Project

General

Profile

Actions

Feature #10739

open

Update HAproxy-devel package to 2.2 and HAproxy to 2.0

Added by DRago_Angel [InV@DER] about 1 year ago. Updated about 1 month ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
haproxy
Target version:
-
Start date:
07/08/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:

Description

Announced new stable version of HAproxy 2.2: https://www.haproxy.com/blog/announcing-haproxy-2-2/
There is bunch of improvements (but breaking futures as well), like:
  • Dynamic SSL Certificate Storage with exchanged handling of updating new certificates without reload of HAproxy - maybe can be something reworked on pfSense side
  • breaking: if no ssl-min-ver set default TLS will be 1.2 - maybe add this to 1.0 on pfSense by default via dedicated global setting
  • ocsp handling enchantments
  • Native Response Generator - will be cool to have this in plugin UI
  • Dynamic Error Handling - can be implemented in UI maybe
  • Health Check Overhaul - now multiply healtchecks are possible for one backend so changes must be updated in plugin UI
  • HTTP Actions - add new action type
  • breaking: Security Hardening but doesn't think any pfSense users was been used this
  • Lua - this can be used to add sepatate LUA section to plugin UI in nice way
  • regsub update to allow special characters
  • use-server can be added to action list in plugin UI

Thanks in advance

Actions #1

Updated by DRago_Angel [InV@DER] 9 months ago

Please, can somebody check this? This important and big update.

Actions #2

Updated by Torben Hørup 7 months ago

As I mentioned in #11216 (Duplicate):
pfSense-pkg-haproxy is still using haproxy18 where as pfSense-pkg-haproxy-devel is using haproxy (which currently points to 2.2)

haproxy 1.8 LTS has a life expectancy until 2022Q4 so if pfsense 2.5 is expected to live beyond that we should probably bump to 2.0 or 2.2 before release

Actions #3

Updated by DRago_Angel [InV@DER] 6 months ago

Hi Actually my ticket was much before of "duplicate", and my ticket contain details, that now issue with 2.2 in 2.5 pfsense T__T.

[WARNING] 048/042825 (22803) : Proxy 'http-promex': no-sslv3/no-tlsv1x are ignored for bind '0.0.0.0:9001' at [/var/etc/haproxy/haproxy.cfg:75]. Use only 'ssl-min-ver' and 'ssl-max-ver' to fix. 
Actions #4

Updated by DRago_Angel [InV@DER] 6 months ago

To add:
1. Now Auto SSL/TLS Compatibility Mode description says:
If unsure leave it as 'Auto'
This totally unclean what will be in result. Need add more details, at least:
  • if user will set own SSL parameters in Global Advanced passthru and choose Auto then pfsense will not add own SSL settings
  • what SSL TLS version and ciphers will be used by Auto if user will not provide own in Global Advanced passthru

2. Descriptions of: Number of processes to start и Number of threads to start per process need to be changed far ago.
This one specially:

FOR NOW, THREADS SUPPORT IN HAPROXY 1.8 IS HIGHLY EXPERIMENTAL AND IT MUST BE ENABLED WITH CAUTION AND AT YOUR OWN RISK.

Number of threads to start per process now actually RECOMENDED parameter to get multi core support, starting from 2.0, if not from 1.9,
while Number of processes to start recommended to leave at value 1 always.

Actions #5

Updated by DRago_Angel [InV@DER] 5 months ago

And another point "Health Check Overhaul - now multiply healtchecks are possible for one backend so changes must be updated in plugin UI" mentioned in my ticket: https://redmine.pfsense.org/issues/11491 it bad idea just bump version of package without aligning to package changes at all.

Actions #6

Updated by Viktor Gurov 3 months ago

  • Tracker changed from Todo to Feature

http-after-response and http-request_replace-path actions support:
https://github.com/pfsense/FreeBSD-ports/pull/1070

Actions #7

Updated by Jim Pingle 2 months ago

  • Status changed from New to Pull Request Review
Actions #8

Updated by Renato Botelho about 1 month ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions

Also available in: Atom PDF