Merge pull request #2058 from fraenki/haproxy_790
net/haproxy: release 2.25
@@ -1,5 +1,5 @@
|
||||
PLUGIN_NAME= haproxy
|
||||
PLUGIN_VERSION= 2.24
|
||||
PLUGIN_VERSION= 2.25
|
||||
PLUGIN_COMMENT= Reliable, high performance TCP/HTTP load balancer
|
||||
PLUGIN_DEPENDS= haproxy20
|
||||
PLUGIN_MAINTAINER= opnsense@moov.de
|
||||
|
||||
@@ -6,6 +6,11 @@ very high loads while needing persistence or Layer7 processing.
|
||||
Plugin Changelog
|
||||
================
|
||||
|
||||
2.25
|
||||
|
||||
Added:
|
||||
* add support for TLSv1.3 (#790)
|
||||
|
||||
2.24
|
||||
|
||||
Added:
|
||||
|
||||
+19
-1
@@ -98,11 +98,29 @@
|
||||
<sortable>true</sortable>
|
||||
<help><![CDATA[Used to enforce or disable certain SSL options.]]></help>
|
||||
</field>
|
||||
<field>
|
||||
<id>frontend.ssl_minVersion</id>
|
||||
<label>Minimum SSL Version</label>
|
||||
<type>dropdown</type>
|
||||
<help><![CDATA[This option enforces use of the specified version (or higher) on SSL connections.]]></help>
|
||||
</field>
|
||||
<field>
|
||||
<id>frontend.ssl_maxVersion</id>
|
||||
<label>Maximum SSL Version</label>
|
||||
<type>dropdown</type>
|
||||
<help><![CDATA[This option enforces use of the specified version (or lower) on SSL connections.]]></help>
|
||||
</field>
|
||||
<field>
|
||||
<id>frontend.ssl_cipherList</id>
|
||||
<label>Cipher List</label>
|
||||
<type>text</type>
|
||||
<help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake.]]></help>
|
||||
<help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake up to TLSv1.2.]]></help>
|
||||
</field>
|
||||
<field>
|
||||
<id>frontend.ssl_cipherSuites</id>
|
||||
<label>Cipher Suites</label>
|
||||
<type>text</type>
|
||||
<help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for TLSv1.3.]]></help>
|
||||
</field>
|
||||
<field>
|
||||
<id>frontend.ssl_hstsEnabled</id>
|
||||
|
||||
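Review bot: The help text for the new `frontend.ssl_minVersion` and `frontend.ssl_maxVersion` fields does not say how the two relate, so a user can pick a minimum above the maximum with no hint in the form that the pair is contradictory. Suggest appending to the minimum's help `Must not be higher than the Maximum SSL Version, if one is set.` and to the maximum's help `Must not be lower than the Minimum SSL Version, if one is set.`. The same wording would fit the two matching fields in the general-settings form in the next file section.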
+19
-1
@@ -93,10 +93,28 @@
|
||||
<allownew>true</allownew>
|
||||
<help><![CDATA[Used to enforce or disable certain SSL options.]]></help>
|
||||
</field>
|
||||
<field>
|
||||
<id>haproxy.general.tuning.ssl_minVersion</id>
|
||||
<label>Minimum SSL Version</label>
|
||||
<type>dropdown</type>
|
||||
<help><![CDATA[This option enforces use of the specified version (or higher) on SSL connections.]]></help>
|
||||
</field>
|
||||
<field>
|
||||
<id>haproxy.general.tuning.ssl_maxVersion</id>
|
||||
<label>Maximum SSL Version</label>
|
||||
<type>dropdown</type>
|
||||
<help><![CDATA[This option enforces use of the specified version (or lower) on SSL connections.]]></help>
|
||||
</field>
|
||||
<field>
|
||||
<id>haproxy.general.tuning.ssl_cipherList</id>
|
||||
<label>Cipher List</label>
|
||||
<type>text</type>
|
||||
<help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake.]]></help>
|
||||
<help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake up to TLSv1.2.]]></help>
|
||||
</field>
|
||||
<field>
|
||||
<id>haproxy.general.tuning.ssl_cipherSuites</id>
|
||||
<label>Cipher Suites</label>
|
||||
<type>text</type>
|
||||
<help><![CDATA[It sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for TLSv1.3.]]></help>
|
||||
</field>
|
||||
</form>
|
||||
|
||||
@@ -136,18 +136,44 @@
|
||||
<no-tlsv10>no-tlsv10</no-tlsv10>
|
||||
<no-tlsv11>no-tlsv11</no-tlsv11>
|
||||
<no-tlsv12>no-tlsv12</no-tlsv12>
|
||||
<no-tlsv13>no-tlsv13</no-tlsv13>
|
||||
<no-tls-tickets>no-tls-tickets</no-tls-tickets>
|
||||
<force-sslv3>force-sslv3</force-sslv3>
|
||||
<force-tlsv10>force-tlsv10</force-tlsv10>
|
||||
<force-tlsv11>force-tlsv11</force-tlsv11>
|
||||
<force-tlsv12>force-tlsv12</force-tlsv12>
|
||||
<force-tlsv13>force-tlsv13</force-tlsv13>
|
||||
<strict-sni>strict-sni</strict-sni>
|
||||
</OptionValues>
|
||||
</ssl_bindOptions>
|
||||
<ssl_minVersion type="OptionField">
|
||||
<Required>N</Required>
|
||||
<OptionValues>
|
||||
<SSLv3>SSLv3</SSLv3>
|
||||
<TLSv1.0>TLSv1.0</TLSv1.0>
|
||||
<TLSv1.1>TLSv1.1</TLSv1.1>
|
||||
<TLSv1.2>TLSv1.2</TLSv1.2>
|
||||
<TLSv1.3>TLSv1.3</TLSv1.3>
|
||||
</OptionValues>
|
||||
</ssl_minVersion>
|
||||
<ssl_maxVersion type="OptionField">
|
||||
<Required>N</Required>
|
||||
<OptionValues>
|
||||
<SSLv3>SSLv3</SSLv3>
|
||||
<TLSv1.0>TLSv1.0</TLSv1.0>
|
||||
<TLSv1.1>TLSv1.1</TLSv1.1>
|
||||
<TLSv1.2>TLSv1.2</TLSv1.2>
|
||||
<TLSv1.3>TLSv1.3</TLSv1.3>
|
||||
</OptionValues>
|
||||
</ssl_maxVersion>
|
||||
<ssl_cipherList type="TextField">
|
||||
<default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256</default>
|
||||
<Required>N</Required>
|
||||
</ssl_cipherList>
|
||||
<ssl_cipherSuites type="TextField">
|
||||
<default>TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</default>
|
||||
<Required>N</Required>
|
||||
</ssl_cipherSuites>
|
||||
</tuning>
|
||||
<defaults>
|
||||
<maxConnections type="IntegerField">
|
||||
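Review bot: The new `ssl_minVersion` and `ssl_maxVersion` OptionFields accept `SSLv3`, `TLSv1.0` and `TLSv1.1`, and nothing in the model ties the two fields together, so a minimum above the maximum is stored as valid and only fails later when HAProxy reads the emitted `ssl-min-ver`/`ssl-max-ver` pair. Consider dropping `SSLv3` from both lists, or at least stating in the field help that it is offered only for legacy clients, and adding a validation that rejects a minimum higher than the maximum before the configuration is written. The frontends model in the following hunk (`@@ -442,18 +468,44 @@`) carries the same two lists and the same missing constraint.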
@@ -442,18 +468,44 @@
|
||||
<no-tlsv10>no-tlsv10</no-tlsv10>
|
||||
<no-tlsv11>no-tlsv11</no-tlsv11>
|
||||
<no-tlsv12>no-tlsv12</no-tlsv12>
|
||||
<no-tlsv13>no-tlsv13</no-tlsv13>
|
||||
<no-tls-tickets>no-tls-tickets</no-tls-tickets>
|
||||
<force-sslv3>force-sslv3</force-sslv3>
|
||||
<force-tlsv10>force-tlsv10</force-tlsv10>
|
||||
<force-tlsv11>force-tlsv11</force-tlsv11>
|
||||
<force-tlsv12>force-tlsv12</force-tlsv12>
|
||||
<force-tlsv13>force-tlsv13</force-tlsv13>
|
||||
<strict-sni>strict-sni</strict-sni>
|
||||
</OptionValues>
|
||||
</ssl_bindOptions>
|
||||
<ssl_minVersion type="OptionField">
|
||||
<Required>N</Required>
|
||||
<OptionValues>
|
||||
<SSLv3>SSLv3</SSLv3>
|
||||
<TLSv1.0>TLSv1.0</TLSv1.0>
|
||||
<TLSv1.1>TLSv1.1</TLSv1.1>
|
||||
<TLSv1.2>TLSv1.2</TLSv1.2>
|
||||
<TLSv1.3>TLSv1.3</TLSv1.3>
|
||||
</OptionValues>
|
||||
</ssl_minVersion>
|
||||
<ssl_maxVersion type="OptionField">
|
||||
<Required>N</Required>
|
||||
<OptionValues>
|
||||
<SSLv3>SSLv3</SSLv3>
|
||||
<TLSv1.0>TLSv1.0</TLSv1.0>
|
||||
<TLSv1.1>TLSv1.1</TLSv1.1>
|
||||
<TLSv1.2>TLSv1.2</TLSv1.2>
|
||||
<TLSv1.3>TLSv1.3</TLSv1.3>
|
||||
</OptionValues>
|
||||
</ssl_maxVersion>
|
||||
<ssl_cipherList type="TextField">
|
||||
<default>ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256</default>
|
||||
<Required>N</Required>
|
||||
</ssl_cipherList>
|
||||
<ssl_cipherSuites type="TextField">
|
||||
<default>TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256</default>
|
||||
<Required>N</Required>
|
||||
</ssl_cipherSuites>
|
||||
<ssl_hstsEnabled type="BooleanField">
|
||||
<default>1</default>
|
||||
<Required>Y</Required>
|
||||
|
||||
@@ -869,16 +869,27 @@ global
|
||||
{% endif %}
|
||||
{# # ssl default settings #}
|
||||
{% if OPNsense.HAProxy.general.tuning.ssl_defaultsEnabled|default("") == '1' %}
|
||||
{% set bindopts = [] %}
|
||||
{% if OPNsense.HAProxy.general.tuning.ssl_bindOptions|default("") != "" %}
|
||||
{% set bindopts = [] %}
|
||||
{% for bindopt in OPNsense.HAProxy.general.tuning.ssl_bindOptions.split(",") %}
|
||||
{% do bindopts.append(bindopt) %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if OPNsense.HAProxy.general.tuning.ssl_minVersion|default("") != "" %}
|
||||
{% do bindopts.append('ssl-min-ver ' ~ OPNsense.HAProxy.general.tuning.ssl_minVersion) %}
|
||||
{% endif %}
|
||||
{% if OPNsense.HAProxy.general.tuning.ssl_maxVersion|default("") != "" %}
|
||||
{% do bindopts.append('ssl-max-ver ' ~ OPNsense.HAProxy.general.tuning.ssl_maxVersion) %}
|
||||
{% endif %}
|
||||
{% if (bindopts is defined and bindopts|default("") != "" )%}
|
||||
ssl-default-bind-options {{ bindopts|join(' ') }}
|
||||
{% endif %}
|
||||
{% if OPNsense.HAProxy.general.tuning.ssl_cipherList|default("") != "" %}
|
||||
ssl-default-bind-ciphers {{ OPNsense.HAProxy.general.tuning.ssl_cipherList }}
|
||||
{% endif %}
|
||||
{% if OPNsense.HAProxy.general.tuning.ssl_cipherSuites|default("") != "" %}
|
||||
ssl-default-bind-ciphersuites {{ OPNsense.HAProxy.general.tuning.ssl_cipherSuites }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{# # pass-through options #}
|
||||
{% if OPNsense.HAProxy.general.tuning.customOptions|default("") != "" %}
|
||||
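Review bot: The guard `{% if (bindopts is defined and bindopts|default("") != "" )%}` compares a list with a string, and because `bindopts` is now initialised to `[]` before the `ssl_bindOptions` check, an empty list is always `!= ""`, so `ssl-default-bind-options` is emitted with no value whenever SSL defaults are enabled but no bind option, minimum or maximum version is selected. Replace the guard with `{% if bindopts %}`, which is false for an empty list and true once anything has been appended. The inner `{% set bindopts = [] %}` under the `ssl_bindOptions` check is then redundant with the one above it if it survives on the new side; I cannot tell from the rendered hunk which of the two is the removed line.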
@@ -1064,9 +1075,18 @@ frontend {{frontend.name}}
|
||||
{% do ssl_options.append(bindopt) %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if frontend.ssl_minVersion|default("") != "" %}
|
||||
{% do ssl_options.append('ssl-min-ver ' ~ frontend.ssl_minVersion) %}
|
||||
{% endif %}
|
||||
{% if frontend.ssl_maxVersion|default("") != "" %}
|
||||
{% do ssl_options.append('ssl-max-ver ' ~ frontend.ssl_maxVersion) %}
|
||||
{% endif %}
|
||||
{% if frontend.ssl_cipherList|default("") != "" %}
|
||||
{% do ssl_options.append('ciphers ' ~ frontend.ssl_cipherList) %}
|
||||
{% endif %}
|
||||
{% if frontend.ssl_cipherSuites|default("") != "" %}
|
||||
{% do ssl_options.append('ciphersuites ' ~ frontend.ssl_cipherSuites) %}
|
||||
{% endif %}
|
||||
{# # HSTS #}
|
||||
{% if frontend.ssl_hstsEnabled|default("") == '1' and frontend.mode == 'http' %}
|
||||
{% set hsts_options = [] %}
|
||||
|
||||