HAProxy actions order



  • While configuring an HAProxy frontend, it is possible to rearrange actions in any order.
    However, when the config file is generated, the package moves all http-request directives first and then adds use_backend, regardless of the sort order in the UI.
    Can someone explain why the package is doing this? There is nothing in the HAProxy documentation I can find which would require http-request to be before use_backend.

    This creates a couple of issues:

    • Prevents some types of configuration - for example, I needed to forward specific requests to a backend before redirecting everything else to https

    • Package UI is not matching actual config being created

    
    acl          https     ssl_fc
    acl          unsecure  path_beg -i /app/
    acl          host-web  hdr_reg(host) -i ^web\.web\.com(:([0-9]){1,5})?$
    use_backend  Unsecure_http_ipvANY  if  host-web unsecure
    http-request redirect scheme https  if  host-web !https
    
    

    Because of this, I am forced to work around it, complicating the rules:

    
    acl          https     ssl_fc
    acl          unsecure  path_beg -i /app/
    acl          host-web  hdr_reg(host) -i ^web\.web\.com(:([0-9]){1,5})?$
    http-request redirect scheme https  if  host-web !https !unsecure
    use_backend  Unsecure_http_ipvANY  if  host-web unsecure
    
    

    This is a sample; in larger configurations it can become more complex.

    There was a bug logged a year ago: https://redmine.pfsense.org/issues/7022 but is marked as "Not a Bug" for some reason.
    If UI representation of actions does not match generated configuration, I'd consider this a bug still.

    If package author insists on separating certain actions, there should be separate sections in UI (like ACLs are separated), however I do not really see any reason for this…



  • As the haproxy binary would say:

    a 'http-request' rule placed after a 'use_backend' rule will still be processed before.



  • @PiBa:

    As the haproxy binary would say:

    a 'http-request' rule placed after a 'use_backend' rule will still be processed before.

    Interesting, can you point me to where this is documented?
    Technically, I do not see why this would be a requirement - all these rules use the same set of ACLs…
    I don't mind if this is how it works, but again, HAProxy package UI has to reflect that rule as well :)



  • Documented... not really that I could find.
    When haproxy is loaded with a configuration like the one proposed, it will return the warning generated by the code:
    https://github.com/haproxy/haproxy/blob/397131093f03c8cebc433ffba6beca3ee8641773/src/cfgparse.c#L461

    But I agree not having the webgui 'automagically' move rules to places where the user did not intend them to be is worth checking if that can be changed. Just having haproxy generate a warning to the user is probably better than having the webgui 'hide' the possible configuration issue. But I think it was done for the 'shared frontend' webgui implementation to avoid user 'unsolvable' startup warnings..



  • Thank you for the link…
    Interesting behavior, I might be able to test this by editing config manually and see for myself :)

    Still, not telling UI user that his order of actions won't work is bad :(
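
The ordering discussed in this thread, as an added example that is not part of any post and is not the package's or HAProxy's own code: it parses the frontend from the first post, flags http-request rules written after a use_backend, and compares which rule wins in written order versus HAProxy's processing order. The function names, the request dictionary and the minimal ACL evaluator (only ssl_fc, path_beg and hdr_reg(host), with every matching rule treated as final) are assumptions made for illustration.

```python
import re

# Constructed sample: the frontend rules from the first post, in the order the user wrote them.
FRONTEND = r"""
acl https ssl_fc
acl unsecure path_beg -i /app/
acl host-web hdr_reg(host) -i ^web\.web\.com(:([0-9]){1,5})?$
use_backend Unsecure_http_ipvANY if host-web unsecure
http-request redirect scheme https if host-web !https
"""

def parse(text):
    """Split a frontend into ACL definitions and (lineno, kind, action, condition) rules."""
    acls, rules = {}, []
    for n, line in enumerate(text.strip().splitlines(), 1):
        tok = line.split() or [""]
        if tok[0] == "acl":
            acls[tok[1]] = tok[2:]
        elif tok[0] in ("http-request", "use_backend"):
            i = tok.index("if")
            rules.append((n, tok[0], " ".join(tok[1:i]), tok[i + 1:]))
    return acls, rules

def misplaced(rules):
    """Line numbers of http-request rules written after a use_backend rule."""
    first = min((n for n, k, *_ in rules if k == "use_backend"), default=None)
    return [n for n, k, *_ in rules if k == "http-request" and first is not None and n > first]

def effective(rules):
    """Processing order per the warning: all http-request rules, then use_backend rules."""
    return sorted(rules, key=lambda r: (r[1] != "http-request", r[0]))

def acl_true(crit, req):
    """Assumption: evaluates only the three fetches used in this thread."""
    if crit[0] == "ssl_fc":
        return req["tls"]
    pattern = crit[-1]
    if crit[0] == "path_beg":
        return req["path"].lower().startswith(pattern.lower())
    if crit[0] == "hdr_reg(host)":
        return re.search(pattern, req["host"], re.I) is not None
    raise ValueError("unsupported ACL: " + crit[0])

def first_match(acls, rules, req):
    """First rule whose condition holds (terms are ANDed, '!' negates a term)."""
    for n, kind, action, cond in rules:
        if all(acl_true(acls[t.lstrip("!")], req) != t.startswith("!") for t in cond):
            return kind, action
    return None
```

For a plain-HTTP request to /app/ on web.web.com, the written order selects the backend while the processing order answers with the redirect, which is the mismatch the first post describes.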