diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
index 2ed5d20a4..e9a1b33b5 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml
@@ -45,17 +45,17 @@
dropdown
-
-
- header
-
-
frontend.ssl_enabled
-
+
checkbox
Enable SSL offloading
+
+
+ header
+
+
frontend.ssl_certificates
@@ -74,11 +74,36 @@
frontend.ssl_customOptions
-
+
text
- Example: no-sslv3 ciphers HIGH:!DSS:!aNULL@STRENGTH
]]>
+
true
+
+ frontend.ssl_advancedEnabled
+
+ checkbox
+
+
+
+
+ header
+
+
+
+ frontend.ssl_bindOptions
+
+ select_multiple
+
+ true
+
+
+
+ frontend.ssl_cipherList
+
+ text
+
+
header
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 5829d0c53..045076ccd 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -298,6 +298,31 @@
N
+
+ 0
+ Y
+
+
+ N
+ no-sslv3,no-tlsv10,no-tls-tickets
+ Y
+
+ no-sslv3
+ no-tlsv10
+ no-tlsv11
+ no-tlsv12
+ no-tls-tickets
+ force-sslv3
+ force-tlsv10
+ force-tlsv11
+ force-tlsv12
+ strict-sni
+
+
+
+ ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+ N
+
1
500000
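Review bot: The new ssl_cipherList field carries no visible constraint, yet the template writes its value verbatim into the `bind ... ssl ciphers <value>` line of haproxy.conf, so any character the model accepts ends up on that line; unless a mask is already declared outside this hunk, a pattern restricted to the OpenSSL cipher-string alphabet would keep the value to a single token, e.g. `<mask>/^[A-Za-z0-9:!+\-@=]+$/u</mask>`. The ssl_bindOptions option list also mixes options that contradict each other (the four force-* entries are presumably mutually exclusive, and force-tlsv12 next to no-tlsv12 leaves no protocol), and a select_multiple lets an administrator pick such a combination; without a model-level check the error only surfaces when haproxy parses the generated configuration rather than at save time. A comment on the field noting that conflicting selections are not validated would at least make that explicit.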
diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
index 031b8f8c5..9750fc363 100644
--- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
+++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt
@@ -186,6 +186,22 @@ POSSIBILITY OF SUCH DAMAGE.
$("."+service_id).show();
});
$("#frontend\\.mode").change();
+
+ // show/hide SSL offloading
+ $("#frontend\\.ssl_enabled").change(function(){
+ var service_id = 'table_ssl_' + $(this).is(':checked');
+ $(".table_ssl").hide();
+ $("."+service_id).show();
+ });
+ $("#frontend\\.ssl_enabled").change();
+
+ // show/hide advanced SSL settings
+ $("#frontend\\.ssl_advancedEnabled").change(function(){
+ var service_id = 'table_ssl_advanced_' + $(this).is(':checked');
+ $(".table_ssl_advanced").hide();
+ $("."+service_id).show();
+ });
+ $("#frontend\\.ssl_advancedEnabled").change();
})
// hook into on-show event for dialog to extend layout.
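Review bot: The two added change handlers are copies of the frontend.mode handler just above them, differing only in the checkbox selector and the class prefix, which is a third repetition of the same hide/show idiom in this block; a small helper makes the three identical in behaviour and easier to extend. Note also that the trailing `.change()` calls run in order, so presumably a row carrying both `table_ssl_true` and `table_ssl_advanced_true` would be re-shown by the second trigger even when SSL offloading is unchecked — worth confirming against the form markup. The enclosing ready handler starts before this hunk.
```javascript
// show/hide the rows of a group according to a checkbox state
function toggleRows(checkbox, prefix) {
    $(checkbox).change(function(){
        $("." + prefix).hide();
        $("." + prefix + "_" + $(this).is(':checked')).show();
    });
    $(checkbox).change();
}
toggleRows("#frontend\\.ssl_enabled", "table_ssl");
toggleRows("#frontend\\.ssl_advancedEnabled", "table_ssl_advanced");
```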
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index ad6ce9700..1d3f84f6f 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -571,22 +571,33 @@ defaults
# Frontend: {{frontend.name}} ({{frontend.description}})
frontend {{frontend.name}}
{% set ssl_certs = [] %}
+{% set ssl_options = [] %}
{% if frontend.ssl_enabled == '1' %}
{# # check if ssl certs are configured #}
{% if frontend.ssl_certificates|default("") != "" %}
{# # NOTE: Cert lists are generated by exportCerts.php #}
{% do ssl_certs.append('crt-list /var/etc/haproxy/ssl/' ~ frontend.id ~ '.crtlist') %}
{% endif %}
-{# # advanced ssl options #}
+{# # advanced ssl parameters (pass-through) #}
{% if frontend.ssl_customOptions|default("") != "" %}
-{# # add a space to separate it from other ssl params #}
-{% set ssl_options = frontend.ssl_customOptions ~ ' ' %}
+{% do ssl_options.append(frontend.ssl_customOptions ~ ' ') %}
+{% endif %}
+{# # advanced ssl settings #}
+{% if frontend.ssl_advancedEnabled|default("") == '1' %}
+{% if frontend.ssl_bindOptions|default("") != "" %}
+{% for bindopt in frontend.ssl_bindOptions.split(",") %}
+{% do ssl_options.append(bindopt) %}
+{% endfor %}
+{% endif %}
+{% if frontend.ssl_cipherList|default("") != "" %}
+{% do ssl_options.append('ciphers ' ~ frontend.ssl_cipherList) %}
+{% endif %}
{% endif %}
{% endif %}
{# # bind/listen configuration #}
{% if frontend.bind|default("") != "" %}
{% for bind in frontend.bind.split(",") %}
- bind {{bind}} name {{bind}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options }}{{ssl_certs|join(' ')}} {% endif %}
+ bind {{bind}} name {{bind}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}
{% endfor %}
{% endif %}
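Review bot: The trailing `~ ' '` kept on the ssl_customOptions append is now redundant, because the bind line joins ssl_options with `|join(' ')`; it yields a double space and is inconsistent with the other appends, so `{% do ssl_options.append(frontend.ssl_customOptions) %}` is enough. The cipher-list append writes `ciphers` followed by the raw field value onto the bind line, so the template relies entirely on the model to keep that value a single token; a comment such as `{# # ssl_cipherList is emitted verbatim; the model must restrict it to cipher-string characters #}` would record that dependency next to the line. When the custom options and the advanced settings are both set, both are emitted, and a ciphers directive in the custom string would then appear twice on the same bind line — haproxy's handling of the duplicate is not established by this hunk, so that case may deserve a note or a check.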