Topic: HAProxy actions order

dgcom
HAProxy actions order
« on: December 15, 2017, 05:10:11 pm »
While configuring an HAProxy frontend, it is possible to rearrange actions in any order.
However, when the config file is generated, the package moves all http-request directives first and then adds use_backend, regardless of the sort order in the UI.
Can someone explain why package is doing this? There is nothing in HAProxy documentation I can find which would require http-request to be before use_backend.

This creates a couple of issues:
  • Prevents some types of configuration - for example, I needed to forward specific requests to a backend before redirecting everything else to https
  • Package UI is not matching actual config being created

Code:
acl           https        ssl_fc
acl unsecure path_beg -i /app/
acl host-web hdr_reg(host) -i ^web\.web\.com(:([0-9]){1,5})?$
use_backend Unsecure_http_ipvANY  if  host-web unsecure
http-request redirect scheme https  if  host-web !https

Because of this, I am forced to work around it, complicating the rules:

Code:
acl           https        ssl_fc
acl unsecure path_beg -i /app/
acl host-web hdr_reg(host) -i ^web\.web\.com(:([0-9]){1,5})?$
http-request redirect scheme https  if  host-web !https !unsecure
use_backend Unsecure_http_ipvANY  if  host-web unsecure

This is a sample, in larger configurations it can become more complex.

There was a bug logged a year ago: https://redmine.pfsense.org/issues/7022 but is marked as "Not a Bug" for some reason.
If UI representation of actions does not match generated configuration, I'd consider this a bug still.

If package author insists on separating certain actions, there should be separate sections in UI (like ACLs are separated), however I do not really see any reason for this...
DG

PiBa
Re: HAProxy actions order
« Reply #1 on: December 16, 2017, 06:16:31 pm »
As the haproxy binary would say:
Quote
a 'http-request' rule placed after a 'use_backend' rule will still be processed before.

dgcom
Re: HAProxy actions order
« Reply #2 on: December 16, 2017, 10:34:39 pm »
As the haproxy binary would say:
Quote
a 'http-request' rule placed after a 'use_backend' rule will still be processed before.

Interesting, can you point me to where this is documented?
Technically, I do not see why this would be a requirement - all these rules use the same set of ACLs...
I don't mind if this is how it works, but again, HAProxy package UI has to reflect that rule as well :)
DG

PiBa
Re: HAProxy actions order
« Reply #3 on: December 17, 2017, 10:13:02 am »
Documented... not really that I could find.
When haproxy is loaded with a configuration like the one proposed, it will return the warning generated by this code:
https://github.com/haproxy/haproxy/blob/397131093f03c8cebc433ffba6beca3ee8641773/src/cfgparse.c#L461

But I agree that not having the webgui 'automagically' move rules to places where the user did not intend them to be is worth checking if that can be changed. Just having haproxy generate a warning to the user is probably better than having the webgui 'hide' the possible configuration issue. But I think it was done for the 'shared frontend' webgui implementation to avoid user 'unsolvable' startup warnings.
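
A config lint for the ordering behaviour discussed in this thread, as an added example that is not part of the original posts, of HAProxy, or of the pfSense package. It flags every http-request rule written after a use_backend rule in the same section and returns the order the quoted warning says will actually apply; it models only those two directive kinds, and the function names and the frontend name example_fe are assumptions made for the example.

```python
import re

# Section headers that start a new proxy block in an HAProxy configuration.
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def collect_rules(config_text):
    """Return (findings, rules) for the two directive kinds from the thread.

    findings: (section, http_request_line, first_use_backend_line) for every
    http-request rule written after a use_backend rule in the same section.
    rules: section -> {"http-request": [...], "use_backend": [...]} in file order.
    """
    findings, rules = [], {}
    section, first_use_backend = None, None
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        # Simplification: treats every '#' as a comment start (no quoting rules).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = " ".join(g for g in header.groups() if g)
            rules[section] = {"http-request": [], "use_backend": []}
            first_use_backend = None
            continue
        keyword = line.split()[0]
        if section is None or keyword not in rules[section]:
            continue
        rules[section][keyword].append(line)
        if keyword == "use_backend" and first_use_backend is None:
            first_use_backend = lineno
        elif keyword == "http-request" and first_use_backend is not None:
            findings.append((section, lineno, first_use_backend))
    return findings, rules

def effective_order(rules, section):
    """Order of evaluation per the quoted warning: http-request, then use_backend."""
    return rules[section]["http-request"] + rules[section]["use_backend"]

# Constructed sample: the first snippet from the thread, placed in a frontend
# whose name (example_fe) is made up for this example.
SAMPLE = r"""frontend example_fe
    acl https ssl_fc
    acl unsecure path_beg -i /app/
    acl host-web hdr_reg(host) -i ^web\.web\.com(:([0-9]){1,5})?$
    use_backend Unsecure_http_ipvANY if host-web unsecure
    http-request redirect scheme https if host-web !https
"""
```

Run against the workaround configuration from the first post, the same check reports nothing, because there the written order already matches the evaluation order.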

dgcom
Re: HAProxy actions order
« Reply #4 on: December 17, 2017, 12:26:52 pm »
Thank you for the link...
Interesting behavior, I might be able to test this by editing config manually and see for myself :)

Still, not telling UI user that his order of actions won't work is bad :(
DG