haproxy package: how to reject tcp connections if backend is down?

  • Greetings!

    I'm using the HaProxy package in pfsense and would like to configure a frontend to reject tcp connections if the respective backend has no servers up. What is a good way to achieve this?

    Apparently, the config directives would be something like:

    acl site_dead nbsrv(my_backend) lt 1
    tcp-request reject if site_dead

    It's not obvious to me how I can implement something equivalent in the UI for the haproxy package.

    On a related note, on the frontend edit page, I've been playing around with ACLs as I suspect this is where I can accomplish my objective. I see the Custom acl: option. If I select this option, would I then add the acl line in the above snippet, sans the acl site_dead portion? e.g. add:

    nbsrv(my_backend) lt 1

    to the 'value' field? Else I don't see how to make use of the Custom acl: selection.

  • If no one has specific experience with setting up ACLs to reject connections in the UI, can anyone provide guidance on how to properly use the Custom acl: option in the UI?

    I've tried several different approaches: including putting certain portions of what I would put into a config file, into the 'value' field, but it always fails to parse when I attempt to apply. Is there something I'm missing?

  • If it fails to parse, what did you put exactly and what does it say.?
    0_1527944187567_2018-06-02 14_55_15-Services_ HAProxy_ Frontend_ Edit - pfSe.localdomain.png
    produces this for me (p.s. note the backend name in my case is vhost3 but the config has some additional suffix your backend name might also have a additional _http_ in between.. check the config file for the exact name if needed.. but gui should do it automatically ) :

    acl			myBackAlive	nbsrv(vhost3_ipvANY) ge 1
    tcp-request connection reject  if  !myBackAlive

    Custom acl could also be used.. but still make sure to use the backendname exactly as it gets written to the haproxy.conf file..

  • Thanks for your response PiBa.

    I've made some good progress on this and think I have a working solution. I've found a working ACL combination:
    That is, when all backends are down, I get a match on the kdemo_dead ACL that says "!minCountUsableServers ge 1" and haproxy uses the tpc-request connection reject as desired.

    Interestingly, at first when I initially had SSL offload enabled for the frontend, I had a lot of errors when the package attempted to create the haproxy.cfg, and when I finally got past that I no longer got the desired behavior: despite the ACLs, haproxy still initiated a TCP connection and returned a 503. I really don't know what's changed,: perhaps it was because I had some of the boxes checked that created additional ACLs?

    It seems the haproxy package is dynamically generating a haproxy.cfg when I apply UI changes and sometimes the content and sequence of entries causes unintended consequences.

    At any rate, seems to be working now, so I'm happy:)

Log in to reply