net/haproxy: add basic logging capabilities

net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml

@@ -17,6 +17,12 @@
                 <label>NOTE: Define global parameters for the HAProxy service. They cannot be overriden.</label>
                 <type>info</type>
             </field>
+            <field>
+                <id>haproxy.general.tuning.chroot</id>
+                <label>Secure mode (chroot)</label>
+                <type>checkbox</type>
+                <help><![CDATA[Enable or disable HAProxy's chroot feature.<br/><div class="text-info"><b>NOTE:</b> Enabling chroot will deactivate logging to localhost, because the local syslogd is running in secure mode and does not accept network connections (and it's log socket is not accessible from the chroot directory). You'll need to log to a remote host when enabling the chroot feature.</div>]]></help>
+            </field>
             <field>
                 <id>haproxy.general.tuning.nbproc</id>
                 <label>HAProxy processes</label>

net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml

@@ -10,6 +10,10 @@
                 <Required>Y</Required>
             </enabled>
             <tuning>
+                <chroot type="BooleanField">
+                    <default>0</default>
+                    <Required>Y</Required>
+                </chroot>
                 <maxConnections type="IntegerField">
                     <MinimumValue>1</MinimumValue>
                     <MaximumValue>500000</MaximumValue>
@@ -132,7 +136,7 @@
                         <daemon>daemon</daemon>
                         <ftp>ftp</ftp>
                         <kern>kern</kern>
-                        <local0>local0</local0>
+                        <local0>local0 [default]</local0>
                         <local1>local1</local1>
                         <local2>local2</local2>
                         <local3>local3</local3>

net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/setup.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-HAPROXY_DIRS="/var/log/haproxy /var/run/haproxy /var/etc/haproxy/ssl /var/etc/haproxy/lua /var/etc/haproxy/errorfiles"
+HAPROXY_DIRS="/var/run/haproxy /var/etc/haproxy/ssl /var/etc/haproxy/lua /var/etc/haproxy/errorfiles"
 
 for directory in ${HAPROXY_DIRS}; do
     mkdir -p ${directory}

net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/+TARGETS

@@ -1,2 +1,3 @@
 haproxy.conf:/usr/local/etc/haproxy.conf
+haproxy.inc:/usr/local/etc/inc/plugins.inc.d/haproxy.inc
 rc.conf.d:/etc/rc.conf.d/haproxy

net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf

@@ -443,7 +443,11 @@
 global
     uid                         80
     gid                         80
+{% if OPNsense.HAProxy.general.tuning.chroot == "1" %}
+    # NOTE: chroot prevents (most) local logging, you need to enable remote
+    #       logging when using it (because syslogd is running in secure mode).
     chroot                      /var/run/haproxy
+{% endif %}
     daemon
     stats                       socket /var/run/haproxy.socket level admin
     nbproc                      {{OPNsense.HAProxy.general.tuning.nbproc}}
@@ -465,12 +469,18 @@ global
 {% if OPNsense.HAProxy.general.tuning.luaMaxMem|default("") != "" %}
     tune.lua.maxmem             {{OPNsense.HAProxy.general.tuning.luaMaxMem}}
 {% endif %}
-{#  # logging configuration #}
-{%  set logging = [] %}
-{%  do logging.append(OPNsense.HAProxy.general.logging.host) %}
-{%  do logging.append('len ' ~ OPNsense.HAProxy.general.logging.length) if OPNsense.HAProxy.general.logging.length|default("") != "" %}
-{%  do logging.append(OPNsense.HAProxy.general.logging.facility) %}
-{%  do logging.append(OPNsense.HAProxy.general.logging.level) if OPNsense.HAProxy.general.logging.level|default("") != "" %}
+{# # logging configuration #}
+{% set logging = [] %}
+{% if OPNsense.HAProxy.general.logging.host != '127.0.0.1' %}
+{%   do logging.append(OPNsense.HAProxy.general.logging.host) %}
+{% else %}
+{#   # NOTE: syslogd is running is secure mode and thus does not accept network #}
+{#   #       connections. That's why we need to use the log socket instead. #}
+{%   do logging.append('/var/run/log') %}
+{% endif %}
+{% do logging.append('len ' ~ OPNsense.HAProxy.general.logging.length) if OPNsense.HAProxy.general.logging.length|default("") != "" %}
+{% do logging.append(OPNsense.HAProxy.general.logging.facility) %}
+{% do logging.append(OPNsense.HAProxy.general.logging.level) if OPNsense.HAProxy.general.logging.level|default("") != "" %}
     log {{logging|join(' ')}}
 {% if OPNsense.HAProxy.luas.lua is defined %}
     # lua scripts

net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.inc

@@ -0,0 +1,65 @@
+<?php
+
+/**
+ *    Copyright (C) 2016 Frank Wall
+ *    Copyright (C) 2014-2016 Franco Fichtner <franco@opnsense.org>
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/**
+ *  register legacy syslog facilities
+ * @return array
+ */
+function haproxy_syslog()
+{
+    $syslogconf = array();
+    $syslogconf['haproxy'] = array("facility" => array('haproxy'), "remote" => "haproxy");
+    return $syslogconf;
+}
+
+/**
+ *  register legacy service
+ * @return array
+ */
+function haproxy_services()
+{
+    global $config;
+    $services = array();
+
+    if (isset($config['OPNsense']['HAProxy']['general']['enabled']) && $config['OPNsense']['HAProxy']['general']['enabled'] == 1) {
+        $services[] = array(
+            'description' => gettext('HAProxy load balancer'),
+            'configd' => array(
+                'restart' => array('haproxy restart'),
+                'start' => array('haproxy start'),
+                'stop' => array('haproxy stop'),
+            ),
+            'name' => 'haproxy',
+        );
+    }
+
+    return $services;
+}