
support for managing haproxy hosts

Open ssbarnea opened this issue 5 years ago • 13 comments

I would find it really useful to be able to edit pfsense haproxy entries using this module.

I know that haproxy is an optional module but I observed that this is the one that I need to touch most often for adding SSL offloading for backend services running on VMs and containers.

HAproxy happens to run on pfsense and does all the SSL offloading for these, avoiding the need to manage certificates for each of these services.

ssbarnea, Jan 10 '19 19:01

I took a quick look and it seems to be quite some work (there are a lot of settings on backend and frontend entries).

If I write some minimalist modules, would you be ok to implement the extra settings you need?

f-bor, Jan 13 '19 17:01

The lack of an API on pfsense for editing its configuration items makes me wonder if I will not end up switching from pfsense to something else in the future.

Still, if I continue using it I will be more than happy to contribute to it. Obviously, configuring haproxy counts as a corner case.

For the moment updating the haproxy settings is something I still do by hand.

ssbarnea, Jan 14 '19 12:01

In pfSense 3, there will be a CLI that we will use to manage pfSense like other ansible network modules are doing with their devices (there will even be a RESTCONF API, see: https://www.reddit.com/r/PFSENSE/comments/6wosx8/a_very_short_preview_of_30_cli_and_restconf/). Then it will be a lot easier for us to handle settings (we won't have to check user input).

Do you need both backend and frontend modules for haproxy?

f-bor, Jan 14 '19 18:01

@f-bor Well, Reddit goes back 3-4 years about pfsense 3, and https://www.pfsense.org/snapshots/ does not look like something we will soon (ever?) see.

Yep, I need both because my main use for haproxy is to use it as an SSL frontend for services running on containers on one of my homelab networks. The DNS has a wildcard assignment for my homelab domain so I only need to add "foo-service.homelab" -> IP:PORT somewhere on the intranet.

This assures that I can access my services using a globally recognized SSL certificate without needing to deploy the certificate to each of them (or to update it). Everything happens on the pfsense side, and certificate refresh with letsencrypt works well.

ssbarnea, Jan 14 '19 19:01

Generally +1 for wanting to manage haproxy rules.

zz9pzza, Aug 25 '19 21:08

Waiting for Haproxy rules too!

jrab66, Oct 08 '19 10:10

Would anyone be willing to share the section of their config.xml files? This would give some indication of what settings would be useful for people. No commitment to work on this as I don't personally use haproxy. But as @f-bor indicated, perhaps giving people a base module others could submit PRs for the features they need.

opoplawski, Oct 28 '19 03:10

I need to finish two modules to manage ipsec proposals and phase 2 options for my own usage, and then I will work on haproxy.

f-bor, Oct 30 '19 08:10

Since then I switched to opnsense but that's not significantly better either. I am willing to migrate to a completely new router-os if I find one that can be nicely managed with ansible and that has the ability to add DNS entries and SSL-offloading for services that I spawn internally. I am inclined to close the ticket as I lost my interest but I think others may be upset.

ssbarnea, Oct 30 '19 09:10

Since some other folks did upvote the request, I would prefer if you leave it open.

For the DNS entries, you mean managing Bind records?

f-bor, Oct 30 '19 10:10

As a start, I wrote two modules to manage backends. You can find documentation for those modules in the wiki: pfsense_haproxy_backend and pfsense_haproxy_backend_server

There are a lot of options there. I did everything for the server objects but not for the backend objects. Just tell me if there is anything missing.

Since I'm not a haproxy user, I need someone to validate the generation of a working configuration (I have tested the configuration generation but not the real haproxy job behind).

I'll move to frontends after that.

f-bor, Dec 15 '19 17:12

Hi @f-bor,

> Since I'm not a haproxy user, I need someone to validate the generation of a working configuration (I have tested the configuration generation but not the real haproxy job behind).

I'm using pfsense_haproxy_backend_server (via Ansible collection) to update the server pool and it works well.

aded, Mar 26 '20 16:03

I hate to revive an old issue, but I'd love to see some sort of Ansible modules or collections for managing haproxy rules as well.

lynndixon, Jun 24 '22 17:06

Closing this repo down. Please file new requests at https://github.com/pfsensible/core

opoplawski, Jan 06 '23 04:01