net/haproxy: safeguarding for deleted items

This commit is contained in:
Frank Wall 2017-02-02 01:44:26 +01:00 committed by Franco Fichtner
parent 911f6e7ec2
commit b3460992b6


@ -37,182 +37,189 @@
{# # collect ACLs for this action #}
{% set action_acls = [] %}
{# # collect ACL errors (may disable Action) #}
{% set acl_errors = '0' %}
{% set acl_errors = 0 %}
{# # An action with no ACLs may still be valid #}
{% if action_data.linkedAcls|default("") != "" %}
{% for acl in action_data.linkedAcls.split(",") %}
{% set acl_data = helpers.getUUID(acl) %}
{% set acl_enabled = '1' %}
{# # first check if this ACL condition should be negated #}
{% if acl_data.negate|default("") == '1' %}
{% do action_acls.append('!acl_' ~ acl_data.id) if acl_data.negate|default("") == '1' %}
{% else %}
{% do action_acls.append('acl_' ~ acl_data.id) %}
{% endif %}
{# # check if this ACL was already defined in this scope #}
{% if acl_data.id in acls_seen %}
{# # DEBUG: ignoring duplicate ACL {{acl_data.name}} #}
{% continue %}
{% endif %}
{% do acls_seen.append(acl_data.id) %}
{% set acl_options = [] %}
{% if acl_data.expression == 'host_starts_with' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('hdr_beg(host) -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'host_ends_with' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('hdr_end(host) -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'host_matches' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('hdr(host) -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'host_regex' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('hdr_reg(host) -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'host_contains' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('hdr_sub(host) -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'path_starts_with' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('path_beg -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'path_ends_with' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('path_end -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'path_matches' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('path -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'path_regex' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('path_reg -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'path_contains' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('path_dir -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'url_parameter' %}
{% if acl_data.value|default("") != "" and acl_data.urlparam|default("") != "" %}
{% do acl_options.append('url_param(' ~ acl_data.urlparam ~ ') -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'ssl_c_verify_code' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('ssl_c_verify ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'ssl_c_verify' %}
{% do acl_options.append('ssl_c_verify 0') %}
{% elif acl_data.expression == 'ssl_c_ca_commonname' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('ssl_c_i_dn(CN) ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'source_ip' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('src ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'backendservercount' %}
{% do acl_options.append('') %}
{% if acl_data.value|default("") != "" and acl_data.queryBackend|default("") != "" %}
{% do acl_options.append('nbsrv(backend_' ~ acl_data.queryBackend ~ ') ge ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'traffic_is_http' %}
{% do acl_options.append('req.proto_http') %}
{% elif acl_data.expression == 'traffic_is_ssl' %}
{% do acl_options.append('req.ssl_ver gt 0') %}
{% elif acl_data.expression == 'ssl_sni_matches' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('req.ssl_sni -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'ssl_sni_contains' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('req.ssl_sni -m sub -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'ssl_sni_starts_with' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('req.ssl_sni -m beg -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'ssl_sni_ends_with' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('req.ssl_sni -m end -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'ssl_sni_regex' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('req.ssl_sni -m reg -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'custom_acl' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append(acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% else %}
{% set acl_data = helpers.getUUID(acl) %}
{# # check if this ACL can be found in configuration #}
{% if acl_data == {} %}
# ERROR: ACL data not found ({{acl}})
{% set acl_errors = acl_errors + 1 %}
{% set acl_enabled = '0' %}
{% else %}
{# # first check if this ACL condition should be negated #}
{% if acl_data.negate|default("") == '1' %}
{% do action_acls.append('!acl_' ~ acl_data.id) if acl_data.negate|default("") == '1' %}
{% else %}
{% do action_acls.append('acl_' ~ acl_data.id) %}
{% endif %}
{# # check if this ACL was already defined in this scope #}
{% if acl_data.id in acls_seen %}
{# # DEBUG: ignoring duplicate ACL {{acl_data.name}} #}
{% continue %}
{% endif %}
{% do acls_seen.append(acl_data.id) %}
{% set acl_options = [] %}
{% if acl_data.expression == 'host_starts_with' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('hdr_beg(host) -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'host_ends_with' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('hdr_end(host) -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'host_matches' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('hdr(host) -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'host_regex' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('hdr_reg(host) -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'host_contains' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('hdr_sub(host) -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'path_starts_with' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('path_beg -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'path_ends_with' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('path_end -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'path_matches' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('path -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'path_regex' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('path_reg -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'path_contains' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('path_dir -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'url_parameter' %}
{% if acl_data.value|default("") != "" and acl_data.urlparam|default("") != "" %}
{% do acl_options.append('url_param(' ~ acl_data.urlparam ~ ') -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'ssl_c_verify_code' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('ssl_c_verify ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'ssl_c_verify' %}
{% do acl_options.append('ssl_c_verify 0') %}
{% elif acl_data.expression == 'ssl_c_ca_commonname' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('ssl_c_i_dn(CN) ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'source_ip' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('src ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'backendservercount' %}
{% do acl_options.append('') %}
{% if acl_data.value|default("") != "" and acl_data.queryBackend|default("") != "" %}
{% do acl_options.append('nbsrv(backend_' ~ acl_data.queryBackend ~ ') ge ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'traffic_is_http' %}
{% do acl_options.append('req.proto_http') %}
{% elif acl_data.expression == 'traffic_is_ssl' %}
{% do acl_options.append('req.ssl_ver gt 0') %}
{% elif acl_data.expression == 'ssl_sni_matches' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('req.ssl_sni -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'ssl_sni_contains' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('req.ssl_sni -m sub -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'ssl_sni_starts_with' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('req.ssl_sni -m beg -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'ssl_sni_ends_with' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('req.ssl_sni -m end -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'ssl_sni_regex' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append('req.ssl_sni -m reg -i ' ~ acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% elif acl_data.expression == 'custom_acl' %}
{% if acl_data.value|default("") != "" %}
{% do acl_options.append(acl_data.value) %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: missing parameters
{% endif %}
{% else %}
{% set acl_enabled = '0' %}
# ERROR: unsupported ACL expression
{% endif %}
{% endif %}
{# # check if ACL is valid #}
{% if acl_enabled == '1' %}
@ -220,7 +227,7 @@
acl acl_{{acl_data.id}} {{acl_options|join(' ')}}
{% else %}
{% set acl_errors = acl_errors + 1 %}
# ACL INVALID: {{acl_data.name}}
# ACL INVALID: {{acl_data.name}} ({{acl}})
{% endif %}
{% endfor %}
{% endif %}
@ -811,75 +818,80 @@ backend {{backend.name}}
{% endif %}
{% for server in backend.linkedServers.split(",") %}
{% set server_data = helpers.getUUID(server) %}
{# # collect optional server parameters #}
{% set server_options = [] %}
{# # check if health check is enabled #}
{% if healthcheck_enabled == '1' %}
{% do server_options.append('check') %}
{% do server_options.append('inter ' ~ server_data.checkInterval) %}
{# # use a different interval when server is in DOWN state #}
{% if server_data.checkDownInterval|default("") != "" %}
{% do server_options.append('downinter ' ~ server_data.checkDownInterval) %}
{% endif %}
{# # use a different port for health check #}
{% if healthcheck_data.checkport|default("") != "" %}
{# # prefer port from health check template #}
{% do server_options.append('port ' ~ healthcheck_data.checkport) %}
{% elif server_data.checkport|default("") != "" %}
{% do server_options.append('port ' ~ server_data.checkport) %}
{% endif %}
{# # add all additions from healthchecks here #}
{% do server_options.append(healthcheck_additions|join(' ')) if healthcheck_additions.length != '0' %}
{% endif %}
{# # server weight #}
{% do server_options.append('weight ' ~ server_data.weight) if server_data.weight|default("") != "" %}
{# # server role/mode #}
{% if server_data.mode|default("") != 'active' %}
{% do server_options.append(server_data.mode) %}
{% endif %}
{# # server ssl communication #}
{% if server_data.ssl|default("") == '1' %}
{% do server_options.append('ssl') %}
{# # get status of ssl verification #}
{% set ssl_verify_enabled = '0' %}
{% if helpers.exists('OPNsense.HAProxy.general.tuning.sslServerVerify') and OPNsense.HAProxy.general.tuning.sslServerVerify|default("") != 'ignore' %}
{# # NOTE: Global parameter overrides per-server configuration. #}
{% set ssl_verify_enabled = '1' if OPNsense.HAProxy.general.tuning.sslServerVerify|default("") == 'required' %}
{% elif server_data.sslVerify|default("") == '1' %}
{% set ssl_verify_enabled = '1' %}
{% endif %}
{# # configure ssl verification #}
{% if ssl_verify_enabled == '1' %}
{# # enable SSL verification #}
{% do server_options.append('verify required') %}
{# # check for SSL CA #}
{% if server_data.sslCA|default("") != "" %}
{% do server_options.append('ca-file /var/etc/haproxy/ssl/' ~ server_data.sslCA ~ '.pem') %}
{# # check if this server can be found in configuration #}
{% if server_data == {} %}
# ERROR: server data not found ({{server}})
{% else %}
{# # collect optional server parameters #}
{% set server_options = [] %}
{# # check if health check is enabled #}
{% if healthcheck_enabled == '1' %}
{% do server_options.append('check') %}
{% do server_options.append('inter ' ~ server_data.checkInterval) %}
{# # use a different interval when server is in DOWN state #}
{% if server_data.checkDownInterval|default("") != "" %}
{% do server_options.append('downinter ' ~ server_data.checkDownInterval) %}
{% endif %}
{# # check for SSL CRL #}
{% if server_data.sslCRL|default("") != "" %}
{% do server_options.append('crl-file /var/etc/haproxy/ssl/' ~ server_data.sslCRL ~ '.pem') %}
{# # use a different port for health check #}
{% if healthcheck_data.checkport|default("") != "" %}
{# # prefer port from health check template #}
{% do server_options.append('port ' ~ healthcheck_data.checkport) %}
{% elif server_data.checkport|default("") != "" %}
{% do server_options.append('port ' ~ server_data.checkport) %}
{% endif %}
{# # check for SSL client cert #}
{% if server_data.sslClientCertificate|default("") != "" %}
{% do server_options.append('crt /var/etc/haproxy/ssl/' ~ server_data.sslClientCertificate ~ '.pem') %}
{% endif %}
{% else %}
{% do server_options.append('verify none') %}
{# # add all additions from healthchecks here #}
{% do server_options.append(healthcheck_additions|join(' ')) if healthcheck_additions.length != '0' %}
{% endif %}
{# # server weight #}
{% do server_options.append('weight ' ~ server_data.weight) if server_data.weight|default("") != "" %}
{# # server role/mode #}
{% if server_data.mode|default("") != 'active' %}
{% do server_options.append(server_data.mode) %}
{% endif %}
{# # server ssl communication #}
{% if server_data.ssl|default("") == '1' %}
{% do server_options.append('ssl') %}
{# # get status of ssl verification #}
{% set ssl_verify_enabled = '0' %}
{% if helpers.exists('OPNsense.HAProxy.general.tuning.sslServerVerify') and OPNsense.HAProxy.general.tuning.sslServerVerify|default("") != 'ignore' %}
{# # NOTE: Global parameter overrides per-server configuration. #}
{% set ssl_verify_enabled = '1' if OPNsense.HAProxy.general.tuning.sslServerVerify|default("") == 'required' %}
{% elif server_data.sslVerify|default("") == '1' %}
{% set ssl_verify_enabled = '1' %}
{% endif %}
{# # configure ssl verification #}
{% if ssl_verify_enabled == '1' %}
{# # enable SSL verification #}
{% do server_options.append('verify required') %}
{# # check for SSL CA #}
{% if server_data.sslCA|default("") != "" %}
{% do server_options.append('ca-file /var/etc/haproxy/ssl/' ~ server_data.sslCA ~ '.pem') %}
{% endif %}
{# # check for SSL CRL #}
{% if server_data.sslCRL|default("") != "" %}
{% do server_options.append('crl-file /var/etc/haproxy/ssl/' ~ server_data.sslCRL ~ '.pem') %}
{% endif %}
{# # check for SSL client cert #}
{% if server_data.sslClientCertificate|default("") != "" %}
{% do server_options.append('crt /var/etc/haproxy/ssl/' ~ server_data.sslClientCertificate ~ '.pem') %}
{% endif %}
{% else %}
{% do server_options.append('verify none') %}
{% endif %}
{% endif %}
{# # source address #}
{% if backend.source|default("") != "" %}
{# # prefer backend configuration #}
{% do server_options.append('source ' ~ backend.source) %}
{% elif server_data.source|default("") != "" %}
{% do server_options.append('source ' ~ server_data.source) %}
{% endif %}
{# # server advanced options #}
{% if server_data.advanced|default("") != "" %}
{% do server_options.append(server_data.advanced) %}
{% endif %}
{% endif %}
{# # source address #}
{% if backend.source|default("") != "" %}
{# # prefer backend configuration #}
{% do server_options.append('source ' ~ backend.source) %}
{% elif server_data.source|default("") != "" %}
{% do server_options.append('source ' ~ server_data.source) %}
{% endif %}
{# # server advanced options #}
{% if server_data.advanced|default("") != "" %}
{% do server_options.append(server_data.advanced) %}
{% endif %}
server {{server_data.name}} {{server_data.address}}:{% if backend.tuning_noport != '1' %}{{server_data.port}}{% endif %} {{server_options|join(' ')}}
{% endif %}
{% endfor %}
{% else %}
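Review bot: The new lookup guards cover deleted ACLs and servers, but the `backendservercount` branch at L312 still emits `nbsrv(backend_<uuid>)` from `acl_data.queryBackend` with no check that the referenced backend still exists, so a backend deleted while an ACL points at it leaves a dangling reference that HAProxy will presumably reject at load time, taking the whole proxy down rather than just that one ACL. Applying the same pattern used at L191 keeps the failure local: `{% if acl_data.value|default("") != "" and acl_data.queryBackend|default("") != "" and helpers.getUUID(acl_data.queryBackend) != {} %}`, falling into the existing "missing parameters" else branch otherwise. The same consideration applies to `sslCA`, `sslCRL` and `sslClientCertificate` at L483–L491, which build `/var/etc/haproxy/ssl/<uuid>.pem` paths without confirming the certificate reference resolves — whether those are validated elsewhere is not visible here. Separately, the not-found path at L193 increments `acl_errors` and then, because `acl_enabled` is now `'0'`, the else branch at L373 increments it again; if `acl_errors` is only ever compared against zero this is harmless, but the L193 increment is redundant and the duplicated count will confuse anyone reading the rendered config comments. Both the action loop enclosing the first hunk and the backend block enclosing the last one start outside the hunks.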