net/haproxy: add "default certificate" parameter, fixes #51 (#55)

net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml

@@ -64,6 +64,13 @@
         <help><![CDATA[Select certificates to use for SSL offloading. HAProxy's SNI recognition will determine the correct certificate automatically. If no SNI is provided by the client then the first certificate will be presented.<br/>To import additional certificates, go to <a href="/system_certmanager.php">Certificate Manager</a>.]]></help>
         <hint>Type certificate name or choose from list.</hint>
     </field>
+    <field>
+        <id>frontend.ssl_default_certificate</id>
+        <label>Default certificate</label>
+        <type>dropdown</type>
+        <help><![CDATA[This certificate will be presented if no SNI is provided by the client or if the client provides an SNI hostname which does not match any certificate.<div class="text-info"><b>NOTE:</b> This parameter is optional to enforce a certain sort order for certificates. The certificate itself must still be listed under "Certificates".</div>]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>frontend.ssl_customOptions</id>
         <label>Advanced SSL options</label>

net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml

@@ -282,6 +282,11 @@
                     <Multiple>Y</Multiple>
                     <ValidationMessage>Please select a valid certificate from the list.</ValidationMessage>
                 </ssl_certificates>
+                <ssl_default_certificate type="CertificateField">
+                    <Required>N</Required>
+                    <Multiple>N</Multiple>
+                    <ValidationMessage>Please select a valid certificate from the list.</ValidationMessage>
+                </ssl_default_certificate>
                 <ssl_customOptions type="TextField">
                     <Required>N</Required>
                 </ssl_customOptions>

net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf

@@ -551,8 +551,17 @@ frontend {{frontend.name}}
 {%       if frontend.ssl_enabled == '1' %}
 {#         # collect ssl certs (if configured) #}
 {%         if frontend.ssl_certificates|default("") != "" %}
+{#           # check if a default certificate is configured #}
+{%           if frontend.ssl_default_certificate|default("") != "" %}
+{%             do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ frontend.ssl_default_certificate ~ '.pem') %}
+{%           endif %}
 {%           for cert in frontend.ssl_certificates.split(",") %}
-{%             do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ cert ~ '.pem') %}
+{#             # skip default certificate, it was already added to the list #}
+{%             if frontend.ssl_default_certificate|default("") != "" and cert == frontend.ssl_default_certificate %}
+{#               # do nothing  #}
+{%             else %}
+{%               do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ cert ~ '.pem') %}
+{%             endif %}
 {%           endfor %}
 {%         endif %}
 {#         # advanced ssl options #}