net/haproxy: add new global param to handle server ssl verification, refs #26

2026-05-28 04:34:15 -04:00 · 2016-08-01 14:04:07 +02:00 · 2016-08-01 14:04:07 +02:00 · 1878899f68
commit 1878899f68
parent 755961aa5b
3 changed files with 21 additions and 0 deletions
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/main.xml
@ -37,6 +37,13 @@
                <type>text</type>
                <help><![CDATA[Sets the maximum number of concurrent connections per HAProxy process.<br/><div class="text-info"><b>NOTE:</b> HAProxy will not be able to allocate enough memory if you set this value too high. Consider raising the settings for kern.maxfiles and kern.maxfilesperproc if you need to specify a non-default value.</div>]]></help>
            </field>
+            <field>
+                <id>haproxy.general.tuning.sslServerVerify</id>
+                <label>Verify SSL Server Certificates</label>
+                <type>dropdown</type>
+                <help><![CDATA[This enforces a certain behavior for SSL verify on servers, ignoring per-server settings. If set to 'enforce verify', server certificates are verified. If set to 'disable verify', server certificates are not verified. The default is 'no preference' to only use per-server configurations and not enforce a global default for all servers.]]></help>
+                <advanced>true</advanced>
+            </field>
            <field>
                <id>haproxy.general.tuning.maxDHSize</id>
                <label>Maximum SSL DH Size</label>
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@ -27,6 +27,15 @@
                    <ValidationMessage>Please specify a value between 1 and 128.</ValidationMessage>
                    <Required>Y</Required>
                </nbproc>
+                <sslServerVerify type="OptionField">
+                    <Required>Y</Required>
+                    <default>ignore</default>
+                    <OptionValues>
+                        <ignore>no preference [default]</ignore>
+                        <required>enforce verify</required>
+                        <none>disable verify</none>
+                    </OptionValues>
+                </sslServerVerify>
                <maxDHSize type="IntegerField">
                    <default>1024</default>
                    <MinimumValue>1024</MinimumValue>
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@ -456,6 +456,11 @@ global
 {% if helpers.exists('OPNsense.HAProxy.general.tuning.maxDHSize') %}
    tune.ssl.default-dh-param   {{OPNsense.HAProxy.general.tuning.maxDHSize}}
 {% endif %}
+{% if helpers.exists('OPNsense.HAProxy.general.tuning.sslServerVerify') %}
+{%     if OPNsense.HAProxy.general.tuning.spreadChecks|default("") != 'ignore' %}
+    ssl-server-verify           {{OPNsense.HAProxy.general.tuning.sslServerVerify}}
+{%     endif %}
+{% endif %}
 {% if OPNsense.HAProxy.general.tuning.spreadChecks|default("") != "" %}
    spread-checks               {{OPNsense.HAProxy.general.tuning.spreadChecks}}
 {% endif %}