From e1a963c1f543873630b104d244151ed70c0b9da7 Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Sat, 9 Mar 2013 01:06:56 +0100 Subject: haproxy-devel, small bugfixes.. maintain ssl checkbox selection, dont use httpcheck for ssl backends, use req_ssl_hello_type for https with SNI acl's. --- config/haproxy-devel/haproxy.inc | 39 ++++++++++++++++++++----- config/haproxy-devel/haproxy_listeners_edit.php | 18 ++++++++++-- config/haproxy-devel/haproxy_pool_edit.php | 4 +-- 3 files changed, 49 insertions(+), 12 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index cd440eb0..e246b8e0 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -63,7 +63,7 @@ $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', 'mode' => '', 'syntax' => 'src'); if ($haproxy_sni_ssloffloading) { $a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches', - 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\r\ntcp-request content accept if { req_ssl_hello_type 1 }"); + 'mode' => 'https', 'syntax' => 'req_ssl_sni -i', 'advancedoptions' => "tcp-request inspect-delay 5s\n\ttcp-request content accept if { req_ssl_hello_type 1 }"); } function haproxy_custom_php_deinstall_command() { 
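Review bot: The `\n\t` now embedded in the ssl_sni_matches `advancedoptions` literal carries the indentation of the second directive inside the data itself, so the entry only renders correctly because the writer in haproxy_writeconf() prepends its own `\t` to the first line and nothing to continuation lines. That coupling is invisible from this array, so a comment on the entry would help: `// multi-line: the config writer indents only the first line, so each continuation line embeds its own "\t"`. Any future ACL type that needs more than one extra directive has to follow the same convention.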
@@ -324,7 +324,20 @@ function haproxy_find_acl($name) { function write_backend($fd, $name, $pool, $frontend) { if(!is_array($pool['ha_servers']['item']) && !$pool['stats_enabled']=='yes') return; + + $a_servers = &$pool['ha_servers']['item']; + unset($sslserverpresent); + if (is_array($a_servers)) + { + foreach($a_servers as $be) { + if (!$be['status'] == "inactive") + continue; + if ($be['ssl']) + $sslserverpresent = true; + } + } + fwrite ($fd, "backend " . $name . "\n"); if($pool['cookie_name'] && strtolower($frontend['type']) == "http") fwrite ($fd, "\tcookie\t\t\t" . $pool['cookie_name'] . " insert indirect\n"); @@ -333,7 +346,7 @@ function write_backend($fd, $name, $pool, $frontend) { if(strtolower($frontend['type']) == "https") { $backend_type = "tcp"; $httpchk = "ssl-hello-chk"; - } else { + } else { $backend_type = $frontend['type']; $httpchk = "httpchk"; } @@ -378,7 +391,9 @@ function write_backend($fd, $name, $pool, $frontend) { $uri = $pool['monitor_uri']; else $uri = "/"; - fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n"); + + if (!$sslserverpresent) + fwrite ($fd, "\toption\t\t\t{$httpchk} HEAD " . $uri . " HTTP/1.0\n"); if ($pool['advanced_backend']) { $adv_be = explode("\n", base64_decode($pool['advanced_backend'])); @@ -407,7 +422,6 @@ function write_backend($fd, $name, $pool, $frontend) { else $checkinter = ""; - $a_servers = &$pool['ha_servers']['item']; if (is_array($a_servers)) { foreach($a_servers as $be) { 
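Review bot: The inactive-server test in the new loop never skips anything, because `!` binds tighter than `==`: `!$be['status'] == "inactive"` compares a boolean with a string and is always false, so the intended line is `if ($be['status'] == "inactive") continue;` (the pre-existing `!$pool['stats_enabled']=='yes'` on the first context line has the same precedence problem and the commit leaves it). When no SSL server is found the loop also leaves `$sslserverpresent` unset, so the `if (!$sslserverpresent)` guard added in hunk @@ -378,7 +391,9 reads an undefined variable; initialise it with `$sslserverpresent = false;` instead of `unset()`. The loop treats any truthy `$be['ssl']` as enabled while the server line in hunk @@ -421,7 +435,8 tests `$be['ssl'] == 'yes'`; use the same test in both places. Since a single SSL-enabled server makes the writer drop `option httpchk` for the whole pool, which presumably leaves every server on a plain layer-4 check, the guard deserves a why-comment such as `// an HTTP check cannot be sent to an ssl-enabled server, so the whole pool falls back to the default check`.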
@@ -421,7 +435,8 @@ function write_backend($fd, $name, $pool, $frontend) { } else { $isbackup = ""; } - fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . " $cookie " . " $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); + $ssl = ($backend_type == "http" && $be['ssl'] == 'yes') ? ' ssl' : ""; + fwrite ($fd, "\tserver\t\t\t" . $be['name'] . " " . $be['address'].":" . $be['port'] . "$ssl $cookie $checkinter $isbackup weight " . $be['weight'] . "{$advanced_txt}\n"); } } fwrite ($fd, "\n"); @@ -486,7 +501,7 @@ function haproxy_writeconf() { } //check ssl info - if ($backend['ssloffload']){ + if (strtolower($backend['type']) == "http" && $backend['ssloffload']){ //ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem $ssl_crt=" crt /var/etc/{$backend['name']}.{$backend['port']}.crt"; $cert = lookup_cert($backend['ssloffloadcert']); @@ -497,6 +512,9 @@ function haproxy_writeconf() { $ssl_crt=""; unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt"); } + + if ($backend['extaddr']=='localhost') + $backend['extaddr'] = "127.0.0.1"; $bname = $backend['extaddr'] . ":" . $backend['port']; if (!is_array($a_bind[$bname])) { @@ -538,6 +556,8 @@ function haproxy_writeconf() { else $frontendinfo = "frontend {$bind['name']}\n"; + $advancedextra = array(); + // Prepare ports for processing by splitting $portss = "{$bind['port']},"; $ports = split(",", $portss); @@ -622,7 +642,7 @@ function haproxy_writeconf() { $a_pendingpl[$poolname]['frontend'] = $bconfig; } - if ($bconfig['ssloffload'] && $bconfig['ssloffloadacl']) { + if (strtolower($bind['type']) == "http" && $bconfig['ssloffload'] && $bconfig['ssloffloadacl']) { $aclname = "SNI_" . $poolname; $cert_cn = cert_get_cn($bconfig['ssloffloadcert'] ,true); //$expr = "req_ssl_sni -i $cert_cn"; 
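Review bot: The new `server` line turns on backend TLS with a bare ` ssl` keyword and no `verify` or `ca-file` option, so whether HAProxy validates the upstream certificate is left to the build's default, which in early 1.5-dev releases meant no verification and in later releases means a startup error unless `verify` or a global `ssl-server-verify` is set. Either emit an explicit mode next to the keyword or record the assumption: `// 'ssl' alone leaves certificate verification to HAProxy's default; no per-server verify/ca-file option exists yet`. The rewritten line also still writes `$be['name']`, `$be['address']` and `$be['port']` into the directive verbatim; if the pool edit page does not validate those fields (not visible here), whitespace in any of them ends up as extra server options in the generated config. write_backend() starts and ends outside the hunk.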
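Review bot: The else branch that the stricter `http` condition in hunk @@ -486,7 +501,7 now reaches for every non-http listener cleans up with `unlink_if_exists("var/etc/{$backend['name']}.{$backend['port']}.crt")`, a path relative to the working directory, while the file is written as `/var/etc/{$backend['name']}.{$backend['port']}.crt`; the certificate file left by an earlier https setup is therefore never removed. Use the absolute path: `unlink_if_exists("/var/etc/{$backend['name']}.{$backend['port']}.crt");`. The new `localhost` mapping covers only IPv4; if `::1` is intentionally excluded, a hedged comment such as `// 'localhost' is rewritten to the IPv4 loopback only; IPv6 ::1 is not covered — TODO confirm` stops the next reader from guessing. haproxy_writeconf() starts and ends outside the hunk.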
@@ -648,10 +668,15 @@ function haproxy_writeconf() { $aclname = $i . "_" . $entry['name']; fwrite ($fd, "\tacl\t\t\t" . $aclname . "\t" . $expr . "\n"); fwrite ($fd, "\tuse_backend\t\t" . $poolname . " if " . $aclname . "\n"); + + if ($acl['advancedoptions'] != '') + $advancedextra[$acl['syntax']] = $acl['advancedoptions']."\n"; $i++; } } + foreach($advancedextra as $extra) + fwrite ($fd, "\t".$extra."\n"); fwrite ($fd, "\n"); } } diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index c61954ac..3139250c 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -33,6 +33,16 @@ require("guiconfig.inc"); require_once("haproxy.inc"); +/* Compatibility function for pfSense 2.0 */ +if (!function_exists("cert_get_purpose")) { + function cert_get_purpose(){ + $result = array(); + $result['server'] = "Yes"; + return $result; + } +} +/**/ + function get_certificat_usage($refid) { $usage = array(); $cert = lookup_cert($refid); @@ -55,7 +65,7 @@ function get_certificat_usage($refid) { return $usage; } -/// This function (is intendet to) provides a uniform way to retrieve a list of use selectable certificates +// This function (is intended to) provides a uniform way to retrieve a list of server certificates function get_certificates_server($get_includeWebCert=false) { global $config; $certificates=array(); @@ -64,7 +74,7 @@ function get_certificates_server($get_includeWebCert=false) { { if ($get_ca == false && is_webgui_cert($cert['refid'])) continue; - + $purpose = cert_get_purpose($cert['crt']); if ($purpose['server'] != 'Yes') continue; @@ -496,7 +506,8 @@ include("head.inc"); onclick="updatevisibility();">secondary backend
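Review bot: `$acl['advancedoptions'] != ''` raises an undefined-index notice for every ACL type that does not define the key, which per the `$a_acltypes` entries in the first hunk is all of them except ssl_sni_matches, assuming `$acl` is one of those entries (its origin is outside the hunk); `if (!empty($acl['advancedoptions']))` covers both cases. The emitted `tcp-request content accept if { req_ssl_hello_type 1 }` has no reject counterpart, so by HAProxy's documented default a client that sends nothing within the 5s inspect delay is still accepted and, with no SNI ACL matching, routed to the default backend; if that is intended, a comment on the `foreach($advancedextra ...)` write such as `// no tcp-request content reject: connections without a ClientHello fall through to the default backend after the inspect delay` records it. The enclosing haproxy_writeconf() starts before the hunk.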
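Review bot: The pfSense 2.0 shim for `cert_get_purpose()` ignores the certificate it is given and reports every certificate as a server certificate, so the `$purpose['server'] != 'Yes'` filter in get_certificates_server() (hunk @@ -64,7 +74,7) is a no-op on that platform and CA or client certificates become selectable for SSL offload there; the comment should say so rather than just "Compatibility function". It is also declared without the parameter the caller passes, `cert_get_purpose($cert['crt'])`; declaring it as `function cert_get_purpose($str_crt) {` keeps the shim's signature aligned with the call site. Suggested header: `/* pfSense 2.0 lacks cert_get_purpose(); this shim marks every certificate as usable for a server, so no purpose filtering happens on 2.0 */`.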
Use this setting to configure multiple backends/accesslists for a single frontend.
- All settings of which only 1 can exist will be hidden. And + All settings of which only 1 can exist will be hidden.
+ The frontend settings will be merged into 1 set of frontend configuration. @@ -513,6 +524,7 @@ include("head.inc"); - + size="5"/> -- cgit v1.2.3