Feature #9793

Add support for HAProxy ACLs "src -f /ipalias.lst" to use pfBlockerNG IP Alias Native

Added by DRago_Angel [InV@DER] 11 months ago. Updated about 2 months ago.

Status: Feedback
Priority: Normal
Category: pfBlockerNG
Target version: -
Start date: 09/25/2019
Due date:
% Done: 100%
Estimated time:

Description

Currently pfBlockerNG is a powerful tool for creating any IP alias you can imagine: from domain resolving, ASNs, parsing IPs from HTTP responses, parsing the MaxMind GeoIP DB, etc. It works simply and is solid as a rock.
At the same time, HAProxy can use pfSense Aliases as a source IP list for ACLs. This has many use cases, such as:
  • configure one alias to store all CloudFlare IPs and then respond 503 to any client not from that list
  • use GeoIP to determine the client's country and redirect them to the localized version of the website.

Unfortunately, currently only static (manually created) aliases work in HAProxy. If you try pointing to a pfBlockerNG alias, you get a blank IP list on the filesystem.

Feature request: can pfBlockerNG IP aliases be integrated to work with HAProxy?
Maybe additionally add an option to pfBlockerNG to reload HAProxy on changes in a pfBlockerNG alias IP list.
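The two use cases from the description, written out as HAProxy ACLs that read their source-IP lists from files. This is an added example, not configuration from the issue or from the pfSense HAProxy package; the `.lst` paths, the `de.example.com` host and the backend address are assumptions.

```haproxy
# Added example; the /var/etc/haproxy/*.lst paths are assumed to be the files
# the HAProxy package writes out for the named pfSense/pfBlockerNG aliases.
frontend fe_web
    bind :80
    mode http

    # Use case 1: only clients whose source address is in the Cloudflare alias
    # reach the backend; everyone else gets a 503 from HAProxy itself.
    # Caveat: if the .lst file is empty (the symptom this issue describes),
    # from_cloudflare never matches and EVERY request gets 503, so check that
    # the file is populated before relying on this rule.
    acl from_cloudflare src -f /var/etc/haproxy/ipalias_cloudflare.lst
    http-request deny deny_status 503 if !from_cloudflare

    # Use case 2: clients whose source address is in a GeoIP-derived alias are
    # redirected to the localized site, unless they are already on that host.
    # "redirect prefix" keeps the original path and query string.
    acl geo_de  src -f /var/etc/haproxy/ipalias_geoip_de.lst
    acl host_de hdr(host) -i de.example.com
    http-request redirect prefix https://de.example.com code 302 if geo_de !host_de

    default_backend be_app

backend be_app
    mode http
    server app1 10.0.0.10:8080 check
```

`haproxy -c -f <config>` validates the file before a reload and fails on a missing ACL file, but an empty list file passes silently, which is why the populated-file check above matters. Behind Cloudflare, `src` is the edge address rather than the visitor's, so the GeoIP rule only makes sense on a frontend that clients reach directly.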

History

#1 Updated by Viktor Gurov 2 months ago

Allows using a URL Table type alias:
https://github.com/pfsense/FreeBSD-ports/pull/865

#2 Updated by DRago_Angel [InV@DER] 2 months ago

Hi Viktor,
I spoke with @bbcan177 about this initially and tested changing files on the filesystem. Reloading the SrcIPs with a new list of IPs requires reloading HAProxy. Can this be done as part of this task? I think it must be part of the pfBlockerNG Update reload process.
Ideally, I think pfBlockerNG could check whether the HAProxy config contains SrcIPs pointing to a pfBlockerNG alias and reload HAProxy only if the used list was updated by this Update task. If HAProxy doesn't have aliases pointing to pfBlockerNG lists, it must skip this step. Such a scenario would remove unneeded reloads of the HAProxy service. Thank you in advance.

#3 Updated by Viktor Gurov 2 months ago

This PR adds support for the URL Table alias type, and it can be not only the pfBlockerNG URL but also a list on your private server, for example (like http://192.168.0.10/myiplist.txt).

I think you need to create a new redmine issue for the pfBlockerNG "Action list" feature (as the ACME package has), which allows running any commands after the Update reload process.

#4 Updated by DRago_Angel [InV@DER] 2 months ago

Yep, this is fine. And yes, I understand what this commit adds, thanks =)
Will try to test it now.

#5 Updated by DRago_Angel [InV@DER] 2 months ago

Tested this patch, it works as expected, thanks!
Could you please advise what the best/correct way (command) is to recreate the files /var/etc/haproxy/*.lst on pfSense for HAProxy and reload the config as currently supported?
Is it possible to do it without restarting the HAProxy services?
As far as I know, HAProxy allows reloading configs without restarting the service via a socket command: https://www.haproxy.com/blog/hitless-reloads-with-haproxy-howto/
It would be cool if the HAProxy package had an option to regenerate the srcips lists which have been changed (as an array of names, for example, or by comparing the modification dates of the original alias file and the file created in /var/etc/haproxy/*.lst without requesting parameters) and do a hitless reload of the configs.
As far as I know, pfSense doesn't use this way to reload/apply HAProxy configs.

Why I am asking all this: to not create mostly the same issue which pfSense has now with Unbound and the function in DHCP to add clients to DNS resolving, which restarts Unbound each time a new client appears in the DHCP pool. For HAProxy it will be a killer if this is not done as correctly as possible.

#6 Updated by Viktor Gurov 2 months ago

It would be nice to use "hitless-reloads" with the 'action list'.

Please create a new redmine issue for this

#7 Updated by DRago_Angel [InV@DER] 2 months ago

Ok, thanks

#8 Updated by Jim Pingle 2 months ago

  • Status changed from New to Pull Request Review

#9 Updated by Renato Botelho about 2 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!
