N
sticktable
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M2_8_0.php b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M2_8_0.php
new file mode 100644
index 000000000..c5d364cb8
--- /dev/null
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M2_8_0.php
@@ -0,0 +1,45 @@
+getNodeByReference('frontends.frontend')->iterateItems() as $frontend) {
+ if (isset($frontend->ssl_http2Enabled)) {
+ $frontend->http2Enabled = '1';
+ $frontend->ssl_http2Enabled = null;
+ }
+ }
+ }
+}
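Review bot: The migration tests `isset($frontend->ssl_http2Enabled)` and then writes `http2Enabled = '1'` without reading the legacy value. If `isset` is true whenever the legacy node exists, frontends where HTTP/2 was switched off would come out of the upgrade with it enabled. Comparing the value keeps the administrator's choice, for example `$frontend->http2Enabled = ((string)$frontend->ssl_http2Enabled === '1') ? '1' : '0';`. A short comment saying why the old field is set to null afterwards would also help. The start of the file is not visible in this hunk, so the class header and method signature could not be checked.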
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index c806d2edc..6cc446097 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -222,6 +222,13 @@ POSSIBILITY OF SUCH DAMAGE.
// hook into on-show event for dialog to extend layout.
$('#DialogBackend').on('shown.bs.modal', function (e) {
+ $("#backend\\.mode").change(function(){
+ var service_id = 'table_' + $(this).val();
+ $(".mode_table").hide();
+ $("."+service_id).show();
+ });
+ $("#backend\\.mode").change();
+
$("#backend\\.healthCheckEnabled").change(function(){
var service_id = 'table_healthcheck_' + $(this).is(':checked');
$(".healthcheck_table").hide();
@@ -548,7 +555,7 @@ POSSIBILITY OF SUCH DAMAGE.
{{ lang._('Lastly, enable HAProxy using the %sService Settings%s.') | format('', '') }}
{{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('', '') }}
- {{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('', '', '', '', '', '') }}
+ {{ lang._('Further information is available in our %sHAProxy plugin documentation%s and of course in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('', '', '', '', '', '') }}
@@ -590,7 +597,7 @@ POSSIBILITY OF SUCH DAMAGE.
{{ lang._('%sConditions:%s HAProxy is capable of extracting data from requests, responses and other connection data and match it against predefined patterns. Use these powerful patterns to compose a condition that may be used in multiple Rules.') | format('', '') }}
{{ lang._('%sRules:%s Perform a large set of actions if one or more %sConditions%s match. These Rules may be used in %sBackend Pools%s as well as %sPublic Services%s.') | format('', '', '', '', '', '', '', '') }}
- {{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('', '', '', '') }}
+ {{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('', '', '', '') }}
{{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('', '') }}
@@ -605,7 +612,7 @@ POSSIBILITY OF SUCH DAMAGE.
{{ lang._('%sGroup:%s A optional list containing one or more users. Groups usually make it easier to manage permissions for a large number of users') | format('', '') }}
{{ lang._('Note that users and groups must be selected from the Backend Pool or Public Service configuration in order to be used for authentication. In addition to this users and groups may also be used in Rules/Conditions.') }}
- {{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('', '', '', '') }}
+ {{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('', '', '', '') }}
@@ -620,7 +627,7 @@ POSSIBILITY OF SUCH DAMAGE.
{{ lang._("%sMap Files:%s A map allows to map a data in input to an other one on output. For example, this makes it possible to map a large number of domains to backend pools without using the GUI. Map files need to be used in %sRules%s, otherwise they are ignored.") | format('', '', '', '') }}
{{ lang._("%sCPU Affinity Rules:%s This feature makes it possible to bind HAProxy's processes/threads to a specific CPU (or a CPU set). Furthermore it is possible to select CPU Affinity Rules in %sPublic Services%s to restrict them to a certain set of processes/threads/CPUs.") | format('', '', '', '') }}
- {{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s.") | format('', '', '', '', '', '' ,'', '' ,'', '' ,'', '') }}
+ {{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s.") | format('', '', '', '', '', '' ,'', '' ,'', '' ,'', '') }}
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 0bd3cef3e..e503234d0 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -985,6 +985,7 @@ userlist stats_auth
frontend {{frontend.name}}
{% set ssl_certs = [] %}
{% set ssl_options = [] %}
+{% set adv_options = [] %}
{% if frontend.ssl_enabled == '1' %}
{# # check if ssl certs are configured #}
{% if frontend.ssl_certificates|default("") != "" or frontend.ssl_default_certificate|default("") != "" %}
@@ -1006,8 +1007,10 @@ frontend {{frontend.name}}
{% do ssl_options.append('ciphers ' ~ frontend.ssl_cipherList) %}
{% endif %}
{# # HTTP/2 #}
-{% if frontend.ssl_http2Enabled|default("") == '1' and frontend.mode == 'http' %}
-{% do ssl_options.append('alpn h2,http/1.1') %}
+{% if frontend.http2Enabled|default("") == '1' and frontend.advertised_protocols|default("") != "" %}
+{# # convert protocols to HAProxy-compatible format #}
+{% set alpn_options = frontend.advertised_protocols|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
+{% do ssl_options.append('alpn ' ~ alpn_options) %}
{% endif %}
{# # HSTS #}
{% if frontend.ssl_hstsEnabled|default("") == '1' and frontend.mode == 'http' %}
@@ -1039,10 +1042,12 @@ frontend {{frontend.name}}
{% endif %}
{% endif %}
{% endif %}
+{# # HTTP/2 without TLS #}
+{% elif frontend.http2Enabled|default("") == '1' and frontend.http2Enabled_nontls|default("") == '1' %}
+{% do adv_options.append('proto h2') %}
{% endif %}
{# # CPU affinity configuration #}
{% set bind_process = [] %}
-{% set process_thread = [] %}
{% if frontend.linkedCpuAffinityRules|default('') != '' %}
{% for cpu_map in frontend.linkedCpuAffinityRules.split(',') %}
{% set cpu_map_data = helpers.getUUID(cpu_map) %}
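Review bot: The new `elif` under the `HTTP/2 without TLS` comment appends `proto h2` without testing `frontend.mode`, whereas the condition removed in the ALPN hunk above required `frontend.mode == 'http'`. HAProxy only accepts the h2 mux on HTTP-mode proxies, so a TCP-mode frontend with both flags set would most likely produce a bind line that fails the configuration check and blocks the reload. Extending the condition with `and frontend.mode == 'http'` restores the guard. The backend branch that appends `proto h2` to `server_options` needs the same check against `backend.mode`. The enclosing `{% if frontend.ssl_enabled == '1' %}` block starts outside this hunk.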
@@ -1050,7 +1055,7 @@ frontend {{frontend.name}}
{# # Limit visibility to a certain set of processes #}
{% do bind_process.append(cpu_map_data.process_id|replace('x', '')) %}
{# # Restrict the list of processes/threads on which this listener is allowed to run #}
-{% do process_thread.append('process ' ~ cpu_map_data.process_id|replace('x', '') ~ '/' ~ cpu_map_data.thread_id|replace('x', '')) %}
+{% do adv_options.append('process ' ~ cpu_map_data.process_id|replace('x', '') ~ '/' ~ cpu_map_data.thread_id|replace('x', '')) %}
{% endif %}
{% endfor %}
{% if bind_process|length > 0 %}
@@ -1060,7 +1065,7 @@ frontend {{frontend.name}}
{# # bind/listen configuration #}
{% if frontend.bind|default("") != "" %}
{% for bind in frontend.bind.split(",") %}
- bind {{bind}} name {{bind}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}{% if process_thread|length > 0 %} {{ process_thread|join(' ') }} {% endif %}
+ bind {{bind}} name {{bind}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}{% if adv_options|length > 0 %} {{ adv_options|join(' ') }} {% endif %}
{% endfor %}
{% endif %}
@@ -1259,12 +1264,17 @@ backend {{backend.name}}
# health checking is DISABLED
{% set healthcheck_enabled = '0' %}
{% endif %}
-{# # XXX: Usually the frontend and the backend are in the same mode, #}
-{# # but we have no way to know what frontend uses this backend. #}
-{# # Hence we can't automatically set the mode and thus need a #}
-{# # (redundant) GUI option for this. #}
+{# # NOTE: Usually the frontend and the backend are in the same mode, #}
+{# # but we have no way to know what frontend uses this backend. #}
+{# # Hence we can't automatically set the mode and thus need a #}
+{# # (redundant) GUI option for this. #}
mode {{backend.mode}}
+{# # balancing algorithm #}
+{% if backend.algorithm|default("") == 'random' %}
+ balance {{backend.algorithm}}({{backend.random_draws}})
+{% else %}
balance {{backend.algorithm}}
+{% endif %}
{# # call macro to evaluate stickiness config #}
{{ StickTableConfig(backend,true) }}
# tuning options
@@ -1400,6 +1410,15 @@ backend {{backend.name}}
{% else %}
{% do server_options.append('verify none') %}
{% endif %}
+{# # HTTP/2 #}
+{% if backend.http2Enabled|default("") == '1' and backend.ba_advertised_protocols|default("") != "" %}
+{# # convert protocols to HAProxy-compatible format #}
+{% set alpn_options = backend.ba_advertised_protocols|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %}
+{% do server_options.append('alpn ' ~ alpn_options) %}
+{% endif %}
+{# # HTTP/2 without TLS #}
+{% elif backend.http2Enabled|default("") == '1' and backend.http2Enabled_nontls|default("") == '1' %}
+{% do server_options.append('proto h2') %}
{% endif %}
{# # source address #}
{% if backend.source|default("") != "" %}