From cec43bb753d271b84aa6610315fdc02f784895c4 Mon Sep 17 00:00:00 2001
From: PiBa-NL
Date: Sun, 8 Feb 2015 00:53:11 +0100
Subject: haproxy-devel, 0.18, make sure frontend without acl's is last 'default' even when system acl is added
---
 config/haproxy-devel/haproxy.inc | 21 ++++++++++++++++-----
 pkg_config.10.xml | 2 +-
 pkg_config.8.xml | 2 +-
 pkg_config.8.xml.amd64 | 2 +-
 4 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index a7394cf3..fd4262a5 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -1147,6 +1147,7 @@ function haproxy_writeconf($configpath) {
 $default_backend = "";
 $config_acls = "";
 $config_usebackends = "";
+ $config_usedefaultbackends = "";
 $transparent_clientip = false;
 foreach ($bind['config'] as $frontend) {
@@ -1171,11 +1172,13 @@ function haproxy_writeconf($configpath) {
 $backend = haproxy_find_backend($frontend['backend_serverpool']);
 $transparent_clientip = $backend["transparent_clientip"] == 'yes';
+ $allowfordefaultbackend = true;
 $ipv = array();
 if ($transparent_clientip) {
 if ($useipv4 && $useipv6) {
 $ipv["ipv4"]['acl'] = " src_is_ipv4 ";
 $ipv["ipv6"]['acl'] = " !src_is_ipv4 ";
+ $allowfordefaultbackend = false; // transparent backend must always match client-ip which is ipv4 v.s. ipv6 specific so there cannot be a default.
 } else if ($useipv6)
 $ipv["ipv6"]['acl'] = " ";
 else
@@ -1217,10 +1220,12 @@ function haproxy_writeconf($configpath) {
 $a_pendingpl[$poolname]['frontend'] = $bind;
 $a_pendingpl[$poolname]['ipversion'] = $ipversion;
 }
-
+ $canbedefaultbackend = false;
 // Write this out once, and must be before any backend config text
 if (($default_backend == "" || $frontend['secondary'] != 'yes') && count($a_acl) == 0 ) {
- $default_backend = $poolname;
+ $canbedefaultbackend = true;
+ if ($allowfordefaultbackend)
+ $default_backend = $poolname;
 }
 foreach ($a_acl_combine as $a_usebackend) {
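Review bot: In the `@@ -1217` hunk the two new flags are easy to confuse and neither is explained where it is used: `$canbedefaultbackend` becomes true for every frontend without ACLs that passes the condition, while `$default_backend` is only assigned when `$allowfordefaultbackend` (set in the `@@ -1171` hunk) is still true. A comment on the initialisation would help, for example `// true when this frontend has no user ACLs; its use_backend lines are then written after all ACL-gated ones`. The nested `if ($allowfordefaultbackend)` is unbraced inside a braced block; writing it as `if ($allowfordefaultbackend) { $default_backend = $poolname; }` keeps a statement added later from landing outside the guard. The enclosing loop starts and ends outside the hunk, so how often `$default_backend` is overwritten per bind cannot be confirmed from here.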
@@ -1281,12 +1286,17 @@ function haproxy_writeconf($configpath) {
 $y++;
 }
- if (count($useracls) == 0) $useracls[] = ""; // add empty item to enter foreach loop at least once.
+ $systemacl = trim("{$certacl}{$ipversionoptions['acl']}");
+ if (!empty($systemacl) && count($useracls) == 0) $useracls[] = ""; // add empty item to enter foreach loop at least once when a system acl is pressent.
 foreach($useracls as $useracl) {
 $backendacl = "";
- $backendacl .= "|| {$useracl}{$certacl}{$ipversionoptions['acl']}";
+ $backendacl .= "|| {$useracl}{$systemacl}";
 $backendacl = substr($backendacl, 3);
- $config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
+ if ($canbedefaultbackend) {
+ // makes sure these come last even though systemacl's might have been added.
+ $config_usedefaultbackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
+ } else
+ $config_usebackends .= "\tuse_backend\t\t" . $poolname . " if " . $backendacl . "\n";
 }
 }
 }
@@ -1302,6 +1312,7 @@ function haproxy_writeconf($configpath) {
 // Write backends after advanced options so custom use_backend rules can be applied first.
 fwrite ($fd, $config_usebackends);
+ fwrite ($fd, $config_usedefaultbackends);
 if ($default_backend) fwrite ($fd, "\tdefault_backend\t\t" . $default_backend . "\n");
diff --git a/pkg_config.10.xml b/pkg_config.10.xml
index 17e43831..3dcefea6 100644
--- a/pkg_config.10.xml
+++ b/pkg_config.10.xml
@@ -152,7 +152,7 @@ Supports ACLs for smart backend switching.]]> http://haproxy.1wt.eu/ Services - 1.5.9 pkg v 0.17 + 1.5.9 pkg v 0.18 Release 2.2 https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.xml
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index 5c705921..9d574b48 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
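Review bot: In the `@@ -1281` hunk, `trim()` on the system ACL removes the leading space that used to separate it from `$useracl`, so `"|| {$useracl}{$systemacl}"` can fuse two ACL names into one token unless every `$useracl` (built outside this hunk) already ends in whitespace. The `@@ -1171` hunk shows the ip-version value as `" src_is_ipv4 "`, which suggests that padding is what kept the old concatenation well-formed. These conditions decide which backend a request reaches, so the separator should be explicit rather than inherited: `$backendacl .= "|| " . trim("{$useracl} {$systemacl}");`. Separately, when `$systemacl` is empty and there are no user ACLs the loop now emits nothing, so a frontend in that state that is not the default appears to get no `use_backend` line at all; logging that case would make the skipped pool visible to the administrator.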
@@ -166,7 +166,7 @@ Supports ACLs for smart backend switching.]]> http://haproxy.1wt.eu/ Services - 1.5.3 pkg v 0.17 + 1.5.3 pkg v 0.18 Release 2.1 https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.xml
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index a7b17520..e8f9f410 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -153,7 +153,7 @@ Supports ACLs for smart backend switching.]]> http://haproxy.1wt.eu/ Services - 1.5.3 pkg v 0.17 + 1.5.3 pkg v 0.18 Release 2.1 https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.xml
-- cgit v1.2.3