From 29f56908dd826d884f37e7eea8ba537ac57ff433 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Sat, 18 Nov 2017 00:15:11 +0100 Subject: [PATCH] net/haproxy: make SSL params configurable, closes #375 --- .../OPNsense/HAProxy/forms/dialogFrontend.xml | 41 +++++++++++++++---- .../app/models/OPNsense/HAProxy/HAProxy.xml | 25 +++++++++++ .../mvc/app/views/OPNsense/HAProxy/index.volt | 16 ++++++++ .../templates/OPNsense/HAProxy/haproxy.conf | 19 +++++++-- 4 files changed, 89 insertions(+), 12 deletions(-) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml index 2ed5d20a4..e9a1b33b5 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml @@ -45,17 +45,17 @@ dropdown - - - header - - frontend.ssl_enabled - + checkbox Enable SSL offloading + + + header + + frontend.ssl_certificates @@ -74,11 +74,36 @@ frontend.ssl_customOptions - + text - Example: no-sslv3 ciphers HIGH:!DSS:!aNULL@STRENGTH
]]>
+ true
+ + frontend.ssl_advancedEnabled + + checkbox + + + + + header + + + + frontend.ssl_bindOptions + + select_multiple + + true + + + + frontend.ssl_cipherList + + text + + header diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index 5829d0c53..045076ccd 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -298,6 +298,31 @@ N + + 0 + Y + + + N + no-sslv3,no-tlsv10,no-tls-tickets + Y + + no-sslv3 + no-tlsv10 + no-tlsv11 + no-tlsv12 + no-tls-tickets + force-sslv3 + force-tlsv10 + force-tlsv11 + force-tlsv12 + strict-sni + + + + ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 + N + 1 500000 diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt index 031b8f8c5..9750fc363 100644 --- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt +++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt 
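Review bot: The new `ssl_cipherList` value, like the existing `ssl_customOptions`, is written verbatim into the `bind` line by the haproxy.conf hunk of this commit, and nothing legible in this model hunk constrains it (the field tags are stripped in this rendering, so the field type and any mask are assumed to be absent); a mask limiting it to the characters an OpenSSL cipher string uses (letters, digits and `:-!+@=`) would stop a value containing whitespace or a newline from becoming extra bind keywords or config lines. The `ssl_bindOptions` option list also offers `force-sslv3`/`force-tlsv10`/`force-tlsv11`/`force-tlsv12` next to the `no-*` entries, and neither the model nor the template reconciles a selection such as `no-tlsv10` together with `force-tlsv10`, which is likely to yield a bind line HAProxy rejects at reload or one that quietly overrides the hardened `no-*` defaults; a constraint rejecting contradictory combinations, or dropping the `force-*` entries, would close that gap.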
@@ -186,6 +186,22 @@ POSSIBILITY OF SUCH DAMAGE.
 $("."+service_id).show();
 });
 $("#frontend\\.mode").change();
+
+ // show/hide SSL offloading
+ $("#frontend\\.ssl_enabled").change(function(){
+ var service_id = 'table_ssl_' + $(this).is(':checked');
+ $(".table_ssl").hide();
+ $("."+service_id).show();
+ });
+ $("#frontend\\.ssl_enabled").change();
+
+ // show/hide advanced SSL settings
+ $("#frontend\\.ssl_advancedEnabled").change(function(){
+ var service_id = 'table_ssl_advanced_' + $(this).is(':checked');
+ $(".table_ssl_advanced").hide();
+ $("."+service_id).show();
+ });
+ $("#frontend\\.ssl_advancedEnabled").change();
 })
 // hook into on-show event for dialog to extend layout.
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index ad6ce9700..1d3f84f6f 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
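Review bot: The two new change handlers are the same five lines copied with a different class prefix, and both keep the local name `service_id` inherited from the `frontend.mode` handler above, although the value is a row class rather than a service id; a small helper taking the checkbox selector and the class prefix would remove the duplication and give the variable a fitting name. If the advanced rows also carry the `table_ssl_true` class (the class attributes in dialogFrontend.xml are not legible in this rendering), re-enabling SSL offloading would show them even while the advanced checkbox is unticked; triggering `$("#frontend\\.ssl_advancedEnabled").change()` at the end of the `ssl_enabled` handler would keep the two toggles consistent, but that needs confirming against the form. The enclosing ready callback starts outside the hunk.
```javascript
    // show/hide the rows tagged <prefix>_true / <prefix>_false with a checkbox
    function toggleRowsByCheckbox(checkbox, prefix) {
        $(checkbox).change(function(){
            $("." + prefix).hide();
            $("." + prefix + "_" + $(this).is(':checked')).show();
        });
        $(checkbox).change();
    }
    toggleRowsByCheckbox("#frontend\\.ssl_enabled", "table_ssl");
    toggleRowsByCheckbox("#frontend\\.ssl_advancedEnabled", "table_ssl_advanced");
```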
@@ -571,22 +571,33 @@ defaults
 # Frontend: {{frontend.name}} ({{frontend.description}})
 frontend {{frontend.name}}
 {% set ssl_certs = [] %}
+{% set ssl_options = [] %}
 {% if frontend.ssl_enabled == '1' %}
 {# # check if ssl certs are configured #}
 {% if frontend.ssl_certificates|default("") != "" %}
 {# # NOTE: Cert lists are generated by exportCerts.php #}
 {% do ssl_certs.append('crt-list /var/etc/haproxy/ssl/' ~ frontend.id ~ '.crtlist') %}
 {% endif %}
-{# # advanced ssl options #}
+{# # advanced ssl parameters (pass-through) #}
 {% if frontend.ssl_customOptions|default("") != "" %}
-{# # add a space to separate it from other ssl params #}
-{% set ssl_options = frontend.ssl_customOptions ~ ' ' %}
+{% do ssl_options.append(frontend.ssl_customOptions ~ ' ') %}
+{% endif %}
+{# # advanced ssl settings #}
+{% if frontend.ssl_advancedEnabled|default("") == '1' %}
+{% if frontend.ssl_bindOptions|default("") != "" %}
+{% for bindopt in frontend.ssl_bindOptions.split(",") %}
+{% do ssl_options.append(bindopt) %}
+{% endfor %}
+{% endif %}
+{% if frontend.ssl_cipherList|default("") != "" %}
+{% do ssl_options.append('ciphers ' ~ frontend.ssl_cipherList) %}
+{% endif %}
 {% endif %}
 {% endif %}
 {# # bind/listen configuration #}
 {% if frontend.bind|default("") != "" %}
 {% for bind in frontend.bind.split(",") %}
- bind {{bind}} name {{bind}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options }}{{ssl_certs|join(' ')}} {% endif %}
+ bind {{bind}} name {{bind}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}
 {% endfor %}
 {% endif %}
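Review bot: The hardening defaults the model hunk appears to give `ssl_bindOptions` (`no-sslv3,no-tlsv10,no-tls-tickets`, with `ssl_advancedEnabled` defaulting to `0`) never reach the bind line for a frontend saved with default settings, because the `ssl_bindOptions` loop and the `ciphers` line sit inside `{% if frontend.ssl_advancedEnabled|default("") == '1' %}`; such a frontend is left at HAProxy's own protocol defaults. Dropping that guard so the stored `ssl_bindOptions` and `ssl_cipherList` are rendered whenever SSL offloading is on, or mirroring the defaults as `ssl-default-bind-options` in the `global` section, would make the model default effective. The `~ ' '` in `{% do ssl_options.append(frontend.ssl_customOptions ~ ' ') %}` is now redundant since the list is joined with `' '`, and produces a double space in the rendered line; `{% do ssl_options.append(frontend.ssl_customOptions) %}` is enough. The appended values are emitted unquoted, so a comment such as `{# # NOTE: custom options and cipher list are passed through verbatim; validation belongs to the model #}` would tell the next maintainer where the check is expected to live.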