
Feature #4394

closed

HAproxy and use ACLs from UI to perform a "block"/"http-request deny"

Added by Stéphane Lapie about 9 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: haproxy
Target version: -
Start date: 02/08/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

HAproxy currently allows defining ACLs to redirect to specific backends, and defining several frontend -> backend relationships.
When no ACL is matched, HAproxy comes to the conclusion "503 no server is available", which for most purposes is quite fine, but a bit misleading, as in most cases people would expect a "403 Forbidden".

It is possible to include custom frontend configuration, but only "before" the UI-generated ACLs are declared, so it is not possible to reference them (not to mention that the ACL numbers and names might change), and therefore not possible to do things like:

# UI-Generated code
acl 1_AllowedClient    src -f /var/etc/haproxy/ipalias_Clients.lst
http-request deny if ! 1_AllowedClient

I could certainly declare custom pass-through configuration:

acl custom_allowed_client src -f /var/etc/haproxy/ipalias_Clients.lst
http-request deny if ! custom_allowed_client
# UI Generated ACLs
# ...

However, then, I run the risk of the file name not being correct anymore once I change the firewall aliases, and I have to modify it in two places.

What I would propose is to allow, for a given collection of ACLs, to choose between several courses of action:
  • use_backend <configuredBackEnd> if ...
  • http-request allow if ...
  • http-request deny if ...
  • http-request tarpit if ...

This would make the UI considerably more complex, but I think it would allow for proper error codes when building proxies, and be quite valuable to make the HAproxy package feature complete.
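As an added illustration of the deny-before-route ordering proposed above (this is hand-written example configuration, not the pfSense package's generated output; the frontend/backend names, the certificate path and the blocked-client alias file are assumptions):

```haproxy
# Example frontend: explicit 403/tarpit for unwanted clients, 503 only for
# allowed clients whose request matches no use_backend rule.
frontend web_in
    bind *:80
    bind *:443 ssl crt /var/etc/haproxy/example.pem   # assumed cert path
    mode http

    # Alias-backed ACLs; the allowed list path is the one from the ticket,
    # the blocked list is an assumed second alias file.
    acl allowed_client src -f /var/etc/haproxy/ipalias_Clients.lst
    acl blocked_client src -f /var/etc/haproxy/ipalias_Blocked.lst
    acl https ssl_fc

    # Known-bad sources are held in a tarpit; everyone not on the allow
    # list gets an immediate 403 instead of falling through to a 503.
    http-request tarpit if blocked_client
    http-request deny if !allowed_client

    # HAProxy evaluates http-request rules before reqadd regardless of
    # file order; keeping them first also avoids the parser warning
    # quoted later in this ticket.
    reqadd X-Forwarded-Proto:\ http if !https
    reqadd X-Forwarded-Proto:\ https if https

    # Only /app is routed. An allowed client asking for any other path
    # still gets HAProxy's "503 no server is available", since there is
    # deliberately no default_backend.
    use_backend app_pool if { path_beg /app }

backend app_pool
    mode http
    server app1 192.0.2.10:8080 check   # RFC 5737 documentation address
```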

Actions #1

Updated by Pi Ba about 9 years ago

In the new >=0.17 package ACLs are written before the user custom config, so ACLs should be usable.
As for adding allow/deny/tarpit, I'll put it on my 'wish-list'.. But I don't think I'll be adding it soon. The names of the ACLs no longer start with a number, so changes shouldn't occur (often) anymore.. As for changing the alias name, it will not update the name in haproxy automatically; I don't think I can do anything about that as there is likely no trigger from pfSense that notifies packages of a changed alias name.

Actions #2

Updated by Pi Ba over 8 years ago

Check out the new haproxy-devel package v0.33; it is now possible to create more elaborate acl/action items.
If you find any action missing or have an idea how to improve the acl system further, please let me know.

Actions #3

Updated by Stéphane Lapie over 8 years ago

I just tested it out. Wow, this is awesome.

It works as intended and expected; one just has to be careful when managing with http-request allow/deny (-> 403) what used to be done by giving a backend (or not -> 503) :)

Also, just one little thing: using http-request actions generates a file that causes this warning to pop:

[WARNING] 309/115206 (57723) : parsing [/var/etc/haproxy/haproxy.cfg:79] : a 'http-request' rule placed after a 'reqadd' rule will still be processed before.

Actions #4

Updated by Chris Buechler over 8 years ago

  • Category set to haproxy
  • Status changed from New to Resolved

Actions #5

Updated by Pi Ba over 8 years ago

Hi Stéphane,
The 'reqadd' I suppose is in your own textual 'advanced configuration' options? I don't think I should be moving these options around automatically.
But why not use the "http-request add-header" that is available in the 'actions'? I think it works similarly to reqadd and even supports fmt format for the value.

Actions #6

Updated by Pi Ba over 8 years ago

Hm, I add a 'reqadd' in the package too when using forwardfor. I'll check where that gets added..

Actions #7

Updated by Stéphane Lapie over 8 years ago

Yes, I am using the automatic SSL redirect function, which does a reqadd:

reqadd X-Forwarded-Proto:\ http if !https
reqadd X-Forwarded-Proto:\ https if https
