From d2e057782d9c973c698b646d926dbfec929845a5 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Fri, 12 Jan 2018 22:52:41 +0100 Subject: [PATCH 01/13] net/haproxy: support additional HSTS options, refs #447 --- .../OPNsense/HAProxy/forms/dialogFrontend.xml | 12 ++++++++++++ .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 10 +++++++++- .../service/templates/OPNsense/HAProxy/haproxy.conf | 10 +++++++++- 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml index 3b1e3449a..3c069d9d9 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml @@ -110,6 +110,18 @@ checkbox + + frontend.ssl_hstsIncludeSubDomains + + checkbox + + + + frontend.ssl_hstsPreload + + checkbox + + frontend.ssl_hstsMaxAge diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index bf4252e17..5952c48e6 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -1,6 +1,6 @@ //OPNsense/HAProxy - 2.0.1 + 2.1.0 the HAProxy load balancer @@ -355,6 +355,14 @@ 1 Y + + 0 + N + + + 0 + N + 15768000 1 diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index dd8db755c..90c7c9883 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf 
@@ -608,7 +608,15 @@ frontend {{frontend.name}} {% endif %} {# # HSTS #} {% if frontend.ssl_hstsEnabled|default("") == '1' and frontend.mode == 'http' %} - http-response set-header Strict-Transport-Security max-age={{frontend.ssl_hstsMaxAge}} +{% set hsts_options = [] %} +{% do hsts_options.append('max-age=' ~ frontend.ssl_hstsMaxAge) %} +{% if frontend.ssl_hstsIncludeSubDomains|default("") == '1' %} +{% do hsts_options.append('; includeSubDomains') %} +{% endif %} +{% if frontend.ssl_hstsPreload|default("") == '1' %} +{% do hsts_options.append('; preload') %} +{% endif %} + http-response set-header Strict-Transport-Security "{{ hsts_options|join('') }}" {% endif %} {% endif %} {% endif %} From 7381101d5fafff59c4ffe20e342f63f6d2258775 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sat, 13 Jan 2018 00:44:27 +0100 Subject: [PATCH 02/13] net/haproxy: switch to new mutable service controller --- .../HAProxy/Api/ServiceController.php | 125 +----------------- 1 file changed, 6 insertions(+), 119 deletions(-) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php index e5f7b3f34..a68baac0e 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/Api/ServiceController.php @@ -29,7 +29,7 @@ */ namespace OPNsense\HAProxy\Api; -use \OPNsense\Base\ApiControllerBase; +use \OPNsense\Base\ApiMutableServiceControllerBase; use \OPNsense\Core\Backend; use \OPNsense\HAProxy\HAProxy; 
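Review bot: The new `ssl_hstsPreload` branch can emit `preload` without `includeSubDomains`, because the two flags are tested independently; the HSTS preload list requires `includeSubDomains` together with a minimum `max-age`, so in that combination the checkbox only adds an inert token to the header. Deriving the sub-domain directive from either flag keeps the generated header consistent: `{% if frontend.ssl_hstsIncludeSubDomains|default("") == '1' or frontend.ssl_hstsPreload|default("") == '1' %}`. The form help for the preload checkbox should also say that once a domain is preloaded the policy applies to every sub-domain and is slow to revoke, so the configured `ssl_hstsMaxAge` needs checking against the list's minimum before enabling it. The enclosing `frontend` block starts and ends outside this hunk.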
@@ -37,125 +37,12 @@ use \OPNsense\HAProxy\HAProxy; * Class ServiceController * @package OPNsense\HAProxy */ -class ServiceController extends ApiControllerBase +class ServiceController extends ApiMutableServiceControllerBase { - /** - * start haproxy service (in background) - * @return array - */ - public function startAction() - { - if ($this->request->isPost()) { - // close session for long running action - $this->sessionClose(); - $backend = new Backend(); - $response = $backend->configdRun("haproxy start"); - return array("response" => $response); - } else { - return array("response" => array()); - } - } - - /** - * stop haproxy service - * @return array - */ - public function stopAction() - { - if ($this->request->isPost()) { - // close session for long running action - $this->sessionClose(); - $backend = new Backend(); - $response = $backend->configdRun("haproxy stop"); - return array("response" => $response); - } else { - return array("response" => array()); - } - } - - /** - * restart haproxy service - * @return array - */ - public function restartAction() - { - if ($this->request->isPost()) { - // close session for long running action - $this->sessionClose(); - $backend = new Backend(); - $response = $backend->configdRun("haproxy restart"); - return array("response" => $response); - } else { - return array("response" => array()); - } - } - - /** - * retrieve status of haproxy service - * @return array - * @throws \Exception - */ - public function statusAction() - { - $backend = new Backend(); - $mdlProxy = new HAProxy(); - $response = $backend->configdRun("haproxy status"); - - if (strpos($response, "not running") > 0) { - if ($mdlProxy->general->enabled->__toString() == 1) { - $status = "stopped"; - } else { - $status = "disabled"; - } - } elseif (strpos($response, "is running") > 0) { - $status = "running"; - } elseif ($mdlProxy->general->enabled->__toString() == 0) { - $status = "disabled"; - } else { - $status = "unkown"; - } - - return array("status" 
=> $status); - } - - /** - * reconfigure haproxy, generate config and reload - */ - public function reconfigureAction() - { - if ($this->request->isPost()) { - $force_restart = false; - // close session for long running action - $this->sessionClose(); - - $mdlProxy = new HAProxy(); - $backend = new Backend(); - - $runStatus = $this->statusAction(); - - // stop haproxy when disabled - if ($runStatus['status'] == "running" && - ($mdlProxy->general->enabled->__toString() == 0 || $force_restart)) { - $this->stopAction(); - } - - // generate template - $backend->configdRun('template reload OPNsense/HAProxy'); - - // (res)start daemon - if ($mdlProxy->general->enabled->__toString() == 1) { - if ($runStatus['status'] == "running" && !$force_restart) { - $backend->configdRun("haproxy reload"); - } else { - $this->startAction(); - } - } - - return array("status" => "ok"); - } else { - return array("status" => "failed"); - } - } + static protected $internalServiceClass = '\OPNsense\HAProxy\HAProxy'; + static protected $internalServiceTemplate = 'OPNsense/Haproxy'; + static protected $internalServiceEnabled = 'general.enabled'; + static protected $internalServiceName = 'haproxy'; /** * run syntax check for haproxy configuration From 3a6c27bbf8d767d11dc865eeb04d230c3913efde Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sat, 13 Jan 2018 00:50:42 +0100 Subject: [PATCH 03/13] net/haproxy: bump version --- net/haproxy/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index de2849155..4c4fde354 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -1,5 +1,5 @@ PLUGIN_NAME= haproxy -PLUGIN_VERSION= 2.3 +PLUGIN_VERSION= 2.4 PLUGIN_COMMENT= Reliable, high performance TCP/HTTP load balancer PLUGIN_DEPENDS= haproxy PLUGIN_MAINTAINER= opnsense@moov.de From 55bcce55dabc3a08534e90323e98dc30bc180154 Mon Sep 17 00:00:00 2001 
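Review bot: `static protected $internalServiceTemplate = 'OPNsense/Haproxy';` does not match the template directory used everywhere else in this series, `OPNsense/HAProxy` (the removed `configdRun('template reload OPNsense/HAProxy')` and the `service/templates/OPNsense/HAProxy/haproxy.conf` path), so on a case-sensitive filesystem the base class's reconfigure would presumably fail to regenerate haproxy.conf and saved changes would never reach the daemon. It should read `protected static $internalServiceTemplate = 'OPNsense/HAProxy';`, and PSR-12 puts `static` after the visibility keyword on all four properties. With the start/stop/status/reconfigure actions gone, the `Backend` and `HAProxy` imports kept by the earlier hunk may now be unused unless the remaining syntax-check action still needs them; that method is outside my view. The class body continues past the end of the hunk.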
From: Frank Wall Date: Sat, 13 Jan 2018 14:48:20 +0100 Subject: [PATCH 04/13] net/haproxy: add new HTTP timeout settings, refs #202 --- .../OPNsense/HAProxy/forms/dialogFrontend.xml | 14 ++++++++++++++ .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 10 ++++++++++ .../templates/OPNsense/HAProxy/haproxy.conf | 6 ++++++ 3 files changed, 30 insertions(+) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml index 3c069d9d9..6fc2948a1 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml @@ -145,6 +145,20 @@ true + + frontend.tuning_timeoutHttpReq + + text + + true + + + frontend.tuning_timeoutHttpKeepAlive + + text + + true + header diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index 5952c48e6..c7717b67d 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -381,6 +381,16 @@ Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". N + + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + 0 Y diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index 90c7c9883..ccaefda24 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf 
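Review bot: The masks added for `tuning_timeoutHttpReq` and `tuning_timeoutHttpKeepAlive`, `/^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u`, are anchored only at the start, so any text following a valid prefix passes validation and is written verbatim onto a `timeout` line of haproxy.conf by the template; for a value that a GUI user with frontend rights can set, that is a configuration-injection surface and at best a confusing reload failure. Anchoring the end, `/^[0-9]{1,8}(?:us|ms|s|m|h|d)?$/u`, matches what the help text already promises. The same unanchored pattern is copied into the six `stickiness_*RatePeriod` fields of the backend model hunk in patch 05 and of the frontend model hunk in patch 07, and the context line shows it was already in use, so one shared fix is worthwhile. The XML element tags are not visible here, so I am inferring the field layout from the values.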
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf @@ -651,6 +651,12 @@ frontend {{frontend.name}} timeout client {{frontend.tuning_timeoutClient}} {% elif OPNsense.HAProxy.general.defaults.timeoutClient is defined %} timeout client {{OPNsense.HAProxy.general.defaults.timeoutClient}} +{% endif %} +{% if frontend.tuning_timeoutHttpReq|default("") != "" and frontend.mode == 'http' %} + timeout http-request {{frontend.tuning_timeoutHttpReq}} +{% endif %} +{% if frontend.tuning_timeoutHttpKeepAlive|default("") != "" and frontend.mode == 'http' %} + timeout http-keep-alive {{frontend.tuning_timeoutHttpKeepAlive}} {% endif %} # logging options {% if frontend.logging_dontLogNull=='1' %} From d447b5d5a771008ed83c03b4cf5fad8addd371e2 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 14 Jan 2018 00:35:30 +0100 Subject: [PATCH 05/13] net/haproxy: make stick-table config more flexible, refs #202 --- .../OPNsense/HAProxy/forms/dialogBackend.xml | 49 +++++++++++++++++ .../app/models/OPNsense/HAProxy/HAProxy.xml | 55 +++++++++++++++++++ .../templates/OPNsense/HAProxy/haproxy.conf | 34 ++++++++++-- 3 files changed, 133 insertions(+), 5 deletions(-) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml index 6c7d1fbe9..b311cfca5 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml @@ -81,6 +81,13 @@ HAProxy documentation for a full description.
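Review bot: The new `timeout http-request` and `timeout http-keep-alive` lines have no fallback to a global default, unlike `timeout client` just above, which falls back to `OPNsense.HAProxy.general.defaults.timeoutClient` when the frontend leaves it empty. If the defaults model gains matching fields (I cannot see it from here) the same `{% elif ... is defined %}` shape would keep the three consistent; otherwise a comment such as `{# # no global default: HAProxy falls back to 'timeout client' for the request header read #}` documents the intended behaviour. `timeout http-request` is the setting that bounds how long a client may take to deliver complete request headers, so a site-wide default is more useful than relying on every frontend to set it. The enclosing `frontend` block starts and ends outside this hunk.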
NOTE: Consider not using this feature in multi-process mode, it can result in random behaviours.
]]>
Choose a persistence type.
+ + backend.stickiness_dataTypes + + select_multiple + + HAProxy documentation for a full description.]]> + backend.stickiness_expire @@ -107,6 +114,48 @@ text + + backend.stickiness_connRatePeriod + + text + + true + + + backend.stickiness_sessRatePeriod + + text + + true + + + backend.stickiness_httpReqRatePeriod + + text + + true + + + backend.stickiness_httpErrRatePeriod + + text + + true + + + backend.stickiness_bytesInRatePeriod + + text + + true + + + backend.stickiness_bytesOutRatePeriod + + text + + true + header diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index c7717b67d..acbef1629 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -540,6 +540,25 @@ Stick on RDP-Cookie + + N + Y + + Connection count + Current connections + Connection rate + Session count + Session rate + HTTP request count + HTTP request rate + HTTP error count + HTTP error rate + Bytes in count (client to server) + Bytes in rate (client to server) + Bytes out count (server to client) + Bytes out rate (server to client) + + Y 30m 
@@ -565,6 +584,42 @@ Please specify a value between 1 and 10000. N + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 1m + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 1m + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index ccaefda24..9eb5f0976 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf 
@@ -816,21 +816,45 @@ backend {{backend.name}} {# # (redundant) GUI option for this. #} mode {{backend.mode}} balance {{backend.algorithm}} -{# # ignore if stickiness is disabled (set to "None") #} +{# # check if stickiness is disabled (set to "None") #} {% if backend.stickiness_pattern|default("") != "" %} # stickiness +{# # check if additional data types are configured #} +{% if backend.stickiness_dataTypes|default("") != "" %} +{% set stickiness_datatypes = [] %} +{% for datatype in backend.stickiness_dataTypes.split(",") %} +{# # add time period to all types where this is required #} +{% if datatype == 'conn_rate' %} +{% do stickiness_datatypes.append(datatype ~ '(' ~ backend.stickiness_connRatePeriod ~ ')') %} +{% elif datatype == 'sess_rate' %} +{% do stickiness_datatypes.append(datatype ~ '(' ~ backend.stickiness_sessRatePeriod ~ ')') %} +{% elif datatype == 'http_req_rate' %} +{% do stickiness_datatypes.append(datatype ~ '(' ~ backend.stickiness_httpReqRatePeriod ~ ')') %} +{% elif datatype == 'http_err_rate' %} +{% do stickiness_datatypes.append(datatype ~ '(' ~ backend.stickiness_httpErrRatePeriod ~ ')') %} +{% elif datatype == 'bytes_in_rate' %} +{% do stickiness_datatypes.append(datatype ~ '(' ~ backend.stickiness_bytesInRatePeriod ~ ')') %} +{% elif datatype == 'bytes_out_rate' %} +{% do stickiness_datatypes.append(datatype ~ '(' ~ backend.stickiness_bytesOutRatePeriod ~ ')') %} +{% else %} +{% do stickiness_datatypes.append(datatype) %} +{% endif %} +{% endfor %} +{% set stickiness_store = 'store ' ~ stickiness_datatypes|join(',') %} +{% endif %} +{# # check stick-table type #} {% if backend.stickiness_pattern == "sourceipv4" %} - stick-table type ip size {{backend.stickiness_size}} expire {{backend.stickiness_expire}} + stick-table type ip size {{backend.stickiness_size}} expire {{backend.stickiness_expire}} {{stickiness_store}} stick on src {% elif backend.stickiness_pattern == "sourceipv6" %} - stick-table type ipv6 size {{backend.stickiness_size}} 
expire {{backend.stickiness_expire}} + stick-table type ipv6 size {{backend.stickiness_size}} expire {{backend.stickiness_expire}} {{stickiness_store}} stick on src {% elif backend.stickiness_pattern == "cookievalue" %} - stick-table type string len {{backend.stickiness_cookielength}} size {{backend.stickiness_size}} expire {{backend.stickiness_expire}} + stick-table type string len {{backend.stickiness_cookielength}} size {{backend.stickiness_size}} expire {{backend.stickiness_expire}} {{stickiness_store}} stick store-response res.cook({{backend.stickiness_cookiename}}) stick on req.cook({{backend.stickiness_cookiename}}) {% elif backend.stickiness_pattern == "rdpcookie" %} - stick-table type binary len {{backend.stickiness_cookielength}} size {{backend.stickiness_size}} expire {{backend.stickiness_expire}} + stick-table type binary len {{backend.stickiness_cookielength}} size {{backend.stickiness_size}} expire {{backend.stickiness_expire}} {{stickiness_store}} stick on req.rdp_cookie(mstshash) {% endif %} {% endif %} From f171deba9f7bbd9cad85d591c5cedc611b558ef2 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 14 Jan 2018 16:27:39 +0100 Subject: [PATCH 06/13] net/haproxy: support many new conditions, refs #202 --- .../OPNsense/HAProxy/forms/dialogAcl.xml | 208 +++++++++++++++++ .../OPNsense/HAProxy/forms/dialogBackend.xml | 2 +- .../app/models/OPNsense/HAProxy/HAProxy.xml | 220 +++++++++++++++++- .../templates/OPNsense/HAProxy/haproxy.conf | 30 +++ 4 files changed, 455 insertions(+), 5 deletions(-) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml index a86a6599e..886d9f206 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml 
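Review bot: `{{stickiness_store}}` on the four `stick-table` lines is only assigned inside `{% if backend.stickiness_dataTypes|default("") != "" %}`, so a backend with stickiness but no extra data types renders an undefined variable; with Jinja2's default `Undefined` that is just a trailing space, but under `StrictUndefined` it would abort config generation. `{{stickiness_store|default("")}}` makes the intent explicit, or initialise `{% set stickiness_store = '' %}` before the `if`. The same expression is carried unchanged into the `StickTableConfig` macro in patch 07 (`@@ -485,6 +485,80 @@`). The enclosing `backend` block starts outside this hunk.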
@@ -198,6 +198,214 @@ text + + + header + + + + acl.src_bytes_in_rate_comparison + + dropdown + + + acl.src_bytes_in_rate + + text + + + + + header + + + + acl.src_bytes_out_rate_comparison + + dropdown + + + acl.src_bytes_out_rate + + text + + + + + header + + + + acl.src_conn_cnt_comparison + + dropdown + + + acl.src_conn_cnt + + text + + + + + header + + + + acl.src_conn_cur_comparison + + dropdown + + + acl.src_conn_cur + + text + + + + + header + + + + acl.src_conn_rate_comparison + + dropdown + + + acl.src_conn_rate + + text + + + + + header + + + + acl.src_http_err_cnt_comparison + + dropdown + + + acl.src_http_err_cnt + + text + + + + + header + + + + acl.src_http_err_rate_comparison + + dropdown + + + acl.src_http_err_rate + + text + + + + + header + + + + acl.src_http_req_cnt_comparison + + dropdown + + + acl.src_http_req_cnt + + text + + + + + header + + + + acl.src_http_req_rate_comparison + + dropdown + + + acl.src_http_req_rate + + text + + + + + header + + + + acl.src_kbytes_in_comparison + + dropdown + + + acl.src_kbytes_in + + text + + + + + header + + + + acl.src_kbytes_out_comparison + + dropdown + + + acl.src_kbytes_out + + text + + + + + header + + + + acl.src_port_comparison + + dropdown + + + acl.src_port + + text + + + + + header + + + + acl.src_sess_cnt_comparison + + dropdown + + + acl.src_sess_cnt + + text + + header diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml index b311cfca5..0f93af843 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml @@ -86,7 +86,7 @@ select_multiple - HAProxy documentation for a full description.]]> + HAProxy documentation for a full description.]]> backend.stickiness_expire 
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index acbef1629..ab97b718c 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -951,9 +951,6 @@ Path ends with Path matches Path regex - Path contains subdir Path contains string URL parameter contains @@ -962,6 +959,26 @@ SSL Client certificate verify error result SSL Client certificate issued by CA common-name Source IP matches specified IP + Source IP is local + Source IP: TCP source port + Source IP: incoming bytes rate + Source IP: outgoing bytes rate + Source IP: amount of data received (in kilobytes) + Source IP: amount of data sent (in kilobytes) + + Source IP: cumulative number of connections + Source IP: concurrent connections + Source IP: connection rate + + + + Source IP: cumulative number of HTTP errors + Source IP: rate of HTTP errors + Source IP: number of HTTP requests + Source IP: rate of HTTP requests + + Source IP: cumulative number of connections + Source IP: session rate Minimum number of usable servers in backend Traffic is HTTP Traffic is SSL 
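Review bot: The option label `Source IP: cumulative number of connections` appears twice in the new list; given its position right before `Source IP: session rate` the second occurrence is presumably the `src_sess_cnt` entry and should read `Source IP: cumulative number of sessions`, otherwise two dropdown entries are indistinguishable in the GUI. Option values are stripped from this view, so please confirm which key the duplicate belongs to.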
@@ -1054,6 +1071,202 @@ /^.{1,4096}$/u N + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + + + N + gt + + greater than + greater equal + equal + less than + less equal + + + + N + 0 500000 @@ -1158,7 +1371,6 @@ Y - Use specified Backend Pool Override server in Backend Pool diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index 9eb5f0976..cfc150c62 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf 
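Review bot: The fourteen `src_*` value fields beside the `*_comparison` dropdowns appear to carry only a required flag and no validation mask, unlike the timeout fields elsewhere in this series, so whatever is typed is concatenated straight into an `acl` line by the haproxy.conf hunk of this patch. HAProxy expects a plain integer after `gt`/`ge`/`eq`/`lt`/`le`, so a mask such as `/^[0-9]{1,10}$/` on the count and rate fields (and a 1–65535 range check on `src_port`) rejects anything that would break or alter the generated configuration. The XML element tags are not visible here, so I am inferring the absence of a mask from the layout.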
@@ -172,6 +172,36 @@ {% set acl_enabled = '0' %} # ERROR: missing parameters {% endif %} +{% elif acl_data.expression == 'src_is_local' %} +{% do acl_options.append('src_is_local') %} +{% elif acl_data.expression == 'src_bytes_in_rate' %} +{% do acl_options.append('src_bytes_in_rate ' ~ acl_data.src_bytes_in_rate_comparison ~ ' ' ~ acl_data.src_bytes_in_rate) %} +{% elif acl_data.expression == 'src_bytes_out_rate' %} +{% do acl_options.append('src_bytes_out_rate ' ~ acl_data.src_bytes_out_rate_comparison ~ ' ' ~ acl_data.src_bytes_out_rate) %} +{% elif acl_data.expression == 'src_conn_cnt' %} +{% do acl_options.append('src_conn_cnt ' ~ acl_data.src_conn_cnt_comparison ~ ' ' ~ acl_data.src_conn_cnt) %} +{% elif acl_data.expression == 'src_conn_cur' %} +{% do acl_options.append('src_conn_cur ' ~ acl_data.src_conn_cur_comparison ~ ' ' ~ acl_data.src_conn_cur) %} +{% elif acl_data.expression == 'src_conn_rate' %} +{% do acl_options.append('src_conn_rate ' ~ acl_data.src_conn_rate_comparison ~ ' ' ~ acl_data.src_conn_rate) %} +{% elif acl_data.expression == 'src_http_err_cnt' %} +{% do acl_options.append('src_http_err_cnt ' ~ acl_data.src_http_err_cnt_comparison ~ ' ' ~ acl_data.src_http_err_cnt) %} +{% elif acl_data.expression == 'src_http_err_rate' %} +{% do acl_options.append('src_http_err_rate ' ~ acl_data.src_http_err_rate_comparison ~ ' ' ~ acl_data.src_http_err_rate) %} +{% elif acl_data.expression == 'src_http_req_cnt' %} +{% do acl_options.append('src_http_req_cnt ' ~ acl_data.src_http_req_cnt_comparison ~ ' ' ~ acl_data.src_http_req_cnt) %} +{% elif acl_data.expression == 'src_http_req_rate' %} +{% do acl_options.append('src_http_req_rate ' ~ acl_data.src_http_req_rate_comparison ~ ' ' ~ acl_data.src_http_req_rate) %} +{% elif acl_data.expression == 'src_kbytes_in' %} +{% do acl_options.append('src_kbytes_in ' ~ acl_data.src_kbytes_in_comparison ~ ' ' ~ acl_data.src_kbytes_in) %} +{% elif acl_data.expression == 'src_kbytes_out' %} +{% do 
acl_options.append('src_kbytes_out ' ~ acl_data.src_kbytes_out_comparison ~ ' ' ~ acl_data.src_kbytes_out) %} +{% elif acl_data.expression == 'src_port' %} +{% do acl_options.append('src_port ' ~ acl_data.src_port_comparison ~ ' ' ~ acl_data.src_port) %} +{% elif acl_data.expression == 'src_sess_cnt' %} +{% do acl_options.append('src_sess_cnt' ~ acl_data.src_sess_cnt_comparison ~ ' ' ~ acl_data.src_sess_cnt) %} +{% elif acl_data.expression == 'src_sess_rate' %} +{% do acl_options.append('src_sess_rate ' ~ acl_data.src_sess_rate_comparison ~ ' ' ~ acl_data.src_sess_rate) %} {% elif acl_data.expression == 'nbsrv' %} {% do acl_options.append('') %} {% if acl_data.nbsrv|default("") != "" %} From d060107a494addb475f4d2def53c362ce8a4ad6d Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 14 Jan 2018 18:12:08 +0100 Subject: [PATCH 07/13] net/haproxy: support stick-table in frontends for #202 --- .../OPNsense/HAProxy/forms/dialogFrontend.xml | 81 ++++++++++++ .../app/models/OPNsense/HAProxy/HAProxy.xml | 85 +++++++++++++ .../templates/OPNsense/HAProxy/haproxy.conf | 120 ++++++++++++------ 3 files changed, 244 insertions(+), 42 deletions(-) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml index 6fc2948a1..d908c0f01 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml 
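Review bot: The `src_sess_cnt` branch is missing the space after the fetch name, `'src_sess_cnt' ~ acl_data.src_sess_cnt_comparison`, so it renders as (constructed example) `src_sess_cntgt 10` and HAProxy rejects the configuration; it should be `{% do acl_options.append('src_sess_cnt ' ~ acl_data.src_sess_cnt_comparison ~ ' ' ~ acl_data.src_sess_cnt) %}` like its neighbours. The `src_sess_rate` branch reads `acl_data.src_sess_rate_comparison` and `acl_data.src_sess_rate`, which the model hunk defines, but I do not see matching fields in the dialogAcl.xml hunk, so that expression may not be configurable from the GUI. Fourteen near-identical branches would be less error-prone as a loop over a list of fetch names. The enclosing ACL loop starts and ends outside this hunk.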
@@ -208,6 +208,87 @@ checkbox + + + header + + + frontend.stickiness_pattern + + dropdown + HAProxy documentation for further information.]]> + Choose a stick-table type. + + + frontend.stickiness_dataTypes + + select_multiple + + HAProxy documentation for a full description.]]> + + + frontend.stickiness_expire + + text + + true + + + frontend.stickiness_size + + text + + true + + + frontend.stickiness_length + + text + + true + + + frontend.stickiness_connRatePeriod + + text + + true + + + frontend.stickiness_sessRatePeriod + + text + + true + + + frontend.stickiness_httpReqRatePeriod + + text + + true + + + frontend.stickiness_httpErrRatePeriod + + text + + true + + + frontend.stickiness_bytesInRatePeriod + + text + + true + + + frontend.stickiness_bytesOutRatePeriod + + text + + true + header diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index ab97b718c..edba14fbf 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml 
@@ -411,6 +411,91 @@ 0 Y + + N + + only store IPv4 addresses [default] + only store IPv6 addresses + store 32bit integers + store substrings (max. 32 characters) + store binary blocks (max. 32 characters) + + + + N + Y + + Connection count + Current connections + Connection rate + Session count + Session rate + HTTP request count + HTTP request rate + HTTP error count + HTTP error rate + Bytes in count (client to server) + Bytes in rate (client to server) + Bytes out count (server to client) + Bytes out rate (server to client) + + + + Y + 30m + /^([0-9]{1,5}(?:ms|s|m|h|d)?)/u + lower + Should be a number between 1 and 5 characters followed by either "d", "h", "m", "s" or "ms". + + + Y + 50k + /^([0-9]{1,5}[k|m|g]{1})*/u + lower + Should be a number between 1 and 5 characters followed by either "k", "m" or "g". + + + 1 + 16384 + Please specify a value between 1 and 16384. + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 10s + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 1m + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + + + 1m + /^([0-9]{1,8}(?:us|ms|s|m|h|d)?)/u + Should be a number between 1 and 8 characters, optionally followed by either "d", "h", "m", "s", "ms" or "us". + N + 0 Y 
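Review bot: The `stickiness_size` mask `/^([0-9]{1,5}[k|m|g]{1})*/u` accepts every input: the trailing `*` makes the whole group optional so the empty prefix always matches, and `[k|m|g]` also admits a literal `|`. A pattern that states what the help text says, `/^[0-9]{1,5}[kmg]$/u` (use `[kmg]?` if plain numbers are intended), actually constrains the value before it is interpolated into the `stick-table ... size` line. The `stickiness_expire` mask above it is likewise open at the end, as are the `*RatePeriod` masks noted on the patch 04 model hunk. If these were copied from the existing backend fields, those definitions deserve the same fix.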
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index cfc150c62..eebeac93e 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf 
@@ -485,6 +485,80 @@ {% endif %} {%- endmacro %} +{# Macro expects a backend or frontend object. #} +{% macro StickTableConfig(proxy, backend=False) -%} +{% if proxy is defined %} +{# # check if stickiness is disabled (set to "None") #} +{% if proxy.stickiness_pattern|default("") != "" %} + # stickiness +{# # check if additional data types are configured #} +{% if proxy.stickiness_dataTypes|default("") != "" %} +{% set stickiness_datatypes = [] %} +{% for datatype in proxy.stickiness_dataTypes.split(",") %} +{# # add time period to all types where this is required #} +{% if datatype == 'conn_rate' %} +{% do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_connRatePeriod ~ ')') %} +{% elif datatype == 'sess_rate' %} +{% do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_sessRatePeriod ~ ')') %} +{% elif datatype == 'http_req_rate' %} +{% do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_httpReqRatePeriod ~ ')') %} +{% elif datatype == 'http_err_rate' %} +{% do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_httpErrRatePeriod ~ ')') %} +{% elif datatype == 'bytes_in_rate' %} +{% do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_bytesInRatePeriod ~ ')') %} +{% elif datatype == 'bytes_out_rate' %} +{% do stickiness_datatypes.append(datatype ~ '(' ~ proxy.stickiness_bytesOutRatePeriod ~ ')') %} +{% else %} +{% do stickiness_datatypes.append(datatype) %} +{% endif %} +{% endfor %} +{% set stickiness_store = 'store ' ~ stickiness_datatypes|join(',') %} +{% endif %} +{# # check stick-table type #} +{% if proxy.stickiness_pattern == "sourceipv4" or proxy.stickiness_pattern == "ipv4" %} +{% set table_type = 'ip' %} +{% elif proxy.stickiness_pattern == "sourceipv6" or proxy.stickiness_pattern == "ipv6" %} +{% set table_type = 'ipv6' %} +{% elif proxy.stickiness_pattern == "cookievalue" or proxy.stickiness_pattern == "string" %} +{% set table_type = 'string' %} +{% set add_length = True %} +{% elif 
proxy.stickiness_pattern == "rdpcookie" or proxy.stickiness_pattern == "binary" %} +{% set table_type = 'binary' %} +{% set add_length = True %} +{% elif proxy.stickiness_pattern == "integer" %} +{% set table_type = 'integer' %} +{% endif %} +{# # check data length #} +{% if add_length is defined %} +{% if proxy.stickiness_cookielength is defined %} +{% set data_length = proxy.stickiness_cookielength %} +{% elif proxy.stickiness_length is defined %} +{% set data_length = proxy.stickiness_length %} +{% else %} +{% set data_length = '32' %} +{% endif %} +{% endif %} +{# # add stick-table #} +{% if table_type is defined %} + stick-table type {{table_type}} {%if add_length is defined %}len {{data_length}} {% endif %}size {{proxy.stickiness_size}} expire {{proxy.stickiness_expire}} {{stickiness_store}} +{% endif %} +{# # stick-table persistence (backends only) #} +{%- if backend == True -%} +{%- if proxy.stickiness_pattern == "cookievalue" %} + stick store-response res.cook({{proxy.stickiness_cookiename}}) + stick on req.cook({{proxy.stickiness_cookiename}}) +{%- elif proxy.stickiness_pattern == "rdpcookie" %} + stick on req.rdp_cookie(mstshash) +{%- elif proxy.stickiness_pattern != '' %} + stick on src +{%- endif -%} +{%- endif -%} +{% endif %} +{% else %} +# ERROR: StickTableConfig called with empty data +{% endif %} +{%- endmacro -%} + {% if not (helpers.exists('OPNsense.HAProxy.general') and OPNsense.HAProxy.general.enabled|default("0") == "1") %} # # NOTE: HAProxy is currently DISABLED @@ -688,6 +762,8 @@ frontend {{frontend.name}} {% if frontend.tuning_timeoutHttpKeepAlive|default("") != "" and frontend.mode == 'http' %} timeout http-keep-alive {{frontend.tuning_timeoutHttpKeepAlive}} {% endif %} +{# # call macro to evaluate stickiness config #} +{{ StickTableConfig(frontend) }} # logging options {% if frontend.logging_dontLogNull=='1' %} option dontlognull 
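Review bot: The macro's second parameter `backend=False` is a mode flag, but the header comment `Macro expects a backend or frontend object.` reads as if it were the object itself, and `{%- if backend == True -%}` compares a boolean against `True`; naming it `is_backend` and writing `{%- if is_backend -%}` makes the call sites self-explanatory (a backend call site using a keyword argument would need the same rename). I would also extend the comment to say what is emitted: a `stick-table` line for both proxy types, plus `stick on`/`stick store-response` persistence rules only when called for a backend. `{{stickiness_store}}` on the `stick-table` line is undefined when no data types are selected, as raised on the patch 05 backend hunk. The frontend call site in the next hunk passes only `frontend`, which is consistent with the flag's default.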
@@ -846,48 +922,8 @@ backend {{backend.name}}
 {# # (redundant) GUI option for this. #}
 mode {{backend.mode}}
 balance {{backend.algorithm}}
-{# # check if stickiness is disabled (set to "None") #}
-{% if backend.stickiness_pattern|default("") != "" %}
- # stickiness
-{# # check if additional data types are configured #}
-{% if backend.stickiness_dataTypes|default("") != "" %}
-{% set stickiness_datatypes = [] %}
-{% for datatype in backend.stickiness_dataTypes.split(",") %}
-{# # add time period to all types where this is required #}
-{% if datatype == 'conn_rate' %}
-{% do stickiness_datatypes.append(datatype ~ '(' ~ backend.stickiness_connRatePeriod ~ ')') %}
-{% elif datatype == 'sess_rate' %}
-{% do stickiness_datatypes.append(datatype ~ '(' ~ backend.stickiness_sessRatePeriod ~ ')') %}
-{% elif datatype == 'http_req_rate' %}
-{% do stickiness_datatypes.append(datatype ~ '(' ~ backend.stickiness_httpReqRatePeriod ~ ')') %}
-{% elif datatype == 'http_err_rate' %}
-{% do stickiness_datatypes.append(datatype ~ '(' ~ backend.stickiness_httpErrRatePeriod ~ ')') %}
-{% elif datatype == 'bytes_in_rate' %}
-{% do stickiness_datatypes.append(datatype ~ '(' ~ backend.stickiness_bytesInRatePeriod ~ ')') %}
-{% elif datatype == 'bytes_out_rate' %}
-{% do stickiness_datatypes.append(datatype ~ '(' ~ backend.stickiness_bytesOutRatePeriod ~ ')') %}
-{% else %}
-{% do stickiness_datatypes.append(datatype) %}
-{% endif %}
-{% endfor %}
-{% set stickiness_store = 'store ' ~ stickiness_datatypes|join(',') %}
-{% endif %}
-{# # check stick-table type #}
-{% if backend.stickiness_pattern == "sourceipv4" %}
- stick-table type ip size {{backend.stickiness_size}} expire {{backend.stickiness_expire}} {{stickiness_store}}
- stick on src
-{% elif backend.stickiness_pattern == "sourceipv6" %}
- stick-table type ipv6 size {{backend.stickiness_size}} expire {{backend.stickiness_expire}} {{stickiness_store}}
- stick on src
-{% elif backend.stickiness_pattern == "cookievalue" %}
- stick-table 
type string len {{backend.stickiness_cookielength}} size {{backend.stickiness_size}} expire {{backend.stickiness_expire}} {{stickiness_store}}
- stick store-response res.cook({{backend.stickiness_cookiename}})
- stick on req.cook({{backend.stickiness_cookiename}})
-{% elif backend.stickiness_pattern == "rdpcookie" %}
- stick-table type binary len {{backend.stickiness_cookielength}} size {{backend.stickiness_size}} expire {{backend.stickiness_expire}} {{stickiness_store}}
- stick on req.rdp_cookie(mstshash)
-{% endif %}
-{% endif %}
+{# # call macro to evaluate stickiness config #}
+{{ StickTableConfig(backend,true) }}
 # tuning options
 {% if backend.tuning_timeoutConnect|default("") != "" %}
 timeout connect {{backend.tuning_timeoutConnect}}
From 7f8bcab242dbcb76848629478e8aa9f6468f7af9 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 14 Jan 2018 18:16:29 +0100 Subject: [PATCH 08/13] net/haproxy: fix option and help text --- .../app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml | 2 +- .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index d908c0f01..5fde9664d 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -216,7 +216,7 @@ frontend.stickiness_pattern dropdown - HAProxy documentation for further information.]]> + HAProxy documentation for further information.]]> Choose a stick-table type.
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index edba14fbf..d4a690779 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml 
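Review bot: `StickTableConfig(backend,true)` passes the switch positionally and in lowercase while the macro declares it as `backend=False`; `StickTableConfig(backend, backend=True)` reads as the boolean it is and lines up with the frontend call `StickTableConfig(frontend)`. Behaviourally the macro's `{%- elif proxy.stickiness_pattern != '' %}` branch now emits `stick on src` for every non-empty pattern other than cookievalue/rdpcookie, whereas the removed code did so only for sourceipv4/sourceipv6, so a backend that ever carried a `string`, `integer` or `binary` pattern would get a `src`-keyed `stick on` against a non-IP table. If the backend dropdown cannot offer those values this is harmless, but a `{# # backends only use the source*/cookie*/rdpcookie patterns #}` note next to that branch would record the assumption.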
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -417,8 +417,8 @@ only store IPv4 addresses [default] only store IPv6 addresses store 32bit integers - store substrings (max. 32 characters) - store binary blocks (max. 32 characters) + store substrings + store binary blocks From 65a3e7cf169f56fac1606d727aac7bcfb3ce614f Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 14 Jan 2018 19:06:37 +0100 Subject: [PATCH 09/13] net/haproxy: add sticky counter for #202 --- .../OPNsense/HAProxy/forms/dialogFrontend.xml | 14 ++++++++++++++ .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 10 ++++++++++ .../templates/OPNsense/HAProxy/haproxy.conf | 6 ++++++ 3 files changed, 30 insertions(+) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml index 5fde9664d..1ccd924b6 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml @@ -240,6 +240,20 @@ true + + frontend.stickiness_counter + + checkbox + + true + + + frontend.stickiness_counter_key + + text + HAProxy documentation for a full description.]]> + true + frontend.stickiness_length diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index d4a690779..982e9c0ae 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -454,6 +454,16 @@ lower Should be a number between 1 and 5 characters followed by either "k", "m" or "g". + + 1 + N + + + src + N + /^([0-9a-zA-Z._]){1,32}$/u + Should be a string between 1 and 32 characters. + 1 16384 
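Review bot: `stickiness_counter_key` is validated with `/^([0-9a-zA-Z._]){1,32}$/u`, which admits only bare fetch names such as the default `src`; any key with arguments or converters (parentheses, commas, hyphens) is rejected, so the help text that refers readers to the HAProxy documentation for the key promises more than the mask allows. Either say in the help text that only simple sample names are accepted, or widen the mask deliberately while keeping whitespace and line breaks excluded, because the template renders the value verbatim after `track-sc0`. The new `stickiness_counter` field also appears to default to `1`, which means any existing frontend with a stick-table starts tracking connections the next time it is saved; confirm that is intended rather than `0`.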
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index eebeac93e..bd0954a1d 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -542,6 +542,12 @@
 {% if table_type is defined %}
 stick-table type {{table_type}} {%if add_length is defined %}len {{data_length}} {% endif %}size {{proxy.stickiness_size}} expire {{proxy.stickiness_expire}} {{stickiness_store}}
 {% endif %}
+{# # sticky counters (frontends only) #}
+{%- if backend == False -%}
+{%- if proxy.stickiness_counter|default("0") == "1" and proxy.stickiness_counter_key != '' %}
+ tcp-request connection track-sc0 {{proxy.stickiness_counter_key}}
+{%- endif -%}
+{%- endif -%}
 {# # stick-table persistence (backends only) #}
 {%- if backend == True -%}
 {%- if proxy.stickiness_pattern == "cookievalue" %}
From 079ce406293a7e858037102c3e9f47aff443a64a Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 14 Jan 2018 19:25:29 +0100 Subject: [PATCH 10/13] net/haproxy: relax several "name" fields Some "name" fields are used as identifiers in haproxy.conf, these require special care. Others are only used in the GUI and may contain special characters. --- .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 982e9c0ae..798cc4467 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -863,7 +863,7 @@ - /^([0-9a-zA-Z._]){1,255}$/u + /^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u Should be a string between 1 and 255 characters. Y 
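Review bot: `tcp-request connection track-sc0 {{proxy.stickiness_counter_key}}` is emitted whenever the counter is enabled, independently of the `{% if table_type is defined %}` guard three lines above it; a frontend whose `stickiness_pattern` matches none of the known values would get a `track-sc0` with no stick-table in scope and HAProxy rejects the configuration. Folding the test into one condition, `{%- if table_type is defined and proxy.stickiness_counter|default("0") == "1" and proxy.stickiness_counter_key|default("") != '' %}`, ties the two lines together; the `|default("")` also brings the key test in line with every other attribute check in this macro. The enclosing macro starts and ends outside this hunk.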
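Review bot: The new mask `/^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u` (repeated in the -1025, -1427, -1681 and -1701 hunks below) does not exclude CR or LF, while the repeated `^` inside the class is a literal and so silently bans the caret, which is unlikely to be what was meant. For fields that are GUI-only, as the commit message says, a stray line break is merely odd, but if any of the five is ever interpolated into haproxy.conf or into a page without escaping, a multi-line value would land there verbatim; `/^[^\t\r\n,;.\[\]{}]{1,255}$/u` states the intent without the extra carets. Which five fields these hunks belong to is not visible in this rendering, so confirm the GUI-only claim per field before merging.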
@@ -1025,7 +1025,7 @@ N - /^([0-9a-zA-Z._]){1,255}$/u + /^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u Should be a string between 1 and 255 characters. Y @@ -1427,7 +1427,7 @@ - /^([0-9a-zA-Z._]){1,255}$/u + /^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u Should be a string between 1 and 255 characters. Y @@ -1681,7 +1681,7 @@ Y - /^([0-9a-zA-Z_\-]){1,255}$/u + /^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u Should be a string between 1 and 255 characters. Y @@ -1701,7 +1701,7 @@ Y - /^([0-9a-zA-Z_\-]){1,255}$/u + /^[^\t^,^;^\.^\[^\]^\{^\}]{1,255}$/u Should be a string between 1 and 255 characters. Y From 198c0f7d793bbf0b23906c68f7693a8191985270 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sun, 14 Jan 2018 22:03:23 +0100 Subject: [PATCH 11/13] net/haproxy: update documentation URLs --- .../OPNsense/HAProxy/forms/dialogAction.xml | 10 +++++----- .../OPNsense/HAProxy/forms/dialogBackend.xml | 4 ++-- .../OPNsense/HAProxy/forms/dialogFrontend.xml | 2 +- .../opnsense/mvc/app/views/OPNsense/HAProxy/index.volt | 6 +++--- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml index c55ab4c51..396d7926d 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml @@ -90,7 +90,7 @@ action.http_request_redirect text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> @@ -129,7 +129,7 @@ action.http_request_add_header_content text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> 
@@ -146,7 +146,7 @@ action.http_request_set_header_content text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> @@ -219,7 +219,7 @@ action.http_response_add_header_content text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> @@ -236,7 +236,7 @@ action.http_response_set_header_content text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml index 0f93af843..53320c994 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml @@ -28,7 +28,7 @@ backend.algorithm dropdown - HAProxy documentation for a full description.]]> + HAProxy documentation for a full description.]]> Choose a load balancing algorithm. @@ -78,7 +78,7 @@ backend.stickiness_pattern dropdown - HAProxy documentation for a full description.
NOTE: Consider not using this feature in multi-process mode, it can result in random behaviours.
]]>
+ HAProxy documentation for a full description.
NOTE: Consider not using this feature in multi-process mode, it can result in random behaviours.
]]>
Choose a persistence type.
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml index 1ccd924b6..6835cbd09 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml @@ -216,7 +216,7 @@ frontend.stickiness_pattern dropdown - HAProxy documentation for further information.]]> + HAProxy documentation for further information.]]> Choose a stick-table type. diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt index 1083b8780..91921fc35 100644 --- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt +++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt @@ -472,7 +472,7 @@ POSSIBILITY OF SUCH DAMAGE.
  • {{ lang._('Lastly, enable HAProxy using the %sService Settings%s.') | format('', '') }}
  • {{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('', '') }}

    -

    {{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('', '', '', '', '', '') }}

    +

    {{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('', '', '', '', '', '') }}


    @@ -514,7 +514,7 @@ POSSIBILITY OF SUCH DAMAGE.
  • {{ lang._('%sConditions:%s HAProxy is capable of extracting data from requests, responses and other connection data and match it against predefined patterns. Use these powerful patterns to compose a condition that may be used in multiple Rules.') | format('', '') }}
  • {{ lang._('%sRules:%s Perform a large set of actions if one or more %sConditions%s match. These Rules may be used in %sBackend Pools%s as well as %sPublic Services%s.') | format('', '', '', '', '', '', '', '') }}
  • -

    {{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('', '', '', '') }}

    +

    {{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('', '', '', '') }}

    {{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('', '') }}


    @@ -528,7 +528,7 @@ POSSIBILITY OF SUCH DAMAGE.
  • {{ lang._("%sError Messages:%s Return a custom message instead of errors generated by HAProxy. Useful to overwrite HAProxy's internal error messages. The message must represent the full HTTP response and include required HTTP headers.") | format('', '') }}
  • {{ lang._("%sLua scripts:%s Include your own Lua code/scripts to extend HAProxy's functionality. The Lua code can be used in certain %sRules%s, for example.") | format('', '', '', '') }}
  • -

    {{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s and the %sLua Script%s features.") | format('', '', '', '') }}

    +

    {{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s and the %sLua Script%s features.") | format('', '', '', '') }}


    From ea600da8fc9ca904896f322d8c4dcdc99655c74c Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Mon, 15 Jan 2018 00:46:11 +0100 Subject: [PATCH 12/13] net/haproxy: implement session sync for #165 --- .../OPNsense/HAProxy/forms/main.xml | 52 +++++++++++++++++++ .../app/models/OPNsense/HAProxy/HAProxy.xml | 32 ++++++++++++ .../app/models/OPNsense/HAProxy/Menu/Menu.xml | 1 + .../templates/OPNsense/HAProxy/haproxy.conf | 32 +++++++++++- 4 files changed, 115 insertions(+), 2 deletions(-) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml index 04a05134c..3f2cb6d37 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml @@ -20,6 +20,58 @@
    + + + haproxy.general.peers.enabled + + checkbox + + + + + header + + + haproxy.general.peers.name1 + + text + + + + haproxy.general.peers.listen1 + + text + + + + haproxy.general.peers.port1 + + text + + + + + header + + + haproxy.general.peers.name2 + + text + + + + haproxy.general.peers.listen2 + + text + + + + haproxy.general.peers.port2 + + text + + + diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index 798cc4467..50435b9c8 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -17,6 +17,38 @@ 1 + + + 0 + Y + + + N + + + N + + + 1024 + 1 + 65535 + Please specify a value between 1 and 65535. + N + + + N + + + N + + + 1024 + 1 + 65535 + Please specify a value between 1 and 65535. + N + + 0 diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml index d91b7c8ed..b49bddb1f 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Menu/Menu.xml @@ -3,6 +3,7 @@ + diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index bd0954a1d..a4b193405 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf 
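Review bot: `name1`, `listen1`, `name2` and `listen2` carry no Mask (only the two port fields are range-checked to 1–65535), yet the template later renders them verbatim into `peer NAME ADDR:PORT` lines. Peer names are HAProxy configuration identifiers and the listen values must be a host or address, so a mask such as the `/^([0-9a-zA-Z._]){1,255}$/u` pattern this model already uses for other identifiers, plus a host/IP field type for the two listen addresses, would reject whitespace and line breaks before they reach haproxy.conf. If the stripped tags hide a field type that already validates these, a short comment on the fields saying so would save the next reader the same question.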
@@ -3,6 +3,15 @@
 # Do not edit this file manually.
 {% if helpers.exists('OPNsense.HAProxy') %}
+{# ############################### #}
+{# GLOBAL VARIABLES #}
+{# ############################### #}
+
+{%- if helpers.exists('OPNsense.HAProxy.general.peers') and OPNsense.HAProxy.general.peers.enabled|default("") == "1" -%}
+{% set peers_enabled = True %}
+{% set peers_name = 'opnsense-haproxy-peers' %}
+{%- endif -%}
+
 {# ############################### #}
 {# MACROS #}
 {# ############################### #}
@@ -540,7 +549,8 @@
 {% endif %}
 {# # add stick-table #}
 {% if table_type is defined %}
- stick-table type {{table_type}} {%if add_length is defined %}len {{data_length}} {% endif %}size {{proxy.stickiness_size}} expire {{proxy.stickiness_expire}} {{stickiness_store}}
+ stick-table type {{table_type}} {%if add_length is defined %}len {{data_length}} {% endif %}size {{proxy.stickiness_size}} expire {{proxy.stickiness_expire}} {{stickiness_store}} {% if peers_enabled is defined %}{{'peers ' ~ peers_name}}{% endif %}
+
 {% endif %}
 {# # sticky counters (frontends only) #}
 {%- if backend == False -%}
@@ -558,7 +568,7 @@
 {%- elif proxy.stickiness_pattern != '' %}
 stick on src
 {%- endif -%}
-{%- endif -%}
+{%- endif -%}
 {% endif %}
 {% else %}
 # ERROR: StickTableConfig called with empty data 
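Review bot: `peers_enabled` is set in the first hunk purely from `peers.enabled == "1"`, but the `peers` section itself (the -1058 hunk further down) is only written when all six name/listen/port values are non-empty; with peers enabled and one field left blank, every `stick-table` line from the second hunk references `peers opnsense-haproxy-peers`, no such section exists, and HAProxy refuses to load the configuration. Moving the completeness check up into the global-variables block, so that `peers_enabled` is defined only when the section will actually be rendered, keeps the two places in sync, and the section can then test `peers_enabled is defined` instead of repeating the six comparisons. The stick-table line sits inside the StickTableConfig macro, which starts before this hunk.

```jinja
{%- if helpers.exists('OPNsense.HAProxy.general.peers') and OPNsense.HAProxy.general.peers.enabled|default("") == "1"
    and OPNsense.HAProxy.general.peers.name1|default("") != ''
    and OPNsense.HAProxy.general.peers.listen1|default("") != ''
    and OPNsense.HAProxy.general.peers.port1|default("") != ''
    and OPNsense.HAProxy.general.peers.name2|default("") != ''
    and OPNsense.HAProxy.general.peers.listen2|default("") != ''
    and OPNsense.HAProxy.general.peers.port2|default("") != '' -%}
{% set peers_enabled = True %}
{% set peers_name = 'opnsense-haproxy-peers' %}
{%- endif -%}
{# … unchanged: MACROS section … #}
```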
@@ -1058,6 +1068,24 @@ backend {{backend.name}}
 {% endfor %}
 {% endif %}
+{# ############################### #}
+{# PEERS #}
+{# ############################### #}
+
+{% if helpers.exists('OPNsense.HAProxy.general.peers') and OPNsense.HAProxy.general.peers.enabled|default("") == "1" %}
+{# # ensure that no value is missing #}
+{% if OPNsense.HAProxy.general.peers.name1|default("") != '' and
+ OPNsense.HAProxy.general.peers.listen1|default("") != '' and
+ OPNsense.HAProxy.general.peers.port1|default("") != '' and
+ OPNsense.HAProxy.general.peers.name2|default("") != '' and
+ OPNsense.HAProxy.general.peers.listen2|default("") != '' and
+ OPNsense.HAProxy.general.peers.port2|default("") != '' %}
+peers {{peers_name}}
+ peer {{OPNsense.HAProxy.general.peers.name1}} {{OPNsense.HAProxy.general.peers.listen1}}:{{OPNsense.HAProxy.general.peers.port1}}
+ peer {{OPNsense.HAProxy.general.peers.name2}} {{OPNsense.HAProxy.general.peers.listen2}}:{{OPNsense.HAProxy.general.peers.port2}}
+{% endif %}
+{% endif %}
+
 {# ############################### #}
 {# STATISTICS #}
 {# ############################### #}
From 75ce8a54873b1bccef54ce1fb67f81d07a40687a Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Wed, 17 Jan 2018 00:03:42 +0100 Subject: [PATCH 13/13] net/haproxy: switch to HAProxy 1.8, refs #224 --- net/haproxy/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 4c4fde354..31b5e73c1 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,7 +1,7 @@
 PLUGIN_NAME= haproxy
 PLUGIN_VERSION= 2.4
 PLUGIN_COMMENT= Reliable, high performance TCP/HTTP load balancer
-PLUGIN_DEPENDS= haproxy
+PLUGIN_DEPENDS= haproxy-devel
 PLUGIN_MAINTAINER= opnsense@moov.de
 .include "../../Mk/plugins.mk"
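Review bot: When any of the six values is empty the whole `peers` section is skipped without a trace, whereas the stickiness macro in the same file writes `# ERROR: StickTableConfig called with empty data` into the rendered output for the analogous case; an `{% else %}` branch emitting `# ERROR: peers enabled but name/listen/port settings are incomplete` would surface the misconfiguration where an operator reading haproxy.conf looks first. The hunk also gives no hint that HAProxy selects the local member of a `peers` section by matching a peer name against its own instance name, so which of `name1`/`name2` has to match this host is left to the reader; a `{# # one peer name must match this instance's name, see HAProxy peers docs #}` comment above `peers {{peers_name}}` would record the requirement as the plugin understands it. The `peers_name` variable is defined in an earlier hunk of this file, outside this one.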