From 56b0123f775788eb53610b7ab463e4852dbafa3c Mon Sep 17 00:00:00 2001
From: PiBa-NL
Date: Tue, 23 Sep 2014 20:54:44 +0200
Subject: haproxy-devel, fix template certificate generation on 2.2, fix certificate acl's, log pid's on restart to syslog
---
 config/haproxy-devel/haproxy.inc | 44 ++++++++++++++++++--------
 config/haproxy-devel/haproxy_utils.inc | 56 +++++++++++++++++++++-------------
 2 files changed, 65 insertions(+), 35 deletions(-)
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index 0b8a5a12..a4e9ba06 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -1417,15 +1417,29 @@ function haproxy_check_run($reload) {
 } else
 mwexec("/usr/local/sbin/ipfw_context -d haproxy", true);
+ if (file_exists('/var/run/haproxy.pid')){
+ $old_pid = file_get_contents('/var/run/haproxy.pid');
+ } else
+ $old_pid = 'none';
+
 if (haproxy_is_running()) {
 if (isset($a_global['terminate_on_reload']))
 $sf_st = "-st";//terminate old process as soon as the new process is listening
 else
 $sf_st = "-sf";//finish serving existing connections exit when done, and the new process is listening
+
+ syslog(LOG_NOTICE, "haproxy: reload old pid:$old_pid");
 exec("/usr/local/sbin/haproxy -f {$configpath}/haproxy.cfg -p /var/run/haproxy.pid $sf_st `cat /var/run/haproxy.pid` 2>&1", $output, $errcode);
 } else {
+ syslog(LOG_NOTICE, "haproxy: starting old pid:$old_pid");
 exec("/usr/local/sbin/haproxy -f {$configpath}/haproxy.cfg -p /var/run/haproxy.pid -D 2>&1", $output, $errcode);
 }
+ if (file_exists('/var/run/haproxy.pid')){
+ $new_pid = file_get_contents('/var/run/haproxy.pid');
+ } else
+ $new_pid = 'none';
+ syslog(LOG_NOTICE, "haproxy: started new pid:$new_pid");
+
 foreach($output as $line)
 $haproxy_run_message .= "
" . htmlspecialchars($line) . "\n"; } else { @@ -1617,17 +1631,17 @@ function get_frontend_acls($frontend) { $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']); $aclname = "SNI_" . $poolname; - if (isset($frontend['ssloffloadacl']) || isset($frontend['ssloffloadaclnondefault'])) { + if (ifset($frontend['ssloffloadacl']) == 'yes' || ifset($frontend['ssloffloadaclnondefault']) == 'yes') { $cert = lookup_cert($frontend['ssloffloadcert']); $cert_cn = cert_get_cn($cert['crt']); $descr = haproxy_escape_acl_name($cert['descr']); unset($cert); $acl_item = array(); - if (isset($frontend['ssloffloadacl']) && isset($frontend['ssloffloadaclnondefault'])) { + if (ifset($frontend['ssloffloadacl']) == 'yes' && ifset($frontend['ssloffloadaclnondefault']) == 'yes') { $acl_item['descr'] = "Certificate ACL match regex: ^{$cert_cn}(:([0-9]){1,5})?$"; $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_regex', 'value' => "^{$cert_cn}(:([0-9]){1,5})?$"); - } elseif (isset($frontend['ssloffloadaclnondefault'])) { + } elseif (ifset($frontend['ssloffloadaclnondefault']) == 'yes') { $acl_item['descr'] = "Certificate ACL starts with: {$cert_cn}:"; $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_starts_with', 'value' => $cert_cn.":"); } else { @@ -1636,7 +1650,7 @@ function get_frontend_acls($frontend) { } $result[] = $acl_item; } - if (isset($frontend['ssloffloadacladditional']) || isset($frontend['ssloffloadacladditionalnondefault'])) { + if (ifset($frontend['ssloffloadacladditional']) == 'yes' || ifset($frontend['ssloffloadacladditionalnondefault']) == 'yes') { $certs = $frontend['ha_certificates']['item']; if (is_array($certs)){ foreach($certs as $certref){ 
@@ -1646,10 +1660,10 @@ function get_frontend_acls($frontend) {
 unset($cert);
 $acl_item = array();
- if (isset($frontend['ssloffloadacladditional']) && isset($frontend['ssloffloadacladditionalnondefault'])) {
+ if (ifset($frontend['ssloffloadacladditional']) == 'yes' && ifset($frontend['ssloffloadacladditionalnondefault']) == 'yes') {
 $acl_item['descr'] = "Certificate ACL match regex: ^{$cert_cn}(:([0-9]){1,5})?$";
 $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_regex', 'value' => "^({$cert_cn}(($)|(:.*)))");
- } elseif (isset($frontend['ssloffloadacladditionalnondefault'])) {
+ } elseif (ifset($frontend['ssloffloadacladditionalnondefault']) == 'yes') {
 $acl_item['descr'] = "Certificate ACL starts with: {$cert_cn}:";
 $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_starts_with', 'value' => $cert_cn.":");
 } else {
@@ -1721,13 +1735,17 @@ function haproxy_find_create_certificate($certificatename) {
 $cert = array();
 $cert['refid'] = uniqid();
 $cert['descr'] = gettext($certificatename);
- mwexec("/usr/local/bin/openssl genrsa 1024 > {$g['tmp_path']}/ssl.key");
- mwexec("/usr/local/bin/openssl req -new -x509 -nodes -sha256 -days 2000 -key {$g['tmp_path']}/ssl.key > {$g['tmp_path']}/ssl.crt");
- $crt = file_get_contents("{$g['tmp_path']}/ssl.crt");
- $key = file_get_contents("{$g['tmp_path']}/ssl.key");
- unlink("{$g['tmp_path']}/ssl.key");
- unlink("{$g['tmp_path']}/ssl.crt");
- cert_import($cert, $crt, $key);
+
+ $new_cert = array();
+ $dn = array(
+ "organizationName" => "haproxy-pfsense",
+ "commonName" => "haproxy-pfsense"
+ );
+ $new_cert = array();
+ ca_create($new_cert, 1024, 2000, $dn);
+ $crt = base64_decode($new_cert['crt']);
+ $prv = base64_decode($new_cert['prv']);
+ cert_import($cert, $crt, $prv);
 $a_cert[] = $cert;
 return $cert;
 }
diff --git a/config/haproxy-devel/haproxy_utils.inc b/config/haproxy-devel/haproxy_utils.inc
index a5fb7c64..37c1d623 100644
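Review bot: The result of `ca_create($new_cert, 1024, 2000, $dn)` in the `-1721,13` hunk is ignored, so if key or certificate generation fails `$new_cert['crt']` and `['prv']` stay unset, `base64_decode(null)` yields `''` and `cert_import` stores an empty certificate under a fresh refid; ca_create appears to report failure through its return value, so guard it: `if (!ca_create($new_cert, 1024, 2000, $dn) || empty($new_cert['crt'])) { log_error("haproxy: failed to generate template certificate"); return false; }` (callers would then need to handle `false`). On the same lines, `$new_cert = array();` appears twice and the first one is dead, and the 1024-bit RSA key carried over from the removed `genrsa 1024` is below what current clients and CA/B guidance accept, so 2048 is the safer default for a freshly generated template certificate. Since the helper is named `ca_create`, the template is presumably issued with CA extensions; confirm that is intended for a certificate HAProxy serves as an end-entity certificate. The opening lines of `haproxy_find_create_certificate` are outside the hunk.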
--- a/config/haproxy-devel/haproxy_utils.inc
+++ b/config/haproxy-devel/haproxy_utils.inc
@@ -33,6 +33,12 @@ require_once("config.inc");
+if(!function_exists('ifset')){
+ function ifset(&$var, $default = ''){
+ return isset($var) ? $var : $default;
+ };
+}
+
 function haproxy_compareByName($a, $b) {
 return strcasecmp($a['name'], $b['name']);
 }
@@ -291,24 +297,28 @@ function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=fal
 $type = ",$type,";
 $certificates = array();
 if (strpos($type,',server,') !== false || strpos($type,',user,') !== false ) {
- $a_cert = &$config['cert'];
- foreach ($a_cert as $cert) {
- $purpose = cert_get_purpose($cert['crt']);
-
- $ok = false;
- $ok |= stristr($type,',server,') && $purpose['server'] == 'Yes';
- $ok |= stristr($type,',user,') && $purpose['server'] != 'Yes';
- if (!$ok)
- continue;
- if ($get_includeWebCert == false && is_webgui_cert($cert['refid']))
- continue;
- $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ if (is_array($config['cert'])) {
+ $a_cert = &$config['cert'];
+ foreach ($a_cert as $cert) {
+ $purpose = cert_get_purpose($cert['crt']);
+
+ $ok = false;
+ $ok |= stristr($type,',server,') && $purpose['server'] == 'Yes';
+ $ok |= stristr($type,',user,') && $purpose['server'] != 'Yes';
+ if (!$ok)
+ continue;
+ if ($get_includeWebCert == false && is_webgui_cert($cert['refid']))
+ continue;
+ $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ }
 }
 }
 if (strpos($type,',ca,') !== false) {
- $a_cert = &$config['ca'];
- foreach ($a_cert as $cert) {
- $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ if (is_array($config['ca'])) {
+ $a_cert = &$config['ca'];
+ foreach ($a_cert as $cert) {
+ $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert);
+ }
 }
 }
 uasort($certificates, haproxy_compareByName);
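Review bot: The `};` closing the body of `ifset` leaves a stray empty statement inside the `if (!function_exists('ifset'))` block; the line should be just `}`. The by-reference parameter is what lets `ifset($arr['missing'])` run without a notice, but it also creates the missing index (as null) in the caller's array, which a one-line comment above the function should say, e.g. `// $var is by-ref so a missing index raises no notice; note this creates the index (null) in the caller's array`. The callers added in haproxy.inc compare the result with `== 'yes'` and rely on the `''` default, so the comment could also state that the default is returned for unset and null values alike.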
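Review bot: `is_array($config['cert'])` still dereferences the index before `is_array` sees it, so on a config with no `cert` element PHP reports an undefined-index notice (a warning on PHP 8) even though the branch is correctly skipped; the guard that actually silences it is `if (isset($config['cert']) && is_array($config['cert'])) {`, and the same applies to `$config['ca']` below and to `$config['crl']` in the next hunk. Inside the new block the alias `$a_cert = &$config['cert'];` is no longer needed — `foreach ($config['cert'] as $cert)` reads the same data without binding a reference into `$config`, which is how the `crl` loop in the next hunk is written. In the closing context line, `uasort($certificates, haproxy_compareByName);` passes the callback as a bare constant; PHP 5/7 fall back to the string with a notice and PHP 8 throws an Error for the undefined constant, so it should be `uasort($certificates, 'haproxy_compareByName');` — this predates the commit but appears again at the end of `haproxy_get_crls` in the next hunk.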
@@ -318,13 +328,15 @@ function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=fal
 function haproxy_get_crls() {
 global $config;
 $certificates=array();
- foreach ($config['crl'] as $crl) {
- $caname = "";
- $ca = lookup_ca($crl['caref']);
- if ($ca)
- $caname = " (CA: {$ca['descr']})";
-
- $certificates[$crl['refid']]['name'] = $crl['descr'] . $caname;
+ if (is_array($config['crl'])) {
+ foreach ($config['crl'] as $crl) {
+ $caname = "";
+ $ca = lookup_ca($crl['caref']);
+ if ($ca)
+ $caname = " (CA: {$ca['descr']})";
+
+ $certificates[$crl['refid']]['name'] = $crl['descr'] . $caname;
+ }
 }
 uasort($certificates, haproxy_compareByName);
 return $certificates;
-- cgit v1.2.3