HAProxy Source IP Alias Problem [Solved]



  • tldr; HAProxy trying to use an alias as a source IP filter. The alias (7 hosts) resolves correctly in pfSense and the HAProxy config file looks good, but the HAProxy src file created for the alias is empty.

    I configured an alias called infoddns in pfSense latest stable (2.4.x) that consists of 7 hosts.  The hosts are configured as FQDNs that are all updated using ddns.  mysub1.mydom.info, mysub2.mydom.info, etc.

    When I look at Diagnostics/Tables, infoddns is there and the correctly resolved IP addresses are listed in the table.

    I used that alias name as the value for a front end ACL of type "Source IP matches IP or Alias".  When I look at the generated HAProxy config, all looks correct:
    acl        infoacl  src -f /var/etc/haproxy/ipalias_infoddns.lst

    If I add the ACL to an action, those IPs (and all IPs) are blocked and return a 503.

    When I look at the file /var/etc/haproxy/ipalias_infoddns.lst it is only 2 bytes long and contains no IPs.

    It seems that everything is set up correctly, but the resolved alias IPs are never written to the HAProxy acl src file.  I have re-started HAProxy and rebooted pfSense with no change.

    It's likely that I missed some configuration step, but I'm stumped at the moment.  Suggestions would be appreciated.

    Jerry



  • Not missing a step.. just that haproxy isn't going to resolve the names in a list to IPs, so the 'alias support' is limited to fixed IPs and subnets a.t.m.. It could be possible I suppose to resolve a list of names to IPs by the package when reloading the config, but when a DNS record changes it wouldn't take effect until the config is reloaded.. so really it would still be of limited use.



  • Thanks PiBa.

    Is it possible to read the contents of a pfSense table from a shell script?  If so, I could simply run a cron job to read the table contents which is being resolved correctly and write the HAProxy src file which is being configured correctly, but not populated.



  • Your cron job would be too late if it's going to edit the file, as it is only read on haproxy startup..

    There might still be a possibility though, if you manage to read the IPs from pfSense:

    pfctl -t bogons -T show

    And then add them to the haproxy in-memory list:

    /usr/local/pkg/haproxy/haproxy_socket.sh add acl /var/etc/haproxy/ipalias_infoddns.lst 1.2.3.4/31


  • That works perfectly!  Thanks very much for your help.



  • Here's the script I added to cron.  There might be more efficient / better ways to do it, but this works for my case with a fairly small number of IPs in the alias.

    #!/bin/sh

    # Update an HAProxy acl with ddns addresses from a pfSense table

    #Edit this value to match pfSense alias name
    ALIASNAME="infoddns"

    #Force update on first run - acl will be empty after restart
    /usr/local/pkg/haproxy/haproxy_socket.sh show acl "/var/etc/haproxy/ipalias_${ALIASNAME}.lst" > "/tmp/${ALIASNAME}-acl"
    rc=$(wc -l < "/tmp/${ALIASNAME}-acl" | awk '{print $1}')
    if [ "$rc" -lt 2 ]; then echo "X" > "/tmp/${ALIASNAME}-cur"; fi

    #Dump the alias table to a temp file
    pfctl -t "${ALIASNAME}" -T show > "/tmp/${ALIASNAME}-new"

    #Check new alias table against current
    diff "/tmp/${ALIASNAME}-new" "/tmp/${ALIASNAME}-cur" >/dev/null 2>&1

    #If no change, just exit (/bin/sh has no ==, use -eq)
    rc=$?; if [ "$rc" -eq 0 ]; then exit 0; fi

    #Clear current acl
    /usr/local/pkg/haproxy/haproxy_socket.sh clear acl "/var/etc/haproxy/ipalias_${ALIASNAME}.lst"

    #read each alias table line and add to HAProxy acl IP values
    #(file path and address must be separate arguments; note /31 also admits the
    # neighbouring address, /32 matches only the single resolved host)
    while read -r line; do
        /usr/local/pkg/haproxy/haproxy_socket.sh add acl "/var/etc/haproxy/ipalias_${ALIASNAME}.lst" "${line}/31"
    done < "/tmp/${ALIASNAME}-new"

    #Set current alias file to the updated values
    mv "/tmp/${ALIASNAME}-new" "/tmp/${ALIASNAME}-cur"

    exit 0
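An added example, not the poster's script: the same sync done incrementally, so the ACL is never emptied between "clear acl" and the re-adds, with each table line checked to be an address before it is pushed and IPv6 entries handled too. The wrapper path is the one from this thread; that it passes "del acl" through to HAProxy's runtime API the way it does "add acl" is an assumption.

```shell
#!/bin/sh
# Incremental sync of an HAProxy runtime ACL from a pfSense table dump, so the
# ACL is never empty between "clear acl" and the re-adds. Added example, not the
# poster's script; wrapper path and its "del acl" pass-through are assumptions.
export LC_ALL=C   # stable sort/comm ordering
# Syntactic checks so a stray table line cannot become an ACL entry.
is_ipv4() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
}
is_ipv6() {   # loose: at least two colons, hex digits and colons only
    case "$1" in *:*:*) case "$1" in *[!0-9a-fA-F:]*) return 1 ;; esac ;;
                 *) return 1 ;; esac
}
# stdin: "pfctl -T show" lines ("   1.2.3.4") or "show acl" lines
# ("0x8.. 1.2.3.4/32"). stdout: sorted unique "addr/prefix" entries.
normalize() {
    while read -r line || [ -n "$line" ]; do
        entry=${line##* }                  # last field fits both formats
        host=${entry%%/*}
        [ -n "$host" ] || continue
        if is_ipv4 "$host"; then plen=32
        elif is_ipv6 "$host"; then plen=128
        else echo "skipping malformed entry: $line" >&2; continue
        fi
        case "$entry" in */*) ;; *) entry="$host/$plen" ;; esac
        printf '%s\n' "$entry"
    done | sort -u
}
# $1: current "show acl" output, $2: new "pfctl -T show" output.
# Prints "add <cidr>" / "del <cidr>" lines that bring the ACL in sync.
acl_plan() {
    _d=$(mktemp -d) || return 1
    printf '%s\n' "$1" | normalize > "$_d/cur"
    printf '%s\n' "$2" | normalize > "$_d/new"
    comm -13 "$_d/cur" "$_d/new" | sed 's/^/add /'
    comm -23 "$_d/cur" "$_d/new" | sed 's/^/del /'
    rm -rf "$_d"
}
# Apply a plan to the ACL file named in the generated haproxy config ($1).
acl_apply() {
    while read -r op cidr; do
        /usr/local/pkg/haproxy/haproxy_socket.sh "$op" acl "$1" "$cidr"
    done
}
```

On pfSense the cron entry would be something like `acl_plan "$(/usr/local/pkg/haproxy/haproxy_socket.sh show acl "$F")" "$(pfctl -t infoddns -T show)" | acl_apply "$F"` with F set to the ipalias_*.lst path from the generated config.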