<![CDATA[Suggestion for Haproxy ACL XOR syntax]]>Hi,

lately I had to set up multiple a haproxy frontend for one of our WAN IPs which has multiple backends - one for each customer.

Some customers require us to access the backend from any WAN IP, some others from specific subnets. Since a Firewall-Rule on the same port (eg. 443) for our WAN IP can either be from any IP source or a specific one, I decided to setup it the following way:

  • Each frontend has multiple acls for each URL and also for each customer subnet, if required.

  • If multiple networks have to access an URL, an extra acl with source ip defined is setup up also

  • All other requests not matching an URL and an IP get dropped

Now the pfsense acl syntax usually not requires an AND-operator, however, when having multiple urls and subnets, the acl syntax gets more  complex.
Haproxy offers a way of grouping OR-requirements using (). So instead of using

acl_url1 acl_ip1 || acl_url1 acl_ip2 || acl_url2 acl_ip1 etc.

I could do:

(acl_url1 || acl url2 ) (acl_ip1 || acl_ip2) etc.

The acl fiels is a one-line small input field in the UI, making it difficult to read so I have to stick to a text editor and copy-paste it afterwards.
Also the ()-syntax is denied by the pfsense-gui when applying the haproxy.cfg by saying "unknown acl …".

I strongly suggest this to be changed so acls can be set up more easily and being kept compact like they used to be when working with a normal haproxy configuration created by hand. Also I would like to request the field to be made resizable or (at least) having a scroll-function.

  • Julian
]]>https://forum.netgate.com/topic/114095/suggestion-for-haproxy-acl-xor-syntaxRSS for NodeTue, 21 Apr 2026 17:04:18 GMTThu, 06 Apr 2017 08:41:47 GMT60<![CDATA[Reply to Suggestion for Haproxy ACL XOR syntax on Thu, 13 Apr 2017 09:33:48 GMT]]>Hi PiBa,

dang I thought I realised it that way myself on an 1.7 HaProxy Cluster but you're obviously right - it's still not supported.  :-X Maybe I suggest this one to the haproxy community so they'll implement it first.

]]>https://forum.netgate.com/post/693078https://forum.netgate.com/post/693078Thu, 13 Apr 2017 09:33:48 GMT<![CDATA[Reply to Suggestion for Haproxy ACL XOR syntax on Sat, 08 Apr 2017 18:04:25 GMT]]>Are you sure haproxy supports this?

The webgui does not block you from entering this.
And the error during applying the configuration is generated by haproxy itself.

Make the config in he webgui so it rejects it, and then run "haproxy -c -f /var/etc/haproxy_test/haproxy.cfg" yourself from a console?
Manually change the config file and run the command again? I have not found a working combination..

Documentation of haproxy also doesn't give any clear examples of what you state is possible.

p.s.
May i suggest using networks-alias from firewall/aliases for keeping the list of ip's and subnets you want to allow? (you do need to restart haproxy after changing them..)

]]>https://forum.netgate.com/post/692211https://forum.netgate.com/post/692211Sat, 08 Apr 2017 18:04:25 GMT