Copyright (C) 2008 Remco Hoef Copyright (C) 2013 PiBa-NL merging (some of the) "haproxy-devel" changes from: Marcello Coutinho All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ require("guiconfig.inc"); require_once("haproxy.inc"); /* Compatibility function for pfSense 2.0 */ if (!function_exists("cert_get_purpose")) { function cert_get_purpose(){ $result = array(); $result['server'] = "Yes"; return $result; } } /**/ function get_certificat_usage($refid) { $usage = array(); $cert = lookup_cert($refid); if (is_cert_revoked($cert)) $usage[] = "Revoked"; if (is_webgui_cert($refid)) $usage[] = "webConfigurator"; if (is_user_cert($refid)) $usage[] = "User Cert"; if (is_openvpn_server_cert($refid)) $usage[] = "OpenVPN Server"; if (is_openvpn_client_cert($refid)) $usage[] = "OpenVPN Client"; if (is_ipsec_cert($cert['refid'])) $usage[] = "IPsec Tunnel"; if (function_exists("is_captiveportal_cert")) if (is_captiveportal_cert($refid)) $usage[] = "Captive Portal"; return $usage; } // This function (is intended to) provides a uniform way to retrieve a list of server certificates function get_certificates_server($get_includeWebCert=false) { global $config; $certificates=array(); $a_cert = &$config['cert']; foreach ($a_cert as $cert) { if ($get_ca == false && is_webgui_cert($cert['refid'])) continue; $purpose = cert_get_purpose($cert['crt']); //$certserverpurpose = $purpose['server'] == 'Yes' ? " [Server certificate]" : ""; $certserverpurpose = ""; $selected = ""; $caname = ""; $inuse = ""; $revoked = ""; $ca = lookup_ca($cert['caref']); if ($ca) $caname = " (CA: {$ca['descr']})"; if ($pconfig['certref'] == $cert['refid']) $selected = "selected"; if (cert_in_use($cert['refid'])) $inuse = " *In Use"; if (is_cert_revoked($cert)) $revoked = " *Revoked"; $usagestr=""; $usage = get_certificat_usage($cert['refid']); foreach($usage as $use){ $usagestr .= " " . $use; } if ($usagestr != "") $usagestr = " (".trim($usagestr).")"; $certificates[$cert['refid']]['name'] = $cert['descr'] . $caname . $certserverpurpose . $inuse . $revoked . $usagestr; } return $certificates; } function haproxy_acl_select($mode) { global $a_acltypes; $seltext = ''; foreach ($a_acltypes as $expr) { if ($expr['mode'] == '' || $expr['mode'] == $mode) $seltext .= ""; } return $seltext; } $d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { $config['installedpackages']['haproxy']['ha_backends']['item'] = array(); } $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item']; global $simplefields; $simplefields = array('name','desc','status','secondary','primary_frontend','type','forwardfor','httpclose','extaddr','backend_serverpool', 'max_connections','client_timeout','port','ssloffloadcert','dcertadv','ssloffload','ssloffloadacl','advanced_bind'); if (isset($_POST['id'])) $id = $_POST['id']; else $id = $_GET['id']; if (isset($_GET['dup'])) $id = $_GET['dup']; $id = get_frontend_id($id); if (isset($id) && $a_backend[$id]) { $pconfig['a_acl']=&$a_backend[$id]['ha_acls']['item']; $pconfig['advanced'] = base64_decode($a_backend[$id]['advanced']); foreach($simplefields as $stat) $pconfig[$stat] = $a_backend[$id][$stat]; } if (isset($_GET['dup'])) unset($id); $changedesc = "Services: HAProxy: Frontend"; $changecount = 0; if ($_POST) { $changecount++; unset($input_errors); $pconfig = $_POST; if ($pconfig['secondary'] != "yes") { $reqdfields = explode(" ", "name type port max_connections"); $reqdfieldsn = explode(",", "Name,Type,Port,Max connections"); } else { $reqdfields = explode(" ", "name"); $reqdfieldsn = explode(",", "Name"); } do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['name'])) $input_errors[] = "The field 'Name' contains invalid characters."; if ($pconfig['secondary'] != "yes") { if (!is_numeric($_POST['max_connections'])) $input_errors[] = "The field 'Max connections' value is not a number."; $ports = split(",", $_POST['port'] . ","); foreach($ports as $port) if ($port && !is_numeric($port)) $input_errors[] = "The field 'Port' value is not a number."; if ($_POST['client_timeout'] !== "" && !is_numeric($_POST['client_timeout'])) $input_errors[] = "The field 'Client timeout' value is not a number."; } /* Ensure that our pool names are unique */ for ($i=0; isset($config['installedpackages']['haproxy']['ha_backends']['item'][$i]); $i++) if (($_POST['name'] == $config['installedpackages']['haproxy']['ha_backends']['item'][$i]['name']) && ($i != $id)) $input_errors[] = "This frontend name has already been used. Frontend names must be unique. $i != $id"; $a_acl=array(); $acl_names=array(); for($x=0; $x<99; $x++) { $acl_name=$_POST['acl_name'.$x]; $acl_expression=$_POST['acl_expression'.$x]; $acl_value=$_POST['acl_value'.$x]; if ($acl_name) { $acl_names[]=$acl_name; $acl=array(); $acl['name']=$acl_name; $acl['expression']=$acl_expression; $acl['value']=$acl_value; $a_acl[]=$acl; if (preg_match("/[^a-zA-Z0-9\.\-_]/", $acl_name)) $input_errors[] = "The field 'Name' contains invalid characters."; if (!preg_match("/.{1,}/", $acl_value)) $input_errors[] = "The field 'Value' is required."; if (!preg_match("/.{2,}/", $acl_name)) $input_errors[] = "The field 'Name' is required."; } } $pconfig['a_acl']=$a_acl; if (!$input_errors) { $backend = array(); if(isset($id) && $a_backend[$id]) $backend = $a_backend[$id]; if($backend['name'] != "") $changedesc .= " modified '{$backend['name']}' pool:"; // update references to this primary frontend if ($backend['name'] != $_POST['name']) { foreach($a_backend as &$frontend) { if ($frontend['primary_frontend'] == $backend['name']) { $frontend['primary_frontend'] = $_POST['name']; } } } foreach($simplefields as $stat) update_if_changed($stat, $backend[$stat], $_POST[$stat]); update_if_changed("advanced", $backend['advanced'], base64_encode($_POST['advanced'])); $backend['ha_acls']['item'] = $a_acl; if (isset($id) && $a_backend[$id]) { $a_backend[$id] = $backend; } else { $a_backend[] = $backend; } if ($changecount > 0) { touch($d_haproxyconfdirty_path); write_config($changedesc); } header("Location: haproxy_listeners.php"); exit; } } $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); if(strstr($pfSversion, "1.2")) $one_two = true; if (!$id) { //default value for new items. $pconfig['ssloffloadacl'] = "yes"; } $pgtitle = "HAProxy: Frontend: Edit"; include("head.inc"); ?>

Edit haproxy listener
Name size="25" maxlength="25">
Description size="64">
Status
Shared Frontend onclick="updatevisibility();"/> Use this setting to configure multiple backends/accesslists for a single frontend.
All settings of which only 1 can exist will be hidden.
The frontend settings will be merged into 1 set of frontend configuration.
Primary frontend
External address
If you want this rule to apply to another IP address than the IP address of the interface chosen above, select it here (you need to define Virtual IP addresses on the first). Also note that if you are trying to redirect connections on the LAN select the "any" option.
External port size="30" maxlength="500">
The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,443
Max connections size="10" maxlength="10">
Backend server pool
Type
This defines the processing type of HAProxy, and will determine the availabe options for acl checks and also several other options.
Please note that for https encryption/decryption on HAProxy with a certificate the processing type needs to be set to 'http'.
Access Control lists >
Name Expression Value

acl's with the same name wil be 'combined', acl's with different names will be evaluated seperately.
For more information about ACL's please see HAProxy Documentation Section 7 - Using ACL's

 
Advanced settings
Client timeout size="10" maxlength="10">
the time (in milliseconds) we accept to wait for data from the client, or for the client to accept data (default 30000).
Use 'forwardfor' option >
The 'forwardfor' option creates an HTTP 'X-Forwarded-For' header which contains the client's IP address. This is useful to let the final web server know what the client address was. (eg for statistics on domains)

It is important to note that as long as HAProxy does not support keep-alive connections, only the first request of a connection will receive the header. For this reason, it is important to ensure that option httpclose is set when using this option.
Use 'httpclose' option >
The 'httpclose' option removes any 'Connection' header both ways, and adds a 'Connection: close' header in each direction. This makes it easier to disable HTTP keep-alive than the previous 4-rules block.
Bind pass thru size="64">
NOTE: paste text into this box that you would like to pass behind the bind option.
Advanced pass thru
NOTE: paste text into this box that you would like to pass thru.
 
SSL Offloading
Use Offloading onclick="updatevisibility();">Use Offloading
The SSL Offloading will reduce web servers load by encrypt data to users on internet and send it without encrytion to internal servers.
Certificate No Certificates defined.
Create one under System > Cert Manager.'); ?>
NOTE: choose the cert to use on this frontend.
ACL for certificate CN onclick="updatevisibility();">Add ACL for certificate CommonName.
Advanced ssl options size="10" maxlength="64">
NOTE: Paste additional ssl options(without commas) to include on ssl listening options.
some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
 
 
NOTE: You must add a firewall rule permitting access to this frontend!