Feature #9793
closed
Add support for HAProxy ACLs "src -f /ipalias.lst" to use pfBlockerNG IP Alias Native
Added by DRago_Angel [InV@DER] about 5 years ago.
Updated about 4 years ago.
Description
Currently pfBlockerNG is a powerful tool to create any IP aliases you can imagine: from domain resolving, ASNs, a parser of IPs from HTTP responses, parsing the MaxMind GeoIP DB, etc. This works simply and is solid as a rock.
At the same time HAProxy can use pfSense Aliases as a source IP list for ACLs. It has many use-cases, like:
- configure one alias to store all CloudFlare IPs and then respond 503 for any client not from that list
- use GeoIP to determine the client country and redirect them to a localized version of the website.
Unfortunately currently only static (manually created) aliases work in HAProxy. In case you try pointing to a pfBlockerNG Alias, you will get a blank IP list on the filesystem.
Feature request: can pfBlockerNG IP Aliases be integrated to work with HAProxy?
Maybe additionally add an option to pfBlockerNG to reload HAProxy on changes in a pfBlockerNG Alias IP List.
Hi Viktor,
I spoke with @bbcan177 about this initially and tested changing files on the filesystem. Reloading of SrcIPs with a new list of IPs requires reloading HAProxy. Can this be done as part of this task? As I think it must be part of the pfBlockerNG Update reload process.
Ideally I think pfBlockerNG can check if the HAProxy config contains SrcIPs which point to a pfBlockerNG alias and reload HAProxy only in case the used list has been updated by this Update task. If HAProxy doesn't have aliases which point to pfBlockerNG lists it must skip this step. Such a scenario will remove unneeded reloads of the HAProxy service. Thank you in advance.
This PR adds support for the URL Table alias type, and it can be not only the pfBlockerNG URL, but also a list on your private server, for example (like http://192.168.0.10/myiplist.txt).
I think that you need to create a new redmine issue for the pfBlockerNG "Action list" feature (as the ACME package has), that allows running any commands after the Update reload process.
Yep, this is fine. And yes, I understand what this commit adds, thanks =)
Will try to test it now.
Tested this patch, it works as expected, thanks!
Could you please advise what the best/correct way (command) is to recreate the files /var/etc/haproxy/*.lst on pfSense for HAProxy and reload the config that is currently supported?
Is it possible to do it without restarting the HAProxy service?
As far as I know HAproxy allows reload configs without restart of service via socket command: https://www.haproxy.com/blog/hitless-reloads-with-haproxy-howto/
It would be cool if the HAProxy package had an option to regenerate the srcips lists which have been changed (as an array of names for example, or by comparing modification dates of the original alias file and the file created in /var/etc/haproxy/*.lst without requiring parameters) and a hitless reload of configs.
As far as I know pfSense doesn't use this way to reload/apply HAProxy configs.
Why am I asking all this: to not create mostly the same issue which pfSense has now with Unbound and the function in DHCP to add a client to DNS resolving, which restarts Unbound each time a new client appears in the DHCP pool. For HAProxy it would be a killer if it is not done as correctly as possible.
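The reload-only-when-stale check described above, as an added example rather than code from the pfSense HAProxy or pfBlockerNG packages. It assumes a hypothetical layout where the alias table behind `<name>.lst` is `$ALIAS_DIR/<name>.txt`, and uses HAProxy's own `-sf` hand-over (as in the linked howto) for the reload.

```shell
#!/bin/sh
# Added example, not pfSense or pfBlockerNG code. Reload HAProxy only when a list file
# referenced by an ACL "src -f <file>" is missing or older than the alias table it comes from.
# Assumed (hypothetical) layout: the alias table for <name>.lst is $ALIAS_DIR/<name>.txt.
ALIAS_DIR="${ALIAS_DIR:-/var/db/aliastables}"

# Print every file referenced by "src -f <file>" in a haproxy.cfg, one per line, deduplicated.
acl_list_files() {
    sed -n 's/.*src[[:space:]]\{1,\}-f[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# Exit 0 if a reload is needed (a referenced .lst is missing or stale), 1 if all lists are
# current, 2 if the config references no list at all (nothing to do, skip the reload).
lists_need_reload() {
    cfg="$1"; need=1; found=0
    for lst in $(acl_list_files "$cfg"); do
        found=1
        src="$ALIAS_DIR/$(basename "$lst" .lst).txt"
        [ -f "$src" ] || continue                # not an alias-backed list, ignore it
        if [ ! -f "$lst" ] || [ "$src" -nt "$lst" ]; then
            need=0
        fi
    done
    [ "$found" -eq 1 ] || return 2
    return "$need"
}

# Refresh stale list files from their alias tables, then validate the config and do a
# hitless reload (the new process takes over, the old one finishes its connections via -sf).
reload_if_stale() {
    cfg="$1"; pidfile="$2"
    lists_need_reload "$cfg" || return 0         # current (1) or nothing referenced (2)
    for lst in $(acl_list_files "$cfg"); do
        src="$ALIAS_DIR/$(basename "$lst" .lst).txt"
        if [ -f "$src" ] && { [ ! -f "$lst" ] || [ "$src" -nt "$lst" ]; }; then
            cp "$src" "$lst"
        fi
    done
    haproxy -c -f "$cfg" || return 1             # never reload a config that fails validation
    haproxy -f "$cfg" -p "$pidfile" -sf "$(cat "$pidfile")"
}
```

Because the check returns 2 when no ACL references a list, a caller can skip the reload entirely in that case, which is the "skip this step" behaviour requested earlier in the thread.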
It would be nice to use "hitless-reloads" with the 'action list'.
Please create a new redmine issue for this
- Status changed from New to Pull Request Review
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Can be changed to Resolved.
- Status changed from Feedback to Resolved