From b3460992b61718d3c2a4cbb2f15b878c4bd3030d Mon Sep 17 00:00:00 2001
From: Frank Wall
Date: Thu, 2 Feb 2017 01:44:26 +0100
Subject: [PATCH] net/haproxy: safeguarding for deleted items

---
 .../templates/OPNsense/HAProxy/haproxy.conf | 484 +++++++++---------
 1 file changed, 248 insertions(+), 236 deletions(-)

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index f3bf85ecf..e6d8852a5 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -37,182 +37,189 @@
 {# # collect ACLs for this action #}
 {% set action_acls = [] %}
 {# # collect ACL errors (may disable Action) #}
-{% set acl_errors = '0' %}
+{% set acl_errors = 0 %}
 {# # An action with no ACLs may still be valid #}
 {% if action_data.linkedAcls|default("") != "" %}
 {% for acl in action_data.linkedAcls.split(",") %}
-{% set acl_data = helpers.getUUID(acl) %}
 {% set acl_enabled = '1' %}
-{# # first check if this ACL condition should be negated #}
-{% if acl_data.negate|default("") == '1' %}
-{% do action_acls.append('!acl_' ~ acl_data.id) if acl_data.negate|default("") == '1' %}
-{% else %}
-{% do action_acls.append('acl_' ~ acl_data.id) %}
-{% endif %}
-{# # check if this ACL was already defined in this scope #}
-{% if acl_data.id in acls_seen %}
-{# # DEBUG: ignoring duplicate ACL {{acl_data.name}} #}
-{% continue %}
-{% endif %}
-{% do acls_seen.append(acl_data.id) %}
-{% set acl_options = [] %}
-{% if acl_data.expression == 'host_starts_with' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('hdr_beg(host) -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'host_ends_with' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('hdr_end(host) -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'host_matches' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('hdr(host) -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'host_regex' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('hdr_reg(host) -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'host_contains' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('hdr_sub(host) -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'path_starts_with' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('path_beg -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'path_ends_with' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('path_end -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'path_matches' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('path -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'path_regex' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('path_reg -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'path_contains' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('path_dir -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'url_parameter' %}
-{% if acl_data.value|default("") != "" and acl_data.urlparam|default("") != "" %}
-{% do acl_options.append('url_param(' ~ acl_data.urlparam ~ ') -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'ssl_c_verify_code' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('ssl_c_verify ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'ssl_c_verify' %}
-{% do acl_options.append('ssl_c_verify 0') %}
-{% elif acl_data.expression == 'ssl_c_ca_commonname' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('ssl_c_i_dn(CN) ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'source_ip' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('src ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'backendservercount' %}
-{% do acl_options.append('') %}
-{% if acl_data.value|default("") != "" and acl_data.queryBackend|default("") != "" %}
-{% do acl_options.append('nbsrv(backend_' ~ acl_data.queryBackend ~ ') ge ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'traffic_is_http' %}
-{% do acl_options.append('req.proto_http') %}
-{% elif acl_data.expression == 'traffic_is_ssl' %}
-{% do acl_options.append('req.ssl_ver gt 0') %}
-{% elif acl_data.expression == 'ssl_sni_matches' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('req.ssl_sni -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'ssl_sni_contains' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('req.ssl_sni -m sub -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'ssl_sni_starts_with' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('req.ssl_sni -m beg -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'ssl_sni_ends_with' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('req.ssl_sni -m end -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'ssl_sni_regex' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append('req.ssl_sni -m reg -i ' ~ acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% elif acl_data.expression == 'custom_acl' %}
-{% if acl_data.value|default("") != "" %}
-{% do acl_options.append(acl_data.value) %}
-{% else %}
-{% set acl_enabled = '0' %}
- # ERROR: missing parameters
-{% endif %}
-{% else %}
+{% set acl_data = helpers.getUUID(acl) %}
+{# # check if this ACL can be found in configuration #}
+{% if acl_data == {} %}
+ # ERROR: ACL data not found ({{acl}})
+{% set acl_errors = acl_errors + 1 %}
 {% set acl_enabled = '0' %}
+{% else %}
+{# # first check if this ACL condition should be negated #}
+{% if acl_data.negate|default("") == '1' %}
+{% do action_acls.append('!acl_' ~ acl_data.id) if acl_data.negate|default("") == '1' %}
+{% else %}
+{% do action_acls.append('acl_' ~ acl_data.id) %}
+{% endif %}
+{# # check if this ACL was already defined in this scope #}
+{% if acl_data.id in acls_seen %}
+{# # DEBUG: ignoring duplicate ACL {{acl_data.name}} #}
+{% continue %}
+{% endif %}
+{% do acls_seen.append(acl_data.id) %}
+{% set acl_options = [] %}
+{% if acl_data.expression == 'host_starts_with' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('hdr_beg(host) -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'host_ends_with' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('hdr_end(host) -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'host_matches' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('hdr(host) -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'host_regex' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('hdr_reg(host) -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'host_contains' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('hdr_sub(host) -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'path_starts_with' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('path_beg -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'path_ends_with' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('path_end -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'path_matches' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('path -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'path_regex' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('path_reg -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'path_contains' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('path_dir -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'url_parameter' %}
+{% if acl_data.value|default("") != "" and acl_data.urlparam|default("") != "" %}
+{% do acl_options.append('url_param(' ~ acl_data.urlparam ~ ') -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'ssl_c_verify_code' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('ssl_c_verify ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'ssl_c_verify' %}
+{% do acl_options.append('ssl_c_verify 0') %}
+{% elif acl_data.expression == 'ssl_c_ca_commonname' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('ssl_c_i_dn(CN) ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'source_ip' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('src ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'backendservercount' %}
+{% do acl_options.append('') %}
+{% if acl_data.value|default("") != "" and acl_data.queryBackend|default("") != "" %}
+{% do acl_options.append('nbsrv(backend_' ~ acl_data.queryBackend ~ ') ge ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'traffic_is_http' %}
+{% do acl_options.append('req.proto_http') %}
+{% elif acl_data.expression == 'traffic_is_ssl' %}
+{% do acl_options.append('req.ssl_ver gt 0') %}
+{% elif acl_data.expression == 'ssl_sni_matches' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('req.ssl_sni -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'ssl_sni_contains' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('req.ssl_sni -m sub -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'ssl_sni_starts_with' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('req.ssl_sni -m beg -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'ssl_sni_ends_with' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('req.ssl_sni -m end -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'ssl_sni_regex' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append('req.ssl_sni -m reg -i ' ~ acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% elif acl_data.expression == 'custom_acl' %}
+{% if acl_data.value|default("") != "" %}
+{% do acl_options.append(acl_data.value) %}
+{% else %}
+{% set acl_enabled = '0' %}
+ # ERROR: missing parameters
+{% endif %}
+{% else %}
+{% set acl_enabled = '0' %}
 # ERROR: unsupported ACL expression
+{% endif %}
 {% endif %}
 {# # check if ACL is valid #}
 {% if acl_enabled == '1' %}
@@ -220,7 +227,7 @@
 acl acl_{{acl_data.id}} {{acl_options|join(' ')}}
 {% else %}
 {% set acl_errors = acl_errors + 1 %}
- # ACL INVALID: {{acl_data.name}}
+ # ACL INVALID: {{acl_data.name}} ({{acl}})
 {% endif %}
 {% endfor %}
 {% endif %}
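Review bot: The `{% set acl_errors = acl_errors + 1 %}` added in the new not-found branch runs inside the `{% for acl in action_data.linkedAcls.split(",") %}` loop, and a Jinja2 `set` inside a `for` block does not update the variable outside that block, so a reader of `acl_errors` placed after `{% endfor %}` (not visible in this hunk) would still see the `0` initialised at the top and the action would never be disabled; the pre-existing increment in the `@@ -220,7 +227,7 @@` hunk has the same problem. If the consumer is indeed outside the loop, the counter should follow the file's own list idiom, `{% set acl_errors = [] %}` with `{% do acl_errors.append(acl) %}` and a check on `acl_errors|length`. Independently, a deleted ACL is counted twice: the not-found branch increments and sets `acl_enabled = '0'`, so the `{% else %}` of the `acl_enabled == '1'` check increments again and additionally emits `# ACL INVALID:  (uuid)` with an empty name; dropping the increment from the not-found branch keeps one count and both messages. The initialisation change from `'0'` to `0` also changes the type, so any downstream comparison of `acl_errors` against the string `'0'` is now always unequal and would disable every action — that comparison should be reviewed together with this change.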
@@ -811,75 +818,80 @@
 backend {{backend.name}}
 {% endif %}
 {% for server in backend.linkedServers.split(",") %}
 {% set server_data = helpers.getUUID(server) %}
-{# # collect optional server parameters #}
-{% set server_options = [] %}
-{# # check if health check is enabled #}
-{% if healthcheck_enabled == '1' %}
-{% do server_options.append('check') %}
-{% do server_options.append('inter ' ~ server_data.checkInterval) %}
-{# # use a different interval when server is in DOWN state #}
-{% if server_data.checkDownInterval|default("") != "" %}
-{% do server_options.append('downinter ' ~ server_data.checkDownInterval) %}
-{% endif %}
-{# # use a different port for health check #}
-{% if healthcheck_data.checkport|default("") != "" %}
-{# # prefer port from health check template #}
-{% do server_options.append('port ' ~ healthcheck_data.checkport) %}
-{% elif server_data.checkport|default("") != "" %}
-{% do server_options.append('port ' ~ server_data.checkport) %}
-{% endif %}
-{# # add all additions from healthchecks here #}
-{% do server_options.append(healthcheck_additions|join(' ')) if healthcheck_additions.length != '0' %}
-{% endif %}
-{# # server weight #}
-{% do server_options.append('weight ' ~ server_data.weight) if server_data.weight|default("") != "" %}
-{# # server role/mode #}
-{% if server_data.mode|default("") != 'active' %}
-{% do server_options.append(server_data.mode) %}
-{% endif %}
-{# # server ssl communication #}
-{% if server_data.ssl|default("") == '1' %}
-{% do server_options.append('ssl') %}
-{# # get status of ssl verification #}
-{% set ssl_verify_enabled = '0' %}
-{% if helpers.exists('OPNsense.HAProxy.general.tuning.sslServerVerify') and OPNsense.HAProxy.general.tuning.sslServerVerify|default("") != 'ignore' %}
-{# # NOTE: Global parameter overrides per-server configuration. #}
-{% set ssl_verify_enabled = '1' if OPNsense.HAProxy.general.tuning.sslServerVerify|default("") == 'required' %}
-{% elif server_data.sslVerify|default("") == '1' %}
-{% set ssl_verify_enabled = '1' %}
-{% endif %}
-{# # configure ssl verification #}
-{% if ssl_verify_enabled == '1' %}
-{# # enable SSL verification #}
-{% do server_options.append('verify required') %}
-{# # check for SSL CA #}
-{% if server_data.sslCA|default("") != "" %}
-{% do server_options.append('ca-file /var/etc/haproxy/ssl/' ~ server_data.sslCA ~ '.pem') %}
+{# # check if this server can be found in configuration #}
+{% if server_data == {} %}
+# ERROR: server data not found ({{server}})
+{% else %}
+{# # collect optional server parameters #}
+{% set server_options = [] %}
+{# # check if health check is enabled #}
+{% if healthcheck_enabled == '1' %}
+{% do server_options.append('check') %}
+{% do server_options.append('inter ' ~ server_data.checkInterval) %}
+{# # use a different interval when server is in DOWN state #}
+{% if server_data.checkDownInterval|default("") != "" %}
+{% do server_options.append('downinter ' ~ server_data.checkDownInterval) %}
 {% endif %}
-{# # check for SSL CRL #}
-{% if server_data.sslCRL|default("") != "" %}
-{% do server_options.append('crl-file /var/etc/haproxy/ssl/' ~ server_data.sslCRL ~ '.pem') %}
+{# # use a different port for health check #}
+{% if healthcheck_data.checkport|default("") != "" %}
+{# # prefer port from health check template #}
+{% do server_options.append('port ' ~ healthcheck_data.checkport) %}
+{% elif server_data.checkport|default("") != "" %}
+{% do server_options.append('port ' ~ server_data.checkport) %}
 {% endif %}
-{# # check for SSL client cert #}
-{% if server_data.sslClientCertificate|default("") != "" %}
-{% do server_options.append('crt /var/etc/haproxy/ssl/' ~ server_data.sslClientCertificate ~ '.pem') %}
-{% endif %}
-{% else %}
-{% do server_options.append('verify none') %}
+{# # add all additions from healthchecks here #}
+{% do server_options.append(healthcheck_additions|join(' ')) if healthcheck_additions.length != '0' %}
+{% endif %}
+{# # server weight #}
+{% do server_options.append('weight ' ~ server_data.weight) if server_data.weight|default("") != "" %}
+{# # server role/mode #}
+{% if server_data.mode|default("") != 'active' %}
+{% do server_options.append(server_data.mode) %}
+{% endif %}
+{# # server ssl communication #}
+{% if server_data.ssl|default("") == '1' %}
+{% do server_options.append('ssl') %}
+{# # get status of ssl verification #}
+{% set ssl_verify_enabled = '0' %}
+{% if helpers.exists('OPNsense.HAProxy.general.tuning.sslServerVerify') and OPNsense.HAProxy.general.tuning.sslServerVerify|default("") != 'ignore' %}
+{# # NOTE: Global parameter overrides per-server configuration. #}
+{% set ssl_verify_enabled = '1' if OPNsense.HAProxy.general.tuning.sslServerVerify|default("") == 'required' %}
+{% elif server_data.sslVerify|default("") == '1' %}
+{% set ssl_verify_enabled = '1' %}
+{% endif %}
+{# # configure ssl verification #}
+{% if ssl_verify_enabled == '1' %}
+{# # enable SSL verification #}
+{% do server_options.append('verify required') %}
+{# # check for SSL CA #}
+{% if server_data.sslCA|default("") != "" %}
+{% do server_options.append('ca-file /var/etc/haproxy/ssl/' ~ server_data.sslCA ~ '.pem') %}
+{% endif %}
+{# # check for SSL CRL #}
+{% if server_data.sslCRL|default("") != "" %}
+{% do server_options.append('crl-file /var/etc/haproxy/ssl/' ~ server_data.sslCRL ~ '.pem') %}
+{% endif %}
+{# # check for SSL client cert #}
+{% if server_data.sslClientCertificate|default("") != "" %}
+{% do server_options.append('crt /var/etc/haproxy/ssl/' ~ server_data.sslClientCertificate ~ '.pem') %}
+{% endif %}
+{% else %}
+{% do server_options.append('verify none') %}
+{% endif %}
+{% endif %}
+{# # source address #}
+{% if backend.source|default("") != "" %}
+{# # prefer backend configuration #}
+{% do server_options.append('source ' ~ backend.source) %}
+{% elif server_data.source|default("") != "" %}
+{% do server_options.append('source ' ~ server_data.source) %}
+{% endif %}
+{# # server advanced options #}
+{% if server_data.advanced|default("") != "" %}
+{% do server_options.append(server_data.advanced) %}
 {% endif %}
-{% endif %}
-{# # source address #}
-{% if backend.source|default("") != "" %}
-{# # prefer backend configuration #}
-{% do server_options.append('source ' ~ backend.source) %}
-{% elif server_data.source|default("") != "" %}
-{% do server_options.append('source ' ~ server_data.source) %}
-{% endif %}
-{# # server advanced options #}
-{% if server_data.advanced|default("") != "" %}
-{% do server_options.append(server_data.advanced) %}
-{% endif %}
 server {{server_data.name}} {{server_data.address}}:{% if backend.tuning_noport != '1' %}{{server_data.port}}{% endif %} {{server_options|join(' ')}}
+{% endif %}
 {% endfor %}
 {% else %}
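Review bot: The new `{% if server_data == {} %}` guard leaves the backend fully rendered when a linked server no longer exists, with only the comment `# ERROR: server data not found ({{server}})` as evidence, so a backend whose servers were all removed silently becomes one with no `server` line at all, while the ACL hunk earlier in this patch at least counts the same condition; a per-backend error list in the file's own style (e.g. `{% set server_errors = [] %}` before the loop and `{% do server_errors.append(server) %}` in this branch — constructed names) would let the backend block report or skip itself consistently. The guard also relies on `helpers.getUUID` returning exactly an empty dict for an unknown uuid (the helper is defined outside this file); if it can return `None` or an empty object instead, `{% if not server_data %}` is the more tolerant test. The backend block enclosing this `{% for server in backend.linkedServers.split(",") %}` loop starts before this hunk and continues past its last line.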