    Suggestion for Haproxy ACL XOR syntax

      netcore

      Hi,

      lately I had to set up a haproxy frontend for one of our WAN IPs which has multiple backends - one for each customer.

      Some customers require us to access the backend from any WAN IP, some others from specific subnets. Since a Firewall-Rule on the same port (eg. 443) for our WAN IP can either be from any IP source or a specific one, I decided to set it up the following way:

      • Each frontend has multiple acls for each URL and also for each customer subnet, if required.

      • If multiple networks have to access a URL, an extra acl with the source IP defined is set up as well

      • All other requests not matching a URL and an IP get dropped

      Now the pfsense acl syntax usually does not require an AND operator, however, when having multiple urls and subnets, the acl syntax gets more complex.
      Haproxy offers a way of grouping OR-requirements using (). So instead of using

      acl_url1 acl_ip1 || acl_url1 acl_ip2 || acl_url2 acl_ip1 etc.

      I could do:

      (acl_url1 || acl_url2) (acl_ip1 || acl_ip2) etc.

      The acl field is a one-line small input field in the UI, making it difficult to read, so I have to stick to a text editor and copy-paste it afterwards.
      Also the ()-syntax is denied by the pfsense-gui when applying the haproxy.cfg by saying "unknown acl …".

      I strongly suggest this to be changed so acls can be set up more easily and kept compact like they used to be when working with a normal haproxy configuration created by hand. Also I would like to request the field to be made resizable or (at least) having a scroll-function.

      • Julian
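The grouping the opening post wants, (url1 || url2) (ip1 || ip2), can be written in standard HAProxy syntax without parentheses, because several acl lines sharing one name are merged with OR, and named ACLs placed side by side in a condition are ANDed. This is an added example, not configuration from the thread or from the pfSense package; the frontend/backend names, paths, hostnames and subnets are constructed placeholders.

```haproxy
# Added example, not config from the thread or from the pfSense package.
# Goal from the opening post: allow (url1 OR url2) AND (ip1 OR ip2) for
# customer A, allow customer B's URL from anywhere, drop everything else.
# All names, paths, hostnames and subnets are constructed placeholders.
frontend fe_customers
    bind *:80                 # TLS setup omitted to keep the example short
    mode http

    # acl lines that share a name are merged, so each group below is an OR.
    acl cust_a_url path_beg /customer-a/
    acl cust_a_url hdr(host) -i customer-a.example.com
    acl cust_a_src src 192.0.2.0/24
    acl cust_a_src src 198.51.100.0/24

    # Customer B is reachable from any source, so it only needs a URL acl.
    acl cust_b_url path_beg /customer-b/

    # A space between named ACLs is AND; "||" is OR and binds weakest, so
    # this condition reads as (cust_a_url AND cust_a_src) OR cust_b_url.
    # http-request rules run before backend selection, so unmatched
    # requests are dropped here.
    http-request deny unless cust_a_url cust_a_src || cust_b_url

    # Requests that survive the deny rule are routed by the same conditions.
    use_backend be_customer_a if cust_a_url cust_a_src
    use_backend be_customer_b if cust_b_url

backend be_customer_a
    mode http
    server a1 10.0.0.11:8080 check

backend be_customer_b
    mode http
    server b1 10.0.0.12:8080 check
```

Validate the resulting file with the command PiBa mentions below, haproxy -c -f <file>, before applying it.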
        PiBa

        Are you sure haproxy supports this?

        The webgui does not block you from entering this.
        And the error during applying the configuration is generated by haproxy itself.

        Make the config in the webgui so it rejects it, and then run "haproxy -c -f /var/etc/haproxy_test/haproxy.cfg" yourself from a console?
        Manually change the config file and run the command again? I have not found a working combination..

        Documentation of haproxy also doesn't give any clear examples of what you state is possible.

        p.s.
        May I suggest using networks-alias from firewall/aliases for keeping the list of IPs and subnets you want to allow? (you do need to restart haproxy after changing them..)

          netcore

          Hi PiBa,

          dang, I thought I realised it that way myself on a 1.7 HAProxy cluster, but you're obviously right - it's still not supported. :-X Maybe I suggest this one to the haproxy community so they'll implement it first.
