Feature #9793: Add support for HAProxy ACLs "src -f /ipalias.lst" to use pfBlockerNG IP Alias Native
Status: closed (100% done)
Description
At the same time, HAProxy can use pfSense Aliases as a SourceIP list for ACLs. It has many use-cases, like:
- configure one alias to store all CloudFlare IPs and then respond 503 to any client not from that list
- use GeoIP to determine the client's country and redirect them to a localized version of the website.
Unfortunately, currently only static (manually created) aliases work in HAProxy. If you try pointing to a pfBlockerNG Alias, you will get a blank IP list on the filesystem.
Feature request: can pfBlockerNG IP Aliases be integrated to work with HAProxy?
Maybe additionally add an option to pfBlockerNG to reload HAProxy on changes in the pfBlockerNG Alias IP List.
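The two use cases from the description, as an added HAProxy configuration example (not from the issue or the pfSense package): the `.lst` paths, alias names, backend and hostnames are assumptions, and the files are assumed to contain one IP or CIDR per line as written by the package from an alias.

```haproxy
# Added example, not part of the issue or the pfSense HAProxy package.
# Assumes the package has written the alias contents to the .lst files below;
# alias names, backend name and hostnames are assumptions.

frontend https_in
    bind :443 ssl crt /var/etc/haproxy/site.pem
    mode http

    # One IP or CIDR per line (e.g. 173.245.48.0/20); "src -f" matches
    # the client address against the whole list.
    acl from_cloudflare src -f /var/etc/haproxy/ipalias_CloudFlare.lst

    # Use case 1: only accept traffic that arrived through the CDN and
    # answer everything else with HTTP 503. Note that an empty .lst file
    # (the symptom described above) makes this rule deny every client.
    http-request deny deny_status 503 if !from_cloudflare

    # Use case 2: a country-specific alias (e.g. a pfBlockerNG GeoIP list)
    # drives a redirect to the localised site unless already on that host.
    acl from_de src -f /var/etc/haproxy/ipalias_GeoIP_DE.lst
    acl on_de_host hdr(host) -i de.example.com
    http-request redirect prefix https://de.example.com code 302 if from_de !on_de_host

    default_backend web

backend web
    mode http
    server web1 127.0.0.1:8080
```

HAProxy reads `-f` list files only when it parses the configuration, so a rewritten `.lst` file has no effect until the service is reloaded, which is the reload step discussed in the comments below.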
Updated by Viktor Gurov over 4 years ago
Allows the use of URL Table type aliases:
https://github.com/pfsense/FreeBSD-ports/pull/865
Updated by DRago_Angel [InV@DER] over 4 years ago
Hi Viktor,
I spoke with @bbcan177 about this initially and tested changing files on the filesystem. Reloading the SrcIPs with a new list of IPs requires reloading HAProxy. Can this be done as part of this task? I think it must be part of the pfBlockerNG Update reload process.
Ideally, I think pfBlockerNG can check if the HAProxy config contains SrcIPs which point to a pfBlockerNG alias and reload HAProxy only if the used list has been updated by this Update task. If HAProxy doesn't have aliases pointing to pfBlockerNG lists, it must skip this step. Such a scenario will remove unneeded reloads of the HAProxy service. Thank you in advance.
Updated by Viktor Gurov over 4 years ago
This PR adds support for the URL Table alias type, and it can be not only the pfBlockerNG URL, but also a list on your private server, for example (like http://192.168.0.10/myiplist.txt).
I think that you need to create a new redmine issue for the pfBlockerNG "Action list" feature (as the ACME package has), which allows running any commands after the Update reload process.
Updated by DRago_Angel [InV@DER] over 4 years ago
Yep, this is fine. And yes, I understand what this commit adds, thanks =)
Will try to test it now.
Updated by DRago_Angel [InV@DER] over 4 years ago
Tested this patch, it works as expected, thanks!
Could you please advise what the best/correct way (command) is to recreate the files /var/etc/haproxy/*.lst on pfSense for HAProxy and reload the config that is currently supported?
Is it possible to do it without restarting the HAProxy services?
As far as I know, HAProxy allows reloading configs without a restart of the service via a socket command: https://www.haproxy.com/blog/hitless-reloads-with-haproxy-howto/
It would be cool if the HAProxy package had an option to regenerate the srcips lists which have been changed (as an array of names, for example, or by comparing the modification dates of the original alias file and the file created in /var/etc/haproxy/*.lst without requiring parameters) and do a hitless reload of the configs.
As far as I know, pfSense doesn't use this way to reload/apply HAProxy configs.
Why I am asking all this: to not create mostly the same issue which pfSense has now with Unbound and the function in DHCP to add clients to DNS resolving, which restarts Unbound each time a new client appears in the DHCP pool. For HAProxy it would be a killer if it is not done as correctly as possible.
Updated by Viktor Gurov over 4 years ago
It would be nice to use "hitless-reloads" with the 'action list'.
Please create a new redmine issue for this.
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Renato Botelho about 4 years ago
- Status changed from Feedback to Resolved