Bug #9261
open
haproxy GUI failure
0%
Description
The GUI is misbehaving. I'm unable to add a specific ACL via the GUI. Simply adding "http-request redirect scheme https code 301 if !{ ssl_fc }" to the "Advanced pass thru" fixed it but that should not have to be done.
I've written extensively on the forum about this problem (with screenprints): see https://forum.netgate.com/topic/139314/haproxy-configuration-problem-gui-causing-it
Basically the steps to reproduce the problem are:
1. Create a frontend, name it "test", save,
2. Open "test", add an ACL, notice there is no "Traffic is ssl (no value needed):" option,
3. Just to continue, name the ACL "https", expression="Host starts with:", value="https", save,
4. Open "test" once again, edit the ACL, notice now there is the "Traffic is ssl (no value needed):" option,
5. Change the expression to "Traffic is ssl (no value needed):", remove the value, save. Result: error (or the ACL was completely removed).
I tried above with both the haproxy package (package version 0.59_15, haproxy version 1.7.11) and the haproxy-devel package (0.59_15, 1.8.14).
Updated by Pi Ba over 5 years ago
The acl "Traffic is ssl (no value needed)" is using the actual haproxy option: "req.ssl_ver gt 0" this is one that only applies to frontends using mode TCP, and as such is hidden/removed when writing the configuration for a HTTP frontend. That you can see it when editing a old acl isnt supposed to happen, but i guess a little code that actually makes sure of hiding it then is missing.
So with regard to the webgui its 'mostly' working as intended. Changing a existing acl is rarely needed so its not that big an issue that a few 'undesirable' options show up then. imho anyhow. But well i guess it is a little bug.
As for your desired acl option 'ssl_fc', it does currently not exits in the webgui. Which only supports a subset of haproxy's complete feature set.
I guess it could make a good addition though, it seems the ssl_fc is fairly often used in various native haproxy configurations on the web.