From 923ed523e8088bdb494ca8f72fa1fe1caa2a4e6a Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Fri, 8 Mar 2013 00:32:12 +0100 Subject: haproxy-devel, ssl backend support, X-Forwarded-Proto, server states active/backup/disabled/inactive, certificate purpose show 'server certs' only. --- config/haproxy-devel/haproxy.inc | 40 +++++++++++----- config/haproxy-devel/haproxy_listeners_edit.php | 61 ++++++++++--------------- config/haproxy-devel/haproxy_pool_edit.php | 52 ++++++++++++++------- 3 files changed, 90 insertions(+), 63 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index fce05008..cd440eb0 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -322,7 +322,7 @@ function haproxy_find_acl($name) { } function write_backend($fd, $name, $pool, $frontend) { - if(!is_array($pool['ha_servers']['item'])) + if(!is_array($pool['ha_servers']['item']) && !$pool['stats_enabled']=='yes') return; fwrite ($fd, "backend " . $name . "\n"); @@ -408,15 +408,21 @@ function write_backend($fd, $name, $pool, $frontend) { $checkinter = ""; $a_servers = &$pool['ha_servers']['item']; - foreach($a_servers as $be) { - if (!$be['name']) - $be['name'] = $be['address']; - if($be['backup']) { - $isbackup = "backup"; - } else { - $isbackup = ""; + if (is_array($a_servers)) + { + foreach($a_servers as $be) { + if (!$be['status'] == "inactive") + continue; + + if (!$be['name']) + $be['name'] = $be['address']; + if(!$be['status'] || $be['status'] != 'active') { + $isbackup = $be['status']; + } else { + $isbackup = ""; + } + fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); } - fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); } fwrite ($fd, "\n"); } @@ -524,7 +530,7 @@ function haproxy_writeconf() { $a_pendingpl = array(); - // Construct and write out configuration file + // Construct and write out configuration for each "frontend" if(is_array($a_bind)) { foreach ($a_bind as $bind) { if (count($bind['config']) > 1) @@ -576,8 +582,10 @@ function haproxy_writeconf() { if($bind['httpclose']) fwrite ($fd, "\toption\t\t\thttpclose\n"); - if($bind['forwardfor']) + if($bind['forwardfor']) { fwrite ($fd, "\toption\t\t\tforwardfor\n"); + fwrite ($fd, "\treqadd X-Forwarded-Proto:\ https\tif { ssl_fc }\n"); + } if($bind['max_connections']) fwrite ($fd, "\tmaxconn\t\t\t" . $bind['max_connections'] . "\n"); @@ -614,6 +622,15 @@ function haproxy_writeconf() { $a_pendingpl[$poolname]['frontend'] = $bconfig; } + if ($bconfig['ssloffload'] && $bconfig['ssloffloadacl']) { + $aclname = "SNI_" . $poolname; + $cert_cn = cert_get_cn($bconfig['ssloffloadcert'] ,true); + //$expr = "req_ssl_sni -i $cert_cn"; + $expr = "hdr(host) -i $cert_cn"; + fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"); + fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n"); + } + foreach ($a_acl as $entry) { $acl = haproxy_find_acl($entry['expression']); if (!$acl) @@ -638,6 +655,7 @@ function haproxy_writeconf() { fwrite ($fd, "\n"); } } + // Construct and write out configuration for each "backend" if (is_array($a_pendingpl) && is_array($a_pools)) { foreach ($a_pendingpl as $pending) { foreach ($a_pools as $pool) { diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index 32cf0020..c61954ac 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -64,6 +64,10 @@ function get_certificates_server($get_includeWebCert=false) { { if ($get_ca == false && is_webgui_cert($cert['refid'])) continue; + + $purpose = cert_get_purpose($cert['crt']); + if ($purpose['server'] != 'Yes') + continue; $selected = ""; $caname = ""; @@ -126,6 +130,9 @@ if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; +global $simplefields; +$simplefields = array('name','desc','status','secondary','type','forwardfor','httpclose','extaddr','backend_serverpool', + 'max_connections','client_timeout','port','ssloffloadcert','dcertadv','ssloffload','ssloffloadacl'); if (isset($_POST['id'])) $id = $_POST['id']; @@ -136,27 +143,11 @@ if (isset($_GET['dup'])) $id = $_GET['dup']; if (isset($id) && $a_backend[$id]) { - $pconfig['name'] = $a_backend[$id]['name']; - $pconfig['desc'] = $a_backend[$id]['desc']; - $pconfig['status'] = $a_backend[$id]['status']; - $pconfig['secondary'] = $a_backend[$id]['secondary']; - - $pconfig['type'] = $a_backend[$id]['type']; - - $pconfig['forwardfor'] = $a_backend[$id]['forwardfor']; - $pconfig['httpclose'] = $a_backend[$id]['httpclose']; - - $pconfig['type'] = $a_backend[$id]['type']; - $pconfig['extaddr'] = $a_backend[$id]['extaddr']; - $pconfig['backend_serverpool'] = $a_backend[$id]['backend_serverpool']; - $pconfig['max_connections'] = $a_backend[$id]['max_connections']; - $pconfig['client_timeout'] = $a_backend[$id]['client_timeout']; - $pconfig['port'] = $a_backend[$id]['port']; $pconfig['a_acl']=&$a_backend[$id]['ha_acls']['item']; $pconfig['advanced'] = base64_decode($a_backend[$id]['advanced']); - $pconfig['ssloffloadcert'] = $a_backend[$id]['ssloffloadcert']; - $pconfig['dcertadv'] = $a_backend[$id]['dcertadv']; - $pconfig['ssloffload'] = $a_backend[$id]['ssloffload']; + + foreach($simplefields as $stat) + $pconfig[$stat] = $a_backend[$id][$stat]; } if (isset($_GET['dup'])) @@ -237,25 +228,11 @@ if ($_POST) { if($backend['name'] != "") $changedesc .= " modified '{$backend['name']}' pool:"; + foreach($simplefields as $stat) + update_if_changed($stat, $backend[$stat], $_POST[$stat]); - update_if_changed("name", $backend['name'], $_POST['name']); - update_if_changed("description", $backend['desc'], $_POST['desc']); - update_if_changed("status", $backend['status'], $_POST['status']); - update_if_changed("secondary", $backend['secondary'], $_POST['secondary']); - update_if_changed("type", $backend['type'], $_POST['type']); - update_if_changed("cookie_name", $backend['cookie_name'], $_POST['cookie_name']); - update_if_changed("forwardfor", $backend['forwardfor'], $_POST['forwardfor']); - update_if_changed("httpclose", $backend['httpclose'], $_POST['httpclose']); - update_if_changed("type", $backend['type'], $_POST['type']); - update_if_changed("port", $backend['port'], $_POST['port']); - update_if_changed("extaddr", $backend['extaddr'], $_POST['extaddr']); - update_if_changed("backend_serverpool", $backend['backend_serverpool'], $_POST['backend_serverpool']); - update_if_changed("max_connections", $backend['max_connections'], $_POST['max_connections']); - update_if_changed("client_timeout", $backend['client_timeout'], $_POST['client_timeout']); + update_if_changed("advanced", $backend['advanced'], base64_encode($_POST['advanced'])); - update_if_changed("ssloffloadcert", $backend['ssloffloadcert'], $_POST['ssloffloadcert']); - update_if_changed("dcertadv", $backend['dcertadv'], $_POST['dcertadv']); - update_if_changed("ssloffload", $backend['ssloffload'], $_POST['ssloffload']); $backend['ha_acls']['item'] = $a_acl; if (isset($id) && $a_backend[$id]) { @@ -278,6 +255,12 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); if(strstr($pfSversion, "1.2")) $one_two = true; +if (!$id) +{ + //default value for new items. + $pconfig['ssloffloadacl'] = "yes"; +} + $pgtitle = "HAProxy: Frontend: Edit"; include("head.inc"); @@ -720,6 +703,12 @@ include("head.inc"); NOTE: choose the cert to use on this frontend. + + ACL for certificate CN + + onclick="updatevisibility();">Add ACL for certificate CommonName. + + Advanced ssl options diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php index 09474f02..5fb43b49 100644 --- a/config/haproxy-devel/haproxy_pool_edit.php +++ b/config/haproxy-devel/haproxy_pool_edit.php @@ -113,8 +113,9 @@ if ($_POST) { $server_name=$_POST['server_name'.$x]; $server_address=$_POST['server_address'.$x]; $server_port=$_POST['server_port'.$x]; + $server_ssl=$_POST['server_ssl'.$x]; $server_weight=$_POST['server_weight'.$x]; - $server_backup=$_POST['server_backup'.$x]; + $server_status=$_POST['server_status'.$x]; if ($server_address) { @@ -122,8 +123,9 @@ if ($_POST) { $server['name']=$server_name; $server['address']=$server_address; $server['port']=$server_port; + $server['ssl']=$server_ssl; $server['weight']=$server_weight; - $server['backup']=$server_backup; + $server['status']=$server_status; $a_servers[]=$server; if (preg_match("/[^a-zA-Z0-9\.\-_]/", $server_name)) @@ -257,12 +259,15 @@ row_helper(); rowname[2] = "server_port"; rowtype[2] = "textbox"; rowsize[2] = "5"; - rowname[3] = "server_weight"; - rowtype[3] = "textbox"; + rowname[3] = "server_ssl"; + rowtype[3] = "checkbox"; rowsize[3] = "5"; - rowname[4] = "server_backup"; - rowtype[4] = "checkbox"; + rowname[4] = "server_weight"; + rowtype[4] = "textbox"; rowsize[4] = "5"; + rowname[5] = "server_status"; + rowtype[5] = "select"; + rowsize[5] = "1"; @@ -295,16 +300,15 @@ row_helper(); - Server list - - - + Server list + - + + @@ -322,8 +326,9 @@ row_helper(); + - +
Name Address PortWeightSSLWeight Backup
+ + +
@@ -344,10 +349,18 @@ row_helper(); + - /> - + - +
@@ -473,14 +486,14 @@ row_helper(); Advanced settings
Connection timeoutConnection timeout size="64">
the time (in milliseconds) we give up if the connection does not complete within (default 30000).
Server timeoutServer timeout size="64">
the time (in milliseconds) we accept to wait for data from the server, or for the server to accept data (default 30000).
@@ -582,7 +595,7 @@ set by the 'retries' parameter.