Feature #10739

open

Update HAproxy-devel package to 2.2 and HAproxy to 2.0

Added by DRago_Angel [InV@DER] almost 4 years ago. Updated over 2 years ago.

Status: Feedback
Priority: Normal
Assignee: Viktor Gurov
Category: haproxy
Target version: -
Start date: 07/08/2020
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

A new stable version of HAproxy, 2.2, has been announced: https://www.haproxy.com/blog/announcing-haproxy-2-2/
There are a bunch of improvements (but breaking features as well), like:
  • Dynamic SSL Certificate Storage with exchanged handling of updating new certificates without reload of HAproxy - maybe something can be reworked on the pfSense side
  • breaking: if no ssl-min-ver is set, the default TLS will be 1.2 - maybe add this to 1.0 on pfSense by default via a dedicated global setting
  • OCSP handling enhancements
  • Native Response Generator - it would be cool to have this in the plugin UI
  • Dynamic Error Handling - can be implemented in the UI maybe
  • Health Check Overhaul - now multiple health checks are possible for one backend, so changes must be updated in the plugin UI
  • HTTP Actions - add new action type
  • breaking: Security Hardening, but I don't think any pfSense users were using this
  • Lua - this can be used to add a separate Lua section to the plugin UI in a nice way
  • regsub update to allow special characters
  • use-server can be added to the action list in the plugin UI

Thanks in advance

Actions #1

Updated by DRago_Angel [InV@DER] over 3 years ago

Please, can somebody check this? This is an important and big update.

Actions #2

Updated by Torben Hørup over 3 years ago

As I mentioned in #11216 (Duplicate):
pfSense-pkg-haproxy is still using haproxy18, whereas pfSense-pkg-haproxy-devel is using haproxy (which currently points to 2.2).

haproxy 1.8 LTS has a life expectancy until 2022Q4, so if pfSense 2.5 is expected to live beyond that, we should probably bump to 2.0 or 2.2 before release.

Actions #3

Updated by DRago_Angel [InV@DER] about 3 years ago

Hi. Actually, my ticket was filed long before the "duplicate", and my ticket contains details. Now there is an issue with 2.2 in pfSense 2.5 T__T.

[WARNING] 048/042825 (22803) : Proxy 'http-promex': no-sslv3/no-tlsv1x are ignored for bind '0.0.0.0:9001' at [/var/etc/haproxy/haproxy.cfg:75]. Use only 'ssl-min-ver' and 'ssl-max-ver' to fix. 
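
The warning quoted in the comment above concerns bind lines that carry the legacy 'no-sslv3'/'no-tlsv1x' keywords. The following Python script is an added example, not part of the ticket or of the pfSense package: it scans a configuration for those keywords and proposes the 'ssl-min-ver' replacement. The sample configuration, the certificate path and the audit() helper are constructed for illustration.

```python
# Added example: audit an haproxy.cfg for legacy TLS-version keywords.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest first
LEGACY = {"no-sslv3": "SSLv3", "no-tlsv10": "TLSv1.0", "no-tlsv11": "TLSv1.1",
          "no-tlsv12": "TLSv1.2", "no-tlsv13": "TLSv1.3"}

# Constructed sample config (not from the ticket); the cert path is a placeholder.
SAMPLE = """\
global
    ssl-default-bind-options no-sslv3 no-tlsv10
frontend http-promex
    bind 0.0.0.0:9001 ssl crt /example/cert.pem no-sslv3 no-tlsv10 no-tlsv11 ssl-min-ver TLSv1.2
frontend web
    bind 0.0.0.0:443 ssl crt /example/cert.pem ssl-min-ver TLSv1.2
frontend odd
    bind 0.0.0.0:8443 ssl crt /example/cert.pem no-tlsv11
"""

def audit(cfg_text):
    """Report bind / ssl-default-bind-options lines that use legacy no-* keywords."""
    findings = []
    for lineno, raw in enumerate(cfg_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if not tokens or tokens[0] not in ("bind", "ssl-default-bind-options"):
            continue
        disabled = {LEGACY[t] for t in tokens if t in LEGACY}
        if not disabled:
            continue
        n = len(disabled)
        # Only a contiguous run starting at the oldest version maps cleanly
        # to a single ssl-min-ver; anything else needs a manual decision.
        clean = disabled == set(VERSIONS[:n]) and n < len(VERSIONS)
        findings.append({
            "line": lineno,
            "legacy": sorted(t for t in tokens if t in LEGACY),
            # True when the line mixes legacy keywords with the new ones.
            "mixed": any(t in ("ssl-min-ver", "ssl-max-ver") for t in tokens),
            "suggest": f"ssl-min-ver {VERSIONS[n]}" if clean else None,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding with "suggest" set to None means the disabled versions do not form a simple lower bound, so the line has to be reviewed by hand.
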
Actions #4

Updated by DRago_Angel [InV@DER] about 3 years ago

To add:
1. Now the Auto SSL/TLS Compatibility Mode description says:
If unsure leave it as 'Auto'
It is totally unclear what the result will be. More details need to be added, at least:
  • if the user sets their own SSL parameters in Global Advanced passthru and chooses Auto, then pfSense will not add its own SSL settings
  • what SSL/TLS version and ciphers will be used by Auto if the user does not provide their own in Global Advanced passthru

2. The descriptions of "Number of processes to start" and "Number of threads to start per process" needed to be changed long ago.
This one especially:

FOR NOW, THREADS SUPPORT IN HAPROXY 1.8 IS HIGHLY EXPERIMENTAL AND IT MUST BE ENABLED WITH CAUTION AND AT YOUR OWN RISK.

"Number of threads to start per process" is now actually the RECOMMENDED parameter to get multi-core support, starting from 2.0, if not from 1.9,
while "Number of processes to start" is recommended to always be left at value 1.

Actions #5

Updated by DRago_Angel [InV@DER] about 3 years ago

And another point, "Health Check Overhaul - now multiple health checks are possible for one backend so changes must be updated in plugin UI", is mentioned in my ticket: https://redmine.pfsense.org/issues/11491. It is a bad idea to just bump the version of the package without aligning to the package changes at all.

Actions #6

Updated by Viktor Gurov almost 3 years ago

  • Tracker changed from Todo to Feature

http-after-response and http-request_replace-path actions support:
https://github.com/pfsense/FreeBSD-ports/pull/1070

Actions #7

Updated by Jim Pingle almost 3 years ago

  • Status changed from New to Pull Request Review

Actions #8

Updated by Renato Botelho almost 3 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Viktor Gurov

PR has been merged. Thanks!

Actions #9

Updated by DRago_Angel [InV@DER] over 2 years ago

Hi, here many points are still undone.
