HAProxy configuration problem (GUI causing it?)



  • I ran into a problem with HAProxy on pfSense. This is a new installation (2.4.4p1) with a clean configuration. Current HAProxy config is as follows:

    # Automaticaly generated, dont edit manually.
    # Generated on: 2019-01-05 10:43
    global
    	maxconn			10
    	stats socket /tmp/haproxy.socket level admin 
    	uid			80
    	gid			80
    	nbproc			1
    	hard-stop-after		15m
    	chroot				/tmp/haproxy_chroot
    	daemon
    	tune.ssl.default-dh-param	2048
    	server-state-file /tmp/haproxy_server_state
    	userlist UsersFor_esxi
    	  user **** insecure-password ****
    	
    	
    
    frontend repro_8443
    	bind			0.0.0.0:8443 name 0.0.0.0:8443   ssl crt-list /var/etc/haproxy/repro_8443.crt_list  
    	bind			0.0.0.0:8080 name 0.0.0.0:8080   
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	acl			esxi	var(txn.txnhost) -m beg -i esxi
    	acl			syno	var(txn.txnhost) -m beg -i syno
    	acl			aclcrt_repro_8443	var(txn.txnhost) -m reg -i ^([^\.]*)\.uberguru\.eu(:([0-9]){1,5})?$
    	http-request set-var(txn.txnhost) hdr(host)
    	use_backend esxi_backend_ipvANY  if  esxi aclcrt_repro_8443
    	use_backend syno_backend_ipvANY  if  syno aclcrt_repro_8443
    	use_backend www_backend_ipvANY  if   aclcrt_repro_8443
    
    backend esxi_backend_ipvANY
    	mode			http
    	id			100
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	acl			AuthOkay_esxi	http_auth(UsersFor_esxi)
    	http-request auth realm ESXi  if  !AuthOkay_esxi 
    	server			esxi 172.22.7.5:443 id 101 ssl  verify none 
    
    backend syno_backend_ipvANY
    	mode			http
    	id			102
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			syno 172.22.7.40:5001 id 101 ssl  verify none 
    
    backend www_backend_ipvANY
    	mode			http
    	id			103
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			www 172.22.7.40:443 id 104 ssl  verify none
    


    The GUI shows the ACLs for the front end as follows:


    Now I'd like to add a redirect from http to https. I'm looking for "Traffic is ssl" or "Traffic is http". However, the pull down initially doesn't show that option:

    Please note that there is no scrollbar on the right! I checked the DOM in the browser and "Custom acl:" is indeed the final element in the <select>...</select>.


    To continue, I selected "SSL Client certificate valid." and named it "https". Saved and committed, no problem.


    Now, if I edit that same setting, and look at the pull down items, the check for ssl is there!?!?:

    Please notice that there is a scrollbar!


    If I now select that "Traffic is ssl (no value needed):" item and try to save, it fails:


    This is all very confusing to me. Is there a problem with my config or is the GUI invalid?



  • Replying to myself: I just did a clean install of pfSense 2.4.4p1 and tried above with the haproxy-devel package:

    1. Create a frontend, name it "test", save,
    2. Open "test", add an ACL, notice there is no "Traffic is ssl (no value needed):" option,
    3. Just to continue, name the ACL "https", expression="Host starts with:", value="https", save,
    4. Open "test" once again, edit the ACL, notice now there is the "Traffic is ssl (no value needed):" option,
    5. Change the expression to "Traffic is ssl (no value needed):", remove the value, save, same error. Or the ACL was completely removed.

    Either something is broken or I am completely not understanding this user interface?