From 6479eab976d425ae2f8d3eb988a4f79d701001a5 Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Sun, 19 Jul 2015 17:14:03 +0200 Subject: haproxy-1_5, haproxy-devel, bump binary versions to 1.5.14 / 1.6-dev2. Also copy fixes made -devel to the -1_5 package. --- config/haproxy1_5/pkg/haproxy.inc | 208 ++++++++++++- config/haproxy1_5/pkg/haproxy_utils.inc | 44 ++- config/haproxy1_5/pkg/haproxy_utils.inc.bak | 460 ---------------------------- 3 files changed, 224 insertions(+), 488 deletions(-) delete mode 100644 config/haproxy1_5/pkg/haproxy_utils.inc.bak (limited to 'config/haproxy1_5/pkg') diff --git a/config/haproxy1_5/pkg/haproxy.inc b/config/haproxy1_5/pkg/haproxy.inc index 793c5c28..eceef783 100644 --- a/config/haproxy1_5/pkg/haproxy.inc +++ b/config/haproxy1_5/pkg/haproxy.inc @@ -345,10 +345,12 @@ function haproxy_custom_php_deinstall_command() { update_output_window($static_output); $static_output .= "HAProxy, deleting haproxy webgui\n"; update_output_window($static_output); - exec("rm /usr/local/etc/rc.d/haproxy.sh"); + unlink_if_exists("/usr/local/etc/rc.d/haproxy.sh"); + unlink_if_exists("/etc/rc.haproxy_ocsp.sh"); $static_output .= "HAProxy, installing cron job if needed\n"; update_output_window($static_output); haproxy_install_cron(false); + haproxy_install_cronjob(false, '/etc/rc.haproxy_ocsp.sh'); $static_output .= "HAProxy, running haproxy_custom_php_deinstall_command() DONE\n"; update_output_window($static_output); } @@ -362,6 +364,12 @@ function haproxy_custom_php_install_command() { update_output_window($static_output); conf_mount_rw(); + $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); + if ($pf_version == "2.1" || $pf_version == "2.2") + $haproxy_binary = "/usr/pbi/haproxy-devel-" . php_uname("m") . "/sbin/haproxy"; + else + $haproxy_binary = "/usr/local/sbin/haproxy"; + $static_output .= "HAProxy, create '/usr/local/etc/rc.d/haproxy.sh'\n"; update_output_window($static_output); $haproxy = << + +EOD; + // removing the \r prevents the "No input file specified." error.. + $haproxy_ocsp = str_replace("\r\n","\n", $haproxy_ocsp); + $fd = fopen("/etc/rc.haproxy_ocsp.sh", "w"); + fwrite($fd, $haproxy_ocsp); + fclose($fd); + chmod("/etc/rc.haproxy_ocsp.sh", 0755); $static_output .= "HAProxy, update configuration\n"; update_output_window($static_output); @@ -447,6 +480,51 @@ EOD; update_output_window($static_output); } +function haproxy_install_cronjob($should_install, $script, $interval = 60, $parameters = "") { + global $config, $g; + if($g['booting']==true) + return; + $is_installed = false; + if(!$config['cron']['item']) + return; + $x=0; + foreach($config['cron']['item'] as $item) { + if(strstr($item['command'], $script)) { + $is_installed = true; + break; + } + $x++; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['minute'] = "*/{$interval}"; + $cron_item['hour'] = "*"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "$script $parameters"; + $config['cron']['item'][] = $cron_item; + parse_config(true); + write_config("haproxy, install cron job"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + parse_config(true); + write_config("haproxy, remove cron job"); + } + configure_cron(); + } + break; + } +} + function haproxy_install_cron($should_install) { global $config, $g; if($g['booting']==true) @@ -879,24 +957,108 @@ function haproxy_write_certificate_crl($filename, $crlid, $append = false) { unset($crl); } -function haproxy_write_certificate_fullchain($filename, $certid, $append = false) { +function haproxy_write_certificate_fullchain($filename, $certid, $append = false, $skiproot = true) { $cert = haproxy_lookup_cert($certid); $certcontent = base64_decode($cert['crt']); if (isset($cert['prv'])) $certcontent .= "\r\n".base64_decode($cert['prv']); + $ca = $cert; + while(!empty($ca['caref'])) { + $ca = lookup_ca($ca['caref']); + if ($ca) { + if ($skiproot && (cert_get_subject($ca['crt']) == cert_get_issuer($ca['crt']))) + break; + $certcontent .= "\r\n" . base64_decode($ca['crt']); + } else + break; + } + $flags = $append ? FILE_APPEND : 0; + file_put_contents($filename, $certcontent, $flags); + unset($certcontent); + unset($cert); +} + +function haproxy_write_certificate_issuer($filename, $certid) { + $cert = haproxy_lookup_cert($certid); $certchaincontent = ca_chain($cert); if ($certchaincontent != "") { $certcontent .= "\r\n" . $certchaincontent; } unset($certchaincontent); - $flags = $append ? FILE_APPEND : 0; - file_put_contents($filename, $certcontent, $flags); + file_put_contents($filename, $certcontent, 0); unset($certcontent); unset($cert); } +function haproxy_uses_ocsp() { + global $config; + $a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + if (!is_array($a_frontends)) + return false; + + $configpath = "{$g['varetc_path']}/haproxy"; + foreach ($a_frontends as $frontend) { + if ($frontend['sslocsp'] == 'yes') { + return true; + } + } + return false; +} + +function haproxy_getocspurl($filename) { + return exec("openssl x509 -noout -ocsp_uri -in $filename", $output, $err); +} + +function haproxy_updateocsp_one($socketupdate, $filename, $name) { + if (file_exists("{$filename}.ocsp")) { + // If the .ocsp file exists we want to use ocsp + syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}.. "); + $ocsp_url = haproxy_getocspurl($filename); + $ocsp_host = parse_url($ocsp_url, PHP_URL_HOST); + if (empty($ocsp_url)) { + // If cert does not have a ocsp_uri, it cannot be updated.. + syslog(LOG_ERR, "HAProxy OCSP ERROR Cert does not have a ocsp_uri"); + } else { + $retval = exec("openssl ocsp -issuer {$filename}.issuer -verify_other {$filename}.issuer -cert {$filename} -url {$ocsp_url} -header Host {$ocsp_host} -respout {$filename}.ocsp 2>&1", $output, $err); + if ($socketupdate) { + $ocspresponse = base64_encode(file_get_contents("{$filename}.ocsp")); + $r = haproxy_socket_command("set ssl ocsp-response $ocspresponse"); + if ($r[0] == "OCSP Response updated!\n") + syslog(LOG_NOTICE, "HAProxy OCSP socket update successful for frontend {$name}..result: ".$retval); + else { + syslog(LOG_ERR, "HAProxy OCSP ERROR while performing haproxy socket update OCSP response for: {$name}"); + } + } else { + syslog(LOG_NOTICE, "HAProxy Retrieving OCSP for frontend {$name}..result: ".$retval); + } + } + } +} + +function haproxy_updateocsp($socketupdate = true) { + global $config, $g; + $a_frontends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + if (!is_array($a_frontends)) + return true; + + $configpath = "{$g['varetc_path']}/haproxy"; + foreach ($a_frontends as $frontend) { + $filename = "$configpath/{$frontend['name']}.pem"; + haproxy_updateocsp_one($socketupdate, $filename, $frontend['name']); + + $subfolder = "$configpath/{$frontend['name']}"; + $certs = $frontend['ha_certificates']['item']; + if (is_array($certs)){ + foreach($certs as $cert){ + $filename = "$subfolder/{$cert['ssl_certificate']}.pem"; + haproxy_updateocsp_one($socketupdate, $filename, $frontend['name']); + } + } + } +} + function haproxy_writeconf($configpath) { global $config; global $aliastable; @@ -993,14 +1155,29 @@ function haproxy_writeconf($configpath) { //ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem $filename = "$configpath/{$frontend['name']}.pem"; $ssl_crt = " crt $filename"; + haproxy_write_certificate_fullchain($filename, $frontend['ssloffloadcert']); + if ($frontend['sslocsp'] == 'yes') { + if (!empty(haproxy_getocspurl($filename))) { + haproxy_write_certificate_issuer($filename . ".issuer", $frontend['ssloffloadcert']); + touch($filename . ".ocsp");//create initial empty file. this will trigger updates, and inform haproxy it 'should' be using ocsp + } + } + $subfolder = "$configpath/{$frontend['name']}"; $certs = $frontend['ha_certificates']['item']; if (is_array($certs)){ if (count($certs) > 0){ @mkdir($subfolder, 0755, true); foreach($certs as $cert){ - haproxy_write_certificate_fullchain("$subfolder/{$cert['ssl_certificate']}.pem", $cert['ssl_certificate']); + $filenamefoldercert = "$subfolder/{$cert['ssl_certificate']}.pem"; + haproxy_write_certificate_fullchain($filenamefoldercert, $cert['ssl_certificate']); + if ($frontend['sslocsp'] == 'yes') { + if (!empty(haproxy_getocspurl($filenamefoldercert))) { + haproxy_write_certificate_issuer($filenamefoldercert . ".issuer", $cert['ssl_certificate']); + touch($filenamefoldercert . ".ocsp"); + } + } } $ssl_crt .= " crt $subfolder"; } @@ -1344,11 +1521,6 @@ function haproxy_writeconf($configpath) { haproxy_do_xmlrpc_sync(); } } - - if (isset($a_global['carpdev'])) - haproxy_install_cron(true); - else - haproxy_install_cron(false); } function haproxy_is_running() { @@ -1560,8 +1732,18 @@ function haproxy_check_run($reload) { $a_global = &$config['installedpackages']['haproxy']; $configpath = "{$g['varetc_path']}/haproxy"; - if ($reload) + if ($reload) { haproxy_writeconf($configpath); + haproxy_updateocsp(false); + + if (isset($a_global['carpdev'])) + haproxy_install_cron(true); + else + haproxy_install_cron(false); + + $useocsp = haproxy_uses_ocsp(); + haproxy_install_cronjob($useocsp, '/etc/rc.haproxy_ocsp.sh', 120); + } if(isset($a_global['enable'])) { if (isset($a_global['carpdev'])) { diff --git a/config/haproxy1_5/pkg/haproxy_utils.inc b/config/haproxy1_5/pkg/haproxy_utils.inc index d8c4faf4..ec72b986 100644 --- a/config/haproxy1_5/pkg/haproxy_utils.inc +++ b/config/haproxy1_5/pkg/haproxy_utils.inc @@ -36,24 +36,38 @@ require_once("config.inc"); class haproxy_utils { public static $pf_version; - public function query_dns($host, $querytype="A,AAAA", $dnsserver = "127.0.0.1") { + public function query_dns($host, $querytype="A,AAAA") { $result = array(); - $host = trim($host, " \t\n\r\0\x0B[];\"'"); - $host_esc = escapeshellarg($host); $types = explode(',',$querytype); + $recordtype = 0; foreach($types as $type){ - $resolved = gethostbyname($host); - if($resolved) { - $resolved = array(); - if (haproxy_utils::$pf_version < '2.2') - exec("/usr/bin/dig {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved); - else - exec("/usr/bin/drill {$host_esc} $type @$dnsserver | /usr/bin/grep {$host_esc} | /usr/bin/grep -v ';' | /usr/bin/awk '{ print $5 }'", $resolved); - foreach($resolved as $item) { - $newitem = array(); - $newitem["typeid"] = $type; - $newitem["data"] = $item; - $result[] = $newitem; + switch ($type) { + case 'A': + $recordtype = DNS_A; + break; + case 'AAAA': + $recordtype = DNS_AAAA; + break; + } + if ($recordtype != 0) { + //query one type at a time, querying multiple types in one call dns_get_record fails if one is not present.. + $errreporting = error_reporting(); + error_reporting($errreporting & ~E_WARNING);// dns_get_record throws a warning if nothing is resolved.. + $dnsresult = dns_get_record($host, $recordtype); + error_reporting($errreporting); + if (is_array($dnsresult)) { + foreach($dnsresult as $item) { + $newitem["typeid"] = $item['type']; + switch ($item['type']) { + case 'A': + $newitem["data"] = $item['ip']; + break; + case 'AAAA': + $newitem["data"] = $item['ipv6']; + break; + } + $result[] = $newitem; + } } } } diff --git a/config/haproxy1_5/pkg/haproxy_utils.inc.bak b/config/haproxy1_5/pkg/haproxy_utils.inc.bak deleted file mode 100644 index 26c77b45..00000000 --- a/config/haproxy1_5/pkg/haproxy_utils.inc.bak +++ /dev/null @@ -1,460 +0,0 @@ - $ifdetail) { - if (!isset($ifdetail['enable'])) - continue; - if (!isset($ifdetail['ipaddr'])) - continue; - $descr = $ifdetail['descr']; - if (!$descr){ - if ($if == "wan" && !$ifdetail['descr']) - $descr = "WAN"; - else if ($if == "lan" && !$ifdetail['descr']) - $descr = "LAN"; - else - $descr = $if; - } - $item = array(); - $item['ip'] = get_interface_ip($if); - $item['name'] = "$descr address (IPv4)"; - $bindable[$if.'_ipv4'] = $item; - } - } - if (in_array('carp',$interfacetypes)){ - $carplist = get_configured_carp_interface_list(); - foreach ($carplist as $carpif => $carpip){ - if (is_ipaddrv4($carpip)){ - $item = array(); - $item['ip'] = $carpip; - $item['name'] = $carpip." (".get_vip_descr($carpip).")"; - $bindable[$carpip] = $item; - } - } - - } - if (in_array('ipalias',$interfacetypes)){ - $aliaslist = get_configured_ip_aliases_list(); - foreach ($aliaslist as $aliasip => $aliasif){ - if (is_ipaddrv4($aliasip)){ - $item = array(); - $item['ip'] = $aliasip; - $item['name'] = $aliasip." (".get_vip_descr($aliasip).")"; - $bindable[$aliasip.'_ipv4'] = $item; - } - } - } - } - if (!isset($config['system']['ipv6allow'])) - return $bindable;// skip adding the IPv6 addresses if those are not 'allowed' - - if (in_array("ipv6",$ipverions)){ - if (in_array('any',$interfacetypes)){ - $item = array(); - $item[ip] = '::'; - $item[name] = 'any (IPv6)'; - $bindable['any_ipv6'] = $item; - } - if (in_array('localhost',$interfacetypes)){ - $item = array(); - $item[ip] = '::1'; - $item[name] = 'localhost (IPv6)'; - $bindable['localhost_ipv6'] = $item; - } - if (in_array('real',$interfacetypes)){ - foreach($config['interfaces'] as $if => $ifdetail) { - if (!isset($ifdetail['enable'])) - continue; - if (!isset($ifdetail['ipaddrv6'])) - continue; - $descr = $ifdetail['descr']; - if (!$descr){ - if ($if == "wan" && !$ifdetail['descr']) - $descr = "WAN"; - else if ($if == "lan" && !$ifdetail['descr']) - $descr = "LAN"; - else - $descr = $if; - } - $item = array(); - $item['ip'] = get_interface_ipv6($if); - $item['name'] = "$descr address (IPv6)"; - $bindable[$if.'_ipv6'] = $item; - } - } - if (in_array('carp',$interfacetypes)){ - $carplist = get_configured_carp_interface_list(); - foreach ($carplist as $carpif => $carpip){ - if (is_ipaddrv6($carpip)){ - $item = array(); - $item['ip'] = $carpip; - $item['name'] = $carpip." (".get_vip_descr($carpip).")"; - $bindable[$carpip] = $item; - } - } - - } - if (in_array('ipalias',$interfacetypes)){ - $aliaslist = get_configured_ip_aliases_list(); - foreach ($aliaslist as $aliasip => $aliasif){ - if (is_ipaddrv6($aliasip)){ - $item = array(); - $item['ip'] = $aliasip; - $item['name'] = $aliasip." (".get_vip_descr($aliasip).")"; - $bindable[$aliasip] = $item; - } - } - } - } - return $bindable; -} - -function haproxy_get_cert_extensions($crt){ - $cert = openssl_x509_parse(base64_decode($crt['crt'])); - return $cert['extensions']; -} - -function haproxy_get_cert_authoritykeyidentifier($cert) -{ - $certextension = haproxy_get_cert_extensions($cert); - $lines = preg_split('/[\n]+/',$certextension['authorityKeyIdentifier']); - return substr($lines[0],6);// cut off the starting string 'keyid:' -} -function haproxy_get_cert_subjectKeyIdentifier($cert) -{ - $certextension = haproxy_get_cert_extensions($cert); - $lines = preg_split('/[\n]+/',$certextension['subjectKeyIdentifier']); - return $lines[0]; -} - -function haproxy_cert_signed_by($cert, $signedbycert) { - // checks if $cert was signed by $signedbycert - // this does NOT validate a proper signature but only checks if the extension properties match. - $authoritykeyid = haproxy_get_cert_authoritykeyidentifier($cert); - $subjectid = haproxy_get_cert_subjectKeyIdentifier($signedbycert); - return $authoritykeyid == $subjectid; -} - -function haproxy_recalculate_certifcate_chain(){ - // and set "selfsigned" for certificates that where used to sign themselves - // recalculate the "caref" for all certificates where it is currently unkown. - - $allcertificates = haproxy_get_certificates('ca,server,user',true); - $items_recalculated = 0; - foreach($allcertificates as &$cert){ - $recalculate=false; - if (!isset($cert['selfsigned'])){ - if (!isset($cert['caref'])) - $recalculate=true; - else { - $ca = lookup_ca($cert['caref']); - if (!$ca) - $recalculate=true; - } - } - if ($recalculate){ - foreach($allcertificates as &$signedbycert){ - if(haproxy_cert_signed_by($cert, $signedbycert)){ - if ($cert['refid'] == $signedbycert['refid']){ - $cert['selfsigned'] = true; - } else { - $cert['caref'] = $signedbycert['refid']; - } - $items_recalculated++; - } - } - } - } - if ($items_recalculated > 0) - write_config("Services: HAProxy: Recalculated $items_recalculated certificate chains."); - return $items_recalculated; -} - -function get_certificat_usage($refid) { - $usage = array(); - $cert = lookup_cert($refid); - if (is_cert_revoked($cert)) - $usage[] = "*Revoked"; - if (is_webgui_cert($refid)) - $usage[] = "webConfigurator"; - if (is_user_cert($refid)) - $usage[] = "User Cert"; - if (is_openvpn_server_cert($refid)) - $usage[] = "OpenVPN Server"; - if (is_openvpn_client_cert($refid)) - $usage[] = "OpenVPN Client"; - if (is_ipsec_cert($refid)) - $usage[] = "IPsec Tunnel"; - if (function_exists("is_captiveportal_cert")) - if (is_captiveportal_cert($refid)) - $usage[] = "Captive Portal"; - return $usage; -} - -function haproxy_get_certificate_descriptivename($cert) { - $usage = get_certificat_usage($cert['crt']); - foreach($usage as $use){ - $usagestr .= " " . $use; - } - if ($usagestr != "") - $usagestr = " (".trim($usagestr).")"; - - $purpose = cert_get_purpose($cert['crt']); - $certserverpurpose = $purpose['server'] == 'Yes' ? " [Server cert]" : ""; - - $caname = ""; - $ca = lookup_ca($cert['caref']); - if ($ca) - $caname = " (CA: {$ca['descr']})"; - - return $cert['descr'] . $caname . $certserverpurpose . $usagestr; -} - -function haproxy_get_certificates($type = 'server,user', $get_includeWebCert=false) { - // $type one or multiple of these separated by a comma: ca,server,user - // $get_includeWebCert if the webgui certificate may be included. - - // This function (is intended to) provide a uniform way to retrieve a list of server certificates - global $config; - $type = ",$type,"; - $certificates = array(); - if (strpos($type,',server,') !== false || strpos($type,',user,') !== false ) { - if (is_array($config['cert'])) { - $a_cert = &$config['cert']; - foreach ($a_cert as $cert) { - $purpose = cert_get_purpose($cert['crt']); - - $ok = false; - $ok |= stristr($type,',server,') && $purpose['server'] == 'Yes'; - $ok |= stristr($type,',user,') && $purpose['server'] != 'Yes'; - if (!$ok) - continue; - //if ($get_includeWebCert == false && is_webgui_cert($cert['refid'])) - if ($get_includeWebCert == false && $cert['descr'] == "def web cert") - continue; - $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert); - } - } - } - if (strpos($type,',ca,') !== false) { - if (is_array($config['ca'])) { - $a_cert = &$config['ca']; - foreach ($a_cert as $cert) { - $certificates[$cert['refid']]['name'] = haproxy_get_certificate_descriptivename($cert); - } - } - } - uasort($certificates, haproxy_compareByName); - return $certificates; -} - -function haproxy_get_crls() { - global $config; - $certificates=array(); - if (is_array($config['crl'])) { - foreach ($config['crl'] as $crl) { - $caname = ""; - $ca = lookup_ca($crl['caref']); - if ($ca) - $caname = " (CA: {$ca['descr']})"; - - $certificates[$crl['refid']]['name'] = $crl['descr'] . $caname; - } - } - uasort($certificates, haproxy_compareByName); - return $certificates; -} - -function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName, $includeitems) { - $offset = str_repeat(' ',$nestID); - $itemName = "item$nestID"; - echo "{$offset}$nodeName = {};\n"; - if (is_array($items)) - foreach ($items as $key => $item) - { - if (in_array($path.'/'.$key, $includeitems)) - $subpath = $path.'/'.$key; - else - $subpath = $path.'/*'; - if (in_array($subpath, $includeitems) || in_array($path.'/*', $includeitems)) { - if (is_array($item)) { - $subNodeName = "item$nestID"; - phparray_to_javascriptarray_recursive($nestID+1, $subpath, $items[$key], $subNodeName, $includeitems); - echo "{$offset}{$nodeName}['{$key}'] = $itemName;\n"; - } else { - $item = json_encode($item); - echo "{$offset}{$nodeName}['$key'] = $item;\n"; - } - } - } -} -function phparray_to_javascriptarray($items, $javaMapName, $includeitems) { - phparray_to_javascriptarray_recursive(1,'',$items, $javaMapName, $includeitems); -} - -function haproxy_html_select_options($keyvaluelist, $selected="") { - $result = ""; - foreach($keyvaluelist as $key => $desc){ - $selectedhtml = $key == $selected ? "selected" : ""; - if ($desc['deprecated'] && $key != $selected){ - continue; - } - $name = htmlspecialchars($desc['name']); - $result .= ""; - } - return $result; -} - -function haproxy_js_select_options($keyvaluelist, $selected="") { - $result = ""; - foreach($keyvaluelist as $key => $desc){ - $selectedhtml = $key == $selected ? "selected" : ""; - if ($desc['deprecated'] && $key != $selected){ - continue; - } - $name = htmlspecialchars($desc['name']); - $result .= "