diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index de2849155..31b5e73c1 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME= haproxy
-PLUGIN_VERSION= 2.3
+PLUGIN_VERSION= 2.4
 PLUGIN_COMMENT= Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS= haproxy
+PLUGIN_DEPENDS= haproxy-devel
 PLUGIN_MAINTAINER= opnsense@moov.de
 .include "../../Mk/plugins.mk"
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php
index e5f7b3f34..a68baac0e 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php
@@ -29,7 +29,7 @@
 */
 namespace OPNsense\HAProxy\Api;
-use \OPNsense\Base\ApiControllerBase;
+use \OPNsense\Base\ApiMutableServiceControllerBase;
 use \OPNsense\Core\Backend;
 use \OPNsense\HAProxy\HAProxy;
@@ -37,125 +37,12 @@ use \OPNsense\HAProxy\HAProxy;
 * Class ServiceController
 * @package OPNsense\HAProxy
 */
-class ServiceController extends ApiControllerBase
+class ServiceController extends ApiMutableServiceControllerBase
 {
- /**
- * start haproxy service (in background)
- * @return array
- */
- public function startAction()
- {
- if ($this->request->isPost()) {
- // close session for long running action
- $this->sessionClose();
- $backend = new Backend();
- $response = $backend->configdRun("haproxy start");
- return array("response" => $response);
- } else {
- return array("response" => array());
- }
- }
-
- /**
- * stop haproxy service
- * @return array
- */
- public function stopAction()
- {
- if ($this->request->isPost()) {
- // close session for long running action
- $this->sessionClose();
- $backend = new Backend();
- $response = $backend->configdRun("haproxy stop");
- return array("response" => $response);
- } else {
- return array("response" => array());
- }
- }
-
- /**
- * restart haproxy service
- * @return array
- */
- public function restartAction()
- {
- if ($this->request->isPost()) {
- // close session for long running action
- $this->sessionClose();
- $backend = new Backend();
- $response = $backend->configdRun("haproxy restart");
- return array("response" => $response);
- } else {
- return array("response" => array());
- }
- }
-
- /**
- * retrieve status of haproxy service
- * @return array
- * @throws \Exception
- */
- public function statusAction()
- {
- $backend = new Backend();
- $mdlProxy = new HAProxy();
- $response = $backend->configdRun("haproxy status");
-
- if (strpos($response, "not running") > 0) {
- if ($mdlProxy->general->enabled->__toString() == 1) {
- $status = "stopped";
- } else {
- $status = "disabled";
- }
- } elseif (strpos($response, "is running") > 0) {
- $status = "running";
- } elseif ($mdlProxy->general->enabled->__toString() == 0) {
- $status = "disabled";
- } else {
- $status = "unkown";
- }
-
- return array("status" => $status);
- }
-
- /**
- * reconfigure haproxy, generate config and reload
- */
- public function reconfigureAction()
- {
- if ($this->request->isPost()) {
- $force_restart = false;
- // close session for long running action
- $this->sessionClose();
-
- $mdlProxy = new HAProxy();
- $backend = new Backend();
-
- $runStatus = $this->statusAction();
-
- // stop haproxy when disabled
- if ($runStatus['status'] == "running" &&
- ($mdlProxy->general->enabled->__toString() == 0 || $force_restart)) {
- $this->stopAction();
- }
-
- // generate template
- $backend->configdRun('template reload OPNsense/HAProxy');
-
- // (res)start daemon
- if ($mdlProxy->general->enabled->__toString() == 1) {
- if ($runStatus['status'] == "running" && !$force_restart) {
- $backend->configdRun("haproxy reload");
- } else {
- $this->startAction();
- }
- }
-
- return array("status" => "ok");
- } else {
- return array("status" => "failed");
- }
- }
+ static protected $internalServiceClass = '\OPNsense\HAProxy\HAProxy';
+ static protected $internalServiceTemplate = 'OPNsense/Haproxy';
+ static protected $internalServiceEnabled = 'general.enabled';
+ static protected $internalServiceName = 'haproxy';
 /**
 * run syntax check for haproxy configuration
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
index a86a6599e..886d9f206 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
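Review bot: `$internalServiceTemplate = 'OPNsense/Haproxy'` does not match the template directory this commit itself edits, `templates/OPNsense/HAProxy/haproxy.conf`, nor the removed `template reload OPNsense/HAProxy` call, so on a case-sensitive filesystem the base class's reconfigure step will not find the template and the generated configuration is never refreshed; it should read `static protected $internalServiceTemplate = 'OPNsense/HAProxy';`. As a point of style, PER-CS orders the modifiers as `protected static` rather than `static protected`. The `use \OPNsense\Core\Backend;` and `use \OPNsense\HAProxy\HAProxy;` imports are kept; Backend is presumably still used by the syntax-check action that follows, but the HAProxy import may now be unused and is worth checking. The class body continues past the end of the hunk.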
@@ -198,6 +198,214 @@ text + + + header + + + + acl.src_bytes_in_rate_comparison + + dropdown + + + acl.src_bytes_in_rate + + text + + + + + header + + + + acl.src_bytes_out_rate_comparison + + dropdown + + + acl.src_bytes_out_rate + + text + + + + + header + + + + acl.src_conn_cnt_comparison + + dropdown + + + acl.src_conn_cnt + + text + + + + + header + + + + acl.src_conn_cur_comparison + + dropdown + + + acl.src_conn_cur + + text + + + + + header + + + + acl.src_conn_rate_comparison + + dropdown + + + acl.src_conn_rate + + text + + + + + header + + + + acl.src_http_err_cnt_comparison + + dropdown + + + acl.src_http_err_cnt + + text + + + + + header + + + + acl.src_http_err_rate_comparison + + dropdown + + + acl.src_http_err_rate + + text + + + + + header + + + + acl.src_http_req_cnt_comparison + + dropdown + + + acl.src_http_req_cnt + + text + + + + + header + + + + acl.src_http_req_rate_comparison + + dropdown + + + acl.src_http_req_rate + + text + + + + + header + + + + acl.src_kbytes_in_comparison + + dropdown + + + acl.src_kbytes_in + + text + + + + + header + + + + acl.src_kbytes_out_comparison + + dropdown + + + acl.src_kbytes_out + + text + + + + + header + + + + acl.src_port_comparison + + dropdown + + + acl.src_port + + text + + + + + header + + + + acl.src_sess_cnt_comparison + + dropdown + + + acl.src_sess_cnt + + text + + header diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml index c55ab4c51..396d7926d 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml @@ -90,7 +90,7 @@ action.http_request_redirect text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> 
@@ -129,7 +129,7 @@ action.http_request_add_header_content text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> @@ -146,7 +146,7 @@ action.http_request_set_header_content text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> @@ -219,7 +219,7 @@ action.http_response_add_header_content text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> @@ -236,7 +236,7 @@ action.http_response_set_header_content text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml index 6c7d1fbe9..53320c994 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml @@ -28,7 +28,7 @@ backend.algorithm dropdown - HAProxy documentation for a full description.]]> + HAProxy documentation for a full description.]]> Choose a load balancing algorithm. @@ -78,9 +78,16 @@ backend.stickiness_pattern dropdown - HAProxy documentation for a full description.
NOTE: Consider not using this feature in multi-process mode, it can result in random behaviours.
]]>
+ HAProxy documentation for a full description.
NOTE: Consider not using this feature in multi-process mode, it can result in random behaviours.
]]>
Choose a persistence type.
+ + backend.stickiness_dataTypes + + select_multiple + + HAProxy documentation for a full description.]]> + backend.stickiness_expire @@ -107,6 +114,48 @@ text + + backend.stickiness_connRatePeriod + + text + + true + + + backend.stickiness_sessRatePeriod + + text + + true + + + backend.stickiness_httpReqRatePeriod + + text + + true + + + backend.stickiness_httpErrRatePeriod + + text + + true + + + backend.stickiness_bytesInRatePeriod + + text + + true + + + backend.stickiness_bytesOutRatePeriod + + text + + true + header diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml index 3b1e3449a..6835cbd09 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml @@ -110,6 +110,18 @@ checkbox + + frontend.ssl_hstsIncludeSubDomains + + checkbox + + + + frontend.ssl_hstsPreload + + checkbox + + frontend.ssl_hstsMaxAge @@ -133,6 +145,20 @@ true + + frontend.tuning_timeoutHttpReq + + text + + true + + + frontend.tuning_timeoutHttpKeepAlive + + text + + true + header 
@@ -182,6 +208,101 @@ checkbox + + + header + + + frontend.stickiness_pattern + + dropdown + HAProxy documentation for further information.]]> + Choose a stick-table type. + + + frontend.stickiness_dataTypes + + select_multiple + + HAProxy documentation for a full description.]]> + + + frontend.stickiness_expire + + text + + true + + + frontend.stickiness_size + + text + + true + + + frontend.stickiness_counter + + checkbox + + true + + + frontend.stickiness_counter_key + + text + HAProxy documentation for a full description.]]> + true + + + frontend.stickiness_length + + text + + true + + + frontend.stickiness_connRatePeriod + + text + + true + + + frontend.stickiness_sessRatePeriod + + text + + true + + + frontend.stickiness_httpReqRatePeriod + + text + + true + + + frontend.stickiness_httpErrRatePeriod + + text + + true + + + frontend.stickiness_bytesInRatePeriod + + text + + true + + + frontend.stickiness_bytesOutRatePeriod + + text + + true + header diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml index 04a05134c..3f2cb6d37 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml @@ -20,6 +20,58 @@ + + + haproxy.general.peers.enabled + + checkbox + + + + + header + + + haproxy.general.peers.name1 + + text + + + + haproxy.general.peers.listen1 + + text + + + + haproxy.general.peers.port1 + + text + + + + + header + + + haproxy.general.peers.name2 + + text + + + + haproxy.general.peers.listen2 + + text + + + + haproxy.general.peers.port2 + + text + + + diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index bf4252e17..50435b9c8 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml 
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -1,6 +1,6 @@ //OPNsense/HAProxy - 2.0.1 + 2.1.0 the HAProxy load balancer @@ -17,6 +17,38 @@ 1 + + + 0 + Y + + + N + + + N + + + 1024 + 1 + 65535 + Please specify a value between 1 and 65535. + N + + + N + + + N + + + 1024 + 1 + 65535 + Please specify a value between 1 and 65535. + N + + 0 @@ -355,6 +387,14 @@ 1 Y + + 0 + N + + + 0 + N + 15768000 1 @@ -373,6 +413,16 @@ Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". N + + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + 0 Y 
@@ -393,6 +443,101 @@ 0 Y + + N + + only store IPv4 addresses [default] + only store IPv6 addresses + store 32bit integers + store substrings + store binary blocks + + + + N + Y + + Connection count + Current connections + Connection rate + Session count + Session rate + HTTP request count + HTTP request rate + HTTP error count + HTTP error rate + Bytes in count (client to server) + Bytes in rate (client to server) + Bytes out count (server to client) + Bytes out rate (server to client) + + + + Y + 30m + /^([0-9]{1,5}(?:ms|s|m|h|d)?)/u + lower + Should be a number between 1 and 5 characters followed by either "d", "h", "m", "s" or "ms". + + + Y + 50k + /^([0-9]{1,5}[k|m|g]{1})*/u + lower + Should be a number between 1 and 5 characters followed by either "k", "m" or "g". + + + 1 + N + + + src + N + /^([0-9a-zA-Z._]){1,32}$/u + Should be a string between 1 and 32 characters. + + + 1 + 16384 + Please specify a value between 1 and 16384. + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 1m + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 1m + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + 0 Y 
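Review bot: The added mask `/^([0-9]{1,5}[k|m|g]{1})*/u` (apparently the frontend `stickiness_size` field; the element tags are not visible in this rendering) validates nothing: the outer `*` allows zero repetitions and there is no `$` anchor, so any string passes, and `[k|m|g]` also admits a literal `|`. The value is later emitted verbatim as `size {{proxy.stickiness_size}}` in the stick-table line, so a typo becomes a haproxy load error instead of a form error; `/^[0-9]{1,5}[kmg]?$/u` matches the stated help text and the plain-number form haproxy also accepts. The expire and `*RatePeriod` masks in this hunk likewise stop without a `$` anchor, which follows the existing timeout masks in this file, so trailing characters are accepted there too.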
@@ -522,6 +667,25 @@ Stick on RDP-Cookie + + N + Y + + Connection count + Current connections + Connection rate + Session count + Session rate + HTTP request count + HTTP request rate + HTTP error count + HTTP error rate + Bytes in count (client to server) + Bytes in rate (client to server) + Bytes out count (server to client) + Bytes out rate (server to client) + + Y 30m @@ -547,6 +711,42 @@ Please specify a value between 1 and 10000. N + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 1m + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 1m + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". @@ -695,7 +895,7 @@ - /^([0-9a-zA-Z._]){1,255}$/u + /^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u Should be a string between 1 and 255 characters. Y @@ -857,7 +1057,7 @@ N - /^([0-9a-zA-Z._]){1,255}$/u + /^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u Should be a string between 1 and 255 characters. Y @@ -878,9 +1078,6 @@ Path ends with Path matches Path regex - Path contains subdir Path contains string URL parameter contains 
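Review bot: The new mask `/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u` replaces an allow-list with a deny-list, and a negated class admits everything else, including spaces, `#`, quotes, `\`, `$` and, in PCRE, line breaks; if these fields are names that end up in the generated haproxy.conf, a space splits the token and a `#` or newline starts a comment or a new directive, so the check no longer keeps the configuration well-formed. The repeated `^` inside the class are literal carets rather than negations, which obscures the intent further. If the aim was merely to also allow hyphens, an allow-list such as `/^[0-9a-zA-Z_\-\.]{1,255}$/u` preserves the earlier guarantee; the same mask is introduced again in the hunks at -857, -1046, -1301 and -1321. The field names are not visible here, so this assumes they are the identifiers the template interpolates.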
@@ -889,6 +1086,26 @@ SSL Client certificate verify error result SSL Client certificate issued by CA common-name Source IP matches specified IP + Source IP is local + Source IP: TCP source port + Source IP: incoming bytes rate + Source IP: outgoing bytes rate + Source IP: amount of data received (in kilobytes) + Source IP: amount of data sent (in kilobytes) + + Source IP: cumulative number of connections + Source IP: concurrent connections + Source IP: connection rate + + + + Source IP: cumulative number of HTTP errors + Source IP: rate of HTTP errors + Source IP: number of HTTP requests + Source IP: rate of HTTP requests + + Source IP: cumulative number of connections + Source IP: session rate Minimum number of usable servers in backend Traffic is HTTP Traffic is SSL 
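Review bot: The option label `Source IP: cumulative number of connections` appears twice in the added list, once in the connection group and again immediately before `Source IP: session rate`; judging by the template hunk, which handles `src_sess_cnt` right before `src_sess_rate`, the second one should read something like `Source IP: cumulative number of sessions`. The option values are stripped in this rendering, so the mapping of labels to expressions is inferred.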
@@ -981,6 +1198,202 @@ /^.{1,4096}$/u N + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + 0 500000 @@ -1046,7 +1459,7 @@ - /^([0-9a-zA-Z._]){1,255}$/u + /^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u Should be a string between 1 and 255 characters. Y @@ -1085,7 +1498,6 @@ Y - Use specified Backend Pool Override server in Backend Pool @@ -1301,7 +1713,7 @@ Y - /^([0-9a-zA-Z_\-]){1,255}$/u + /^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u Should be a string between 1 and 255 characters. Y @@ -1321,7 +1733,7 @@ Y - /^([0-9a-zA-Z_\-]){1,255}$/u + /^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u Should be a string between 1 and 255 characters. Y 
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml index d91b7c8ed..b49bddb1f 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml @@ -3,6 +3,7 @@ + diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt index 1083b8780..91921fc35 100644 --- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt +++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt @@ -472,7 +472,7 @@ POSSIBILITY OF SUCH DAMAGE.
  • {{ lang._('Lastly, enable HAProxy using the %sService Settings%s.') | format('', '') }}
  • {{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('', '') }}

    -

    {{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('', '', '', '', '', '') }}

    +

    {{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('', '', '', '', '', '') }}


    @@ -514,7 +514,7 @@ POSSIBILITY OF SUCH DAMAGE.
  • {{ lang._('%sConditions:%s HAProxy is capable of extracting data from requests, responses and other connection data and match it against predefined patterns. Use these powerful patterns to compose a condition that may be used in multiple Rules.') | format('', '') }}
  • {{ lang._('%sRules:%s Perform a large set of actions if one or more %sConditions%s match. These Rules may be used in %sBackend Pools%s as well as %sPublic Services%s.') | format('', '', '', '', '', '', '', '') }}
  • -

    {{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('', '', '', '') }}

    +

    {{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('', '', '', '') }}

    {{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('', '') }}


    @@ -528,7 +528,7 @@ POSSIBILITY OF SUCH DAMAGE.
  • {{ lang._("%sError Messages:%s Return a custom message instead of errors generated by HAProxy. Useful to overwrite HAProxy's internal error messages. The message must represent the full HTTP response and include required HTTP headers.") | format('', '') }}
  • {{ lang._("%sLua scripts:%s Include your own Lua code/scripts to extend HAProxy's functionality. The Lua code can be used in certain %sRules%s, for example.") | format('', '', '', '') }}
  • -

    {{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s and the %sLua Script%s features.") | format('', '', '', '') }}

    +

    {{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s and the %sLua Script%s features.") | format('', '', '', '') }}


diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index dd8db755c..a4b193405 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -3,6 +3,15 @@
 # Do not edit this file manually.
 {% if helpers.exists('OPNsense.HAProxy') %}
+{# ############################### #}
+{# GLOBAL VARIABLES #}
+{# ############################### #}
+
+{%- if helpers.exists('OPNsense.HAProxy.general.peers') and OPNsense.HAProxy.general.peers.enabled|default("") == "1" -%}
+{% set peers_enabled = True %}
+{% set peers_name = 'opnsense-haproxy-peers' %}
+{%- endif -%}
+
 {# ############################### #}
 {# MACROS #}
 {# ############################### #}
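Review bot: `peers_enabled` is set whenever `peers.enabled` is `"1"`, but the PEERS section at the end of this file is only emitted when all six `name`/`listen`/`port` values are non-empty; with a partially filled form every stick-table line rendered by `StickTableConfig` still ends in `peers opnsense-haproxy-peers`, which then names a section that does not exist, and haproxy refuses such a configuration at load. Make the two conditions identical by moving the six `|default("") != ''` checks from the PEERS section into this `if`, and let the PEERS section test `peers_enabled is defined` instead of repeating the `enabled` comparison.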
@@ -172,6 +181,36 @@
 {% set acl_enabled = '0' %}
 # ERROR: missing parameters
 {% endif %}
+{% elif acl_data.expression == 'src_is_local' %}
+{% do acl_options.append('src_is_local') %}
+{% elif acl_data.expression == 'src_bytes_in_rate' %}
+{% do acl_options.append('src_bytes_in_rate ' ~ acl_data.src_bytes_in_rate_comparison ~ ' ' ~ acl_data.src_bytes_in_rate) %}
+{% elif acl_data.expression == 'src_bytes_out_rate' %}
+{% do acl_options.append('src_bytes_out_rate ' ~ acl_data.src_bytes_out_rate_comparison ~ ' ' ~ acl_data.src_bytes_out_rate) %}
+{% elif acl_data.expression == 'src_conn_cnt' %}
+{% do acl_options.append('src_conn_cnt ' ~ acl_data.src_conn_cnt_comparison ~ ' ' ~ acl_data.src_conn_cnt) %}
+{% elif acl_data.expression == 'src_conn_cur' %}
+{% do acl_options.append('src_conn_cur ' ~ acl_data.src_conn_cur_comparison ~ ' ' ~ acl_data.src_conn_cur) %}
+{% elif acl_data.expression == 'src_conn_rate' %}
+{% do acl_options.append('src_conn_rate ' ~ acl_data.src_conn_rate_comparison ~ ' ' ~ acl_data.src_conn_rate) %}
+{% elif acl_data.expression == 'src_http_err_cnt' %}
+{% do acl_options.append('src_http_err_cnt ' ~ acl_data.src_http_err_cnt_comparison ~ ' ' ~ acl_data.src_http_err_cnt) %}
+{% elif acl_data.expression == 'src_http_err_rate' %}
+{% do acl_options.append('src_http_err_rate ' ~ acl_data.src_http_err_rate_comparison ~ ' ' ~ acl_data.src_http_err_rate) %}
+{% elif acl_data.expression == 'src_http_req_cnt' %}
+{% do acl_options.append('src_http_req_cnt ' ~ acl_data.src_http_req_cnt_comparison ~ ' ' ~ acl_data.src_http_req_cnt) %}
+{% elif acl_data.expression == 'src_http_req_rate' %}
+{% do acl_options.append('src_http_req_rate ' ~ acl_data.src_http_req_rate_comparison ~ ' ' ~ acl_data.src_http_req_rate) %}
+{% elif acl_data.expression == 'src_kbytes_in' %}
+{% do acl_options.append('src_kbytes_in ' ~ acl_data.src_kbytes_in_comparison ~ ' ' ~ acl_data.src_kbytes_in) %}
+{% elif acl_data.expression == 'src_kbytes_out' %}
+{% do acl_options.append('src_kbytes_out ' ~ acl_data.src_kbytes_out_comparison ~ ' ' ~ acl_data.src_kbytes_out) %}
+{% elif acl_data.expression == 'src_port' %}
+{% do acl_options.append('src_port ' ~ acl_data.src_port_comparison ~ ' ' ~ acl_data.src_port) %}
+{% elif acl_data.expression == 'src_sess_cnt' %}
+{% do acl_options.append('src_sess_cnt' ~ acl_data.src_sess_cnt_comparison ~ ' ' ~ acl_data.src_sess_cnt) %}
+{% elif acl_data.expression == 'src_sess_rate' %}
+{% do acl_options.append('src_sess_rate ' ~ acl_data.src_sess_rate_comparison ~ ' ' ~ acl_data.src_sess_rate) %}
 {% elif acl_data.expression == 'nbsrv' %}
 {% do acl_options.append('') %}
 {% if acl_data.nbsrv|default("") != "" %}
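Review bot: The `src_sess_cnt` branch omits the separating space, so `'src_sess_cnt' ~ acl_data.src_sess_cnt_comparison` renders as, for example, `src_sess_cntgt 10`, which haproxy rejects as an unknown fetch; it should read `{% do acl_options.append('src_sess_cnt ' ~ acl_data.src_sess_cnt_comparison ~ ' ' ~ acl_data.src_sess_cnt) %}` like its siblings. The comparison operands (`acl_data.src_bytes_in_rate` and the others) are written into the acl line unquoted, and the model hunk for these fields shows no mask as far as this rendering lets one tell, so a numeric mask on those fields would keep a stray character from producing an invalid haproxy.conf. The enclosing `if`/`elif` chain starts and ends outside this hunk.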
@@ -455,6 +494,87 @@
 {% endif %}
 {%- endmacro %}
+{# Macro expects a backend or frontend object. #}
+{% macro StickTableConfig(proxy, backend=False) -%}
+{% if proxy is defined %}
+{# # check if stickiness is disabled (set to "None") #}
+{% if proxy.stickiness_pattern|default("") != "" %}
+ # stickiness
+{# # check if additional data types are configured #}
+{% if proxy.stickiness_dataTypes|default("") != "" %}
+{% set stickiness_datatypes = [] %}
+{% for datatype in proxy.stickiness_dataTypes.split(",") %}
+{# # add time period to all types where this is required #}
+{% if datatype == 'conn_rate' %}
+{% do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_connRatePeriod ~ ')') %}
+{% elif datatype == 'sess_rate' %}
+{% do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_sessRatePeriod ~ ')') %}
+{% elif datatype == 'http_req_rate' %}
+{% do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_httpReqRatePeriod ~ ')') %}
+{% elif datatype == 'http_err_rate' %}
+{% do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_httpErrRatePeriod ~ ')') %}
+{% elif datatype == 'bytes_in_rate' %}
+{% do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_bytesInRatePeriod ~ ')') %}
+{% elif datatype == 'bytes_out_rate' %}
+{% do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_bytesOutRatePeriod ~ ')') %}
+{% else %}
+{% do stickiness_datatypes.append(datatype) %}
+{% endif %}
+{% endfor %}
+{% set stickiness_store = 'store ' ~ stickiness_datatypes|join(',') %}
+{% endif %}
+{# # check stick-table type #}
+{% if proxy.stickiness_pattern == "sourceipv4" or proxy.stickiness_pattern == "ipv4" %}
+{% set table_type = 'ip' %}
+{% elif proxy.stickiness_pattern == "sourceipv6" or proxy.stickiness_pattern == "ipv6" %}
+{% set table_type = 'ipv6' %}
+{% elif proxy.stickiness_pattern == "cookievalue" or proxy.stickiness_pattern == "string" %}
+{% set table_type = 'string' %}
+{% set add_length = True %}
+{% elif proxy.stickiness_pattern == "rdpcookie" or proxy.stickiness_pattern == "binary" %}
+{% set table_type = 'binary' %}
+{% set add_length = True %}
+{% elif proxy.stickiness_pattern == "integer" %}
+{% set table_type = 'integer' %}
+{% endif %}
+{# # check data length #}
+{% if add_length is defined %}
+{% if proxy.stickiness_cookielength is defined %}
+{% set data_length = proxy.stickiness_cookielength %}
+{% elif proxy.stickiness_length is defined %}
+{% set data_length = proxy.stickiness_length %}
+{% else %}
+{% set data_length = '32' %}
+{% endif %}
+{% endif %}
+{# # add stick-table #}
+{% if table_type is defined %}
+ stick-table type {{table_type}} {%if add_length is defined %}len {{data_length}} {% endif %}size {{proxy.stickiness_size}} expire {{proxy.stickiness_expire}} {{stickiness_store}} {% if peers_enabled is defined %}{{'peers ' ~ peers_name}}{% endif %}
+
+{% endif %}
+{# # sticky counters (frontends only) #}
+{%- if backend == False -%}
+{%- if proxy.stickiness_counter|default("0") == "1" and proxy.stickiness_counter_key != '' %}
+ tcp-request connection track-sc0 {{proxy.stickiness_counter_key}}
+{%- endif -%}
+{%- endif -%}
+{# # stick-table persistence (backends only) #}
+{%- if backend == True -%}
+{%- if proxy.stickiness_pattern == "cookievalue" %}
+ stick store-response res.cook({{proxy.stickiness_cookiename}})
+ stick on req.cook({{proxy.stickiness_cookiename}})
+{%- elif proxy.stickiness_pattern == "rdpcookie" %}
+ stick on req.rdp_cookie(mstshash)
+{%- elif proxy.stickiness_pattern != '' %}
+ stick on src
+{%- endif -%}
+{%- endif -%}
+{% endif %}
+{% else %}
+# ERROR: StickTableConfig called with empty data
+{% endif %}
+{%- endmacro -%}
+
 {% if not (helpers.exists('OPNsense.HAProxy.general') and OPNsense.HAProxy.general.enabled|default("0") == "1") %}
 #
 # NOTE: HAProxy is currently DISABLED
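Review bot: `stickiness_store` is only assigned when `stickiness_dataTypes` is non-empty but is rendered unconditionally in the stick-table line; with Jinja's default Undefined that yields an empty string and a stray space, under StrictUndefined it would abort rendering, so initialise it before the branch with `{% set stickiness_store = '' %}` directly after the `# stickiness` line. The header comment `{# Macro expects a backend or frontend object. #}` says nothing about the `backend` flag or about the macro relying on `peers_enabled`/`peers_name` from the template scope; extend it to `{# Macro expects a backend or frontend object; backend=True also emits the stick rules, and the peers suffix depends on peers_enabled/peers_name set in GLOBAL VARIABLES. #}`. The backend hunk calls it as `StickTableConfig(backend,true)` with lowercase `true` while this file otherwise writes `True`; both work in Jinja, but one spelling is easier to grep for.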
@@ -608,7 +728,15 @@ frontend {{frontend.name}}
 {% endif %}
 {# # HSTS #}
 {% if frontend.ssl_hstsEnabled|default("") == '1' and frontend.mode == 'http' %}
- http-response set-header Strict-Transport-Security max-age={{frontend.ssl_hstsMaxAge}}
+{% set hsts_options = [] %}
+{% do hsts_options.append('max-age=' ~ frontend.ssl_hstsMaxAge) %}
+{% if frontend.ssl_hstsIncludeSubDomains|default("") == '1' %}
+{% do hsts_options.append('; includeSubDomains') %}
+{% endif %}
+{% if frontend.ssl_hstsPreload|default("") == '1' %}
+{% do hsts_options.append('; preload') %}
+{% endif %}
+ http-response set-header Strict-Transport-Security "{{ hsts_options|join('') }}"
 {% endif %}
 {% endif %}
 {% endif %}
@@ -644,6 +772,14 @@ frontend {{frontend.name}}
 {% elif OPNsense.HAProxy.general.defaults.timeoutClient is defined %}
 timeout client {{OPNsense.HAProxy.general.defaults.timeoutClient}}
 {% endif %}
+{% if frontend.tuning_timeoutHttpReq|default("") != "" and frontend.mode == 'http' %}
+ timeout http-request {{frontend.tuning_timeoutHttpReq}}
+{% endif %}
+{% if frontend.tuning_timeoutHttpKeepAlive|default("") != "" and frontend.mode == 'http' %}
+ timeout http-keep-alive {{frontend.tuning_timeoutHttpKeepAlive}}
+{% endif %}
+{# # call macro to evaluate stickiness config #}
+{{ StickTableConfig(frontend) }}
 # logging options
 {% if frontend.logging_dontLogNull=='1' %}
 option dontlognull
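Review bot: `preload` is emitted whenever the checkbox is set, but the browser preload list only accepts a header that also carries `includeSubDomains` and a `max-age` of at least one year (31536000 seconds), and the model context next to the new checkboxes suggests `ssl_hstsMaxAge` is capped at 15768000, so a preload-enabled header generated here can never satisfy the submission requirements. Preload is also effectively irreversible once a domain has been submitted, which operators need to know before ticking the box. Either raise the max-age bound and reject `preload` without `includeSubDomains` in the model, or at least state it in the field help: `Requires includeSubDomains and a max-age of at least one year; removal from the preload list takes months.`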
@@ -802,24 +938,8 @@ backend {{backend.name}}
 {# # (redundant) GUI option for this. #}
 mode {{backend.mode}}
 balance {{backend.algorithm}}
-{# # ignore if stickiness is disabled (set to "None") #}
-{% if backend.stickiness_pattern|default("") != "" %}
- # stickiness
-{% if backend.stickiness_pattern == "sourceipv4" %}
- stick-table type ip size {{backend.stickiness_size}} expire {{backend.stickiness_expire}}
- stick on src
-{% elif backend.stickiness_pattern == "sourceipv6" %}
- stick-table type ipv6 size {{backend.stickiness_size}} expire {{backend.stickiness_expire}}
- stick on src
-{% elif backend.stickiness_pattern == "cookievalue" %}
- stick-table type string len {{backend.stickiness_cookielength}} size {{backend.stickiness_size}} expire {{backend.stickiness_expire}}
- stick store-response res.cook({{backend.stickiness_cookiename}})
- stick on req.cook({{backend.stickiness_cookiename}})
-{% elif backend.stickiness_pattern == "rdpcookie" %}
- stick-table type binary len {{backend.stickiness_cookielength}} size {{backend.stickiness_size}} expire {{backend.stickiness_expire}}
- stick on req.rdp_cookie(mstshash)
-{% endif %}
-{% endif %}
+{# # call macro to evaluate stickiness config #}
+{{ StickTableConfig(backend,true) }}
 # tuning options
 {% if backend.tuning_timeoutConnect|default("") != "" %}
 timeout connect {{backend.tuning_timeoutConnect}}
@@ -948,6 +1068,24 @@ backend {{backend.name}}
 {% endfor %}
 {% endif %}
+{# ############################### #}
+{# PEERS #}
+{# ############################### #}
+
+{% if helpers.exists('OPNsense.HAProxy.general.peers') and OPNsense.HAProxy.general.peers.enabled|default("") == "1" %}
+{# # ensure that no value is missing #}
+{% if OPNsense.HAProxy.general.peers.name1|default("") != '' and
+ OPNsense.HAProxy.general.peers.listen1|default("") != '' and
+ OPNsense.HAProxy.general.peers.port1|default("") != '' and
+ OPNsense.HAProxy.general.peers.name2|default("") != '' and
+ OPNsense.HAProxy.general.peers.listen2|default("") != '' and
+ OPNsense.HAProxy.general.peers.port2|default("") != '' %}
+peers {{peers_name}}
+ peer {{OPNsense.HAProxy.general.peers.name1}} {{OPNsense.HAProxy.general.peers.listen1}}:{{OPNsense.HAProxy.general.peers.port1}}
+ peer {{OPNsense.HAProxy.general.peers.name2}} {{OPNsense.HAProxy.general.peers.listen2}}:{{OPNsense.HAProxy.general.peers.port2}}
+{% endif %}
+{% endif %}
+
 {# ############################### #}
 {# STATISTICS #}
 {# ############################### #}
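Review bot: The generated `peers` section has no authentication or transport protection (the peers protocol runs in cleartext unless a TLS `bind`/`default-bind` is configured, which this template does not emit) and it replicates stick-table contents such as client addresses and counters, so `listen1`/`listen2` should be documented as requiring a trusted network or an explicit firewall rule, consistent with the firewall-rule note on the plugin's index page. haproxy also identifies the local peer by matching one `peer` name against its own hostname (or the `-L` option); as far as the peers documentation goes, when neither `name1` nor `name2` matches, the section is dropped with a warning and the tables silently stop syncing, which the form help for the name fields should mention. A comment above the section such as `{# # peer names must match each node's hostname; peer traffic is unauthenticated, restrict it by firewall #}` would capture both.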