Bug #14460

closed

PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/pkg/haproxy/haproxy.inc:2158

Added by Danilo Zrenjanin about 1 year ago. Updated 4 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
haproxy
Target version:
-
% Done:

0%


Description

PHP Errors:
[07-Jun-2023 22:30:25 Europe/Berlin] PHP Fatal error:  Uncaught TypeError: Cannot access offset of type string on string in /usr/local/pkg/haproxy/haproxy.inc:2158
Stack trace:
#0 /usr/local/pkg/haproxy/haproxy.inc(1490): use_transparent_clientip_proxying()
#1 /usr/local/pkg/haproxy/haproxy.inc(2353): haproxy_writeconf('/var/etc/haprox...')
#2 /usr/local/pkg/haproxy/haproxy.inc(653): haproxy_check_run(1)
#3 /etc/inc/pkg-utils.inc(783) : eval()'d code(1): haproxy_custom_php_install_command()
#4 /etc/inc/pkg-utils.inc(783): eval()
#5 /etc/inc/pkg-utils.inc(901): eval_once('haproxy_custom_...')
#6 /etc/rc.packages(76): install_package_xml('haproxy')
#7 {main}
Actions #1

Updated by Danilo Zrenjanin about 1 year ago

Actions #2

Updated by Danilo Zrenjanin about 1 year ago

Here is the configuration that triggers PHP errors.

<haproxy>
<configversion>00.58</configversion>
            <ha_backends>
                <item>
                    <name>HAproxy-ACME</name>
                    <status>active</status>
                    <secondary></secondary>
                    <primary_frontend></primary_frontend>
                    <type>http</type>
                    <forwardfor></forwardfor>
                    <httpclose>http-keep-alive</httpclose>
                    <extaddr></extaddr>
                    <backend_serverpool></backend_serverpool>
                    <max_connections></max_connections>
                    <client_timeout></client_timeout>
                    <port></port>
                    <advanced_bind></advanced_bind>
                    <ssloffloadcert>XXXXX</ssloffloadcert>
                    <dcertadv></dcertadv>
                    <ssloffload></ssloffload>
                    <ssloffloadacl></ssloffloadacl>
                    <ssloffloadacl_an>yes</ssloffloadacl_an>
                    <ssloffloadacladditional></ssloffloadacladditional>
                    <ssloffloadacladditional_an></ssloffloadacladditional_an>
                    <sslclientcert-none></sslclientcert-none>
                    <sslclientcert-invalid></sslclientcert-invalid>
                    <sslocsp></sslocsp>
                    <socket-stats></socket-stats>
                    <dontlognull></dontlognull>
                    <dontlog-normal></dontlog-normal>
                    <log-separate-errors></log-separate-errors>
                    <log-detailed></log-detailed>
                    <advanced></advanced>
                    <ha_acls>
                        <item>
                            <name>ACL1</name>
                            <expression>path_starts_with</expression>
                            <not></not>
                            <value>/.well-known/acme-challenge</value>
                            <url_parameterparameter></url_parameterparameter>
                            <backendservercountbackend></backendservercountbackend>
                            <_index></_index>
                        </item>
                    </ha_acls>
                    <ha_certificates></ha_certificates>
                    <clientcert_ca></clientcert_ca>
                    <clientcert_crl></clientcert_crl>
                    <a_extaddr>
                        <item>
                            <extaddr>wan_ipv4</extaddr>
                            <extaddr_custom></extaddr_custom>
                            <extaddr_port>80</extaddr_port>
                            <extaddr_ssl></extaddr_ssl>
                            <extaddr_advanced></extaddr_advanced>
                            <_index></_index>
                        </item>
                    </a_extaddr>
                    <a_actionitems>
                        <item>
                            <action>http-request_use-service</action>
                            <parameters></parameters>
                            <acl>ACL1</acl>
                            <use_backendbackend></use_backendbackend>
                            <use_serverserver></use_serverserver>
                            <customcustomaction></customcustomaction>
                            <http-request_authrealm></http-request_authrealm>
                            <http-request_redirectrule></http-request_redirectrule>
                            <http-request_lualua-function></http-request_lualua-function>
                            <http-request_use-servicelua-function>acme-http01</http-request_use-servicelua-function>
                            <http-request_add-headername></http-request_add-headername>
                            <http-request_add-headerfmt></http-request_add-headerfmt>
                            <http-request_set-headername></http-request_set-headername>
                            <http-request_set-headerfmt></http-request_set-headerfmt>
                            <http-request_del-headername></http-request_del-headername>
                            <http-request_replace-headername></http-request_replace-headername>
                            <http-request_replace-headerfind></http-request_replace-headerfind>
                            <http-request_replace-headerreplace></http-request_replace-headerreplace>
                            <http-request_replace-valuename></http-request_replace-valuename>
                            <http-request_replace-valuefind></http-request_replace-valuefind>
                            <http-request_replace-valuereplace></http-request_replace-valuereplace>
                            <http-response_lualua-function></http-response_lualua-function>
                            <http-response_add-headername></http-response_add-headername>
                            <http-response_add-headerfmt></http-response_add-headerfmt>
                            <http-response_set-headername></http-response_set-headername>
                            <http-response_set-headerfmt></http-response_set-headerfmt>
                            <http-response_del-headername></http-response_del-headername>
                            <http-response_replace-headername></http-response_replace-headername>
                            <http-response_replace-headerfind></http-response_replace-headerfind>
                            <http-response_replace-headerreplace></http-response_replace-headerreplace>
                            <http-response_replace-valuename></http-response_replace-valuename>
                            <http-response_replace-valuefind></http-response_replace-valuefind>
                            <http-response_replace-valuereplace></http-response_replace-valuereplace>
                            <tcp-request_content_lualua-function></tcp-request_content_lualua-function>
                            <tcp-request_content_use-servicelua-function></tcp-request_content_use-servicelua-function>
                            <tcp-response_content_lualua-function></tcp-response_content_lualua-function>
                            <_index></_index>
                        </item>
                    </a_actionitems>
                    <a_errorfiles></a_errorfiles>
                    <descr></descr>
                </item>
            </ha_backends>
            <ha_pools>
                <item>1</item>
            </ha_pools>
            <email_mailers></email_mailers>
            <dns_resolvers></dns_resolvers>
            <files>
                <item>
                    <name>acme-http01-webroot.lua</name>
                    <type>luascript</type>
                    <content>[base64-encoded Lua script omitted]</content>
                    <_index></_index>
                </item>
            </files>
            <enable></enable>
            <maxconn>100</maxconn>
            <logfacility>local0</logfacility>
            <loglevel>info</loglevel>
            <localstats_refreshtime></localstats_refreshtime>
            <localstats_sticktable_refreshtime></localstats_sticktable_refreshtime>
            <log-send-hostname></log-send-hostname>
            <ssldefaultdhparam></ssldefaultdhparam>
            <email_level></email_level>
            <email_myhostname></email_myhostname>
            <email_from></email_from>
            <email_to></email_to>
            <resolver_retries></resolver_retries>
            <resolver_timeoutretry></resolver_timeoutretry>
            <resolver_holdvalid></resolver_holdvalid>
        </haproxy>
Actions #3

Updated by Stefan Weichinger about 1 year ago

Thanks for creating this issue.

Could it be that the lua-script used in the HAproxy-config triggers these errors?
That script is used for a minimal LetsEncrypt-challenge and is quite old. It might be outdated now. So far I don't know of any safer alternative without hosting the challenge on a separate/dedicated webserver.

I wonder if I could temporarily remove it from the non-working HAproxy to at least make the reinstallation work again (and re-add the script after the installation succeeded).

Just wondering.

Actions #4

Updated by Stefan Weichinger about 1 year ago

May I ask for help again? We'd like to see this issue solved ... thanks

Actions #5

Updated by Jim Pingle about 1 year ago

This is your problem, the configuration is invalid:

            <ha_pools>
                <item>1</item>
            </ha_pools>

If you delete those three lines from your configuration it would work.

The PHP code could handle that better, but in your case it's better to fix the root of the problem in your configuration.
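An offline pre-check for the condition described in the note above, as an added example that is not part of the original thread and not pfSense or HAProxy package code: it scans a backup copy of config.xml for `<item>` entries under the haproxy section that hold bare text instead of child tags, and can return a copy with the offending list container removed. The function names are hypothetical, and treating every text-only `<item>` as invalid is an assumption generalized from the single `ha_pools` case reported here.

```python
import xml.etree.ElementTree as ET

SECTION = "installedpackages/haproxy"  # path used with config_del_path() in this thread

# Constructed sample modelled on the configuration posted in this report.
SAMPLE_CONFIG = """<pfsense><installedpackages><haproxy>
  <ha_backends>
    <item>
      <name>HAproxy-ACME</name>
      <a_extaddr><item><extaddr>wan_ipv4</extaddr></item></a_extaddr>
    </item>
  </ha_backends>
  <ha_pools>
    <item>1</item>
  </ha_pools>
  <maxconn>100</maxconn>
</haproxy></installedpackages></pfsense>"""

def _haproxy_section(root):
    # Accept a full config.xml (<pfsense> root) or a bare <haproxy> fragment.
    return root if root.tag == "haproxy" else root.find(SECTION)

def _is_scalar_item(el):
    # Assumption: a list <item> should contain child tags, never bare text.
    return el.tag == "item" and len(el) == 0 and bool((el.text or "").strip())

def find_scalar_items(config_xml):
    """Return [(path, text)] for each <item> that holds bare text."""
    section = _haproxy_section(ET.fromstring(config_xml))
    findings = []
    def walk(node, path):
        for child in node:
            child_path = f"{path}/{child.tag}"
            if _is_scalar_item(child):
                findings.append((child_path, child.text.strip()))
            walk(child, child_path)
    if section is not None:
        walk(section, SECTION)
    return findings

def strip_scalar_item_lists(config_xml):
    """Return XML text with each list container holding a scalar <item> removed."""
    root = ET.fromstring(config_xml)
    section = _haproxy_section(root)
    if section is None:
        return config_xml
    parents = {child: parent for parent in section.iter() for child in parent}
    doomed = {parents[el] for el in section.iter("item") if _is_scalar_item(el)}
    for container in doomed:
        if container is not section:
            parents[container].remove(container)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(find_scalar_items(SAMPLE_CONFIG))
```

Run it against a downloaded backup rather than the live file, and review the findings before restoring anything.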

Actions #6

Updated by Stefan Weichinger about 1 year ago

Jim Pingle wrote in #note-5:

This is your problem, the configuration is invalid:

[...]

If you delete those three lines from your configuration it would work.

The PHP code could handle that better, but in your case it's better to fix the root of the problem in your configuration.

Great, thanks. How would I do this? HAproxy isn't available in the GUI right now, and as far as I see there is no HAproxy-section in "Backup/Export" to only export/edit/import this.

Can I import only a partial xml ... ? or edit the xml in the live system on the shell? thanks!

Actions #7

Updated by Jim Pingle about 1 year ago

Stefan Weichinger wrote in #note-6:

Jim Pingle wrote in #note-5:
Great, thanks. How would I do this? HAproxy isn't available in the GUI right now, and as far as I see there is no HAproxy-section in "Backup/Export" to only export/edit/import this.

Can I import only a partial xml ... ? or edit the xml in the live system on the shell? thanks!

It's in the config backup. You can backup, edit, restore, or edit it in-place carefully: https://docs.netgate.com/pfsense/en/latest/config/xml-configuration-file.html#manually-editing-the-configuration

Alternately, you can try deleting it using PHP code from Diagnostics > Command:

config_del_path('installedpackages/haproxy/ha_pools');
write_config('Remove broken HAProxy configuration tags');
Actions #8

Updated by Stefan Weichinger about 1 year ago

Tried editing with `viconfig`: as HAproxy is down, ACME couldn't pull a LetsEncrypt-Cert, so no GUI right now ... edited, rebooted.

I have a corrected `config.xml` now, I assume I would now have to reinstall HAproxy from the shell, then trigger acme to pull a cert again (I have the command in my notes somewhere). I continue my efforts, thanks.

Actions #9

Updated by Stefan Weichinger about 1 year ago

Found my way: fixed now. Thanks for your help.

Actions #10

Updated by Danilo Zrenjanin about 1 year ago

I can confirm that after removing the lines, there are no PHP errors, and the service starts successfully.

Actions #11

Updated by Stefan Weichinger about 1 year ago

I have the exact same block of three lines on another appliance. So this might be some result of upgrades and changes over time (I didn't add these lines manually). Just noting.

Actions #12

Updated by Stefan Weichinger 10 months ago

I have a 2nd pfSense (SG1100) that also has HAproxy not starting.
Should I open a new issue in TAC, may I post the relevant part of config.xml here .. pls advise.

I find no "ha_pools" in there, so it might be a different error ;-) thanks

Actions #13

Updated by Jim Pingle 10 months ago

Stefan Weichinger wrote in #note-12:

I have a 2nd pfSense (SG1100) that also has HAproxy not starting.
Should I open a new issue in TAC, may I post the relevant part of config.xml here .. pls advise.

I find no "ha_pools" in there, so it might be a different error ;-) thanks

If you don't have that tag it's probably a different issue, so yes, please raise a new issue with TAC and pass along the haproxy config section(s) from your config.xml along with any errors you see in the logs/notices in the GUI and so on.

Actions #14

Updated by Stefan Weichinger 10 months ago

Will open issue in TAC asap.
Currently I don't have a GUI ... because the LE-Cert-Renewal fails because of the non-working HAproxy ...

thanks

edit: issue filed in TAC

Actions #15

Updated by Danilo Zrenjanin 4 months ago

  • Status changed from New to Resolved

I am closing this case because it appears to be more of a configuration issue rather than a bug.
