HAProxy configuration problem (GUI causing it?)
I ran into a problem with HAProxy on pfSense. This is a new installation (2.4.4p1) with a clean configuration. Current HAProxy config is as follows:
```
# Automaticaly generated, dont edit manually.
# Generated on: 2019-01-05 10:43
global
    maxconn 10
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state

userlist UsersFor_esxi
    user **** insecure-password ****

frontend repro_8443
    bind 0.0.0.0:8443 name 0.0.0.0:8443 ssl crt-list /var/etc/haproxy/repro_8443.crt_list
    bind 0.0.0.0:8080 name 0.0.0.0:8080
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl esxi var(txn.txnhost) -m beg -i esxi
    acl syno var(txn.txnhost) -m beg -i syno
    acl aclcrt_repro_8443 var(txn.txnhost) -m reg -i ^([^\.]*)\.uberguru\.eu(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend esxi_backend_ipvANY if esxi aclcrt_repro_8443
    use_backend syno_backend_ipvANY if syno aclcrt_repro_8443
    use_backend www_backend_ipvANY if aclcrt_repro_8443

backend esxi_backend_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    acl AuthOkay_esxi http_auth(UsersFor_esxi)
    http-request auth realm ESXi if !AuthOkay_esxi
    server esxi 172.22.7.5:443 id 101 ssl verify none

backend syno_backend_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server syno 172.22.7.40:5001 id 101 ssl verify none

backend www_backend_ipvANY
    mode http
    id 103
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server www 172.22.7.40:443 id 104 ssl verify none
```
The GUI shows the ACLs for the front end as follows:
Now I'd like to add a redirect from http to https. I'm looking for "Traffic is ssl" or "Traffic is http". However, the pull-down initially doesn't show that option:
Please note that there is no scrollbar on the right! I checked the DOM in the browser and "Custom acl:" is indeed the final element in the <select>...</select>.
To continue, I selected "SSL Client certificate valid." and named it "https". Saved and committed, no problem.
Now, if I edit that same setting and look at the pull-down items, the check for ssl is there!?!?:
Please notice that there is a scrollbar!
If I now select that "Traffic is ssl (no value needed):" item and try to save, it fails:
This is all very confusing to me. Is there a problem with my config or is the GUI invalid?
Replying to myself: I just did a clean install of pfSense 2.4.4p1 and tried the above with the haproxy-devel package:
- Create a frontend, name it "test", save,
- Open "test", add an ACL, notice there is no "Traffic is ssl (no value needed):" option,
- Just to continue, name the ACL "https", expression="Host starts with:", value="https", save,
- Open "test" once again, edit the ACL, notice now there is the "Traffic is ssl (no value needed):" option,
- Change the expression to "Traffic is ssl (no value needed):", remove the value, save, same error. Or the ACL was completely removed.
Either something is broken or I am completely misunderstanding this user interface?
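The posted frontend also binds 0.0.0.0:8080 without `ssl` and routes to a backend that demands HTTP authentication, so until an http-to-https redirect exists, those credentials can cross the plain listener. The check below flags that condition; it is an added example, not part of the original posts or the pfSense package, and the function names and the trimmed sample config are constructed for illustration.

```python
import re

SECTIONS = ("global", "defaults", "userlist", "frontend", "backend", "listen")
# Any frontend rule that sends the client to an https URL counts as a redirect.
REDIRECT = re.compile(r"(http-request\s+)?redirect\s+(scheme\s+https\b|(location|prefix)\s+https://)")

# Constructed sample: a trimmed copy of the frontend/backend lines from the post.
SAMPLE = """\
frontend repro_8443
    bind 0.0.0.0:8443 name 0.0.0.0:8443 ssl crt-list /var/etc/haproxy/repro_8443.crt_list
    bind 0.0.0.0:8080 name 0.0.0.0:8080
    mode http
    use_backend esxi_backend_ipvANY if esxi aclcrt_repro_8443
    use_backend www_backend_ipvANY if aclcrt_repro_8443
backend esxi_backend_ipvANY
    http-request auth realm ESXi if !AuthOkay_esxi
    server esxi 172.22.7.5:443 id 101 ssl verify none
backend www_backend_ipvANY
    server www 172.22.7.40:443 id 104 ssl verify none
"""

def parse_sections(text):
    """Split an haproxy.cfg into {(kind, name): [directive lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in SECTIONS:
            name = words[1] if len(words) > 1 else ""
            current = sections.setdefault((words[0], name), [])
        elif current is not None:
            current.append(" ".join(words))
    return sections

def cleartext_auth_findings(text):
    """List (frontend, plain binds, backend) where HTTP auth is reachable without TLS."""
    sections, findings = parse_sections(text), []
    for (kind, name), lines in sections.items():
        if kind != "frontend" or any(REDIRECT.match(l) for l in lines):
            continue
        # A bind line without the "ssl" keyword accepts cleartext HTTP.
        plain = [l.split()[1] for l in lines
                 if l.startswith("bind ") and "ssl" not in l.split()[2:]]
        for l in lines if plain else []:
            m = re.match(r"(?:use_backend|default_backend)\s+(\S+)", l)
            backend = sections.get(("backend", m.group(1)), []) if m else []
            if any(b.startswith("http-request auth") for b in backend):
                findings.append((name, plain, m.group(1)))
    return findings
```

Run against a generated config, an empty result means every frontend that reaches an authenticated backend either has no plain bind or already redirects to https.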