HAProxy 0.59_4 is broken :(

Smoothrunnings

So there is no confusion lets start with this image
I am using pfSense 2.4.3-p1, this is a new box running an i7 3770S, 8GB of RAM, and a Intel 320 40GB SSD. Its an old SmoothWall. So pfSense is a fresh install so is HAProxy. My old pfSense firewall which is a Watchguard XTM 5 series runs 2.4.3-p1 and an older version of HAPRoxy 0.54_2

The problem lies in the Expression list, found in the table for the ACL (access control list) look at the picture if you don't understand. This is under the Frontend. I use 'Server Name indication TLS extension matches' for the Expression on all my servers. In the new 0.59_4 this Expression isn't an option when creating new entry. But if you save what you created using any of the Expressions available and edit the Frontend again then edit any of the entries, under Expression (under the ACL table) the option for 'Server Name indication TLS extension matches' appears however after selecting it on all my servers and clicking save, going back to to verify, I noticed all my entries under the ACL table are GONE.

I already had someone on Reddit verify this on his pfSense 2.4.3-p1 and HAProxy 0.59_4, I would like to know if there is a work around or if there will be another release soon of HAProxy addressing this issue (and others)??

Thanks,

jahonix

https://forum.netgate.com/search?term=HAProxy%200.59_4&in=titlesposts&matchWords=all&sortBy=relevance&sortDirection=&showAs=posts

Smoothrunnings

How long does it take for the committed changes to be active on pfSense? Someone gave me this link, you can see there is a HAProxy 059_5 deve level. Not sure if that's for the 2.4.4 dev or what?

https://github.com/pfsense/FreeBSD-ports/commits/devel/net/pfSense-pkg-haproxy

jahonix

@smoothrunnings
I have no idea.
Follow LEVenetz advice, reinstall 0.59_2 and you're good to go again.

PiBa

@smoothrunnings
Ive tried this exact scenario.. And it works properly here.
-Installed 2.4.3 and updated to 2.4.3p1
-Installed 'haproxy 0.59_4'
-Create frontend,
-Set type to "ssl/https"
-Choose the "Server Name Indication TLS extension matches"
-Save / open frontend again.. settings are still there..

p.s. if you change the type to 'http' do your acl's come back? are you sure you used the sni acl's and not the 'host matches' which is a http acl not a ssl/https one.?

Edit:
p.s. any javascript errors in the browser console, and what browser is used?

Edit2:
The 'correct' screen shot looks different.. ive got a CS checkbox in the acl's configuration:

Smoothrunnings

@piba

Confirmed with others on reddit it's broken. Can you show the HAProxy version you were using in a screen shot, could it be your running version 0.59_5?

Reddit post and confirmation as of today. I don't think others would be lying...
https://www.reddit.com/r/PFSENSE/comments/92it0e/haproxy_setup_issue/

Thanks

PiBa

@smoothrunnings

Smoothrunnings

@piba LIke I said for myself and others it doesn't work. I think its fair say it's broken. I am not sure what hardware you are using or what you had installed on it previously, but I started with with nothing installed on my SmoothWall (CAR-3030) appliance. Others online have tested it and said it fails. So clearly there is a problem.

I found the thread to revert back to the previous build that works, I think I am going to do that. Then not update until I have some way of verifying the issue has been resolved.

Thanks,

PiBa

@smoothrunnings
Ive started with a empty VM adn installed a fresh pfSense with a fresh haproxy on it..

Yes there were some issues for sure with previous versions, if there still are we need to figure out how to fix them.. simply reverting is not the right option long term. And well i cannot reproduce the issue as described currently so wont be able to fix it..

I need your input for this, we need to find what was different between your and my installation.

jahonix

@smoothrunnings said in HAProxy 0.59_4 is broken :(:

Others online have tested it and said it fails.

AFAIK PiBa is the main committer to the HAproxy package.
It would be in your own interest to help him sort out scenarios where it's not working rather than citing what others say or pointing to reddit.

At least that's what I would do if a developer responds to my problem directly...

Smoothrunnings

@piba

pfSense and installed packages:

http://www.smoothrunnings.ca/images/reddit/ha-pic1.jpg
http://www.smoothrunnings.ca/images/reddit/ha-pic2.jpg

Video one, creation of the option, notice how the drop down list is incomplete. The list shows up perfectly on my old pfsense firewall that runs the older version of HAProxy on the same machine...so its not a JAVA issue..but thanks. :)

https://youtu.be/eDmlbsO3X-s

Video 2. After have selected anything out of the list, saved my settings, tried to apply and gotten an error, then gone back into the frontend you can see my entry is completely gone. Just as others including myself have experienced in 0.59_4

https://youtu.be/tA3Jt6wDst8

PiBa

@smoothrunnings
And the 'type' on your video is set to 'HTTP' not to 'SSL/HTTPS' ?
In which case your not supposed to use SNI..

Smoothrunnings

@piba Your right, I stand corrected. Thanks!

PiBa

@smoothrunnings
OK no problem, with that part out of the way, can you confirm 'everything works properly' for your setup?

Yes when editing a frontend its possible to choose acl methods that are not applicable to that type of frontend when editing an already existing acl item.. Thats a little 'bug', but it has always been present and is actually not so easy to fix.. not going to burn myself again on that anytime soon :)

Smoothrunnings

@piba I was able to apply the settings, checking the old firewall it is setup with SSL/HTTPS, one small step I over looked when replicating the changes. I will install the SmoothWall tomorrow but I don't expect any issues, but if there are any I will let you know.

Thanks,

maverick_slo

Wow...
I`m without haproxy now :)

Number of packages to be reinstalled: 1
[1/1] Reinstalling pfSense-pkg-haproxy-devel-0.59_5...
[1/1] Extracting pfSense-pkg-haproxy-devel-0.59_5: .......... done
Removing haproxy-devel components...
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Syslog entries... done.
Saving updated package information...
overwrite!
Loading package configuration... done.
Configuring package components...
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...
Fatal error: Uncaught Error: Cannot create references to/from string offsets in /usr/local/pkg/haproxy/haproxy.inc:1477
Stack trace:
#0 /usr/local/pkg/haproxy/haproxy.inc(2385): haproxy_writeconf('/var/etc/haprox...')
#1 /usr/local/pkg/haproxy/haproxy.inc(653): haproxy_check_run(1)
#2 /etc/inc/pkg-utils.inc(760) : eval()'d code(1): haproxy_custom_php_install_command()
#3 /etc/inc/pkg-utils.inc(760): eval()
#4 /etc/inc/pkg-utils.inc(847): eval_once('haproxy_custom_...')
#5 /etc/rc.packages(74): install_package_xml('haproxy-devel')
#6 {main}
thrown in /usr/local/pkg/haproxy/haproxy.inc on line 1477
PHP ERROR: Type: 1, File: /usr/local/pkg/haproxy/haproxy.inc, Line: 1477, Message: Uncaught Error: Cannot create references to/from string offsets in /usr/local/pkg/haproxy/haproxy.inc:1477
Stack trace:
#0 /usr/local/pkg/haproxy/haproxy.inc(2385): haproxy_writeconf('/var/etc/haprox...')
#1 /usr/local/pkg/haproxy/haproxy.inc(653): haproxy_check_run(1)
#2 /etc/inc/pkg-utils.inc(760) : eval()'d code(1): haproxy_custom_php_install_command()
#3 /etc/inc/pkg-utils.inc(760): eval()
#4 /etc/inc/pkg-utils.inc(847): eval_once('haproxy_custom_...')
#5 /etc/rc.packages(74): install_package_xml('haproxy-devel')
#6 {main}
thrownpkg-static: POST-INSTALL script failed

Cleaning up cache... done.
Success

PiBa

@maverick_slo
using 2.4.4'beta' with php7 i guess? PR with version 0.59_6 that should fix that one is pending..