HAPROXY - disable backend server via command line

Zirc75 · Nov 25, 2015, 1:34 PM

Hi,

maybe this is a stupid question, is it possible to disable (state: inactive) one of the servers listed in a backend via command line?
I found the Haproxy commands but it seems to me they're not for the PF plugin, just for the standalone version.

Thanks

Carlo

PiBa · Nov 25, 2015, 7:08 PM

Hi Carlo,
Yes its possible, haproxy socket is already used-created in /tmp/haproxy.socket. Only issue is that all examples use 'socat' which is not installed on pfsense by default, and is quite bloated imho.. ( pkg install socat )

Other option is to make it listen on a tcp port with this setting on the settings tab advanced field:

stats socket 127.0.0.1:3000 level admin

Ten you could use telnet to query that socket.

Anyway haproxy itself on pfsense supports it just like on any other haproxy installation.

Regards,
PiBa-NL

Zirc75 · Nov 27, 2015, 2:46 PM

Hi, thanks for the tips, I've been able to disable a node using socat.
To script all commands I created a new user in order to skip FPSense CLI initial screen.
This user is member of admins, but when I try the following command I get a permission denied error from socat: E connect(5, LEN=21 AF=1 "/tmp/haproxy.socket", 21): Permission denied

echo "disable server mypool/server2" | /usr/local/bin/socat unix-connect:/tmp/haproxy.socket stdio

do I need to change the level in haproxy.cfg? (stats socket /tmp/haproxy.socket level admin)

Thanks for helping me

Carlo

PiBa · Nov 27, 2015, 6:57 PM

Hi Carlo,

I've never tried creating a different user and use the socket from there..

Could try changing some of the settings made by haproxy on the socket using unix-bind option and put that into advanced options on the settings tab.
http://cbonte.github.io/haproxy-dconv/snapshot/configuration-1.6.html#3.1-unix-bind

Changing the actual haproxy.cfg is not wise as the file is recreated from scratch every time something is changed, or restarted..

Regards
PiBa-NL

Zirc75 · Nov 28, 2015, 10:19 AM

Hi,

I installed the sudo package, that solved my problem 8)

echo "disable server mypool/server2" | sudo /usr/local/bin/socat unix-connect:/tmp/haproxy.socket stdio

PiBa · Nov 28, 2015, 6:17 PM

Hi Carlo,

I've been playing with it a bit think this might help.
By putting the config setting below in the advanced settings of haproxy would allow socket access to users in the admins group:

stats socket /tmp/haproxy.adminsocket group admins mode 0020 level admin

echo "show sess" | socat stdio /tmp/haproxy.adminsocket

That way at least the sudo wouldn't be needed.

Regards
PiBa-NL