From b9c747aa763690dea3a00be3fa55811f8665b465 Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Mon, 4 Mar 2013 00:24:00 +0100 Subject: haproxy-devel, improvements (but 'breaks' parts current config) -moved the 'backend' config fields to page where they make more sense without "magic merging" of frontend settings.. -certificate can now be chosen from certificate manager certificates to find any 'config problems' run "haproxy -c -V -f /var/etc/haproxy.cfg" on a console/ssh session --- config/haproxy-devel/haproxy_listeners_edit.php | 447 ++++++++---------------- 1 file changed, 154 insertions(+), 293 deletions(-) (limited to 'config/haproxy-devel/haproxy_listeners_edit.php') diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index b0207421..0c39ac7f 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -33,6 +33,78 @@ require("guiconfig.inc"); require_once("haproxy.inc"); +function get_certificat_usage($refid) { + $usage = array(); + $cert = lookup_cert($refid); + if (is_cert_revoked($cert)) + $usage[] = "Revoked"; + if (is_webgui_cert($refid)) + $usage[] = "webConfigurator"; + if (is_user_cert($refid)) + $usage[] = "User Cert"; + if (is_openvpn_server_cert($refid)) + $usage[] = "OpenVPN Server"; + if (is_openvpn_client_cert($refid)) + $usage[] = "OpenVPN Client"; + if (is_ipsec_cert($cert['refid'])) + $usage[] = "IPsec Tunnel"; + if (is_captiveportal_cert($refid)) + $usage[] = "Captive Portal"; + + return $usage; +} + +/// This function (is intendet to) provides a uniform way to retrieve a list of use selectable certificates +function get_certificates_server($get_includeWebCert=false) { + global $config; + $certificates=array(); + $a_cert = &$config['cert']; + foreach ($a_cert as $cert) + { + if ($get_ca == false && is_webgui_cert($cert['refid'])) + continue; + + $selected = ""; + $caname = ""; + $inuse = ""; + $revoked = ""; + $ca = lookup_ca($cert['caref']); + if ($ca) + $caname = " (CA: {$ca['descr']})"; + if ($pconfig['certref'] == $cert['refid']) + $selected = "selected"; + if (cert_in_use($cert['refid'])) + $inuse = " *In Use"; + if (is_cert_revoked($cert)) + $revoked = " *Revoked"; + + $usagestr=""; + $usage = get_certificat_usage($cert['refid']); + foreach($usage as $use){ + $usagestr .= " " . $use; + } + if ($usagestr != "") + $usagestr = " (".trim($usagestr).")"; + + $certificates[$cert['refid']] = $cert['descr'] . $caname . $inuse . $revoked . $usagestr; + } + return $certificates; +} + +function echo_html_select($name, $keyvaluelist, $selected, $listEmptyMessage="") +{ + if (count($keyvaluelist)>0){ + echo ""; + } else { + echo $listEmptyMessage; + } +} + function haproxy_acl_select($mode) { global $a_acltypes; @@ -66,25 +138,11 @@ if (isset($id) && $a_backend[$id]) { $pconfig['name'] = $a_backend[$id]['name']; $pconfig['desc'] = $a_backend[$id]['desc']; $pconfig['status'] = $a_backend[$id]['status']; - $pconfig['connection_timeout'] = $a_backend[$id]['connection_timeout']; - $pconfig['server_timeout'] = $a_backend[$id]['server_timeout']; - $pconfig['retries'] = $a_backend[$id]['retries']; $pconfig['type'] = $a_backend[$id]['type']; - $pconfig['balance'] = $a_backend[$id]['balance']; $pconfig['forwardfor'] = $a_backend[$id]['forwardfor']; $pconfig['httpclose'] = $a_backend[$id]['httpclose']; - - $pconfig['stats_enabled'] = $a_backend[$id]['stats_enabled']; - $pconfig['stats_username'] = $a_backend[$id]['stats_username']; - $pconfig['stats_password'] = $a_backend[$id]['stats_password']; - $pconfig['stats_uri'] = $a_backend[$id]['stats_uri']; - $pconfig['stats_realm'] = $a_backend[$id]['stats_realm']; - $pconfig['stats_node_enabled'] = $a_backend[$id]['stats_node_enabled']; - $pconfig['stats_node'] = $a_backend[$id]['stats_node']; - $pconfig['stats_desc'] = $a_backend[$id]['stats_desc']; - $pconfig['stats_refresh'] = $a_backend[$id]['stats_refresh']; $pconfig['type'] = $a_backend[$id]['type']; $pconfig['extaddr'] = $a_backend[$id]['extaddr']; @@ -92,10 +150,9 @@ if (isset($id) && $a_backend[$id]) { $pconfig['max_connections'] = $a_backend[$id]['max_connections']; $pconfig['client_timeout'] = $a_backend[$id]['client_timeout']; $pconfig['port'] = $a_backend[$id]['port']; - $pconfig['svrport'] = $a_backend[$id]['svrport']; $pconfig['a_acl']=&$a_backend[$id]['ha_acls']['item']; $pconfig['advanced'] = base64_decode($a_backend[$id]['advanced']); - $pconfig['dcert'] = base64_decode($a_backend[$id]['dcert']); + $pconfig['ssloffloadcert'] = $a_backend[$id]['ssloffloadcert']; $pconfig['dcertadv'] = $a_backend[$id]['dcertadv']; $pconfig['ssloffload'] = $a_backend[$id]['ssloffload']; } @@ -112,39 +169,13 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; - if ($_POST['stats_enabled']) { - $reqdfields = explode(" ", "name connection_timeout server_timeout stats_username stats_password stats_uri stats_realm"); - $reqdfieldsn = explode(",", "Name,Connection timeout,Server timeout,Stats Username,Stats Password,Stats Uri,Stats Realm"); - } else { - $reqdfields = explode(" ", "name connection_timeout server_timeout"); - $reqdfieldsn = explode(",", "Name,Connection timeout,Server timeout"); - } - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); - - $reqdfields = explode(" ", "name type port max_connections client_timeout"); - $reqdfieldsn = explode(",", "Name,Type,Port,Max connections,Client timeout"); - + $reqdfields = explode(" ", "name type port max_connections"); + $reqdfieldsn = explode(",", "Name,Type,Port,Max connections"); do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['name'])) $input_errors[] = "The field 'Name' contains invalid characters."; - if (!is_numeric($_POST['connection_timeout'])) - $input_errors[] = "The field 'Connection timeout' value is not a number."; - - if (!is_numeric($_POST['server_timeout'])) - $input_errors[] = "The field 'Server timeout' value is not a number."; - - if (!$_POST['retries'] && is_numeric($_POST['retries'])) - $input_errors[] = "The field 'Retries' value is not a number."; - - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['stats_username'])) - $input_errors[] = "The field 'Stats Username' contains invalid characters."; - - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['stats_password'])) - $input_errors[] = "The field 'Stats Password' contains invalid characters."; - if (!is_numeric($_POST['max_connections'])) $input_errors[] = "The field 'Max connections' value is not a number."; @@ -208,32 +239,18 @@ if ($_POST) { update_if_changed("name", $backend['name'], $_POST['name']); update_if_changed("description", $backend['desc'], $_POST['desc']); update_if_changed("status", $backend['status'], $_POST['status']); - update_if_changed("connection_timeout", $backend['connection_timeout'], $_POST['connection_timeout']); - update_if_changed("server_timeout", $backend['server_timeout'], $_POST['server_timeout']); - update_if_changed("retries", $backend['retries'], $_POST['retries']); update_if_changed("type", $backend['type'], $_POST['type']); - update_if_changed("balance", $backend['balance'], $_POST['balance']); update_if_changed("cookie_name", $backend['cookie_name'], $_POST['cookie_name']); update_if_changed("forwardfor", $backend['forwardfor'], $_POST['forwardfor']); update_if_changed("httpclose", $backend['httpclose'], $_POST['httpclose']); - update_if_changed("stats_enabled", $backend['stats_enabled'], $_POST['stats_enabled']); - update_if_changed("stats_username", $backend['stats_username'], $_POST['stats_username']); - update_if_changed("stats_password", $backend['stats_password'], $_POST['stats_password']); - update_if_changed("stats_uri", $backend['stats_uri'], $_POST['stats_uri']); - update_if_changed("stats_realm", $backend['stats_realm'], $_POST['stats_realm']); - update_if_changed("stats_node_enabled", $backend['stats_node_enabled'], $_POST['stats_node_enabled']); - update_if_changed("stats_node", $backend['stats_node'], $_POST['stats_node']); - update_if_changed("stats_desc", $backend['stats_desc'], $_POST['stats_desc']); - update_if_changed("stats_refresh", $backend['stats_refresh'], $_POST['stats_refresh']); update_if_changed("type", $backend['type'], $_POST['type']); update_if_changed("port", $backend['port'], $_POST['port']); - update_if_changed("svrport", $backend['svrport'], $_POST['svrport']); update_if_changed("extaddr", $backend['extaddr'], $_POST['extaddr']); update_if_changed("backend_serverpool", $backend['backend_serverpool'], $_POST['backend_serverpool']); update_if_changed("max_connections", $backend['max_connections'], $_POST['max_connections']); update_if_changed("client_timeout", $backend['client_timeout'], $_POST['client_timeout']); update_if_changed("advanced", $backend['advanced'], base64_encode($_POST['advanced'])); - update_if_changed("dcert", $backend['dcert'], base64_encode($_POST['dcert'])); + update_if_changed("ssloffloadcert", $backend['ssloffloadcert'], $_POST['ssloffloadcert']); update_if_changed("dcertadv", $backend['dcertadv'], $_POST['dcertadv']); update_if_changed("ssloffload", $backend['ssloffload'], $_POST['ssloffload']); $backend['ha_acls']['item'] = $a_acl; @@ -263,7 +280,12 @@ include("head.inc"); ?> - + + + @@ -411,45 +433,35 @@ include("head.inc"); rowtype[2] = "textbox"; rowsize[2] = "35"; - function toggle_stats() { - var stats_enabled=document.getElementById('stats_enabled'); - var stats_realm_row=document.getElementById('stats_realm_row'); - var stats_username_row=document.getElementById('stats_username_row'); - var stats_password_row=document.getElementById('stats_password_row'); - var stats_uri_row=document.getElementById('stats_uri_row'); - var stats_node_enabled_row=document.getElementById('stats_node_enabled_row'); - var stats_node_row=document.getElementById('stats_node_row'); - var stats_desc_row=document.getElementById('stats_desc_row'); - var stats_refresh_row=document.getElementById('stats_refresh_row'); - - if (stats_enabled.checked) { - stats_realm_row.style.display=''; - stats_username_row.style.display=''; - stats_password_row.style.display=''; - stats_uri_row.style.display=''; - stats_node_enabled_row.style.display=''; - stats_node_row.style.display=''; - stats_desc_row.style.display=''; - stats_refresh_row.style.display=''; - } else { - stats_realm_row.style.display='none'; - stats_username_row.style.display='none'; - stats_password_row.style.display='none'; - stats_uri_row.style.display='none'; - stats_node_enabled_row.style.display='none'; - stats_node_row.style.display='none'; - stats_desc_row.style.display='none'; - stats_refresh_row.style.display='none'; + function setCSSdisplay(cssID, display) + { + var ss = document.styleSheets; + for (var i=0; i; var acl = [ ]; var mode = [ ]; - d = document; + d = document; type = d.getElementById("type").value; + + for (i = 0; i < 99; i++) { el = d.getElementById("acl_expression" + i); row = d.getElementById("aclrow" + i); @@ -465,6 +477,7 @@ include("head.inc"); } } } + updatevisibility(); } @@ -473,6 +486,7 @@ include("head.inc");

+ +

Edit haproxy listener
Server Port	- size="10" maxlength="10"> - The default server port. -
Type	@@ -619,7 +626,7 @@ include("head.inc"); - For more information about ACL's please see HAProxy Documentation Section 7 - Using ACL's + For more information about ACL's please see HAProxy Documentation Section 7 - Using ACL's

- >Round robin -	- Each server is used in turns, according to their weights. - This is the smoothest and fairest algorithm when the server's - processing time remains equally distributed. This algorithm - is dynamic, which means that server weights may be adjusted - on the fly for slow starts for instance. -
- >Static Round Robin -	- Each server is used in turns, according to their weights. - This algorithm is as similar to roundrobin except that it is - static, which means that changing a server's weight on the - fly will have no effect. On the other hand, it has no design - limitation on the number of servers, and when a server goes - up, it is always immediately reintroduced into the farm, once - the full map is recomputed. It also uses slightly less CPU to - run (around -1%). -
- >Least Connections -	- The server with the lowest number of connections receives the - connection. Round-robin is performed within groups of servers - of the same load to ensure that all servers will be used. Use - of this algorithm is recommended where very long sessions are - expected, such as LDAP, SQL, TSE, etc... but is not very well - suited for protocols using short sessions such as HTTP. This - algorithm is dynamic, which means that server weights may be - adjusted on the fly for slow starts for instance. -
>Source	- The source IP address is hashed and divided by the total - weight of the running servers to designate which server will - receive the request. This ensures that the same client IP - address will always reach the same server as long as no - server goes down or up. If the hash result changes due to the - number of running servers changing, many clients will be - directed to a different server. This algorithm is generally - used in TCP mode where no cookie may be inserted. It may also - be used on the Internet to provide a best-effort stickyness - to clients which refuse session cookies. This algorithm is - static, which means that changing a server's weight on the - fly will have no effect. -

SSL Offloading
Stats Password
Use Offloading	- size="64"> + onclick="updatevisibility();">Use Offloading + The SSL Offloading will reduce web servers load by encrypt data to users on internet and send it without encrytion to internal servers.
Stats Enable Node Name
Certificate	- > + No Certificates defined. Create one under System > Cert Manager.'); + ?> + NOTE: choose the cert to use on this frontend.
Stats Node
Advanced ssl options	- size="64"> - The node name is displayed in the stats and helps to differentiate which server in a cluster is actually serving clients. - Leave blank to use the system name. -
Stats Description	- size="64"> -
Stats Refresh	- size="10" maxlength="30"> - Specify the refresh rate of the stats page in seconds, or specified time unit (us, ms, s, m, h, d). + size="10" maxlength="64"> + + NOTE: Paste additional ssl options(without commas) to include on ssl listening options. + some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
Max connections	- size="10" maxlength="10"> -
Client timeout	- size="10" maxlength="10"> - the time (in milliseconds) we accept to wait for data from the client, or for the client to accept data (30000). -
Use 'forwardfor' option	- > - - The 'forwardfor' option creates an HTTP 'X-Forwarded-For' header which - contains the client's IP address. This is useful to let the final web server - know what the client address was (eg for statistics on domains) -
Use 'httpclose' option	- > - - The 'httpclose' option removes any 'Connection' header both ways, and - adds a 'Connection: close' header in each direction. This makes it easier to - disable HTTP keep-alive than the previous 4-rules block. -
Advanced pass thru	- <?php echo $pconfig['advanced']; ?> - - NOTE: paste text into this box that you would like to pass thru. -

SSL Offloading
Use Offloading	- > - - The SSL Offloading will reduce web servers load by encrypt data to users on internet and send it without encrytion to internal servers. -
cert	- <?php echo $pconfig['dcert']; ?> - - NOTE: paste cert and rsa key to use on this frontend. -
Advanced ssl options	- size="10" maxlength="64"> - - NOTE: Paste additional ssl options(without commas) to include on ssl listening options. - some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets -