From 16e49a1c9ceddcb81dd5b8800c1627394bb3311e Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Wed, 27 Mar 2013 01:08:40 +0100 Subject: advanced bind options, extended username/password characters+escaping, change deprecated options to current equivalents, changed nbproc default to 1, for better (default settings) compatibility with other options. --- config/haproxy-devel/haproxy.inc | 42 +++++++++++++++++-------- config/haproxy-devel/haproxy_global.php | 7 +++-- config/haproxy-devel/haproxy_listeners_edit.php | 14 +++++++-- config/haproxy-devel/haproxy_pool_edit.php | 29 ++++++++++++----- 4 files changed, 67 insertions(+), 25 deletions(-) (limited to 'config') diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index a8fc1497..f949bf98 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -360,11 +360,11 @@ function write_backend($fd, $name, $pool, $frontend) { if(!$pool['connection_timeout']) $pool['connection_timeout'] = 30000; - fwrite ($fd, "\tcontimeout\t\t" . $pool['connection_timeout'] . "\n"); + fwrite ($fd, "\ttimeout connect\t\t" . $pool['connection_timeout'] . "\n"); if(!$pool['server_timeout']) $pool['server_timeout'] = 30000; - fwrite ($fd, "\tsrvtimeout\t\t" . $pool['server_timeout'] . "\n"); + fwrite ($fd, "\ttimeout server\t\t" . $pool['server_timeout'] . "\n"); if(!$pool['retries']) $pool['retries'] = 3; @@ -375,10 +375,13 @@ function write_backend($fd, $name, $pool, $frontend) { if($pool['stats_uri']) fwrite ($fd, "\tstats\t\t\turi ".$pool['stats_uri']."\n"); if($pool['stats_realm']) - fwrite ($fd, "\tstats\t\t\trealm " . $pool['stats_realm'] . "\n"); + fwrite ($fd, "\tstats\t\t\trealm " . haproxy_escapestring($pool['stats_realm']) . "\n"); else fwrite ($fd, "\tstats\t\t\trealm .\n"); - fwrite ($fd, "\tstats\t\t\tauth " . $pool['stats_username'].":". $pool['stats_password']."\n"); + fwrite ($fd, "\tstats\t\t\tauth " . haproxy_escapestring($pool['stats_username']).":". haproxy_escapestring($pool['stats_password'])."\n"); + + if($pool['stats_admin']=='yes') + fwrite ($fd, "\tstats\t\t\tadmin if TRUE" . "\n"); if($pool['stats_node_enabled']=='yes') fwrite ($fd, "\tstats\t\t\tshow-node " . $pool['stats_node'] . "\n"); @@ -477,8 +480,6 @@ function haproxy_writeconf() { if(is_array($a_global)) { fwrite ($fd, "global\n"); - if($a_global['advanced']) - fwrite ($fd, "\t" . base64_decode($a_global['advanced']) . "\n"); fwrite ($fd, "\tmaxconn\t\t\t".$a_global['maxconn']."\n"); if($a_global['remotesyslog']) fwrite ($fd, "\tlog\t\t\t{$a_global['remotesyslog']}\t{$a_global['logfacility']}\t{$a_global['loglevel']}\n"); @@ -488,10 +489,18 @@ function haproxy_writeconf() { if($a_global['nbproc']) $numprocs = $a_global['nbproc']; else - $numprocs = trim(`/sbin/sysctl kern.smp.cpus | cut -d" " -f2`); + $numprocs ="1"; fwrite ($fd, "\tnbproc\t\t\t$numprocs\n"); fwrite ($fd, "\tchroot\t\t\t/var/empty\n"); fwrite ($fd, "\tdaemon\n"); + + // Keep the advanced options on the bottom of the global settings, to allow additional sections to be easely added + if($a_global['advanced']) { + $adv = explode("\n", base64_decode($a_global['advanced'])); + foreach($adv as $adv_line) { + fwrite($fd, "\t" . $adv_line . "\n"); + } + } fwrite ($fd, "\n"); } @@ -548,6 +557,7 @@ function haproxy_writeconf() { $b['client_timeout'] = $backend['client_timeout']; $b['advanced'] = $backend['advanced']; $b['ssloffload'] = $backend['ssloffload']; + $b['advanced_bind'] = $backend['advanced_bind']; } if ($ssl_crt != "") { @@ -577,6 +587,7 @@ function haproxy_writeconf() { $portss = "{$bind['port']},"; $ports = split(",", $portss); $ssl_info = $bind['ssl_info']; + $advanced_bind = $bind['advanced_bind']; // Initialize variable $listenip = ""; @@ -584,11 +595,11 @@ function haproxy_writeconf() { foreach($ports as $port) { if($port) { if($bind['extaddr'] == "any") - $listenip .= "\tbind\t\t\t0.0.0.0:{$port} {$ssl_info}\n"; + $listenip .= "\tbind\t\t\t0.0.0.0:{$port} {$ssl_info} {$advanced_bind}\n"; elseif($bind['extaddr']) - $listenip .= "\tbind\t\t\t{$bind['extaddr']}:{$port} {$ssl_info}\n"; + $listenip .= "\tbind\t\t\t{$bind['extaddr']}:{$port} {$ssl_info} {$advanced_bind}\n"; else - $listenip .= "\tbind\t\t\t" . get_current_wan_address('wan') . ":{$port} {$ssl_info}\n"; + $listenip .= "\tbind\t\t\t" . get_current_wan_address('wan') . ":{$port} {$ssl_info} {$advanced_bind}\n"; } } @@ -632,7 +643,7 @@ function haproxy_writeconf() { if(!$bind['client_timeout']) $bind['client_timeout'] = 30000; - fwrite ($fd, "\tclitimeout\t\t" . $bind['client_timeout'] . "\n"); + fwrite ($fd, "\ttimeout client\t\t" . $bind['client_timeout'] . "\n"); // Combine the rest of the listener configs @@ -1026,9 +1037,14 @@ function phparray_to_javascriptarray_recursive($nestID, $path, $items, $nodeName } } -function phparray_to_javascriptarray($items, $javaMapName, $includeitems) -{ +function phparray_to_javascriptarray($items, $javaMapName, $includeitems) { phparray_to_javascriptarray_recursive(1,'',$items, $javaMapName, $includeitems); } +function haproxy_escapestring($configurationsting) { + $result = str_replace('\\', '\\\\', $configurationsting); + $result = str_replace(' ', '\\ ', $result); + return str_replace('#', '\\#', $result); +} + ?> diff --git a/config/haproxy-devel/haproxy_global.php b/config/haproxy-devel/haproxy_global.php index 8e2949fd..c906cda0 100755 --- a/config/haproxy-devel/haproxy_global.php +++ b/config/haproxy-devel/haproxy_global.php @@ -227,7 +227,9 @@ function enable_change(enable_change) {
- Defaults to number of cores/processors installed if left blank ( detected). + Defaults to 1 if left blank ( CPU core(s) detected).
+ Note : Consider leaving this value empty or 1 because in multi-process mode (nbproc > 1) memory is not shared between the processes, which could result in random behaviours for several options like ACL's, sticky connections and some others.
+ For more information about the "nbproc" option please see HAProxy Documentation @@ -235,7 +237,8 @@ function enable_change(enable_change) { Remote syslog host - +
+ To log to the local pfSense systemlog fill the host with the value /var/run/log, however if a lot of messages are generated logging is likely to be incomplete. (Also currently no informational logging gets shown in the systemlog.) diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index afd424c7..2e943e96 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -144,7 +144,7 @@ $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; global $simplefields; $simplefields = array('name','desc','status','secondary','primary_frontend','type','forwardfor','httpclose','extaddr','backend_serverpool', - 'max_connections','client_timeout','port','ssloffloadcert','dcertadv','ssloffload','ssloffloadacl'); + 'max_connections','client_timeout','port','ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','advanced_bind'); if (isset($_POST['id'])) $id = $_POST['id']; @@ -707,10 +707,18 @@ include("head.inc"); disable HTTP keep-alive than the previous 4-rules block. + + Bind pass thru + + size="64"> +
+ NOTE: paste text into this box that you would like to pass behind the bind option. + + Advanced pass thru - +
NOTE: paste text into this box that you would like to pass thru. @@ -752,7 +760,7 @@ include("head.inc"); onclick="updatevisibility();">Add ACL for certificate CommonName. - + Advanced ssl options size="10" maxlength="64"> diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php index 446c8e35..3ed0b799 100644 --- a/config/haproxy-devel/haproxy_pool_edit.php +++ b/config/haproxy-devel/haproxy_pool_edit.php @@ -48,7 +48,7 @@ if (isset($_GET['dup'])) $id = $_GET['dup']; global $simplefields; -$simplefields = array("retries","balance","connection_timeout","server_timeout", "stats_enabled","stats_username","stats_password","stats_uri","stats_realm","stats_node_enabled","stats_node","stats_desc","stats_refresh"); +$simplefields = array("retries","balance","connection_timeout","server_timeout", "stats_enabled","stats_username","stats_password","stats_uri","stats_realm","stats_admin","stats_node_enabled","stats_node","stats_desc","stats_refresh"); if (isset($id) && $a_pools[$id]) { $pconfig['name'] = $a_pools[$id]['name']; @@ -97,10 +97,12 @@ if ($_POST) { if ($_POST['retries'] !== "" && !is_numeric($_POST['retries'])) $input_errors[] = "The field 'Retries' value is not a number."; - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['stats_username'])) + // the colon ":" is invalid in the username, other than that pretty much any character can be used. + if (preg_match("/[^a-zA-Z0-9!-\/;-~ ]/", $_POST['stats_username'])) $input_errors[] = "The field 'Stats Username' contains invalid characters."; - if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['stats_password'])) + // the colon ":" can also be used in the password + if (preg_match("/[^a-zA-Z0-9!-~ ]/", $_POST['stats_password'])) $input_errors[] = "The field 'Stats Password' contains invalid characters."; /* Ensure that our pool names are unique */ @@ -256,7 +258,7 @@ row_helper(); rowsize[0] = "30"; rowname[1] = "server_address"; rowtype[1] = "textbox"; - rowsize[1] = "30"; + rowsize[1] = "20"; rowname[2] = "server_port"; rowtype[2] = "textbox"; rowsize[2] = "5"; @@ -269,6 +271,9 @@ row_helper(); rowname[5] = "server_status"; rowtype[5] = "select"; rowsize[5] = "1"; + rowname[6] = "server_name"; + rowtype[6] = "textbox"; + rowsize[6] = "20"; @@ -543,14 +548,24 @@ set by the 'retries' parameter. Stats Username - size="64"> + size="64"> Stats Password - size="64"> + size="64"> +
+ + + + Stats Admin + + >
@@ -600,7 +615,7 @@ set by the 'retries' parameter.