From 42041e5fd513019f780e109ff1d2875abbec75df Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 16 Nov 2016 06:50:31 +0100
Subject: [PATCH] net/haproxy: add "default certificate" parameter, fixes #51
 (#55)

---
 .../OPNsense/HAProxy/forms/dialogFrontend.xml         |  7 +++++++
 .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml       |  5 +++++
 .../service/templates/OPNsense/HAProxy/haproxy.conf   | 11 ++++++++++-
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 6508bbe11..e6ed0b2c8 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -64,6 +64,13 @@
         <help><![CDATA[Select certificates to use for SSL offloading. HAProxy's SNI recognition will determine the correct certificate automatically. If no SNI is provided by the client then the first certificate will be presented.<br/>To import additional certificates, go to <a href="/system_certmanager.php">Certificate Manager</a>.]]></help>
         <hint>Type certificate name or choose from list.</hint>
     </field>
+    <field>
+        <id>frontend.ssl_default_certificate</id>
+        <label>Default certificate</label>
+        <type>dropdown</type>
+        <help><![CDATA[This certificate will be presented if no SNI is provided by the client or if the client provides an SNI hostname which does not match any certificate.<div class="text-info"><b>NOTE:</b> This parameter is optional to enforce a certain sort order for certificates. The certificate itself must still be listed under "Certificates".</div>]]></help>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>frontend.ssl_customOptions</id>
         <label>Advanced SSL options</label>
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index b96f80ae2..3f71ce11d 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -282,6 +282,11 @@
                     <Multiple>Y</Multiple>
                     <ValidationMessage>Please select a valid certificate from the list.</ValidationMessage>
                 </ssl_certificates>
+                <ssl_default_certificate type="CertificateField">
+                    <Required>N</Required>
+                    <Multiple>N</Multiple>
+                    <ValidationMessage>Please select a valid certificate from the list.</ValidationMessage>
+                </ssl_default_certificate>
                 <ssl_customOptions type="TextField">
                     <Required>N</Required>
                 </ssl_customOptions>
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index f22de296f..4b2946f20 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -551,8 +551,17 @@ frontend {{frontend.name}}
 {%       if frontend.ssl_enabled == '1' %}
 {#         # collect ssl certs (if configured) #}
 {%         if frontend.ssl_certificates|default("") != "" %}
+{#           # check if a default certificate is configured #}
+{%           if frontend.ssl_default_certificate|default("") != "" %}
+{%             do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ frontend.ssl_default_certificate ~ '.pem') %}
+{%           endif %}
 {%           for cert in frontend.ssl_certificates.split(",") %}
-{%             do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ cert ~ '.pem') %}
+{#             # skip default certificate, it was already added to the list #}
+{%             if frontend.ssl_default_certificate|default("") != "" and cert == frontend.ssl_default_certificate %}
+{#               # do nothing  #}
+{%             else %}
+{%               do ssl_certs.append('crt /var/etc/haproxy/ssl/' ~ cert ~ '.pem') %}
+{%             endif %}
 {%           endfor %}
 {%         endif %}
 {#         # advanced ssl options #}