
Author Topic: HAProxy Source IP Alias Problem [Solved]  (Read 189 times)


Offline jafath

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
HAProxy Source IP Alias Problem [Solved]
« on: December 14, 2017, 10:00:07 am »
tl;dr: HAProxy trying to use an alias as a source IP filter. Alias (7 hosts) resolved correctly in pfSense, HAProxy config file looks good, but the HAProxy src file created for the alias is empty.

I configured an alias called infoddns in pfSense latest stable (2.4.x) that consists of 7 hosts.  The hosts are configured as FQDNs that are all updated using ddns.  mysub1.mydom.info, mysub2.mydom.info, etc.

When I look at Diagnostics/Tables, infoddns is there and the correctly resolved IP addresses are listed in the table.

I used that alias name as the value for a front end ACL of type "Source IP matches IP or Alias".  When I look at the generated HAProxy config, all looks correct:
acl         infoacl   src -f /var/etc/haproxy/ipalias_infoddns.lst

If I add the ACL to an action, those IPs (and all IPs) are blocked and return a 503.

When I look at the file /var/etc/haproxy/ipalias_infoddns.lst it is only 2 bytes long and contains no IPs.

It seems that everything is set up correctly, but the resolved alias IPs are never written to the HAProxy acl src file.  I have re-started HAProxy and rebooted pfSense with no change.

It's likely that I missed some configuration step, but I'm stumped at the moment.  Suggestions would be appreciated.

Jerry
« Last Edit: December 21, 2017, 10:03:55 am by jafath »

Offline PiBa

  • Hero Member
  • *****
  • Posts: 819
  • Karma: +132/-1
  • PiBa-NL(on IRC)
Re: HAProxy Source IP Alias Problem
« Reply #1 on: December 18, 2017, 05:52:29 pm »
Not missing a step. It's just that HAProxy isn't going to resolve the names in a list to IPs, so the 'alias support' is limited to fixed IPs and subnets at the moment. It could be possible, I suppose, to resolve a list of names to IPs by the package when reloading the config, but when a DNS record changes it wouldn't take effect until the config is reloaded, so really it would still be of limited use.

Offline jafath

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Re: HAProxy Source IP Alias Problem
« Reply #2 on: December 19, 2017, 05:22:44 pm »
Thanks PiBa.

Is it possible to read the contents of a pfSense table from a shell script?  If so, I could simply run a cron job to read the table contents which is being resolved correctly and write the HAProxy src file which is being configured correctly, but not populated.



Offline PiBa

  • Hero Member
  • *****
  • Posts: 819
  • Karma: +132/-1
  • PiBa-NL(on IRC)
Re: HAProxy Source IP Alias Problem
« Reply #3 on: December 19, 2017, 05:48:31 pm »
Your cron job would be too late if it's going to edit the file, as it is only read on HAProxy startup.

There might still be a possibility though, if you manage to read the IPs from pfSense.
Code:
pfctl -t bogons -T show
And then add them to the HAProxy in-memory list.
Code:
/usr/local/pkg/haproxy/haproxy_socket.sh add acl /var/etc/haproxy/ipalias_infoddns.lst 1.2.3.4/31

Offline jafath

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Re: HAProxy Source IP Alias Problem
« Reply #4 on: December 20, 2017, 03:21:13 pm »
That works perfectly!  Thanks very much for your help.

Offline jafath

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Re: HAProxy Source IP Alias Problem
« Reply #5 on: December 21, 2017, 08:48:17 am »
Here's the script I added to cron.  There might be more efficient / better ways to do it, but this works for my case with a fairly small number of IPs in the alias.

#!/bin/sh
#
# Update an HAProxy acl with ddns addresses from a pfsense table
#

#Edit this value to match pfSense alias name
ALIASNAME="infoddns"
ACLFILE="/var/etc/haproxy/ipalias_${ALIASNAME}.lst"
SOCKET_SH="/usr/local/pkg/haproxy/haproxy_socket.sh"

#Force update on first run - acl will be empty after restart
"$SOCKET_SH" show acl "$ACLFILE" > "/tmp/${ALIASNAME}-acl"
rc=$(wc -l < "/tmp/${ALIASNAME}-acl" | tr -d ' ')
if [ "$rc" -lt 2 ]; then echo "X" > "/tmp/${ALIASNAME}-cur"; fi

#Dump the alias table to a temp file
pfctl -t "${ALIASNAME}" -T show > "/tmp/${ALIASNAME}-new"

#Check new alias table against current; if no change, just exit
#(diff exits 0 when the files are identical)
if diff "/tmp/${ALIASNAME}-new" "/tmp/${ALIASNAME}-cur" >/dev/null 2>&1; then exit 0; fi

#Clear current acl
"$SOCKET_SH" clear acl "$ACLFILE"

#read each alias table line and add to HAProxy acl IP values
#(acl file and address are passed as separate arguments; a bare host gets
# an exact prefix, /32 for IPv4 and /128 for IPv6, so only that host matches;
# entries that already carry a prefix length are passed through unchanged)
while read -r line; do
    [ -z "$line" ] && continue
    case "$line" in
        */*) "$SOCKET_SH" add acl "$ACLFILE" "$line" ;;
        *:*) "$SOCKET_SH" add acl "$ACLFILE" "${line}/128" ;;
        *)   "$SOCKET_SH" add acl "$ACLFILE" "${line}/32" ;;
    esac
done < "/tmp/${ALIASNAME}-new"

#Set current alias file to the updated values
mv "/tmp/${ALIASNAME}-new" "/tmp/${ALIASNAME}-cur"

exit 0
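The clear-then-re-add approach above briefly leaves the runtime ACL empty, so a src-based action sees no allowed addresses for that moment, and it would also empty the ACL if the table read ever returned nothing. The following script is an added example, not from the thread and not part of the pfSense HAProxy package, that applies PiBa's reply #3 incrementally: it reads the table with `pfctl -T show`, reads the running ACL back with `show acl`, and issues only the `add acl` / `del acl` commands for the difference, refusing to act when the table is empty. It assumes that `haproxy_socket.sh` forwards its arguments as one command line to the HAProxy stats socket (so `del acl`, which the thread does not use, behaves like `add acl`), that `show acl <file>` prints one `<ref> <pattern>` line per entry, and that the pf table name equals the alias name. The `sync_alias` function touches the live system only when the script is invoked with `--run`; the other functions are pure and work on files, which is what makes them testable offline.

```shell
#!/bin/sh
# Added example (not from the thread, not part of the pfSense HAProxy package):
# sync a pfSense alias table into a running HAProxy ACL incrementally,
# issuing only the "add acl" / "del acl" commands for what actually changed.
#
# Assumptions:
#  - haproxy_socket.sh forwards its arguments as one command line to the
#    HAProxy stats socket, so "del acl" works the same way as "add acl";
#  - "show acl <file>" prints one "<ref> <pattern>" line per entry;
#  - the pf table name equals the pfSense alias name.

export LC_ALL=C   # fixed byte-order collation so sort and comm agree

SOCKET_SH="/usr/local/pkg/haproxy/haproxy_socket.sh"

# normalize_table: stdin is "pfctl -t <alias> -T show" output (entries are
# indented). Trim whitespace, drop blank lines, and give bare hosts an exact
# prefix (/32 for IPv4, /128 for IPv6) so only that host matches; entries
# that already carry a prefix length pass through unchanged. Output is sorted.
normalize_table() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
      | awk '{
            if (index($0, "/") > 0)      print $0
            else if (index($0, ":") > 0) print $0 "/128"
            else                         print $0 "/32"
        }' \
      | sort -u
}

# normalize_acl: stdin is "show acl <file>" output; keep only the pattern
# column (second field of lines whose first field is the 0x... reference).
normalize_acl() {
    awk 'NF >= 2 && $1 ~ /^0x/ { print $2 }' | sort -u
}

# plan_acl_update ACLFILE CURRENT NEW: print the stats-socket commands that
# turn the ACL contents listed in file CURRENT into those listed in file NEW.
# Deletions come first, one command per line, so the caller can pipe them.
plan_acl_update() {
    aclfile=$1; cur=$2; new=$3
    comm -23 "$cur" "$new" | sed "s|^|del acl $aclfile |"
    comm -13 "$cur" "$new" | sed "s|^|add acl $aclfile |"
}

# sync_alias ALIAS: read the live table and ACL, then apply the plan.
# Refuses to act on an empty table: a failed lookup must not wipe the ACL.
sync_alias() {
    alias=$1
    aclfile="/var/etc/haproxy/ipalias_${alias}.lst"
    work=$(mktemp -d /tmp/aclsync.XXXXXX) || return 1
    pfctl -t "$alias" -T show | normalize_table > "$work/new"
    if [ ! -s "$work/new" ]; then
        echo "table $alias is empty or unreadable; leaving the ACL untouched" >&2
        rm -rf "$work"; return 1
    fi
    "$SOCKET_SH" show acl "$aclfile" | normalize_acl > "$work/cur"
    plan_acl_update "$aclfile" "$work/cur" "$work/new" | while read -r cmd; do
        # splitting $cmd into "del|add acl <file> <pattern>" words is intended
        "$SOCKET_SH" $cmd
    done
    rm -rf "$work"
}

# Only touch the live system when explicitly asked, e.g. from cron:
#   */5 * * * * /usr/local/bin/acl_sync.sh --run infoddns
if [ "${1-}" = "--run" ]; then
    sync_alias "${2:-infoddns}"
fi
```

Because the plan is computed from what HAProxy actually holds rather than from a copy in /tmp, a restart that empties the runtime ACL is repaired on the next run without the "X" sentinel trick, and an unchanged table produces no socket commands at all.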