diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 7ea41d936..65573b469 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
@@ -1,5 +1,5 @@
PLUGIN_NAME= haproxy
-PLUGIN_VERSION= 4.2
+PLUGIN_VERSION= 4.3
PLUGIN_COMMENT= Reliable, high performance TCP/HTTP load balancer
PLUGIN_DEPENDS= haproxy28 py${PLUGIN_PYTHON}-haproxy-cli
PLUGIN_MAINTAINER= opnsense@moov.de
diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
index f692d8110..667d5fc21 100644
--- a/net/haproxy/pkg-descr
+++ b/net/haproxy/pkg-descr
@@ -6,6 +6,17 @@ very high loads while needing persistence or Layer7 processing.
Plugin Changelog
================
+4.3
+
+Added:
+* Add new global parameter: DNS prefer IP family (#3779)
+
+Fixed:
+* SNI not working when automatic OCSP updates are enabled (#3779)
+
+Changed:
+* prefer IPv4 results when resolving DNS names (#3779)
+
4.2
Added:
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
index f20d662dc..069dea4ad 100644
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/generalTuning.xml
@@ -22,6 +22,12 @@
text
NOTE: Consider raising the settings for kern.maxfiles and kern.maxfilesperproc in System: Settings: Tunables, otherwise HAProxy will fail to open the specified number of connections.
]]>
+
+ haproxy.general.tuning.resolversPrefer
+
+ dropdown
+
+ haproxy.general.tuning.sslServerVerify
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
index 3e90be2f2..92270f886 100644
--- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
+++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -85,6 +85,14 @@
Please specify a value between 1 and 1024.N
+
+ N
+ ipv4
+
+ IPv4
+ IPv6
+
+ Yignore
diff --git a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
index 935160b42..3eae885bb 100755
--- a/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
+++ b/net/haproxy/src/opnsense/scripts/OPNsense/HAProxy/exportCerts.php
@@ -97,7 +97,7 @@ foreach ($configNodes as $key => $value) {
echo "exported $type to " . $output_pem_filename . "\n";
// Check if automatic OCSP updates are enabled.
if (isset($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled) and ($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled == '1')) {
- $crtlist[] = $output_pem_filename . " ocsp-update on";
+ $crtlist[] = $output_pem_filename . " [ocsp-update on]";
} else {
$crtlist[] = $output_pem_filename;
}
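Review bot: The reason for the square brackets on the new `$crtlist[]` line deserves a comment, because a later reader is likely to "simplify" them away again: in HAProxy's crt-list format, per-certificate ssl options have to be enclosed in `[...]`, and any bare words following the file name are read as SNI filters, which is what made SNI stop working once OCSP updates were enabled (the pkg-descr entry for 4.3 describes that symptom). Suggested comment above the assignment: `// crt-list syntax: ssl options must be bracketed; bare words after the file name are parsed as SNI filters.` The enclosing foreach starts outside this hunk.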
@@ -125,7 +125,12 @@ foreach ($configNodes as $key => $value) {
// check if a default certificate is configured
if (($type == 'cert') and isset($child->ssl_default_certificate) and (string)$child->ssl_default_certificate != "") {
$default_cert = (string)$child->ssl_default_certificate;
- $default_cert_filename = $export_path . $default_cert . ".pem";
+ // Check if automatic OCSP updates are enabled.
+ if (isset($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled) and ($configObj->OPNsense->HAProxy->general->tuning->ocspUpdateEnabled == '1')) {
+ $default_cert_filename = $export_path . $default_cert . ".pem [ocsp-update on]";
+ } else {
+ $default_cert_filename = $export_path . $default_cert . ".pem";
+ }
// ensure that the default certificate is the first entry on the list
$crtlist = array_diff($crtlist, [$default_cert_filename]);
array_unshift($crtlist, $default_cert_filename);
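Review bot: The OCSP-enabled test added here is a verbatim copy of the one in the earlier hunk of this file, and the two suffixes have to stay byte-identical for the `array_diff` two lines below to recognise the default certificate's existing entry; if they ever drift apart the certificate is silently listed twice instead of being moved to the front. Evaluating the setting once before the loop and reusing it, e.g. `$ocsp_suffix = $ocsp_enabled ? " [ocsp-update on]" : "";` followed by `$default_cert_filename = $export_path . $default_cert . ".pem" . $ocsp_suffix;` (and the same suffix on the earlier `$crtlist[]` line), keeps them in step. Whether `$output_pem_filename` in the earlier hunk is built from the same `$export_path . $default_cert . ".pem"` form is not visible here, and the dedup depends on that too. The enclosing foreach starts before this hunk and continues past it.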
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 4ee933700..847091b70 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -991,6 +991,11 @@ global
tune.ssl.ocsp-update.maxdelay {{OPNsense.HAProxy.general.tuning.ocspUpdateMaxDelay}}
{% endif %}
{% endif %}
+{% if helpers.exists('OPNsense.HAProxy.general.tuning.resolversPrefer') %}
+ httpclient.resolvers.prefer {{OPNsense.HAProxy.general.tuning.resolversPrefer}}
+{% else %}
+ httpclient.resolvers.prefer ipv4
+{% endif %}
{% if helpers.exists('OPNsense.HAProxy.general.tuning.maxDHSize') %}
tune.ssl.default-dh-param {{OPNsense.HAProxy.general.tuning.maxDHSize}}
{% endif %}
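Review bot: As far as the HAProxy documentation goes, `httpclient.resolvers.prefer` only governs the internal httpclient (which the OCSP updater uses), not the `resolvers` sections that backend server names go through, yet the pkg-descr changelog line and the form label read as if it applied to DNS resolution in general; a template comment above the new block such as `# applies to HAProxy's internal httpclient (e.g. OCSP updates), not to backend resolvers` would prevent that reading, and the help text for the new field should say the same. The `{% else %}` branch hard-codes `ipv4`, which matches the default declared in the model; harmless, but the two places must be kept in agreement. The `global` section continues outside this hunk.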