Netgate Discussion Forum

    HAPROXY strange things in latest pfSense

    • planetinse

      With package 0.63_1 and 23.09.1 (haproxy-2.8.2)

      I was trying to make use of new things in the dropdown that could replace my old custom ACLs (by editing an existing ACL)

      But when saving the frontend, the ACL disappears (and if I try to restart HA, the rule does not exist)

      So I thought I might need to create those ACLs from scratch - but then the option(s) are not in the dropdown.

      FYI - I am referring to the Server Name Indication expressions

      • viragomann @planetinse

        @planetinse
        Which type of frontend is this?

        I'd expect to see the SNI ACL only in tcp frontends. In http frontends you can better use host name instead.

        • planetinse @viragomann

          @viragomann This is from an existing https frontend

          Basically I have been using this setup for years, with SNI termination based on some guide from back in the HA 1.8 days.

          A TCP frontend takes the first blow > routes traffic to a backend that returns traffic back to an HTTPS frontend (what I think happens here is some kind of TLS termination?)

          In the HTTPS frontend I have ssl_fc_sni custom rules, to figure out based on subdomain where to send the traffic - all this to support DDP (websocket traffic) from IoT devices as well as web browser clients accessing the same backend.

          Using host here (historically) does not work for the IoT devices, only for web browsers - ssl_fc_sni has been the only stable way.

          I was hoping to ditch this now with the newer HA :)

          • planetinse @planetinse

            @planetinse

            Funny thing is, even when they are "gone", the ACLs using these briefly show up when loading the frontend, so this must be a bug one way or the other.

            1 Reply Last reply Reply Quote 0
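The two-stage layout described in the thread (a TCP frontend handing connections to a TLS-terminating HTTPS frontend that routes on ssl_fc_sni), written out as plain haproxy.cfg. This is an added example, not the poster's configuration and not output of the pfSense package; all names, ports, hostnames, addresses and the certificate path are assumptions.

```haproxy
# Added example; every name, port, host and path below is an assumption.
defaults
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Stage 1: TCP mode, TLS is NOT terminated here. req.ssl_sni reads the
# server name from the still-unencrypted ClientHello.
frontend fe_tcp_443
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    # Drop handshakes whose SNI is missing or outside the expected zone.
    tcp-request content reject if { req.ssl_hello_type 1 } !{ req.ssl_sni -i -m end .example.test }
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Anything that never produced a ClientHello is not TLS: reject it.
    tcp-request content reject
    default_backend be_to_https

# Loop the raw TLS stream to the local HTTPS frontend; PROXY protocol
# preserves the real client address across the hop.
backend be_to_https
    mode tcp
    server loop 127.0.0.1:8443 send-proxy-v2

# Stage 2: TLS is terminated here, so ssl_fc_sni (SNI of the terminated
# front connection) is available, and so is the HTTP Host header.
frontend fe_https
    mode http
    bind 127.0.0.1:8443 ssl crt /etc/haproxy/certs/example.pem accept-proxy
    acl sni_iot ssl_fc_sni -i iot.example.test
    acl sni_web ssl_fc_sni -i www.example.test
    # ssl_fc_sni is fixed for the whole TLS connection; Host is sent per
    # request. Refuse connections whose SNI matches neither rule.
    http-request deny unless sni_iot or sni_web
    use_backend be_iot if sni_iot
    use_backend be_web if sni_web

backend be_iot
    mode http
    server iot1 192.0.2.10:3000

backend be_web
    mode http
    server web1 192.0.2.20:3000
```

The file can be syntax-checked with `haproxy -c -f <file>` once the certificate path points at a real PEM bundle.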
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.