From 0e553b0a087e275dc6744656cf6ee32b73e6a6ea Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 21 Mar 2016 21:01:04 +0100
Subject: [PATCH] (proxy) force restart when a cert change is detected in
 reconfigureAction

---
 .../OPNsense/Proxy/Api/ServiceController.php    | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
index 5b843efc9..cfc8abe7d 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/Api/ServiceController.php
@@ -118,6 +118,7 @@ class ServiceController extends ApiControllerBase
     public function reconfigureAction()
     {
         if ($this->request->isPost()) {
+            $force_restart = false;
             // close session for long running action
             $this->sessionClose();
 
@@ -126,8 +127,20 @@ class ServiceController extends ApiControllerBase
 
             $runStatus = $this->statusAction();
 
+            // some operations can not be performed by a squid -k reconfigure,
+            // try to determine if we need a stop/start here
+            if (is_file('/var/squid/ssl_crtd.id')) {
+                $prev_sslbump_cert = trim(file_get_contents('/var/squid/ssl_crtd.id'));
+            } else {
+                $prev_sslbump_cert = "";
+            }
+            if (((string)$mdlProxy->forward->sslcertificate) != $prev_sslbump_cert) {
+                $force_restart = true;
+            }
+
             // stop squid when disabled
-            if ($runStatus['status'] == "running" && $mdlProxy->general->enabled->__toString() == 0) {
+            if ($runStatus['status'] == "running" &&
+               ($mdlProxy->general->enabled->__toString() == 0 || $force_restart)) {
                 $this->stopAction();
             }
 
@@ -136,7 +149,7 @@ class ServiceController extends ApiControllerBase
 
             // (res)start daemon
             if ($mdlProxy->general->enabled->__toString() == 1) {
-                if ($runStatus['status'] == "running") {
+                if ($runStatus['status'] == "running" && !$force_restart) {
                     $backend->configdRun("proxy reconfigure");
                 } else {
                     $this->startAction();