Update HAproxy-devel package to 2.2 and HAproxy to 2.0
There are a bunch of improvements (but breaking features as well), like:
- Dynamic SSL Certificate Storage with exchanged handling of updating new certificates without a reload of HAproxy - maybe something can be reworked on the pfSense side
- breaking: if no ssl-min-ver is set, the default TLS will be 1.2 - maybe add this to 1.0 on pfSense by default via a dedicated global setting
- OCSP handling enhancements
- Native Response Generator - will be cool to have this in plugin UI
- Dynamic Error Handling - can be implemented in UI maybe
- Health Check Overhaul - now multiple health checks are possible for one backend, so changes must be updated in the plugin UI
- HTTP Actions - add new action type
- breaking: Security Hardening, but I don't think any pfSense users have been using this
- Lua - this can be used to add a separate Lua section to the plugin UI in a nice way
- regsub update to allow special characters
- use-server can be added to action list in plugin UI
Thanks in advance
#2 Updated by Torben Hørup 4 months ago
As I mentioned in #11216 (Duplicate):
pfSense-pkg-haproxy is still using haproxy18, whereas pfSense-pkg-haproxy-devel is using haproxy (which currently points to 2.2)
haproxy 1.8 LTS has a life expectancy until 2022Q4 so if pfsense 2.5 is expected to live beyond that we should probably bump to 2.0 or 2.2 before release
#3 Updated by DRago_Angel [InV@DER] 3 months ago
Hi. Actually, my ticket was created well before the "duplicate", and my ticket contains details that are now an issue with 2.2 in pfSense 2.5 T__T.
[WARNING] 048/042825 (22803) : Proxy 'http-promex': no-sslv3/no-tlsv1x are ignored for bind '0.0.0.0:9001' at [/var/etc/haproxy/haproxy.cfg:75]. Use only 'ssl-min-ver' and 'ssl-max-ver' to fix.
#4 Updated by DRago_Angel [InV@DER] 3 months ago
1. Now the Auto SSL/TLS Compatibility Mode description says:
If unsure leave it as 'Auto'
It is totally unclear what the result will be. More details need to be added, at least:
- if the user sets their own SSL parameters in Global Advanced passthru and chooses Auto, then pfSense will not add its own SSL settings
- what SSL/TLS version and ciphers will be used by Auto if the user does not provide their own in Global Advanced passthru
2. The descriptions of "Number of processes to start" and "Number of threads to start per process" needed to be changed long ago.
This one specially:
FOR NOW, THREADS SUPPORT IN HAPROXY 1.8 IS HIGHLY EXPERIMENTAL AND IT MUST BE ENABLED WITH CAUTION AND AT YOUR OWN RISK.
"Number of threads to start per process" is now actually the RECOMMENDED parameter to get multi-core support, starting from 2.0, if not from 1.9,
while "Number of processes to start" is recommended to always be left at value 1.
#5 Updated by DRago_Angel [InV@DER] 2 months ago
And another point, "Health Check Overhaul - now multiple health checks are possible for one backend so changes must be updated in plugin UI", mentioned in my ticket: https://redmine.pfsense.org/issues/11491. It is a bad idea to just bump the version of the package without aligning to the package changes at all.
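
Added example, not part of the original thread or of the pfSense or HAProxy code: a small Python check for the condition behind the warning quoted in comment #3. It lists `bind` and `ssl-default-bind-options` lines that still carry `no-sslv3`/`no-tlsv1x` switches and, where a single floor can express them, the `ssl-min-ver` value to use instead. The sample config, certificate path and function names are constructed for illustration.

```python
# Protocol versions in ascending order, as spelled in the legacy no-* switches.
ORDER = ["sslv3", "tlsv10", "tlsv11", "tlsv12", "tlsv13"]
NAMES = {"sslv3": "SSLv3", "tlsv10": "TLSv1.0", "tlsv11": "TLSv1.1",
         "tlsv12": "TLSv1.2", "tlsv13": "TLSv1.3"}
KEYWORDS = ("bind", "ssl-default-bind-options")

def suggest_min_ver(disabled):
    """Return the ssl-min-ver value equivalent to the disabled set, or None
    when the set is not a contiguous run from SSLv3 upward (manual review)."""
    n = 0
    while n < len(ORDER) and ORDER[n] in disabled:
        n += 1
    if n == len(ORDER) or any(v in disabled for v in ORDER[n:]):
        return None
    return NAMES[ORDER[n]]

def audit(cfg_text):
    """Find lines that use no-sslv3/no-tlsv1x switches on the bind side."""
    findings = []
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()      # drop trailing comments
        if not tokens or tokens[0] not in KEYWORDS:
            continue
        disabled = {t[3:] for t in tokens[1:]
                    if t.startswith("no-") and t[3:] in ORDER}
        if disabled:
            findings.append({
                "line": lineno,
                "keyword": tokens[0],
                "legacy": sorted("no-" + v for v in disabled),
                # Legacy switch together with ssl-min-ver is what triggers the warning.
                "has_min_ver": "ssl-min-ver" in tokens,
                "suggest": suggest_min_ver(disabled),
            })
    return findings

# Constructed sample configuration (not taken from a real system).
SAMPLE_CFG = """\
global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
frontend http-promex
    bind 0.0.0.0:9001 ssl crt /constructed/path.pem no-sslv3 ssl-min-ver TLSv1.2
frontend www
    bind 0.0.0.0:443 ssl crt /constructed/path.pem ssl-min-ver TLSv1.2
    bind 0.0.0.0:8443 ssl crt /constructed/path.pem no-tlsv11
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CFG):
        print(f)
```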