From 02f1cef4b3a8a980e204b895590c7a4c8509aceb Mon Sep 17 00:00:00 2001
From: PiBa-NL
Date: Tue, 18 Feb 2014 20:21:05 +0100
Subject: haproxy-devel, add some extra 'help' text and correction on source formating tabs
---
config/haproxy-devel/haproxy_global.php | 30 ++++++-------
config/haproxy-devel/haproxy_listeners_edit.php | 9 ++--
config/haproxy-devel/haproxy_pool_edit.php | 57 +++++++++++++++++++++----
3 files changed, 67 insertions(+), 29 deletions(-)
(limited to 'config/haproxy-devel')
diff --git a/config/haproxy-devel/haproxy_global.php b/config/haproxy-devel/haproxy_global.php
index 8264558f..c9a25eee 100755
--- a/config/haproxy-devel/haproxy_global.php
+++ b/config/haproxy-devel/haproxy_global.php
@@ -161,20 +161,6 @@ function enable_change(enable_change) {
- - - - - - - - @@ -357,7 +343,8 @@ function enable_change(enable_change) { @@ -367,6 +354,19 @@ function enable_change(enable_change) {   + + + + + + + diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index bd0f93d5..09af1c5b 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -57,8 +57,6 @@ function haproxy_js_acl_select($mode) { return $seltext; } -$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; - if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { $config['installedpackages']['haproxy']['ha_backends']['item'] = array(); } @@ -445,7 +443,7 @@ $interfaces = haproxy_get_bindable_interfaces(); @@ -546,7 +544,8 @@ $interfaces = haproxy_get_bindable_interfaces(); @@ -597,7 +596,7 @@ $interfaces = haproxy_get_bindable_interfaces(); @@ -459,6 +496,7 @@ foreach($simplefields as $field){ @@ -494,7 +532,8 @@ foreach($simplefields as $field){ @@ -629,10 +668,10 @@ set by the 'retries' parameter. - + - - + + - + - + - + - + @@ -533,7 +529,7 @@ foreach($simplefields as $field){ -- cgit v1.2.3
Recalculate certificate chain.
  - - -
- This can be required after certificates have been created or imported. As pfSense 2.1.0 currently does not - always keep track of these dependencies which might be required to create a proper certificate chain when using SSLoffloading. -
General settings
  - + +
NOTE: paste text into this box that you would like to pass thru in the global settings area.
Recalculate certificate chain.
  + + (Other changes on this page will be lost) +
+ This can be required after certificates have been created or imported. As pfSense 2.1.0 currently does not + always keep track of these dependencies which might be required to create a proper certificate chain when using SSLoffloading. +
Configuration synchronization
External port size="10" maxlength="500" /> -
The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,443
+
The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,8000
Advanced pass thru - + +
NOTE: paste text into this box that you would like to pass thru.
Advanced ssl options - maxlength="64" /> + />
NOTE: Paste additional ssl options(without commas) to include on ssl listening options.
some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php index 9b64df87..86b325c1 100644 --- a/config/haproxy-devel/haproxy_pool_edit.php +++ b/config/haproxy-devel/haproxy_pool_edit.php @@ -308,6 +308,18 @@ foreach($simplefields as $field){ } } } + function toggleCSSdisplay(cssID) + { + var ss = document.styleSheets; + for (var i=0; i
Server list + + Toggle serverlist help. ">help + + + +
+ Mode: Active: server will be used normally
+ Backup: server is only used in load balancing when all other non-backup servers are unavailable
+ Disabled: server is marked down in maintenance mode
+ Inactive: server will not be available for use +
+ Name: Used to as a name for the server in for example the stats
EXAMPLE: MyWebServer +
+ Address: IP or hostname(only resolved on start-up.)
EXAMPLE: 192.168.1.22 , fe80::1000:2000:3000:4000%em0 , WebServer1.localdomain +
+ Port: The port of the backend.
EXAMPLE: 80 or 443
+
+ SSL: Is the backend using SSL (commonly with port 443)
+
+ Weight: A weight between 0 and 256, this setting can be used when multiple servers on different hardware need to be balanced with with a different part the traffic. A server with weight 0 wont get new traffic. Default if empty: 1 +
+ Cookie: the value of the cookie used to identify a server (only when cookie-persistence is enabled below) +
+ Advanced: More advanced settings like rise,fall,error-limit,send-proxy and others can be configured here.
For a full list of options see the HAProxy manual: Server and default-server options +
Transparent ClientIP + WARNING Activating this option will load rules in IPFW and might interfere with CaptivePortal and possibly other services due to the way server return traffic must be 'captured' with a automatically created fwd rule. This also breaks directly accessing the (web)server on the ports configured above. Also a automatic sloppy pf rule is made to allow HAProxy to server traffic.
onclick='updatevisibility();' /> Use Client-IP to connect to backend servers.
@@ -479,7 +517,7 @@ foreach($simplefields as $field){ For proper workings this requires the reply's traffic to pass through pfSense by means of correct routing. (uses the option "source 0.0.0.0 usesrc clientip")

- Note : When this is enabled for a single backend HAProxy will run as 'root', which reduces security. + Note : When this is enabled for a single backend HAProxy will run as 'root' instead of chrooting to a lower privileged user, this reduces security in case of a a bit.
Backend pass thru - + +
NOTE: paste text into this box that you would like to pass thru. Applied to the backend section.
 
Cookie persistence
Cookie Enabled onclick='updatevisibility();' /> @@ -664,7 +703,7 @@ set by the 'retries' parameter.
 
Stick-table persistence
These options are used to make sure seperate requests from a single client go to the same backend. This can be required for servers that keep track of for example a shopping cart.
Stick tables Date: Fri, 14 Mar 2014 20:40:03 +0100 Subject: haproxy-devel, support for port-aliasses, using htmlspecialchars where needed --- config/haproxy-devel/haproxy.inc | 92 ++++++++++++++++++++++++- config/haproxy-devel/haproxy_listeners.php | 4 +- config/haproxy-devel/haproxy_listeners_edit.php | 14 ++-- config/haproxy-devel/haproxy_pool_edit.php | 8 +-- 4 files changed, 102 insertions(+), 16 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index d039b55a..3dce7e4d 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc 
@@ -158,6 +158,88 @@ $a_sticky_type['stick_rdp_cookie'] = array('name' => 'Stick on RDP-cookie', 'descr' => "Uses a RDP-Cookie send by the mstsc client, note that not all clients send this.", 'cookiedescr' => 'EXAMPLE: msts or mstshash'); +if(!function_exists('group_ports')){ +// function group_ports() is present in pfSense 2.2 in util.inc +/* create ranges of sequential port numbers (200:215) and remove duplicates */ +function group_ports($ports) { + if (!is_array($ports) || empty($ports)) + return; + + $uniq = array(); + foreach ($ports as $port) { + if (is_portrange($port)) { + list($begin, $end) = explode(":", $port); + if ($begin > $end) { + $aux = $begin; + $begin = $end; + $end = $aux; + } + for ($i = $begin; $i <= $end; $i++) + if (!in_array($i, $uniq)) + $uniq[] = $i; + } else if (is_port($port)) { + if (!in_array($port, $uniq)) + $uniq[] = $port; + } + } + sort($uniq, SORT_NUMERIC); + + $result = array(); + foreach ($uniq as $idx => $port) { + if ($idx == 0) { + $result[] = $port; + continue; + } + + $last = end($result); + if (is_portrange($last)) + list($begin, $end) = explode(":", $last); + else + $begin = $end = $last; + + if ($port == ($end+1)) { + $end++; + $result[count($result)-1] = "{$begin}:{$end}"; + } else { + $result[] = $port; + } + } + + return $result; +} +} + +function haproxy_portoralias_to_list($port_or_alias) { + // input: a port or aliasname: 80 https MyPortAlias + // returns: a array of ports and portranges 80 443 8000:8010 + global $config; + $portresult = array(); + if (is_alias($port_or_alias)) { + if (is_array($config['aliases']['alias'])) { + foreach ($config['aliases']['alias'] as $alias) { + if ($alias['name'] == $port_or_alias && preg_match("/port/i", $alias['type'])) { + $ports = explode(' ',$alias['address']); + foreach($ports as $port) { + $portresults = haproxy_portoralias_to_list($port); + $portresult = array_merge($portresult, $portresults); + } + return $portresult; + } + } + } + } else if 
(is_portrange($port_or_alias)) { + return (array)$port_or_alias; + } else if (is_port($port_or_alias)) { + if (getservbyname($port_or_alias, "tcp")) + return (array)getservbyname($port_or_alias, "tcp"); + if (getservbyname($port_or_alias, "udp")) + return (array)getservbyname($port_or_alias, "udp"); + return (array)$port_or_alias; + } + else + return null; +} + function haproxy_custom_php_deinstall_command() { exec("cd /var/db/pkg && pkg_delete `ls | grep haproxy`"); exec("rm /usr/local/pkg/haproxy*"); @@ -840,9 +922,13 @@ function haproxy_writeconf($configpath) { // Process and add bind directives for ports $ip = haproxy_interface_ip($bind['extaddr']); if ($ip){ - foreach($ports as $port) { - if($port) { - $listenip .= "\tbind\t\t\t$ip:{$port} {$ssl_info} {$advanced_bind}\n"; + foreach($ports as $alias_or_port) { + if($alias_or_port) { + $portsnumeric = group_ports(haproxy_portoralias_to_list($alias_or_port)); + foreach($portsnumeric as $portnumeric) { + $portnumeric = str_replace(":","-",$portnumeric); + $listenip .= "\tbind\t\t\t$ip:{$portnumeric} {$ssl_info} {$advanced_bind}\n"; + } } } } diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php index 2a1f12e6..f5d262e0 100644 --- a/config/haproxy-devel/haproxy_listeners.php +++ b/config/haproxy-devel/haproxy_listeners.php @@ -167,7 +167,7 @@ include("head.inc"); $acls = get_frontend_acls($frontend); $isaclset = ""; foreach ($acls as $acl) { - $isaclset .= " " . $acl['descr']; + $isaclset .= " " . htmlspecialchars($acl['descr']); } if ($frontend['ssloffloadacl']) $isaclset .= " " . "Certificate ACL"; 
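Review bot: haproxy_portoralias_to_list() does not always return an array: the final `else` returns null, and when is_alias() is true but no entry with a port type matches (a host alias, or an alias renamed after the listener was saved) the function falls off the end with no return at all. The recursive call feeds that value into `array_merge($portresult, $portresults)`, and in the haproxy_writeconf hunk (-840,9) the result passes through the group_ports() copy added here, which does a bare `return;` for a non-array or empty list, straight into `foreach($portsnumeric as $portnumeric)`. The outcome is a PHP warning and a frontend written without its bind line instead of a visible configuration error. Return `array()` from both paths (`return array();` after the alias loop and in the final `else`), and guard the caller with `if (!is_array($portsnumeric)) { continue; }` plus a log entry naming the skipped port. Both function bodies are fully inside this hunk; haproxy_writeconf starts and ends outside its hunk.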
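Review bot: The `htmlspecialchars($acl['descr'])` call here, and the `htmlspecialchars($frontend['advanced_bind'])` call in the next hunk (-178,7), rely on the default flags, which before PHP 8.1 leave single quotes unescaped. The markup around these strings is not visible in the hunks, but the `\r\n` separators suggest they end up inside an attribute such as a tooltip, and a later hunk on this page shows an attribute closed with `'`. If any of these values lands in a single-quoted attribute, a description containing `'` can still terminate it. Passing the flag explicitly, `htmlspecialchars($acl['descr'], ENT_QUOTES)`, makes the escaping independent of the quoting style used in the template.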
@@ -178,7 +178,7 @@ include("head.inc"); echo ""; $isadvset = ""; - if ($frontend['advanced_bind']) $isadvset .= "Advanced bind: {$frontend['advanced_bind']}\r\n"; + if ($frontend['advanced_bind']) $isadvset .= "Advanced bind: ".htmlspecialchars($frontend['advanced_bind'])."\r\n"; if ($frontend['advanced']) $isadvset .= "Advanced pass thru setting used\r\n"; if ($isadvset) echo ""; diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index 09af1c5b..39df82d1 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -149,8 +149,8 @@ if ($_POST) { $ports = split(",", $_POST['port'] . ","); foreach($ports as $port) - if ($port && !is_numeric($port)) - $input_errors[] = "The field 'Port' value is not a number."; + if ($port && !is_numeric($port) && !is_portoralias($port)) + $input_errors[] = "The field 'Port' value '".htmlspecialchars($port)."' is not a number or alias thereof."; if ($_POST['client_timeout'] !== "" && !is_numeric($_POST['client_timeout'])) $input_errors[] = "The field 'Client timeout' value is not a number."; @@ -245,6 +245,8 @@ $interfaces = haproxy_get_bindable_interfaces(); .haproxy_primary{} .haproxy_secondary{display:none;} + + @@ -253,7 +255,6 @@ $interfaces = haproxy_get_bindable_interfaces(); - Per server pass thru - ' size="64" /> + ' size="64" />
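Review bot: In the -149,8 hunk the relaxed port check still lets anything that satisfies is_numeric() through before is_portoralias() is consulted, so values such as `-1`, `70000`, `1e3` or `80.5` are accepted as a listener port. With this commit the config writer resolves ports through haproxy_portoralias_to_list(), which only accepts is_port(), is_portrange() or a port alias, so validation and generation now disagree and such a listener would likely be saved but produce no bind line. If is_portoralias() already accepts plain port numbers, as it appears to in pfSense's util.inc, the condition can be reduced to `if ($port && !is_portoralias($port))`. The comma-separated pieces are not trimmed either, so input like `80, 443` would need `$port = trim($port);` before that stricter check.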
NOTE: paste text into this box that you would like to pass thru. Applied to each 'server' line.
Backend pass thru - +
NOTE: paste text into this box that you would like to pass thru. Applied to the backend section.