Merge pull request #19 from manusfreedom/master

Fix bugs & add feature
opnsense · Jun 13, 2016 · 0e73e2d · 0e73e2d
2 parents 22a3f00 + e64babd
commit 0e73e2d
Show file tree

Hide file tree

Showing 5 changed files with 135 additions and 35 deletions.
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml
@@ -130,6 +130,20 @@
         <help><![CDATA[These lines will be added to the HAProxy backend configuration.<br/><div class="text-info"><b>NOTE:</b> The syntax will not be checked, use at your own risk!</div>]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>backend.tuning_defaultserver</id>
+        <label>Default for server</label>
+        <type>text</type>
+        <help><![CDATA[Default option for all server entries.]]></help>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>backend.tuning_noport</id>
+        <label>Use Frontend port</label>
+        <type>checkbox</type>
+        <help><![CDATA[Don't use port on server, use the same port as frontend receive. If check enable, require port check in server.]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <label>Actions (ACLs)</label>
         <type>header</type>

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogServer.xml
@@ -51,4 +51,11 @@
         <help><![CDATA[Sets the interval (in milliseconds) for running health checks on the server.]]></help>
         <advanced>true</advanced>
     </field>
+    <field>
+        <id>server.checkport</id>
+        <label>Port to check</label>
+        <type>text</type>
+        <help><![CDATA[Provide the TCP communication port to use during check, i.e. 80 or 443.]]></help>
+        <advanced>true</advanced>
+    </field>
 </form>
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml
@@ -17,6 +17,13 @@
                 <label>NOTE: Define global parameters for the HAProxy service. They cannot be overriden.</label>
                 <type>info</type>
             </field>
+            <field>
+                <id>haproxy.general.tuning.root</id>
+                <label>Run as root</label>
+                <type>checkbox</type>
+                <help><![CDATA[Enable or disable HAProxy running as root.<br/><div class="text-info"><b>NOTE:</b> Enabling root could be a security issue but it's required by some feature.</div>]]></help>
+                <advanced>true</advanced>
+            </field>
             <field>
                 <id>haproxy.general.tuning.chroot</id>
                 <label>Secure mode (chroot)</label>
@@ -118,6 +125,13 @@
                 <type>dropdown</type>
                 <help><![CDATA[Enable or disable session redistribution in case of connection failure.]]></help>
             </field>
+            <field>
+                <id>haproxy.general.defaults.customOptions</id>
+                <label>Custom options</label>
+                <type>textbox</type>
+                <help><![CDATA[These lines will be added to the defaults settings of to the HAProxy configuration file.<br/><div class="text-info"><b>NOTE:</b> The syntax will not be checked, use at your own risk!</div>]]></help>
+                <advanced>true</advanced>
+            </field>
         </subtab>
         <subtab id="haproxy-general-logging" description="Logging Configuration">
             <field>
@@ -189,6 +203,13 @@
                 <help><![CDATA[Grant access to HAProxy statistics page. Please provide both user and password in clear text separated by a ':', i.e. john:secret123 or jdoe:anonymous. Use TAB key to complete adding a user.]]></help>
                 <hint>Enter user:password here. Finish with TAB.</hint>
             </field>
+            <field>
+                <id>haproxy.general.stats.customOptions</id>
+                <label>Custom options</label>
+                <type>textbox</type>
+                <help><![CDATA[These lines will be added to the statistics settings of to the HAProxy configuration file.<br/><div class="text-info"><b>NOTE:</b> The syntax will not be checked, use at your own risk!</div>]]></help>
+                <advanced>true</advanced>
+            </field>
         </subtab>
     </tab>
 

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -10,6 +10,10 @@
                 <Required>Y</Required>
             </enabled>
             <tuning>
+                <root type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </root>
                 <chroot type="BooleanField">
                     <default>0</default>
                     <Required>Y</Required>
@@ -114,6 +118,9 @@
                         <x-3>redispatch on the 3rd retry prior to the last retry</x-3>
                     </OptionValues>
                 </redispatch>
+                <customOptions type="TextField">
+                    <Required>N</Required>
+                </customOptions>
             </defaults>
             <logging>
                 <host type="TextField">
@@ -208,6 +215,9 @@
                     <mask>/^((([0-9a-zA-Z._\-]+:[0-9a-zA-Z._\-]+)([,]){0,1}))*/u</mask>
                     <ValidationMessage>Please provide a valid user and password, i.e. user:secret123.</ValidationMessage>
                 </users>
+                <customOptions type="TextField">
+                    <Required>N</Required>
+                </customOptions>
             </stats>
         </general>
         <frontends>
@@ -233,9 +243,9 @@
                     <Required>Y</Required>
                     <multiple>Y</multiple>
                     <!-- <default>localhost:8080</default> -->
-                    <mask>/^((([0-9a-zA-Z._\-\*]+:[0-9]+)([,]){0,1}))*/u</mask>
+                    <mask>/^((([0-9a-zA-Z._\-\*]+:[0-9]+(-[0-9]+)?)([,]){0,1}))*/u</mask>
                     <ChangeCase>lower</ChangeCase>
-                    <ValidationMessage>Please provide a valid listen address, i.e. 127.0.0.1:8080 or www.example.com:443.</ValidationMessage>
+                    <ValidationMessage>Please provide a valid listen address, i.e. 127.0.0.1:8080 or www.example.com:443. Port range as start-end, i.e. 127.0.0.1:1220-1240.</ValidationMessage>
                 </bind>
                 <mode type="OptionField">
                     <Required>Y</Required>
@@ -476,6 +486,13 @@
                 <customOptions type="TextField">
                     <Required>N</Required>
                 </customOptions>
+                <tuning_defaultserver type="TextField">
+                    <Required>N</Required>
+                </tuning_defaultserver>
+                <tuning_noport type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </tuning_noport>
                 <linkedActions type="ModelRelationField">
                     <Model>
                         <template>
@@ -526,6 +543,13 @@
                     <ValidationMessage>Please specify a value between 1 and 65535.</ValidationMessage>
                     <Required>Y</Required>
                 </port>
+                <checkport type="IntegerField">
+                    <default>80</default>
+                    <MinimumValue>1</MinimumValue>
+                    <MaximumValue>65535</MaximumValue>
+                    <ValidationMessage>Please specify a value between 1 and 65535.</ValidationMessage>
+                    <Required>N</Required>
+                </checkport>
                 <mode type="OptionField">
                     <Required>Y</Required>
                     <default>active</default>

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -441,7 +441,10 @@
 {# ############################### #}
 
 global
+{% if OPNsense.HAProxy.general.tuning.root != "1" %}
+    # NOTE: Could be a security issue, but required for some feature.
     uid                         80
+{% endif %}
     gid                         80
 {% if OPNsense.HAProxy.general.tuning.chroot == "1" %}
     # NOTE: chroot prevents (most) local logging, you need to enable remote
@@ -491,7 +494,12 @@ global
 {%     endif %}
 {%   endfor %}
 {% endif %}
-
+{% if OPNsense.HAProxy.general.tuning.customOptions|default("") != "" %}
+    # WARNING: pass through options below this line
+{%   for customOpt in OPNsense.HAProxy.general.tuning.customOptions.split("\n") %}
+    {{customOpt}}
+{%   endfor %}
+{% endif %}
 
 {# ############################### #}
 {#             DEFAULTS            #}
@@ -518,6 +526,12 @@ defaults
 {%   if OPNsense.HAProxy.general.defaults.retries|default("") != "" %}
     retries {{OPNsense.HAProxy.general.defaults.retries}}
 {%   endif %}
+{%   if OPNsense.HAProxy.general.defaults.customOptions|default("") != "" %}
+    # WARNING: pass through options below this line
+{%     for customOpt in OPNsense.HAProxy.general.defaults.customOptions.split("\n") %}
+    {{customOpt}}
+{%     endfor %}
+{%   endif %}
 {% endif %}
 
 {# ############################### #}
@@ -526,30 +540,34 @@ defaults
 
 {% if helpers.exists('OPNsense.HAProxy.frontends') %}
 {%   for frontend in helpers.toList('OPNsense.HAProxy.frontends.frontend') %}
-{%     if frontend.enabled=='1' %}
+{%     if frontend.enabled == '1' %}
 # Frontend: {{frontend.name}} ({{frontend.description}})
 frontend {{frontend.name}}
-{#       # collect ssl certs (if configured) #}
-{%       if frontend.ssl_certificates|default("") != "" %}
-{%         set ssl_certs = [] %}
-{%         for cert in frontend.ssl_certificates.split(",") %}
-{%           do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ cert ~ '.pem') %}
-{%         endfor %}
-{%       endif %}
-{#       # advanced ssl options #}
-{%       if frontend.ssl_customOptions|default("") != "" %}
-{#         # add a space to separate it from other ssl params #}
-{%         set ssl_options = frontend.ssl_customOptions ~ ' ' %}
+{%       set ssl_certs = [] %}
+{%       if frontend.ssl_enabled == '1' %}
+{#         # collect ssl certs (if configured) #}
+{%         if frontend.ssl_certificates|default("") != "" %}
+{%           for cert in frontend.ssl_certificates.split(",") %}
+{%             do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ cert ~ '.pem') %}
+{%           endfor %}
+{%         endif %}
+{#         # advanced ssl options #}
+{%         if frontend.ssl_customOptions|default("") != "" %}
+{#           # add a space to separate it from other ssl params #}
+{%           set ssl_options = frontend.ssl_customOptions ~ ' ' %}
+{%         endif %}
 {%       endif %}
 {#       # bind/listen configuration #}
 {%       if frontend.bind|default("") != "" %}
 {%         for bind in frontend.bind.split(",") %}
-    bind {{bind}} name {{bind}} {% if ssl_certs|default("") != "" %}ssl {{ ssl_options }}{{ssl_certs|join(' ')}}{% endif %}
+    bind {{bind}} name {{bind}} {% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options }}{{ssl_certs|join(' ')}} {% endif %}
 
 {%         endfor %}
 {%       endif %}
     mode {{frontend.mode}}
+{%       if frontend.mode != "tcp" %}
     option {{frontend.connectionBehaviour}}
+{%       endif %}
 {#       # select backend #}
 {%       if frontend.defaultBackend|default("") != "" %}
 {%         set backend_data = helpers.getUUID(frontend.defaultBackend) %}
@@ -688,23 +706,6 @@ backend {{backend.name}}
     # health checking is DISABLED
 {%         set healthcheck_enabled = '0' %}
 {%       endif %}
-{%       for server in backend.linkedServers.split(",") %}
-{%         set server_data = helpers.getUUID(server) %}
-{#         # collect optional server parameters #}
-{%         set server_options = [] %}
-{#         # check if health check is enabled #}
-{%         if healthcheck_enabled == '1' %}
-{%           do server_options.append('check') %}
-{%           do server_options.append('inter ' ~ server_data.checkInterval) %}
-{#           # add all additions from healthchecks here #}
-{%           do server_options.append(healthcheck_additions|join(' ')) if healthcheck_additions.length != '0' %}
-{%         endif %}
-{#         # server weight #}
-{%         do server_options.append('weight ' ~ server_data.weight) if server_data.weight|default("") != "" %}
-{#         # server role/mode #}
-{%         do server_options.append(server_data.mode) if server_data.mode|default("") != "active" %}
-    server {{server_data.name}} {{server_data.address}}:{{server_data.port}} {{server_options|join(' ')}}
-{%       endfor %}
 {#       # XXX: Usually the frontend and the backend are in the same mode,  #}
 {#       #      but we have no way to know what frontend uses this backend. #}
 {#       #      Hence we can't automatically set the mode and thus need a   #}
@@ -759,6 +760,27 @@ backend {{backend.name}}
     {{customOpt}}
 {%         endfor %}
 {%       endif %}
+{%       if backend.tuning_defaultserver|default("") != "" %}
+    default-server {{backend.tuning_defaultserver}}
+{%       endif %}
+
+{%       for server in backend.linkedServers.split(",") %}
+{%         set server_data = helpers.getUUID(server) %}
+{#         # collect optional server parameters #}
+{%         set server_options = [] %}
+{#       if# check if health check is enabled #}("") != "" %}
+{%         if healthcheck_enabled == '1' %}
+{%           do server_options.append('check') %}
+{%           do server_options.append('inter ' ~ server_data.checkInterval) %}
+{#           # add all additions from healthchecks here #}
+{%           do server_options.append(healthcheck_additions|join(' ')) if healthcheck_additions.length != '0' %}
+{%         endif %}
+{#         # server weight #}
+{%         do server_options.append('weight ' ~ server_data.weight) if server_data.weight|default("") != "" %}
+{#         # server role/mode #}
+{%         do server_options.append(server_data.mode) if server_data.mode|default("") != "active" %}
+    server {{server_data.name}} {{server_data.address}}:{% if backend.tuning_noport != '1' %}{{server_data.port}}{% endif %}{% if server_data.checkport|default("") != "" %} port {{server_data.checkport}}{% endif %} {{server_options|join(' ')}}
+{%       endfor %}
 
 {%     else %}
 # Backend (DISABLED): {{backend.description}}
@@ -779,6 +801,12 @@ listen local_statistics
     stats uri       /haproxy?stats
     stats realm     HAProxy\ statistics
     stats admin     if TRUE
+{%   if OPNsense.HAProxy.general.stats.customOptions|default("") != "" %}
+    # WARNING: pass through options below this line
+{%     for customOpt in OPNsense.HAProxy.general.stats.customOptions.split("\n") %}
+    {{customOpt}}
+{%     endfor %}
+{%   endif %}
 
 {# # remote stats are optional #}
 {%   if OPNsense.HAProxy.general.stats.remoteEnabled|default("") == "1" %}
@@ -799,9 +827,15 @@ listen  remote_statistics
 {%           endfor %}
 {%         endif %}
 {%       endif %}
-{%    else %}
+{%       if OPNsense.HAProxy.general.stats.customOptions|default("") != "" %}
+    # WARNING: pass through options below this line
+{%         for customOpt in OPNsense.HAProxy.general.stats.customOptions.split("\n") %}
+    {{customOpt}}
+{%         endfor %}
+{%       endif %}
+{%     else %}
 # ERROR: remote statistics disabled, because no listen address was specified
-{%    endif %}
+{%     endif %}
 {%   endif %}
 {% else %}
 # statistics are DISABLED