Feature #4394
Status: closed
HAproxy and use ACLs from UI to perform a "block"/"http-request deny"
Description
HAproxy currently allows defining ACLs to redirect to specific backends, and defining several frontend -> backend relationships.
When no ACL is matched, HAproxy comes to the conclusion "503 no server is available", which for most purposes is quite fine, but a bit misleading, as in most cases people would expect a "403 Forbidden".
It is possible to include custom frontend configuration, but only "before" UI-generated ACLs are declared, so it is not possible to reference them (not to mention the ACL numbers and names might change), so it is not possible to do things like:
    # UI-Generated code
    acl 1_AllowedClient src -f /var/etc/haproxy/ipalias_Clients.lst
    http-request deny if ! 1_AllowedClient
I could certainly declare custom pass-through configuration:
    acl custom_allowed_client src -f /var/etc/haproxy/ipalias_Clients.lst
    http-request deny if ! custom_allowed_client
    # UI Generated ACLs
    # ...
However, then, I run the risk of the file name not being correct anymore once I change the firewall aliases, and I have to modify it in two places.
What I would propose is to allow, for a given collection of ACLs, to choose several courses of action:
- use_backend <configuredBackEnd> if ...
- http-request allow if ...
- http-request deny if ...
- http-request tarpit if ...
This would make the UI considerably more complex, but I think it would allow for proper error codes when building proxies, and be quite valuable to make the HAproxy package feature complete.
Updated by Pi Ba about 10 years ago
In the new >=0.17 package ACLs are written before the user custom config, so ACLs should be usable.
As for adding allow/deny/tarpit, I'll put it on my 'wish-list'.. But I don't think I'll be adding it soon. The names of the ACLs no longer start with a number, so changes shouldn't occur (often) anymore.. As for changing the alias name, it will not update the name in haproxy automatically; I don't think I can do anything about that, as there is likely no trigger from pfSense that notifies packages of a changed alias name.
Updated by Pi Ba over 9 years ago
Check out the new haproxy-devel package v0.33, it is now possible to create more elaborate acl/action items.
If you find any action missing or have an idea how to improve the acl system further, please let me know.
Updated by Stéphane Lapie over 9 years ago
I just tested it out. Wow, this is awesome.
It works as intended and expected, it's just that one has to be careful about managing with http-request allow/deny (-> 403) what used to be done by giving a backend (or not -> 503) :)
Also, just one little thing: using http-request actions generates a file that causes this warning to pop up:
[WARNING] 309/115206 (57723) : parsing [/var/etc/haproxy/haproxy.cfg:79] : a 'http-request' rule placed after a 'reqadd' rule will still be processed before.
Updated by Chris Buechler over 9 years ago
- Category set to haproxy
- Status changed from New to Resolved
Updated by Pi Ba over 9 years ago
Hi Stéphane,
The 'reqadd' I suppose is in your own textual 'advanced configuration' options? I don't think I should be moving these options around automatically.
But why not use the "http-request add-header" that is available in the 'actions'? I think it works similarly to reqadd and even supports fmt format for the value.
Updated by Pi Ba over 9 years ago
Hm, I add a 'reqadd' in the package too when using forwardfor. I'll check where that gets added..
Updated by Stéphane Lapie over 9 years ago
Yes, I am using the automatic SSL redirect function, which does a reqadd:
    reqadd X-Forwarded-Proto:\ http if !https
    reqadd X-Forwarded-Proto:\ https if https
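The following frontend is an added example, not configuration generated by the pfSense haproxy package or posted by anyone in this thread. It puts the two points raised above into one file: an explicit http-request deny so that clients outside the alias list get a 403 instead of the "503 no server is available" fall-through, and the X-Forwarded-Proto headers set with http-request instead of reqadd, which is what triggers the ordering warning quoted earlier. The alias file path and the "https" ACL name are taken from the thread; the frontend/backend names, ports, certificate path, routing rule and server address are assumptions made for illustration.

```haproxy
# Added example (not from the package or the thread). Paths and the "https"
# ACL name are the ones shown in the issue; "www", "web_backend", the ports,
# the certificate path and the server address are assumptions.
frontend www
    bind *:80
    bind *:443 ssl crt /var/etc/haproxy/server.pem   # certificate path is an assumption
    mode http

    # Client allow-list read from the file the package writes for the pfSense alias.
    acl AllowedClient src -f /var/etc/haproxy/ipalias_Clients.lst
    # True when the client connection itself was TLS (replaces a UI-generated "https" ACL).
    acl https ssl_fc

    # http-request rules run before any use_backend/default_backend decision and
    # before the legacy req* rewrite rules, regardless of where they appear in the
    # file. Denying here answers 403 to anyone not in the list; leaving such
    # requests to fall through with no matching backend yields 503 instead.
    http-request deny if !AllowedClient

    # Replacement for the two reqadd lines quoted in the thread. Doing this with
    # http-request avoids the "placed after a 'reqadd' rule" warning, and
    # set-header (unlike add-header or reqadd) also discards any value the client
    # sent itself, so a spoofed X-Forwarded-Proto never reaches the backend.
    http-request set-header X-Forwarded-Proto http  if !https
    http-request set-header X-Forwarded-Proto https if  https

    # Backend selection only happens for requests that survived the rules above.
    use_backend web_backend if { path_beg /app }     # assumption: illustrative routing rule
    default_backend web_backend

backend web_backend
    mode http
    server web1 192.0.2.10:8080 check    # RFC 5737 documentation address, assumption
```

Two caveats when adapting this: the deny/tarpit actions answer before backend selection, so a rule that denies too broadly hides every use_backend rule below it, which is the "be careful" point made above; and reqadd/reqirep and the other req*/rsp* directives were deprecated in HAProxy 1.9 and removed in 2.1, so the http-request form is the only one that survives an upgrade.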