
WIP: net/haproxy: add SNI support in mapfile-based backend selection

Open cluck opened this issue 1 year ago • 7 comments

This adds two options to the "Map domains to backend pools using a map file". One of the options is addressing https://github.com/opnsense/plugins/issues/3641.

The first option adds all map_dom, map_str, map_beg, map_end and map_reg (regex) support. (screenshot)

The second option adds SNI support.

(screenshot)

Defaults are chosen such that existing setups don't change behavior.


I am currently testing this in our lab, but the more testing this gets the better.

cluck avatar Jun 01 '24 17:06 cluck

I'm currently investigating why use_backend %[req.ssl_sni,lower,map(..., default_pool)] is not working as expected. When I log req.ssl_sni it is always undefined, while if I remove the default_pool from the use_backend it gets set. Workaround is either to not support defaults with SNI, or to work with e.g. tcp-request content set-var(...,ifnotset).

Also need to swap map_dom with map_str, and add map_dom as match type option.

cluck avatar Jun 03 '24 11:06 cluck

I found that multiple cascaded use_backend don't work as documented; only the first map ever seems to have any effect.

Other people have documented the issue and a fix/workaround: https://discourse.haproxy.org/t/multiple-use-backend-with-with-different-map/3839 (May 2019), https://discourse.haproxy.org/t/using-use-backend-rules-with-map-files/208 (Apr 2016)

I am trying to synthesize matching ACLs, but I totally fail to see where I could properly inject such ACLs from the code.

PS: The currently released Haproxy plugin is also affected.

cluck avatar Jul 09 '24 14:07 cluck

I found that multiple cascaded use_backend don't work as documented; only the first map ever seems to have any effect.

This is now reported at https://github.com/haproxy/haproxy/issues/2698

cluck avatar Aug 29 '24 12:08 cluck

@cluck I'd like to merge this. Would you please have a look at the two review comments? Thanks!

fraenki avatar Dec 03 '24 21:12 fraenki

Meanwhile https://github.com/haproxy/haproxy/issues/2698 was decided to be a wontfix; thus, pairs of multiple use_backend commands really need to be guarded by matching ACLs.

I was looking for advice on where to synthesize the required ACLs in the template. I really can't find my way around there.

cluck avatar Dec 04 '24 09:12 cluck

pairs of multiple use_backend commands really need to be guarded by matching ACLs

Could you provide an example haproxy.conf to demonstrate how this should be "guarded by ACLs"? Then I may be able to offer advice regarding its implementation in os-haproxy. :blush:

fraenki avatar Dec 04 '24 09:12 fraenki

The current output resembles this:

  [.. other actions..]
  use_backend %[req.hdr(host),lower,map(/etc/haproxy/hostmap1.cfg)]
  [.. other actions..]
  use_backend %[req.hdr(host),lower,map(/etc/haproxy/hostmap2.cfg)]
  [.. other actions..]

The "guard ACLs" should read like this (from https://github.com/haproxy/haproxy/issues/2698):

  acl acl_map_1 req.hdr(host),lower,map(/etc/haproxy/hostmap1.cfg) -m found
  acl acl_map_2 req.hdr(host),lower,map(/etc/haproxy/hostmap2.cfg) -m found
  [.. other actions..]
  use_backend %[req.hdr(host),lower,map(/etc/haproxy/hostmap1.cfg)] if acl_map_1
  [.. other actions..]
  use_backend %[req.hdr(host),lower,map(/etc/haproxy/hostmap2.cfg)] if acl_map_2
  [.. other actions..]

cluck avatar Mar 29 '25 10:03 cluck
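The guard pattern above, worked into a complete frontend pair that applies it to both the Host-header maps and the SNI maps from this PR, as an added example (not code from the PR or from the os-haproxy template); the map file paths, backend names and inspect delay are assumptions, and each map file is assumed to hold "<hostname> <backend_name>" lines:

```haproxy
# Added example, not the plugin's generated output. Paths and backend
# names are assumptions.

frontend http_in
    mode http
    bind :80

    # One guard ACL per map: true only when the lookup returns a value.
    # Without the guards, the first use_backend consumes the request and
    # the later maps are never consulted (haproxy issue 2698, wontfix).
    acl acl_map_1 req.hdr(host),lower,map(/etc/haproxy/hostmap1.cfg) -m found
    acl acl_map_2 req.hdr(host),lower,map(/etc/haproxy/hostmap2.cfg) -m found

    use_backend %[req.hdr(host),lower,map(/etc/haproxy/hostmap1.cfg)] if acl_map_1
    use_backend %[req.hdr(host),lower,map(/etc/haproxy/hostmap2.cfg)] if acl_map_2
    # Unmatched hosts land here instead of in a map() default argument.
    default_backend default_pool_http

frontend tls_passthrough
    mode tcp
    bind :443

    # The SNI is inside the ClientHello; buffer it before any routing
    # decision, otherwise req.ssl_sni is still undefined when use_backend
    # is evaluated.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    acl acl_sni_1 req.ssl_sni,lower,map(/etc/haproxy/snimap1.cfg) -m found
    acl acl_sni_2 req.ssl_sni,lower,map(/etc/haproxy/snimap2.cfg) -m found

    # No default inside map(): the guard ACL decides whether the rule
    # fires, and default_backend covers the unmatched case.
    use_backend %[req.ssl_sni,lower,map(/etc/haproxy/snimap1.cfg)] if acl_sni_1
    use_backend %[req.ssl_sni,lower,map(/etc/haproxy/snimap2.cfg)] if acl_sni_2
    default_backend default_pool_tcp

backend default_pool_http
    mode http
    server fallback_http 127.0.0.1:8080

backend default_pool_tcp
    mode tcp
    server fallback_tcp 127.0.0.1:8443
```

Run `haproxy -c -f <file>` against a copy with real map files to confirm the configuration parses before deploying it.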

Closing for now; if the plugin owner wants to reopen, we can do so right away.

AdSchellevis avatar Dec 17 '25 08:12 AdSchellevis