Add support for HAProxy ACLs "src -f /ipalias.lst" to use pfBlockerNG IP Alias Native
At the same time, HAProxy can use pfSense Aliases as a SourceIP list for ACLs. This has many use-cases, like:
- configure one alias to store all CloudFlare IPs and then respond 503 to any client not from that list
- use GeoIP to determine the client's country and redirect them to a localized version of the website.
Unfortunately, currently only static (manually created) aliases work in HAProxy. If you try pointing to a pfBlockerNG Alias, you will get a blank IP list on the filesystem.
Feature request: can pfBlockerNG IP Aliases be integrated to work with HAProxy?
Maybe additionally add an option to pfBlockerNG to reload HAProxy on changes in the pfBlockerNG Alias IP List.
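To make the two use-cases from this post concrete, here is an added HAProxy configuration fragment written for this thread (not the pfSense package's generated config); the list file names, hostnames, certificate path and backend name are assumptions, and the comments note what happens when a list file comes out blank as described above:

```haproxy
frontend fe_web
    # Assumed certificate path; replace with your own.
    bind :443 ssl crt /var/etc/haproxy/site.pem

    # Source-IP lists generated from pfSense aliases (assumed file names).
    # "src -f FILE" matches the client address against every CIDR in FILE.
    acl from_cloudflare src -f /var/etc/haproxy/cloudflare_ips.lst
    acl from_ru         src -f /var/etc/haproxy/geoip_ru.lst

    # Use case 1: only accept traffic that arrives through CloudFlare.
    # Caveat: if cloudflare_ips.lst is generated blank (the failure this
    # issue reports), the ACL never matches and every client receives 503.
    http-request deny deny_status 503 if !from_cloudflare

    # Use case 2: send visitors from one GeoIP country to a localized site.
    # With a blank geoip_ru.lst this rule simply never fires.
    http-request redirect prefix https://ru.example.com code 302 if from_ru

    default_backend be_web

backend be_web
    server web1 127.0.0.1:8080 check
```

Run `haproxy -c -f <config>` after the lists are regenerated: a missing list file fails the check, but an empty one does not, so the file sizes are worth verifying before a reload.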
#2 Updated by DRago_Angel [InV@DER] 2 months ago
I spoke with @bbcan177 about this initially and tested changing files on the filesystem. Reloading SrcIPs with a new list of IPs requires reloading HAProxy. Can this be done as part of this task? I think it must be part of the pfBlockerNG Update reload process.
Ideally, I think pfBlockerNG could check if the HAProxy config contains SrcIPs pointing to a pfBlockerNG alias and reload HAProxy only if the used list was updated by this Update task. If HAProxy doesn't have aliases pointing to pfBlockerNG lists, it must skip this step. Such a scenario would remove unneeded reloads of the HAProxy service. Thank you in advance.
#3 Updated by Viktor Gurov 2 months ago
This PR adds support for the URL Table alias type, and it can be not only the pfBlockerNG URL but also a list on your private server, for example (like http://192.168.0.10/myiplist.txt).
I think that you need to create a new Redmine issue for the pfBlockerNG "Action list" feature (as the ACME package has), which allows running any commands after the Update reload process.
#5 Updated by DRago_Angel [InV@DER] 2 months ago
Tested this patch, it works as expected, thanks!
Could you please advise what the best/correct way (command) is to recreate the files /var/etc/haproxy/*.lst on pfSense for HAProxy and reload the config as currently supported?
Is it possible to do it without restarting the HAProxy services?
As far as I know, HAProxy allows reloading configs without restarting the service via a socket command: https://www.haproxy.com/blog/hitless-reloads-with-haproxy-howto/
It would be cool if the HAProxy package had an option to regenerate the srcips lists which were changed (as an array of names, for example, or by comparing modification dates of the original alias file and the file created in /var/etc/haproxy/*.lst without requesting parameters) and do a hitless reload of configs.
As far as I know, pfSense doesn't use this method to reload/apply HAProxy configs.
Why am I asking all this: to avoid creating mostly the same issue which pfSense has now with Unbound and the DHCP function that adds clients to DNS resolving, which restarts Unbound each time a new client appears in the DHCP pool. For HAProxy it would be a killer if it is not done as correctly as possible.