    [SOLVED] HAProxy Deleting ACL on modify - Bug or am I missing something?

    pfSense Packages
    15 Posts 2 Posters 1.9k Views
    • coatmaker618 (last edited by coatmaker618)

      Summary:

      When you modify an existing ACL in a Shared Frontend, instead of modifying the ACL it seems to delete it (yes I'm hitting save--see steps below).

      Steps to Reproduce:

      1. Open a new/existing Shared Frontend (Services/HAProxy/Frontend)
      2. Edit HAProxy Frontend
        1. Name frontend
        2. Add description (optional)
        3. Status <-- Active
        4. Check Shared Frontend checkbox (enabled)
        5. Select Primary FrontEnd
      3. Create an entry in the Access Control List table (in Default backend, access control lists and actions)
        1. Add Name & Value to new entry
        2. To this same entry, click on the dropdown; you will see the limited collection from figure 1
      4. In same section (different table) add an action (if needed).
        1. Action: Use Backend
        2. Conditional ACL name MUST be same as one we just created.
        3. Connect to backend if desired.
      5. Scroll to bottom of page & click save.
         (Note: Clicking apply here makes no difference)
      6. Reopen Shared Frontend we just created
      7. Go to ACL list (same as previous step) & edit value we just created in table
      8. Clicking on Expression dropdown we should see the long list shown in figure 2 (below).
         • I have not tried selecting an item that existed on short list from fig 1 (step 3.2)
      9. Scroll down to bottom of page and save.
      10. Click Apply. You should see error in fig 3 rather than the expected success.

      Figures:

      Figure 1: Short ACL list as seen on creating new table entry
      [ACL List on create](PFSENSE-HAProxy short ACL list.png)

      Figure 2: Long ACL list as seen on modifying existing table entry
      [ACL List on modify](PFSENSE-HAProxy LONG ACL list.png)

      Figure 3: Error shown on applying saved changes
      [Error Message](PFSENSE-HAProxy ACL error.png)

      • PiBa @coatmaker618 (last edited by PiBa)

        @coatmaker618
        What is the 'type' of your frontend? Several options are not 'available' for TCP frontends. Options that inspect headers/paths/urls can only be used in HTTP frontends as only then haproxy fully parses the http-traffic/headers.

        • coatmaker618 @PiBa

          @PiBa said in HAProxy Deleting ACL on modify - Bug or am I missing something?:

          What is the 'type' of your frontend? Several options are not 'available' for TCP frontends. Options that inspect headers/paths/urls can only be used in HTTP frontends as only then haproxy fully parses the http-traffic/headers.

          Thanks for the reply @PiBa

          I have 2 primary FrontEnds:

          1. is "tcp" for http traffic.
          2. is "ssl/https" for https traffic.

          This issue seems to be true for both of them.

          I should say that the overarching goal here is to have HAProxy redirect traffic as it comes in (which sounds easy). I specifically do not want it to intercept HTTPS traffic as the certs are on the backend servers. My understanding was that I needed a rule to match the hostname (which I noticed was available on modify but not create, hence my issue).

          • PiBa @coatmaker618

            @coatmaker618
            'ssl/https' is also a TCP kind of frontend, when looking from the haproxy.cfg config perspective, so the host header cannot be inspected there.

            1- why not use type 'HTTP'? Seems to me it fits the http traffic requirement nicely ;).

            2- For SSL it's impossible to see the host-header as that header is part of the HTTP-protocol-level traffic which is encrypted, meaning you cannot read it unless you decrypt it, which needs the certificates and negotiated keys there. You can usually use SNI to point traffic for different domain-names to different servers though.

            • coatmaker618 (last edited by coatmaker618)

              @PiBa the part that concerned me about type "HTTP" is that it's listed as "HTTP/HTTPS (offloading)" and it's that offloading that I'm concerned about. If that's misguided I will happily change it.

              When you say "For SSL its impossible to see the host-header as that header is part of the HTTP-protocol-level-traffic which is encrypted, meaning you cannot read it unless you decrypt it"

              Ok then maybe Host-Header isn't the right requirement if that requires decryption? I may well be saying the wrong things as I'm mostly clueless >_> But surely the internet somehow knows to route HTTPS traffic so there must be some way I can forward/route/direct/whatever HTTPS request based on the subdomain in the requested URL without HAProxy needing to have the cert.

              • PiBa @coatmaker618

                @coatmaker618

                I understood your first frontend listens on :80 ? If so type 'HTTP/HTTP(offloading)' would be the correct choice.

                For your second frontend on :443, you can use 'SNI' meaning use the acl choice for "Server Name Indication".

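What the two frontends PiBa describes look like in raw haproxy.cfg terms, added here as an illustration (not from this thread and not the config the pfSense package generates; backend names, server addresses and hostnames are assumed placeholders):

```haproxy
# Added illustration, not from this thread or the pfSense HAProxy package.
# Backend names, server addresses and hostnames are assumed placeholders.

# Frontend 1: plain HTTP on :80 (pfSense type "HTTP/HTTPS (offloading)").
# In "mode http" HAProxy parses the request, so a Host-header ACL works.
frontend fe_http
    bind :80
    mode http
    acl host_sub hdr(host) -i subdomain.mydomain.com
    acl host_app hdr(host) -i app.mydomain.com
    use_backend be_sub if host_sub
    use_backend be_app if host_app
    default_backend be_sub

# Frontend 2: HTTPS passthrough on :443, no certificates on HAProxy.
# In "mode tcp" the Host header is inside the encrypted stream, so this
# never matches (it is what the GUI hides for TCP/ssl frontends):
#     acl host_sub hdr(host) -i subdomain.mydomain.com
# The SNI hostname in the TLS ClientHello is cleartext, so route on that.
frontend fe_https
    bind :443
    mode tcp
    # hold the connection until the ClientHello arrives, at most 5s
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # req.ssl_sni carries only the hostname (never a path such as /folder)
    use_backend be_sub_tls if { req.ssl_sni -i subdomain.mydomain.com }
    use_backend be_app_tls if { req.ssl_sni -i app.mydomain.com }
    # clients that send no SNI fall through to the default backend
    default_backend be_sub_tls

backend be_sub
    mode http
    server web1 192.0.2.10:80 check

backend be_app
    mode http
    server web2 192.0.2.11:80 check

backend be_sub_tls
    mode tcp
    server web1 192.0.2.10:443 check

backend be_app_tls
    mode tcp
    server web2 192.0.2.11:443 check
```

To check the :443 routing without a browser, `openssl s_client -connect <pfsense-ip>:443 -servername subdomain.mydomain.com` should return the certificate of the intended backend server.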
                • coatmaker618 @PiBa (last edited by coatmaker618)

                  @PiBa said in HAProxy Deleting ACL on modify - Bug or am I missing something?:

                  I understood your first frontend listens on :80 ? If so type 'HTTP/HTTP(offloading)' would be the correct choice.

                  BAM! Nailed it (for HTTP)! I need to add a 2nd server to be 100% sure but this seems to work perfectly right now :) Thank you :)

                  @PiBa said in HAProxy Deleting ACL on modify - Bug or am I missing something?:

                  For your second frontend on :443, you can use 'SNI' meaning use the acl choice for "Server Name Indication".

                  As for HTTPS, not so much. First question, should that be set to offloading too or keep it at https?

                  Second Question (assuming https NOT offloading for 1st question): The only SNI options I see are "SNI TLS extension". If I go for matched/contains how much of a full URL does that include?

                  • PiBa @coatmaker618

                    @coatmaker618
                    The SNI TLS extension only contains the hostname, and sometimes the port, so 'www.domain.tld' or 'www.domain.tld:443' could be sent in there depending on the client and actual port used.

                    • coatmaker618 @PiBa (last edited by coatmaker618)

                      @PiBa that was my guess, but that's strange. Because typing in the FQDN (https://subdomain.mydomain.com) takes me to an apache landing page (which is correct, though admittedly not unique). But typing in (https://subdomain.mydomain.com/folder) seems to hang.....

                      update: Chrome reports "ERR_EMPTY_RESPONSE"

                      • PiBa @coatmaker618

                        @coatmaker618
                        Hmm, that's a bit strange. Can you check in the Chrome developer network window the network requests and check the 'preserve log' checkbox?
                        I wonder if perhaps it's sending a redirect for your folder request to some unexpected (direct) location?

                          • coatmaker618 @PiBa

                            @PiBa I PMed you. Check that & we'll go from there.

                            • coatmaker618

                              It's working!! Everything above was enough to get HAProxy working. The rest was issues with the services (moving around on the network was part of the issue, but not all of it).

                              @PiBa THANK YOU!!!!

                              • coatmaker618

                                Now, final order of business, is there a "mark as solved" button or do I just rename the topic to include the word solved?

                                • PiBa @coatmaker618

                                  @coatmaker618
                                  Indeed just rename the topic. There is no 'solved' button.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.