnet($dnsrif);
$dhcpdfqdn = "{$dhcpdhostname}.{$dhcpddomain}";
tinydns_complete_soa_record($fd, $dnsrip, $ipmask, $dhcpdhostname, $dhcpddomain);
@@ -606,15 +628,10 @@ function tinydns_create_zone_file() {
if($record_data) {
fwrite($fd, $record_data . "\n");
if ($domain['rdns'] || ($domain['recordtype'] == 'PTR')) {
- if (intval($config['version']) <= 8) {
- if (is_ipaddr($ipaddress))
- $rip = tinydns_get_ip_subnet_arpa($ipaddress, 32);
- } else {
- if (is_ipaddrv4($ipaddress)) {
- $rip = tinydns_get_ip_subnet_arpa($ipaddress, 32);
- } elseif (is_ipaddrv6($ipaddress)) {
- $rip = tinydns_get_ip6_subnet_arpa($ipaddress, 128);
- }
+ if (is_ipaddrv4($ipaddress)) {
+ $rip = tinydns_get_ip_subnet_arpa($ipaddress, 32);
+ } elseif (is_ipaddrv6($ipaddress)) {
+ $rip = tinydns_get_ip6_subnet_arpa($ipaddress, 128);
}
if($rip)
@@ -651,95 +668,146 @@ function tinydns_create_zone_file() {
function tinydns_sync_on_changes() {
global $g, $config;
- log_error("[tinydns] tinydns_xmlrpc_sync.php is starting.");
- $synconchanges = $config['installedpackages']['tinydnssync']['config'][0]['synconchanges'];
- if(!$synconchanges)
- return;
- $sync_hosts = $config['installedpackages']['tinydnssync']['config'];
- $previous_ip = "";
- $x=0;
- $sh = $config['installedpackages']['tinydnssync']['config'][0];
- for($x=1; $x<5; $x++) {
- if($x > 1)
- $counter = $x;
- else
- $counter = "";
- $sync_to_ip = "";
- $password = "";
- if($sh['ipaddress' . $counter]) {
- $sync_to_ip = $sh['ipaddress' . $counter];
- $password = $sh['password' . $counter];
+
+ /* XMLRPC sync */
+ if (is_array($config['installedpackages']['tinydnssync']['config'])) {
+ $tinydns_sync = $config['installedpackages']['tinydnssync']['config'][0];
+ $synconchanges = $tinydns_sync['synconchanges'];
+ $synctimeout = $tinydns_sync['synctimeout'] ?: '250';
+ switch ($synconchanges) {
+ case "manual":
+ if (is_array($tinydns_sync['row'])) {
+ $rs = $tinydns_sync['row'];
+ } else {
+ log_error("[tinydns] XMLRPC sync is enabled but there are no hosts configured as replication targets.");
+ return;
+ }
+ break;
+ case "auto":
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
+ $rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
+ $rs[0]['username'] = $system_carp['username'];
+ $rs[0]['password'] = $system_carp['password'];
+ $rs[0]['syncdestinenable'] = FALSE;
+
+ // XMLRPC sync is currently only supported over connections using the same protocol and port as this system
+ if ($config['system']['webgui']['protocol'] == "http") {
+ $rs[0]['syncprotocol'] = "http";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '80';
+ } else {
+ $rs[0]['syncprotocol'] = "https";
+ $rs[0]['syncport'] = $config['system']['webgui']['port'] ?: '443';
+ }
+ if ($system_carp['synchronizetoip'] == "") {
+ log_error("[tinydns] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ } else {
+ $rs[0]['syncdestinenable'] = TRUE;
+ }
+ } else {
+ log_error("[tinydns] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
+ return;
+ }
+ break;
+ default:
+ return;
+ break;
}
- if($password && $sync_to_ip)
- tinydns_do_xmlrpc_sync($sync_to_ip, $password);
- }
- tinydns_create_zone_file();
- if ($config['installedpackages']['tinydns']['config'][0]['enableipmonitoring']) {
- tinydns_setup_ping_items();
- }
- log_error("[tinydns] tinydns_xmlrpc_sync.php is ending.");
+ if (is_array($rs)) {
+ log_error("[tinydns] XMLRPC sync is starting.");
+ foreach ($rs as $sh) {
+ // Only sync enabled replication targets
+ if ($sh['syncdestinenable']) {
+ $sync_to_ip = $sh['ipaddress'];
+ $port = $sh['syncport'];
+ $username = $sh['username'] ?: 'admin';
+ $password = $sh['password'];
+ $protocol = $sh['syncprotocol'];
+
+ $error = '';
+ $valid = TRUE;
+
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $valid = FALSE;
+ }
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address or Hostname. ";
+ $valid = FALSE;
+ }
+ if (!is_port($port)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $valid = FALSE;
+ }
+ if ($valid) {
+ tinydns_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout);
+ } else {
+ log_error("[tinydns] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
+ }
+ }
+ }
+ log_error("[tinydns] tinydns_xmlrpc_sync.php is ending.");
+ }
+ }
}
-function tinydns_do_xmlrpc_sync($sync_to_ip, $password) {
+/* Do the actual XMLRPC sync. */
+function tinydns_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $password, $synctimeout) {
global $config, $g;
- if(!$password)
+ /* Detect boot process, do nothing during boot. */
+ if (function_exists("platform_booting")) {
+ if (platform_booting()) {
+ return;
+ }
+ } elseif ($g['booting']) {
return;
+ }
- if(!$sync_to_ip)
+ if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") {
+ log_error("[tinydns] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
return;
+ }
- $xmlrpc_sync_neighbor = $sync_to_ip;
- if($config['system']['webgui']['protocol'] != "") {
- $synchronizetoip = $config['system']['webgui']['protocol'];
- $synchronizetoip .= "://";
- }
- $port = $config['system']['webgui']['port'];
- /* if port is empty lets rely on the protocol selection */
- if($port == "") {
- if($config['system']['webgui']['protocol'] == "http")
- $port = "80";
- else
- $port = "443";
- }
- $synchronizetoip .= $sync_to_ip;
+ // Take care of IPv6 literal address
+ if (is_ipaddrv6($sync_to_ip)) {
+ $sync_to_ip = "[{$sync_to_ip}]";
+ }
- /* xml will hold the sections to sync */
+ $url = "{$protocol}://{$sync_to_ip}";
+
+ /* XML will hold the sections to sync. */
$xml = array();
$xml['tinydnsdomains'] = $config['installedpackages']['tinydnsdomains'];
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($xml));
- /* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($xml)
- );
-
- /* set a few variables needed for sync code borrowed from filter.inc */
- $url = $synchronizetoip;
- log_error("Beginning TinyDNS XMLRPC sync to {$url}:{$port}.");
+ /* Set a few variables needed for sync code */
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
- $cli->setCredentials('admin', $password);
- if($g['debug'])
+ $cli->setCredentials($username, $password);
+ if ($g['debug']) {
$cli->setDebug(1);
- /* send our XMLRPC message and timeout after 250 seconds */
- $resp = $cli->send($msg, "250");
- if(!$resp) {
- $error = "A communications error occured while attempting tinydns XMLRPC sync with {$url}:{$port}.";
- log_error($error);
+ }
+ /* Send our XMLRPC message and timeout after defined sync timeout value */
+ $resp = $cli->send($msg, $synctimeout);
+ if (!$resp) {
+ $error = "A communications error occured while attempting XMLRPC sync with {$url}:{$port}.";
+ log_error("[tinydns] {$error}");
file_notice("sync_settings", $error, "tinydns Settings Sync", "");
- } elseif($resp->faultCode()) {
+ } elseif ($resp->faultCode()) {
$cli->setDebug(1);
- $resp = $cli->send($msg, "250");
- $error = "An error code was received while attempting tinydns XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[tinydns] {$error}");
file_notice("sync_settings", $error, "tinydns Settings Sync", "");
} else {
- log_error("tinydns XMLRPC sync successfully completed with {$url}:{$port}.");
+ log_error("[tinydns] XMLRPC sync successfully completed with {$url}:{$port}.");
}
- /* tell tinydns to reload our settings on the destionation sync host. */
+ /* Tell tinydns to reload our settings on the destionation sync host. */
$method = 'pfsense.exec_php';
$execcmd = "require_once('functions.inc');\n";
$execcmd .= "require_once('/usr/local/pkg/tinydns.inc');\n";
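Review bot: `$protocol` is the only sync parameter that `tinydns_sync_on_changes()` does not validate before `tinydns_do_xmlrpc_sync()` builds `{$protocol}://{$sync_to_ip}` from it, and a target configured with `http` sends the username, password and zone data unencrypted. A check next to the port test, e.g. `if (!in_array($protocol, array('http', 'https'), true)) { $error .= "Misconfigured Replication Target Protocol. "; $valid = FALSE; }`, would close the gap. A `log_error()` warning when `http` is selected would make the cleartext case visible to the administrator. The closing log line still reads `tinydns_xmlrpc_sync.php is ending.` although the opening one was reworded to `XMLRPC sync is starting.`. `tinydns_do_xmlrpc_sync()` continues into the next hunk.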
@@ -749,31 +817,27 @@ function tinydns_do_xmlrpc_sync($sync_to_ip, $password) {
$execcmd .= "tinydns_setup_ping_items();\n";
}
- /* assemble xmlrpc payload */
- $params = array(
- XML_RPC_encode($password),
- XML_RPC_encode($execcmd)
- );
+ /* Assemble XMLRPC payload. */
+ $params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));
- log_error("tinydns XMLRPC reload data {$url}:{$port}.");
+ log_error("[tinydns] XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
- $cli->setCredentials('admin', $password);
- $resp = $cli->send($msg, "250");
- if(!$resp) {
- $error = "A communications error occured while attempting tinydns XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
- log_error($error);
+ $cli->setCredentials($username, $password);
+ $resp = $cli->send($msg, $synctimeout);
+ if (!$resp) {
+ $error = "A communications error occured while attempting XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ log_error("[tinydns] {$error}");
file_notice("sync_settings", $error, "tinydns Settings Sync", "");
- } elseif($resp->faultCode()) {
+ } elseif ($resp->faultCode()) {
$cli->setDebug(1);
- $resp = $cli->send($msg, "250");
- $error = "An error code was received while attempting tinydns XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error($error);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error("[tinydns] {$error}");
file_notice("sync_settings", $error, "tinydns Settings Sync", "");
} else {
- log_error("tinydns XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[tinydns] XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
-
}
/* formats data as a tinydns data row item */
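Review bot: In the `faultCode()` branch the message is sent a second time with `setDebug(1)` only to build the error text. On a fault the remote `pfsense.exec_php` call is therefore issued twice and the wait can reach twice `$synctimeout`. Debug output is also switched on for a request whose parameters include the password. The fault code and string are already available on the first `$resp`, so dropping `$cli->setDebug(1);` and the second `$resp = $cli->send($msg, $synctimeout);` keeps the same log message and avoids calling `faultCode()` on a failed resend. The merge call in the preceding hunk has the same pattern.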
@@ -789,18 +853,15 @@ function tinydns_get_rowline_data($recordip, $recordtype, $ttl, $hostname, $rdns
/* Note that some of these are simplistic versions of TinyDNS record handling. Uber-users can always do "raw" entries... */
case "SOA":
// .fqdn:ip:x:ttl:timestamp:lo
- if (intval($config['version']) <= 8) {
- $record_data = ".{$hostname}::{$recordip}{$ttl_string}";
+ if (is_ipaddrv6($hostname)) {
+ list($rip, $rmask) = explode("/", $hostname);
+ $rmask = empty($rmask) ? 128 : $rmask;
+ $ip6_arpa = tinydns_get_ip6_subnet_arpa($rip, $rmask);
+ $record_data = ".{$ip6_arpa[1]}::{$recordip}{$ttl_string}";
} else {
- if (is_ipaddrv6($hostname)) {
- list($rip, $rmask) = explode("/", $hostname);
- $rmask = empty($rmask) ? 128 : $rmask;
- $ip6_arpa = tinydns_get_ip6_subnet_arpa($rip, $rmask);
- $record_data = ".{$ip6_arpa[1]}::{$recordip}{$ttl_string}";
- } else {
- $record_data = ".{$hostname}::{$recordip}{$ttl_string}";
- }
+ $record_data = ".{$hostname}::{$recordip}{$ttl_string}";
}
+
break;
case "NS":
// &serious.panic.mil:1.8.248.6:a
@@ -832,17 +893,11 @@ function tinydns_get_rowline_data($recordip, $recordtype, $ttl, $hostname, $rdns
case "PTR":
/* "^" creates "PTR" record only to allow reverse DNS */
// ^fqdn:p:ttl:timestamp:lo
-
- if (intval($config['version']) <= 8) {
- if (is_ipaddr($recordip))
- $record_data = "^{$hostname}:{$recordip}{$ttl_string}";
- } else {
- if (is_ipaddrv4($recordip)) {
- $record_data = "^{$hostname}:{$recordip}{$ttl_string}";
- } elseif (is_ipaddrv6($recordip)) {
- $ip6_arpa = tinydns_get_ip6_subnet_arpa($recordip, 128);
- $record_data = "^{$ip6_arpa[1]}:{$hostname}{$ttl_string}";
- }
+ if (is_ipaddrv4($recordip)) {
+ $record_data = "^{$hostname}:{$recordip}{$ttl_string}";
+ } elseif (is_ipaddrv6($recordip)) {
+ $ip6_arpa = tinydns_get_ip6_subnet_arpa($recordip, 128);
+ $record_data = "^{$ip6_arpa[1]}:{$hostname}{$ttl_string}";
}
break;
case "A":
@@ -1016,15 +1071,10 @@ function tinydns_complete_soa_record($fd, $ip, $ipmask, $nsname, $domain) {
global $config;
$fqdn = "{$nsname}.{$domain}";
- if (intval($config['version']) <= 8) {
- if (is_ipaddr($ipaddress))
- $rip = tinydns_get_ip_subnet_arpa($ipaddress, $ipmask);
- } else {
- if (is_ipaddrv4($ipaddress)) {
- $rip = tinydns_get_ip_subnet_arpa($ipaddress, $ipmask);
- } elseif (is_ipaddrv6($ipaddress)) {
- $rip = tinydns_get_ip6_subnet_arpa($ipaddress, $ipmask);
- }
+ if (is_ipaddrv4($ipaddress)) {
+ $rip = tinydns_get_ip_subnet_arpa($ipaddress, $ipmask);
+ } elseif (is_ipaddrv6($ipaddress)) {
+ $rip = tinydns_get_ip6_subnet_arpa($ipaddress, $ipmask);
}
$soa = ".{$domain}::{$fqdn}";
@@ -1181,53 +1231,20 @@ function tinydns_dnscache_forwarding_servers($index) {
global $g, $config;
exec("echo 1 > {$g['varetc_path']}/dnscache{$index}/env/FORWARDONLY");
- if(is_dir("{$g['varetc_path']}/dnscache{$index}/root/servers/"))
+ if (is_dir("{$g['varetc_path']}/dnscache{$index}/root/servers/")) {
exec("rm -R {$g['varetc_path']}/dnscache/root/servers/");
+ }
exec("/bin/mkdir -p {$g['varetc_path']}/dnscache{$index}/root/servers/");
- if (intval($config['version']) >= 6)
- if (!empty(glob("{$g['varetc_path']}/nameserver_*"))) {
- exec("/bin/cat {$g['varetc_path']}/nameserver_* > {$g['varetc_path']}/dnscache{$index}/root/servers/@");
- } else {
- $fw = fopen("{$g['varetc_path']}/dnscache{$index}/root/servers/@", "w");
- if (! $fw) {
- printf("Error: cannot open dnscache/root/servers/@ in tinydns_register_forwarding_servers().\n");
- return 1;
- }
- fwrite($fw, $config['system']['dnsserver'][0]);
- fclose($fw);
- }
- else {
- $fr = fopen("{$g['varetc_path']}/resolv.conf.dnscache", "r");
- if (! $fr) {
- printf("Error: cannot open resolv.conf.dnscache in tinydns_register_forwarding_servers().\n");
- return 1;
- }
- $lip = strlen("nameserver") + 1;
- $j = 0;
- $iprecords = "";
- while (!feof($fr)) {
- $routers = fgets($fr, 4096);
- $discard = ($routers[0] == "\n");
- if(!$discard) {
- if ($routerip = strstr($routers,"nameserver")) {
- $routerip = substr($routerip,$lip);
- if($routerip) {
- $j += 1;
- $routera = "{$routerip}";
- $iprecords .= $routera;
- }
- }
- }
- }
- fclose($fr);
- $fr = fopen("{$g['varetc_path']}/dnscache{$index}/root/servers/@", "w");
- if (! $fr) {
- printf("Error: cannot write to {$g['varetc_path']}/dnscache{$index}/root/servers/@ in tinydns_dnscache_forwarding_servers().\n");
+ if (!empty(glob("{$g['varetc_path']}/nameserver_*"))) {
+ exec("/bin/cat {$g['varetc_path']}/nameserver_* > {$g['varetc_path']}/dnscache{$index}/root/servers/@");
+ } else {
+ $fw = fopen("{$g['varetc_path']}/dnscache{$index}/root/servers/@", "w");
+ if (!$fw) {
+ printf("Error: cannot open dnscache/root/servers/@ in tinydns_register_forwarding_servers().\n");
return 1;
}
- if($iprecords)
- fwrite($fr, $iprecords);
- fclose($fr);
+ fwrite($fw, $config['system']['dnsserver'][0]);
+ fclose($fw);
}
}
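Review bot: The guard tests `dnscache{$index}/root/servers/`, but the `rm -R` on the next line targets `dnscache/root/servers/` without `{$index}`, so the per-instance directory that was just checked is never cleared. The command should name the same path and quote it, e.g. `exec("/bin/rm -R " . escapeshellarg("{$g['varetc_path']}/dnscache{$index}/root/servers/"));`. The error text in the `fopen()` failure branch also names `tinydns_register_forwarding_servers()` rather than this function, which will mislead anyone reading the log.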
diff --git a/config/tinydns/tinydns.xml b/config/tinydns/tinydns.xml
index 55ee3269..bbb1cfa2 100644
--- a/config/tinydns/tinydns.xml
+++ b/config/tinydns/tinydns.xml
@@ -44,7 +44,7 @@
]]>
</copyright>
<name>tinydns</name>
- <version>1.0</version>
+ <version>1.0.6.24</version>
<title>DNS Server: Settings</title>
<aftersaveredirect>/pkg_edit.php?xml=tinydns.xml&amp;id=0</aftersaveredirect>
<include_file>/usr/local/pkg/tinydns.inc</include_file>
@@ -59,13 +59,13 @@
<rcfile>svscan.sh</rcfile>
<executable>svscan</executable>
<description>Daemontools service directory watcher</description>
- </service>
+ </service>
<service>
<name>DNS Server</name>
<rcfile>tinydns.sh</rcfile>
<executable>tinydns</executable>
<description>TinyDNS DNS Server</description>
- </service>
+ </service>
<tabs>
<tab>
<text>Settings</text>
@@ -99,10 +99,6 @@
<item>https://packages.pfsense.org/packages/config/tinydns/tinydns.inc</item>
</additional_files_needed>
<additional_files_needed>
- <prefix>/usr/local/pkg/pf/</prefix>
- <item>https://packages.pfsense.org/packages/config/tinydns/tinydns_xmlrpc_sync.php</item>
- </additional_files_needed>
- <additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<item>https://packages.pfsense.org/packages/config/tinydns/tinydns_domains.xml</item>
</additional_files_needed>
@@ -149,8 +145,7 @@
<field>
<type>listtopic</type>
<name>Binding IP Address</name>
- <fieldname>temp</fieldname>
- </field>
+ </field>
<field>
<fielddescr>IP Address</fielddescr>
<fieldname>ipaddress</fieldname>
@@ -160,8 +155,7 @@
<field>
<type>listtopic</type>
<name>Recursive DNS Resolver</name>
- <fieldname>temp</fieldname>
- </field>
+ </field>
<field>
<fielddescr>Enable recursive DNS responder</fielddescr>
<fieldname>enableforwarding</fieldname>
@@ -197,7 +191,6 @@
<field>
<type>listtopic</type>
<name>IP Monitoring</name>
- <fieldname>temp</fieldname>
</field>
<field>
<fielddescr>Enable IP monitoring</fielddescr>
@@ -213,19 +206,7 @@
</field>
<field>
<type>listtopic</type>
- <name>Sync TinyDNS settings via XMLRPC</name>
- <fieldname>temp</fieldname>
- </field>
- <field>
- <fielddescr>XMLRPC Sync</fielddescr>
- <fieldname>syncxmlrpc</fieldname>
- <description>Sync TinyDNS configuration to backup firewalls</description>
- <type>checkbox</type>
- </field>
- <field>
- <type>listtopic</type>
<name>Zone transfers</name>
- <fieldname>temp</fieldname>
</field>
<field>
<fielddescr>Hosts allowed to perform DNS Zone Transfers - Note: this requires TCP port 53 firewall permit rule!</fielddescr>
@@ -245,7 +226,7 @@
<description>Enter the DNS zone that this IP address is allowed to transfer (ex: domain.com)</description>
<type>input</type>
<size>20</size>
- </rowhelperfield>
+ </rowhelperfield>
</rowhelper>
</field>
</fields>
@@ -254,7 +235,7 @@
tinydns_custom_php_install_command();
tinydns_create_zone_file();
tinydns_setup_ping_items();
- tinydns_sync_on_changes();
+ tinydns_sync_on_changes();
</custom_delete_php_command>
<custom_php_validation_command>
tinydns_validate();
@@ -264,26 +245,24 @@
tinydns_custom_php_install_command();
tinydns_create_zone_file();
tinydns_setup_ping_items();
- tinydns_sync_on_changes();
+ tinydns_sync_on_changes();
</custom_add_php_command>
<custom_php_resync_config_command>
tinydns_custom_php_changeip_command();
tinydns_custom_php_install_command();
tinydns_create_zone_file();
tinydns_setup_ping_items();
- tinydns_sync_on_changes();
+ tinydns_sync_on_changes();
</custom_php_resync_config_command>
<custom_php_install_command>
tinydns_custom_php_install_command();
- tinydns_sync_on_changes();
+ tinydns_upgrade_config();
</custom_php_install_command>
<custom_php_deinstall_command>
tinydns_custom_php_deinstall_command();
- tinydns_sync_on_changes();
</custom_php_deinstall_command>
<custom_php_command_before_form>
<![CDATA[
- unset($_POST['temp']);
if (!is_process_running("svscan")) {
$savemsg = "NOTE: svscan is not running. Please <a href='/status_services.php?mode=restartservice&service=svscan'>start svscan</a> to bring up the DNS Server";
}
diff --git a/config/tinydns/tinydns_dhcp_filter.php b/config/tinydns/tinydns_dhcp_filter.php
index 85f5f8e7..5b245d7f 100644
--- a/config/tinydns/tinydns_dhcp_filter.php
+++ b/config/tinydns/tinydns_dhcp_filter.php
@@ -1,10 +1,10 @@
<?php
-/* $Id$ */
/*
tinydns_dhcp_filter.php
+ part of pfSense (https://www.pfSense.org/)
Copyright (C) 2006 Scott Ullrich
- Parts Copyright (C) 2007 Goffredo Andreone <GAndreone@imapro.com>
- part of pfSense
+ Copyright (C) 2007 Goffredo Andreone
+ Copyright (C) 2015 ESF, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -39,21 +39,17 @@
require("/usr/local/pkg/tinydns.inc");
require("guiconfig.inc");
+$closehead = false;
$pgtitle = "TinyDNS: DHCP Domains";
include("head.inc");
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version < 2.0)
- $one_two = true;
-
?>
+<meta http-equiv="refresh" content="60;url=<?php print $_SERVER['SCRIPT_NAME']; ?>">
+</head>
+
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
-<?php if($one_two): ?>
-<p class="pgtitle"><?=$pgtitle?></font></p>
-<?php endif; ?>
-
<?php if ($savemsg) print_info_box($savemsg); ?>
<div id="mainlevel">
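Review bot: The relocated `<meta http-equiv="refresh">` line prints `$_SERVER['SCRIPT_NAME']` into an HTML attribute without output encoding. SCRIPT_NAME is normally set by the web server and is less exposed than PHP_SELF, but whether request-derived path data can reach it depends on the server and FastCGI configuration, which this hunk does not show. Encoding it at the point of output removes the question: `<meta http-equiv="refresh" content="60;url=<?php print htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES); ?>">`. The added `$closehead = false;` presumably tells head.inc to leave `<head>` open so the `</head>` here is the only one; a short comment such as `// head.inc must not close <head>; the refresh tag below is emitted inside it` would make that dependency explicit.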
@@ -64,7 +60,7 @@ if ($pf_version < 2.0)
$tab_array[] = array(gettext("Add/Edit Record"), false, "/tinydns_filter.php");
$tab_array[] = array(gettext("Failover Status"), false, "/tinydns_status.php");
$tab_array[] = array(gettext("Logs"), false, "/tinydns_view_logs.php");
- $tab_array[] = array(gettext("Zone Sync"), false, "/tinydns_xmlrpc_sync.php");
+ $tab_array[] = array(gettext("Zone Sync"), false, "/pkg_edit.php?xml=tinydns_sync.xml");
$tab_array[] = array(gettext("New domain wizard"), false, "/wizard.php?xml=new_zone_wizard.xml");
display_top_tabs($tab_array);
?>
@@ -124,6 +120,5 @@ while ($startofrecord < $datalen ){
</table>
</div>
<?php include("fend.inc"); ?>
-<meta http-equiv="refresh" content="60;url=<?php print $_SERVER['SCRIPT_NAME']; ?>">
</body>
</html>
diff --git a/config/tinydns/tinydns_sync.xml b/config/tinydns/tinydns_sync.xml
index 5fe8ac77..2f7da455 100644
--- a/config/tinydns/tinydns_sync.xml
+++ b/config/tinydns/tinydns_sync.xml
@@ -2,48 +2,48 @@
<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
<packagegui>
- <copyright>
- <![CDATA[
+ <copyright>
+ <![CDATA[
/* $Id$ */
-/* ========================================================================== */
+/* ====================================================================================== */
/*
- tinydns_sync.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2008 Scott Ullrich
- All rights reserved.
- */
-/* ========================================================================== */
+ tinydns_sync.xml
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2008 Scott Ullrich
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
+*/
+/* ====================================================================================== */
/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+/* ====================================================================================== */
+ ]]>
+ </copyright>
<name>tinydnssync</name>
- <version>1.0</version>
- <title>TinyDNS: Manual Sync</title>
+ <version>1.0.6.24</version>
+ <title>TinyDNS: XMLRPC Sync</title>
<include_file>/usr/local/pkg/tinydns.inc</include_file>
<tabs>
<tab>
@@ -76,71 +76,89 @@
<fields>
<field>
<type>listtopic</type>
- <fieldname>temp</fieldname>
- <name>Enable DNS zone sync</name>
+ <name>DNS zone synchronization</name>
</field>
<field>
- <fielddescr>Enable DNS zone synchronization</fielddescr>
+ <fielddescr>Enable synchronization</fielddescr>
<fieldname>synconchanges</fieldname>
- <description>pfSense will automatically sync changes to the hosts defined below.</description>
- <type>checkbox</type>
- </field>
- <field>
- <type>listtopic</type>
- <name>Sync host #1</name>
- <fieldname>temp</fieldname>
- </field>
- <field>
- <fielddescr>IP Address</fielddescr>
- <fieldname>ipaddress</fieldname>
- <description>IP address of the first TinyDNS sync host.</description>
- <type>input</type>
- </field>
- <field>
- <fielddescr>Password</fielddescr>
- <fieldname>password</fieldname>
- <description>Admin password of the first TinyDNS sync host.</description>
- <type>password</type>
+ <description>
+ <![CDATA[
+ Select a sync method for TinyDNS.<br/><br/>
+ <strong>Important:</strong> While using "Sync to host(s) defined below", only sync from host A to B, A to C but <strong>do not</strong> enable XMLRPC sync <b>to</b> A.
+ This will result in a loop!
+ ]]>
+ </description>
+ <type>select</type>
+ <required/>
+ <default_value>disabled</default_value>
+ <options>
+ <option><name>Sync to configured system backup server</name><value>auto</value></option>
+ <option><name>Sync to host(s) defined below</name><value>manual</value></option>
+ <option><name>Do not sync this package configuration</name><value>disabled</value></option>
+ </options>
</field>
<field>
- <type>listtopic</type>
- <name>Sync host #2</name>
- <fieldname>temp</fieldname>
- </field>
- <field>
- <fielddescr>IP Address 2</fielddescr>
- <fieldname>ipaddress2</fieldname>
- <description>IP address of the second TinyDNS sync host. (optional)</description>
- <type>input</type>
- </field>
- <field>
- <fielddescr>Password 2</fielddescr>
- <fieldname>password2</fieldname>
- <description>Admin password of the second TinyDNS sync host.</description>
- <type>password</type>
- </field>
- <field>
- <type>listtopic</type>
- <name>Sync host #3</name>
- <fieldname>temp</fieldname>
- </field>
- <field>
- <fielddescr>IP Address 3</fielddescr>
- <fieldname>ipaddress3</fieldname>
- <description>IP address of the third TinyDNS sync host. (optional)</description>
- <type>input</type>
+ <fielddescr>Sync Timeout</fielddescr>
+ <fieldname>synctimeout</fieldname>
+ <description>XMLRPC timeout in seconds.</description>
+ <type>select</type>
+ <required/>
+ <default_value>250</default_value>
+ <options>
+ <option><name>250 seconds (Default)</name><value>250</value></option>
+ <option><name>120 seconds</name><value>120</value></option>
+ <option><name>90 seconds</name><value>90</value></option>
+ <option><name>60 seconds</name><value>60</value></option>
+ <option><name>30 seconds</name><value>30</value></option>
+ </options>
</field>
<field>
- <fielddescr>Password 3</fielddescr>
- <fieldname>password3</fieldname>
- <description>Admin password of the third TinyDNS sync host.</description>
- <type>password</type>
+ <fielddescr>Replication Targets</fielddescr>
+ <fieldname>none</fieldname>
+ <type>rowhelper</type>
+ <rowhelper>
+ <rowhelperfield>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>syncdestinenable</fieldname>
+ <description><![CDATA[Enable this host as a replication target]]></description>
+ <type>checkbox</type>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Protocol</fielddescr>
+ <fieldname>syncprotocol</fieldname>
+ <description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description>
+ <type>select</type>
+ <default_value>HTTP</default_value>
+ <options>
+ <option><name>HTTP</name><value>http</value></option>
+ <option><name>HTTPS</name><value>https</value></option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>IP Address/Hostname</fielddescr>
+ <fieldname>ipaddress</fieldname>
+ <description><![CDATA[IP address or hostname of the destination host.]]></description>
+ <type>input</type>
+ <size>40</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Port</fielddescr>
+ <fieldname>syncport</fieldname>
+ <description><![CDATA[Choose the sync port of the destination host.]]></description>
+ <type>input</type>
+ <size>3</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Admin Password</fielddescr>
+ <fieldname>password</fieldname>
+ <description><![CDATA[Password of the user "admin" on the destination host.]]></description>
+ <type>password</type>
+ <size>20</size>
+ </rowhelperfield>
+ </rowhelper>
</field>
</fields>
<custom_php_resync_config_command>
tinydns_sync_on_changes();
</custom_php_resync_config_command>
- <custom_php_command_before_form>
- unset($_POST['temp']);
- </custom_php_command_before_form>
-</packagegui> \ No newline at end of file
+</packagegui>
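Review bot: The new `syncprotocol` row field defaults to `HTTP`, and the same row collects the destination's admin password, so a replication target added without changing the selector would presumably send that credential over an unencrypted XMLRPC connection (the sync code itself is in tinydns.inc, outside this hunk). The default also matches neither option value, which are lowercase `http` and `https`; how the form resolves an unmatched default is not visible here. I would change it to `<default_value>https</default_value>` and extend the field description to say that HTTP exposes the admin password on the wire. Separately, `syncport` has `<size>3</size>` while port numbers run to five digits; if that only sets the input width it is cosmetic, but `<size>5</size>` would be clearer.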