Bug #8438

open

haproxy: can't use ACL for cert with http-response actions

Added by Petr H over 6 years ago. Updated over 6 years ago.

Status: New
Priority: High
Assignee: -
Category: haproxy
Target version: -
Start date: 04/05/2018
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.4.3
Affected Plus Version:
Affected Architecture: amd64

Description

pfSense 2.4.3, pfSense-pkg-haproxy 0.54_2, haproxy 1.7.10

1. Primary frontend used by other shared ones
2. SSL-enabled
3. Option "Add ACL for certificate Subject Alternative Names." enabled
4. Action "http-response header replace" used

Upon saving such a configuration I'm getting:
"[WARNING] 094/235036 (95194) : parsing [/var/etc/haproxy/haproxy.cfg:46] : acl 'aclcrt_main-SSL' will never match because it only involves keywords that are incompatible with 'frontend http-response header rule'"

And the configuration doesn't work as expected.

- If I deselect the "Add ACL for certificate Subject Alternative Names." option the issue doesn't occur.
- Or if I move the rule to any of the shared ones where the ACL option doesn't have an effect, the issue doesn't occur.
- Or (just for test purposes) if I change the action from "http-response header replace" to "http-request header replace" the issue doesn't occur (however the configuration doesn't work properly of course).

I think that ACLs generated via the "Add ACL for certificate Subject Alternative Names." (or "Add ACL for certificate CommonName.") option shouldn't be applied to actions affecting HTTP (or TCP) responses.


Files

haproxy.cfg (2.56 KB) - sample haproxy.cfg, warning at lines 48 and 49 (Petr H, 04/06/2018 02:29 PM)
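In the report above, the warning is the only signal that the response rule is guarded by an ACL that can never match. The following is an added example, not part of the original report or of the pfSense package: a check that parses HAProxy's config-check output for this warning and returns a failing status for a deploy hook. The function names are hypothetical, and the sample text reuses the warning quoted in the report plus one constructed line.

```python
import re
from collections import defaultdict

# Matches the warning format quoted in the report above.
NEVER_MATCH = re.compile(
    r"\[WARNING\]\s+\S+\s+\(\d+\)\s*:\s*parsing\s+"
    r"\[(?P<file>[^\]:]+):(?P<line>\d+)\]\s*:\s*"
    r"acl '(?P<acl>[^']+)' will never match because it only involves "
    r"keywords that are incompatible with '(?P<context>[^']+)'"
)


def find_dead_acls(check_output):
    """Return {acl_name: [(file, line, context), ...]} for every
    'will never match' warning found in the config-check output."""
    hits = defaultdict(list)
    for raw in check_output.splitlines():
        m = NEVER_MATCH.search(raw)
        if m:
            hits[m["acl"]].append((m["file"], int(m["line"]), m["context"]))
    return dict(hits)


def gate(check_output):
    """Status for a deploy hook: 1 if any rule depends on a dead ACL, else 0."""
    return 1 if find_dead_acls(check_output) else 0


# First line: the warning from the report. Second line: constructed for the example.
SAMPLE = """\
[WARNING] 094/235036 (95194) : parsing [/var/etc/haproxy/haproxy.cfg:46] : acl 'aclcrt_main-SSL' will never match because it only involves keywords that are incompatible with 'frontend http-response header rule'
Configuration file is valid
"""

if __name__ == "__main__":
    for acl, uses in find_dead_acls(SAMPLE).items():
        for path, line, context in uses:
            print(f"{path}:{line}: ACL {acl} is inert in a {context}")
    raise SystemExit(gate(SAMPLE))
```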