Netgate Discussion Forum

Creating AND conditions in HAProxy's GUI

  • S
    senseivita
    last edited by Dec 28, 2022, 9:14 PM

    I'd like to create this rule:
    Screen Shot 2022-12-28 at 13.48.16 PM.png

    Using this UI:
    Screen Shot 2022-12-28 at 13.42.30 PM.png

    But I'm not sure how to match both ACLs at the same time. Listing them as you would in HAProxy's config file acts the opposite, i.e. { } means {||} instead of {&&}. Does that mean the AND/&& operator can be specified now? E.g.:

    Screen Shot 2022-12-28 at 14.07.19 PM.png
    ?

    Thanks!

    Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

    • V
      viragomann @senseivita
      last edited by Dec 28, 2022, 10:34 PM

      @senseivita
      There are no logic operations allowed in the action conditions.
      Simply remove the "&". The negation can be kept.

      BTW: I don't know the expression "Traffic is ssl". Maybe you're running a higher HAProxy version.
      I have to use a custom value for this in 1.8.x:
      800e69bd-2e17-4bb4-9ebb-5384cd3c32bd-image.png

      • M
        michmoor LAYER 8 Rebel Alliance @senseivita
        last edited by michmoor Dec 28, 2022, 11:37 PM Dec 28, 2022, 11:35 PM

        @senseivita did a lot of googling for this and the documentation is extremely poor for this package on Netgate BUT to do this just keep a space between both rules. So for example I have a rule that matches on a url and a path so if you go to example.com/admin you will be blocked. I had to create a rule (rule1) that matches on the domain and another rule (rule2) that matches on the path. Link them like this … rule1 rule2
        Just keep a space
        Create 2 rules and when you link them just keep a space. It’s literally that easy.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        • S
          senseivita @viragomann
          last edited by Dec 29, 2022, 3:30 AM

          @viragomann I'm sorry, it was meant as NOT rfc1918 and NOT TLS, but I didn't think it mattered since the point was to add both conditions up. 🤣 Anyway, let's assume they're some other random ACL that both need to match for the rule to apply, I'd like to know how to do it in the boxes that already exist, that's the whole reason I gave up a standalone server that was running HAProxy almost a year old and still was newer than pfSense's. But thanks anyway for helping out.

          @michmoor Yeah, I was aware of that. But for what it's worth, the plugin is sort of a community type of thing, once I got help from the guy that wrote it, he was really nice and patient since I knew nothing back then.

          Listing the ACLs doesn't AND them up, it ORs them. So, any one of them could (not) match, for instance:
          Screen Shot 2022-12-28 at 20.01.00 PM.png
          That above is my standard config, the rules apply to everything that's proxied, except for the last rule, which applies to almost everything except for the two ACLs (sites) listed unrelated to one another.

          Using a space works if you put it in the Advanced box, because it's passed with the standard HAProxy syntax, but @viragomann here just said there are no (additional) logic operations, so… yeah. No worries, I'll just have to rethink a couple of things to make it a little more efficient.

          Even with a flaw or two, pfSense has the nicest GUI for HAProxy, given the price — I'd put it against HAProxy Enterprise any day, since their price is "first sign up for the trial". I'm trying to make the most out of it while still being somewhat as efficient as editing a single file was.

          I'm not walking away empty-handed though, posting the screenshots made me notice that an ACL should've been negated and it wasn't, and now I can move on without trying to "fix" it, breaking things in the process.

          Thank you both for answering.
          ✌️

          • S
            senseivita @senseivita
            last edited by Dec 29, 2022, 3:33 AM

            I just found out 2.7 is out. It's very tempting. 🙄

            • V
              viragomann @senseivita
              last edited by Dec 29, 2022, 10:10 AM

              @senseivita said in Creating AND conditions in HAProxy's GUI:

              Listing the ACLs doesn't AND them up, it ORs them.

              Don't agree.
              If I enter multiple ACLs separated by spaces into the condition box, the action is applied if both match, not if only one does.
              So I'd say, that's an AND conjunction.

              You can get an OR adding the same action again, but with the other ACL as condition.

              • M
                michmoor LAYER 8 Rebel Alliance @viragomann
                last edited by Dec 29, 2022, 3:34 PM

                @viragomann That's correct.

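
The condition semantics the thread settles on, written out as plain HAProxy configuration. This is an added example, not taken from any poster's setup or from the pfSense package; the ACL names, header name, certificate path and backend address are constructed placeholders.

```haproxy
# Added example: all names, paths and addresses below are constructed placeholders.
frontend fe_example
    mode http
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/example.pem

    # Named ACLs, referenced by name in the action conditions below.
    acl from_rfc1918  src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    acl is_tls        ssl_fc
    acl host_example  hdr(host) -i example.com
    acl path_admin    path_beg /admin

    # AND: ACLs separated by a space must ALL match (no "&" or "&&" operator).
    # Denies example.com/admin only; other hosts and other paths pass.
    http-request deny if host_example path_admin

    # AND with negation: "!" applies to the single ACL that follows it.
    # Redirects only clients that are NOT RFC 1918 AND NOT already on TLS.
    http-request redirect scheme https code 301 if !from_rfc1918 !is_tls

    # OR, form 1: repeat the same action, one ACL per line.
    # This form needs no operator in the condition.
    http-request set-header X-Example-Trusted 1 if from_rfc1918
    http-request set-header X-Example-Trusted 1 if is_tls

    # OR, form 2: explicit "||" (or the keyword "or") in raw config syntax.
    # Equivalent to the two lines of form 1.
    http-request set-header X-Example-Trusted 1 if from_rfc1918 || is_tls

    # Mixed: AND binds tighter than OR, so this reads
    # (host_example AND path_admin) OR (NOT is_tls).
    http-request set-header X-Example-Audit 1 if host_example path_admin || !is_tls

    default_backend be_example

backend be_example
    mode http
    server app1 192.0.2.10:8080 check
```

When a deny or redirect rule depends on two ACLs, confirm the generated configuration carries both names on one `if` line. Splitting them across two lines turns the rule into an OR and widens what it matches.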