From 923ed523e8088bdb494ca8f72fa1fe1caa2a4e6a Mon Sep 17 00:00:00 2001
From: PiBa-NL
Date: Fri, 8 Mar 2013 00:32:12 +0100
Subject: haproxy-devel, ssl backend support, X-Forwarded-Proto, server states active/backup/disabled/inactive, certificate purpose show 'server certs' only.
---
 config/haproxy-devel/haproxy.inc | 40 +++++++++++-----
 config/haproxy-devel/haproxy_listeners_edit.php | 61 ++++++++++---------
 config/haproxy-devel/haproxy_pool_edit.php | 52 ++++++++++++++-------
 3 files changed, 90 insertions(+), 63 deletions(-)
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index fce05008..cd440eb0 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -322,7 +322,7 @@ function haproxy_find_acl($name) {
 }
 function write_backend($fd, $name, $pool, $frontend) {
- if(!is_array($pool['ha_servers']['item']))
+ if(!is_array($pool['ha_servers']['item']) && !$pool['stats_enabled']=='yes')
 return;
 fwrite ($fd, "backend " . $name . "\n");
@@ -408,15 +408,21 @@ function write_backend($fd, $name, $pool, $frontend) {
 $checkinter = "";
 $a_servers = &$pool['ha_servers']['item'];
- foreach($a_servers as $be) {
- if (!$be['name'])
- $be['name'] = $be['address'];
- if($be['backup']) {
- $isbackup = "backup";
- } else {
- $isbackup = "";
+ if (is_array($a_servers))
+ {
+ foreach($a_servers as $be) {
+ if (!$be['status'] == "inactive")
+ continue;
+
+ if (!$be['name'])
+ $be['name'] = $be['address'];
+ if(!$be['status'] || $be['status'] != 'active') {
+ $isbackup = $be['status'];
+ } else {
+ $isbackup = "";
+ }
+ fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n");
 }
- fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n");
 }
 fwrite ($fd, "\n");
 }
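Review bot: `!$pool['stats_enabled']=='yes'` in the new guard of write_backend parses as `(!$pool['stats_enabled']) == 'yes'`, a boolean compared loosely with a string, so the early return depends on the truthiness of the literal 'yes' rather than on the field's value; it happens to give the intended result today, but any other non-empty value (e.g. 'no') would also keep the backend. Write the test explicitly: `if(!is_array($pool['ha_servers']['item']) && $pool['stats_enabled'] != 'yes')`. The function continues past the hunk.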
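Review bot: `if (!$be['status'] == "inactive") continue;` is inverted by precedence: it evaluates `(!$be['status']) == "inactive"`, which is true exactly when status is empty and false when it is "inactive", so servers saved before this change (which carry only the old `backup` flag and no `status`) are silently dropped from the backend, while servers marked inactive are still emitted and `$isbackup = $be['status']` puts the word `inactive`, which is not a haproxy server keyword, onto the `server` line. Change it to `if ($be['status'] == "inactive") continue;`. The `$server['ssl']` field that haproxy_pool_edit.php now stores is not read anywhere in this hunk, so unless it is emitted outside the hunk the ssl keyword never reaches the server line. Mapping a stored `backup` flag to `status = 'backup'` in this loop would keep existing pools working.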
@@ -524,7 +530,7 @@ function haproxy_writeconf() {
 $a_pendingpl = array();
- // Construct and write out configuration file
+ // Construct and write out configuration for each "frontend"
 if(is_array($a_bind)) {
 foreach ($a_bind as $bind) {
 if (count($bind['config']) > 1)
@@ -576,8 +582,10 @@ function haproxy_writeconf() {
 if($bind['httpclose'])
 fwrite ($fd, "\toption\t\t\thttpclose\n");
- if($bind['forwardfor'])
+ if($bind['forwardfor']) {
 fwrite ($fd, "\toption\t\t\tforwardfor\n");
+ fwrite ($fd, "\treqadd X-Forwarded-Proto:\ https\tif { ssl_fc }\n");
+ }
 if($bind['max_connections'])
 fwrite ($fd, "\tmaxconn\t\t\t" . $bind['max_connections'] . "\n");
@@ -614,6 +622,15 @@ function haproxy_writeconf() {
 $a_pendingpl[$poolname]['frontend'] = $bconfig;
 }
+ if ($bconfig['ssloffload'] && $bconfig['ssloffloadacl']) {
+ $aclname = "SNI_" . $poolname;
+ $cert_cn = cert_get_cn($bconfig['ssloffloadcert'] ,true);
+ //$expr = "req_ssl_sni -i $cert_cn";
+ $expr = "hdr(host) -i $cert_cn";
+ fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n");
+ fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n");
+ }
+
 foreach ($a_acl as $entry) {
 $acl = haproxy_find_acl($entry['expression']);
 if (!$acl)
@@ -638,6 +655,7 @@ function haproxy_writeconf() {
 fwrite ($fd, "\n");
 }
 }
+ // Construct and write out configuration for each "backend"
 if (is_array($a_pendingpl) && is_array($a_pools)) {
 foreach ($a_pendingpl as $pending) {
 foreach ($a_pools as $pool) {
diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php
index 32cf0020..c61954ac 100644
--- a/config/haproxy-devel/haproxy_listeners_edit.php
+++ b/config/haproxy-devel/haproxy_listeners_edit.php
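Review bot: The added `reqadd X-Forwarded-Proto:\ https if { ssl_fc }` appends the header without removing one the client may have sent, and on non-TLS connections nothing is set at all, so a backend that trusts X-Forwarded-Proto for secure-cookie or redirect decisions still sees whatever value the client supplied. Delete the client copy first, e.g. emit `fwrite ($fd, "\treqidel ^X-Forwarded-Proto:.*\n");` before the reqadd, and consider also adding the header with `http` when `!{ ssl_fc }` so its value is always set by the proxy. The header is only emitted when `forwardfor` is enabled, which the option name does not suggest; a comment such as `// forwardfor also announces the client-facing scheme to the backend` would make that visible. haproxy_writeconf starts and ends outside this hunk.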
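Review bot: The ACL named `SNI_<pool>` actually matches `hdr(host)` (the `req_ssl_sni` form is left commented out), so a comment stating this would save the next reader confusion, e.g. `// routes on the HTTP Host header, not on TLS SNI`. `$cert_cn` is interpolated into the config line unchecked: a CN containing whitespace or a `#` would yield a different or broken acl line, and a wildcard CN such as `*.example.com` will not match any host under `-i` exact string comparison, so the CN should be validated against a hostname pattern before being written and a suffix match (`-m end` / `hdr_end`) used for wildcard names. `cert_get_cn` is defined outside the hunk, so how it behaves on an unparsable certificate cannot be checked here.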
@@ -64,6 +64,10 @@ function get_certificates_server($get_includeWebCert=false) {
 {
 if ($get_ca == false && is_webgui_cert($cert['refid']))
 continue;
+
+ $purpose = cert_get_purpose($cert['crt']);
+ if ($purpose['server'] != 'Yes')
+ continue;
 $selected = "";
 $caname = "";
@@ -126,6 +130,9 @@ if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) {
 $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item'];
 $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item'];
+global $simplefields;
+$simplefields = array('name','desc','status','secondary','type','forwardfor','httpclose','extaddr','backend_serverpool', 'max_connections','client_timeout','port','ssloffloadcert','dcertadv','ssloffload','ssloffloadacl');
 if (isset($_POST['id']))
 $id = $_POST['id'];
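Review bot: The purpose check added to get_certificates_server only filters the dropdown; the `ssloffloadcert` value posted back is stored by the `$simplefields` loop later in this same file without the same check, so "server certs only" is advisory rather than enforced. If it is meant to be enforced, reject a posted refid whose `cert_get_purpose` result is not a server certificate in the POST handler as well. Prefer `!==` for the string flag comparison, e.g. `if ($purpose['server'] !== 'Yes')`. The function continues outside this hunk.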
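Review bot: `global $simplefields;` at file scope is a no-op: this statement already runs in global scope, and the two places in this file that read the array are also top-level code, so the line can be dropped (or, if the intent is to share the field list with haproxy.inc, the definition belongs there instead). A one-line comment above the array, such as `// form fields copied 1:1 between $_POST, $pconfig and the stored backend entry`, would explain why the list exists and why a new field must be added here rather than in the load/save code.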
@@ -136,27 +143,11 @@ if (isset($_GET['dup']))
 $id = $_GET['dup'];
 if (isset($id) && $a_backend[$id]) {
- $pconfig['name'] = $a_backend[$id]['name'];
- $pconfig['desc'] = $a_backend[$id]['desc'];
- $pconfig['status'] = $a_backend[$id]['status'];
- $pconfig['secondary'] = $a_backend[$id]['secondary'];
-
- $pconfig['type'] = $a_backend[$id]['type'];
-
- $pconfig['forwardfor'] = $a_backend[$id]['forwardfor'];
- $pconfig['httpclose'] = $a_backend[$id]['httpclose'];
-
- $pconfig['type'] = $a_backend[$id]['type'];
- $pconfig['extaddr'] = $a_backend[$id]['extaddr'];
- $pconfig['backend_serverpool'] = $a_backend[$id]['backend_serverpool'];
- $pconfig['max_connections'] = $a_backend[$id]['max_connections'];
- $pconfig['client_timeout'] = $a_backend[$id]['client_timeout'];
- $pconfig['port'] = $a_backend[$id]['port'];
 $pconfig['a_acl']=&$a_backend[$id]['ha_acls']['item'];
 $pconfig['advanced'] = base64_decode($a_backend[$id]['advanced']);
- $pconfig['ssloffloadcert'] = $a_backend[$id]['ssloffloadcert'];
- $pconfig['dcertadv'] = $a_backend[$id]['dcertadv'];
- $pconfig['ssloffload'] = $a_backend[$id]['ssloffload'];
+
+ foreach($simplefields as $stat)
+ $pconfig[$stat] = $a_backend[$id][$stat];
 }
 if (isset($_GET['dup']))
@@ -237,25 +228,11 @@ if ($_POST) {
 if($backend['name'] != "")
 $changedesc .= " modified '{$backend['name']}' pool:";
+ foreach($simplefields as $stat)
+ update_if_changed($stat, $backend[$stat], $_POST[$stat]);
- update_if_changed("name", $backend['name'], $_POST['name']);
- update_if_changed("description", $backend['desc'], $_POST['desc']);
- update_if_changed("status", $backend['status'], $_POST['status']);
- update_if_changed("secondary", $backend['secondary'], $_POST['secondary']);
- update_if_changed("type", $backend['type'], $_POST['type']);
- update_if_changed("cookie_name", $backend['cookie_name'], $_POST['cookie_name']);
- update_if_changed("forwardfor", $backend['forwardfor'], $_POST['forwardfor']);
- update_if_changed("httpclose", $backend['httpclose'], $_POST['httpclose']);
- update_if_changed("type", $backend['type'], $_POST['type']);
- update_if_changed("port", $backend['port'], $_POST['port']);
- update_if_changed("extaddr", $backend['extaddr'], $_POST['extaddr']);
- update_if_changed("backend_serverpool", $backend['backend_serverpool'], $_POST['backend_serverpool']);
- update_if_changed("max_connections", $backend['max_connections'], $_POST['max_connections']);
- update_if_changed("client_timeout", $backend['client_timeout'], $_POST['client_timeout']);
+ update_if_changed("advanced", $backend['advanced'], base64_encode($_POST['advanced']));
- update_if_changed("ssloffloadcert", $backend['ssloffloadcert'], $_POST['ssloffloadcert']);
- update_if_changed("dcertadv", $backend['dcertadv'], $_POST['dcertadv']);
- update_if_changed("ssloffload", $backend['ssloffload'], $_POST['ssloffload']);
 $backend['ha_acls']['item'] = $a_acl;
 if (isset($id) && $a_backend[$id]) {
@@ -278,6 +255,12 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
 if(strstr($pfSversion, "1.2"))
 $one_two = true;
+if (!$id)
+{
+ //default value for new items.
+ $pconfig['ssloffloadacl'] = "yes";
+}
+
 $pgtitle = "HAProxy: Frontend: Edit";
 include("head.inc");
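Review bot: The `$simplefields` loop no longer saves `cookie_name`, which the removed `update_if_changed("cookie_name", …)` line did, so if the form still posts that field it is now discarded silently; either add `'cookie_name'` to `$simplefields` or remove the form input deliberately. The change-log label for the description also shifts from "description" to "desc", because the loop uses the field key as the label. The loop copies `$_POST` values into the config verbatim, as the explicit lines did before; a comment such as `// values are stored as posted; any field that ends up in haproxy.cfg must be validated before this point` would tell the next maintainer where the check is expected to live. The enclosing `if ($_POST)` block starts outside the hunk.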
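Review bot: `if (!$id)` also fires for `$id === 0`, the first frontend in the list, because `$id` is the array index taken from the request; editing that entry therefore resets `ssloffloadacl` to "yes" regardless of the stored value. Use `if (!isset($id))`, matching the `isset($id)` checks used elsewhere in this file, so the default applies only to genuinely new items.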
@@ -720,6 +703,12 @@ include("head.inc"); NOTE: choose the cert to use on this frontend. + + ACL for certificate CN + + onclick="updatevisibility();">Add ACL for certificate CommonName. + + Advanced ssl options
diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php
index 09474f02..5fb43b49 100644
--- a/config/haproxy-devel/haproxy_pool_edit.php
+++ b/config/haproxy-devel/haproxy_pool_edit.php
@@ -113,8 +113,9 @@ if ($_POST) {
 $server_name=$_POST['server_name'.$x];
 $server_address=$_POST['server_address'.$x];
 $server_port=$_POST['server_port'.$x];
+ $server_ssl=$_POST['server_ssl'.$x];
 $server_weight=$_POST['server_weight'.$x];
- $server_backup=$_POST['server_backup'.$x];
+ $server_status=$_POST['server_status'.$x];
 if ($server_address)
 {
@@ -122,8 +123,9 @@ if ($_POST) {
 $server['name']=$server_name;
 $server['address']=$server_address;
 $server['port']=$server_port;
+ $server['ssl']=$server_ssl;
 $server['weight']=$server_weight;
- $server['backup']=$server_backup;
+ $server['status']=$server_status;
 $a_servers[]=$server;
 if (preg_match("/[^a-zA-Z0-9\.\-_]/", $server_name))
@@ -257,12 +259,15 @@ row_helper();
 rowname[2] = "server_port";
 rowtype[2] = "textbox";
 rowsize[2] = "5";
- rowname[3] = "server_weight";
- rowtype[3] = "textbox";
+ rowname[3] = "server_ssl";
+ rowtype[3] = "checkbox";
 rowsize[3] = "5";
- rowname[4] = "server_backup";
- rowtype[4] = "checkbox";
+ rowname[4] = "server_weight";
+ rowtype[4] = "textbox";
 rowsize[4] = "5";
+ rowname[5] = "server_status";
+ rowtype[5] = "select";
+ rowsize[5] = "1";
@@ -295,16 +300,15 @@ row_helper(); - Server list - - - + Server list + - + +
@@ -322,8 +326,9 @@ row_helper(); + - +
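Review bot: `$server_status` (and `$server_ssl`) are read from `$_POST` here and stored unchanged in the next hunk (`$server['status']=$server_status;`), and haproxy.inc in this same commit writes `status` verbatim as a keyword on the `server` line, so any string a client submits, not just the values the select offers, ends up in haproxy.cfg. Validate at this point alongside the existing server-name regex check, e.g. `if (!in_array($server_status, array('active','backup','disabled','inactive'), true))` and report it the same way that check does, and reduce `$server_ssl` to the single expected flag value before storing it. Servers saved by earlier versions carry `backup` rather than `status`; unless a migration runs elsewhere, that flag is lost when the pool is next saved. The enclosing `if ($_POST)` block starts outside the hunk.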
Name Address PortWeightSSLWeight Backup
+ + +
@@ -344,10 +349,18 @@ row_helper(); + - /> - + - +
@@ -473,14 +486,14 @@ row_helper(); Advanced settings
Connection timeoutConnection timeout size="64">
the time (in milliseconds) we give up if the connection does not complete within (default 30000).
Server timeoutServer timeout size="64">
the time (in milliseconds) we accept to wait for data from the server, or for the server to accept data (default 30000).
@@ -582,7 +595,7 @@ set by the 'retries' parameter.