net/haproxy: fix SNI when OCSP is enabled, closes #3779

2026-05-28 04:34:15 -04:00 · 2024-01-30 22:49:22 +01:00 · 2024-01-30 22:49:22 +01:00 · 404c19f6e7
commit 404c19f6e7
parent 6eb9417ac5
5 changed files with 37 additions and 2 deletions
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@ -6,6 +6,17 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================

+4.3
+
+Added:
+* Add new global parameter: DNS prefer IP family (#3779)
+
+Fixed:
+* SNI not working when automatic OCSP updates are enabled (#3779)
+
+Changed:
+* prefer IPv4 results when resolving DNS names (#3779)
+
 4.2

 Added:
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@ -22,6 +22,12 @@
        <type>text</type>
        <help><![CDATA[Sets the maximum number of concurrent connections per HAProxy process.<br/><div class="text-info"><b>NOTE:</b> Consider raising the settings for kern.maxfiles and kern.maxfilesperproc in <a target="_blank" href="/system_advanced_sysctl.php">System: Settings: Tunables</a>, otherwise HAProxy will fail to open the specified number of connections.</div>]]></help>
    </field>
+    <field>
+        <id>haproxy.general.tuning.resolversPrefer</id>
+        <label>DNS prefer IP family</label>
+        <type>dropdown</type>
+        <help><![CDATA[This option allows to choose which IP family is preferred when resolving DNS names. This is useful when IPv6 or IPv4 is not available. It solves a common issue with OCSP updates.]]></help>
+    </field>
    <field>
        <id>haproxy.general.tuning.sslServerVerify</id>
        <label>Verify SSL Server Certificates</label>
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@ -85,6 +85,14 @@
                    <ValidationMessage>Please specify a value between 1 and 1024.</ValidationMessage>
                    <Required>N</Required>
                </nbthread>
+                <resolversPrefer type="OptionField">
+                    <Required>N</Required>
+                    <default>ipv4</default>
+                    <OptionValues>
+                        <ipv4>IPv4</ipv4>
+                        <ipv6>IPv6</ipv6>
+                    </OptionValues>
+                </resolversPrefer>
                <sslServerVerify type="OptionField">
                    <Required>Y</Required>
                    <default>ignore</default>
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@ -97,7 +97,7 @@ foreach ($configNodes as $key => $value) {
                                            echo "exported $type to " . $output_pem_filename . "\n";
                                            // Check if automatic OCSP updates are enabled.
                                            if (isset($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled) and ($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled == '1')) {
-                                                $crtlist[] = $output_pem_filename . " ocsp-update on";
+                                                $crtlist[] = $output_pem_filename . " [ocsp-update on]";
                                            } else {
                                                $crtlist[] = $output_pem_filename;
                                            }
@ -125,7 +125,12 @@ foreach ($configNodes as $key => $value) {
                            // check if a default certificate is configured
                            if (($type == 'cert') and isset($child->ssl_default_certificate) and (string)$child->ssl_default_certificate != "") {
                                $default_cert = (string)$child->ssl_default_certificate;
-                                $default_cert_filename = $export_path . $default_cert . ".pem";
+                                // Check if automatic OCSP updates are enabled.
+                                if (isset($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled) and ($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled == '1')) {
+                                    $default_cert_filename = $export_path . $default_cert . ".pem [ocsp-update on]";
+                                } else {
+                                    $default_cert_filename = $export_path . $default_cert . ".pem";
+                                }
                                // ensure that the default certificate is the first entry on the list
                                $crtlist = array_diff($crtlist, [$default_cert_filename]);
                                array_unshift($crtlist, $default_cert_filename);
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@ -991,6 +991,11 @@ global
    tune.ssl.ocsp-update.maxdelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMaxDelay}}
 {%   endif %}
 {% endif %}
+{% if helpers.exists('OPNsense.HAProxy.general.tuning.resolversPrefer') %}
+    httpclient.resolvers.prefer   {{OPNsense.HAProxy.general.tuning.resolversPrefer}}
+{% else %}
+    httpclient.resolvers.prefer   ipv4
+{% endif %}
 {% if helpers.exists('OPNsense.HAProxy.general.tuning.maxDHSize') %}
    tune.ssl.default-dh-param   {{OPNsense.HAProxy.general.tuning.maxDHSize}}
 {% endif %}