Bug #9261

haproxy GUI failure

Added by Suriname Clubcard 11 months ago. Updated 11 months ago.

Status: New
Priority: Normal
Assignee: -
Category: haproxy
Target version: -
Start date: 01/08/2019
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.4_1
Affected Architecture:

Description

The GUI is misbehaving. I'm unable to add a specific ACL via the GUI. Simply adding "http-request redirect scheme https code 301 if !{ ssl_fc }" to the "Advanced pass thru" fixed it but that should not have to be done.

I've written extensively on the forum about this problem (with screenprints): see https://forum.netgate.com/topic/139314/haproxy-configuration-problem-gui-causing-it

Basically the steps to reproduce the problem are:

1. Create a frontend, name it "test", save,
2. Open "test", add an ACL, notice there is no "Traffic is ssl (no value needed):" option,
3. Just to continue, name the ACL "https", expression="Host starts with:", value="https", save,
4. Open "test" once again, edit the ACL, notice now there is the "Traffic is ssl (no value needed):" option,
5. Change the expression to "Traffic is ssl (no value needed):", remove the value, save. Result: error (or the ACL was completely removed).

I tried the above with both the haproxy package (package version 0.59_15, haproxy version 1.7.11) and the haproxy-devel package (0.59_15, 1.8.14).

History

#1 Updated by Pi Ba 11 months ago

The acl "Traffic is ssl (no value needed)" is using the actual haproxy option "req.ssl_ver gt 0". This is one that only applies to frontends using mode TCP, and as such is hidden/removed when writing the configuration for an HTTP frontend. That you can see it when editing an old acl isn't supposed to happen, but I guess a little code that actually makes sure of hiding it then is missing.

So with regard to the webgui it's 'mostly' working as intended. Changing an existing acl is rarely needed, so it's not that big an issue that a few 'undesirable' options show up then. IMHO anyhow. But well, I guess it is a little bug.

As for your desired acl option 'ssl_fc', it does not currently exist in the webgui, which only supports a subset of haproxy's complete feature set.

I guess it could make a good addition though; it seems ssl_fc is fairly often used in various native haproxy configurations on the web.
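Added example (not part of the ticket and not code from the pfSense haproxy package): a small check that scans a haproxy configuration for the mismatch discussed above, a `req.ssl_ver` test inside a frontend running in HTTP mode, where `ssl_fc` is the fetch used in the reporter's workaround. The sample configuration, frontend names and certificate path are constructed, and the section parsing is deliberately simplified.

```python
import re

# Constructed sample configuration (names and paths are placeholders).
SAMPLE_CFG = """\
defaults
    mode http
frontend test
    bind :80
    bind :443 ssl crt /etc/ssl/example.pem
    acl https req.ssl_ver gt 0
    http-request redirect scheme https code 301 if !https
frontend test_ok
    bind :80
    http-request redirect scheme https code 301 if !{ ssl_fc }
frontend passthrough
    mode tcp
    tcp-request inspect-delay 5s
    acl is_tls req.ssl_ver gt 0
    tcp-request content accept if is_tls
"""

SECTION = re.compile(r"^(defaults|frontend|backend|listen|global|userlist|resolvers|peers)\b\s*(\S*)")

def find_tcp_only_ssl_acls(cfg_text):
    """Return (frontend, line_no, line) where req.ssl_ver is used in an HTTP-mode frontend."""
    default_mode = "tcp"  # haproxy's mode when no "mode" keyword is given
    sections = []  # each entry: [kind, name, explicit mode or None, [(line_no, text)]]
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # simplified comment stripping
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            sections.append([m.group(1), m.group(2), None, []])
        elif sections:
            words = line.split()
            if words[0] == "mode" and len(words) > 1:
                sections[-1][2] = words[1]
            sections[-1][3].append((no, line))
    findings = []
    for kind, name, mode, lines in sections:
        if kind == "defaults":
            default_mode = mode or "tcp"  # a new defaults section resets inherited settings
        elif kind == "frontend" and (mode or default_mode) == "http":
            findings += [(name, no, text) for no, text in lines if "req.ssl_ver" in text]
    return findings
```

On the sample, only the `test` frontend is reported; `test_ok` uses `ssl_fc` and `passthrough` runs in TCP mode, where `req.ssl_ver` applies.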
