opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

net/haproxy: Allow aliases to be used in conditions #2468

Closed sorano closed 2 years ago

sorano commented 3 years ago

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

[X] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md

[X] I have searched the existing issues and I'm convinced that mine is new.

[X] When the request is meant for an existing plugin, I've added its name to the title.

Is your feature request related to a problem? Please describe. I'm trying to use Cloudflare in front of HAProxy and would like to create an ACL that only allow Cloudflare IP's.

I've added https://www.cloudflare.com/ips-v4 as an alias but I cannot find a way in the HAProxy webui settings to use that alias with a condition.

Describe the solution you'd like A condition type called "Source IP matches alias" with a dropdown for existing aliases (or just merge it with "Source IP matches specified IP (or alias)").

Additional context I've seen old discussion about this like: https://forum.opnsense.org/index.php?topic=6316.0 I don't know if aliases are still legacy code but might as well keep this feature request open until it's possible.

fraenki commented 3 years ago

would like to create an ACL that only allow Cloudflare IP's.

Just to ensure we're talking about the same thing: you want to create aliases in Firewall: Aliases and use them in the HAProxy plugin?

with a dropdown for existing aliases

I'm not aware of any OPNsense plugin that supports this functionality. Have you seen this functionality somewhere?

but might as well keep this feature request open until it's possible

Well, the contribution policy is that "stale issues are timed out after several months of inactivity".

sorano commented 3 years ago

would like to create an ACL that only allow Cloudflare IP's.

Just to ensure we're talking about the same thing: you want to create aliases in Firewall: Aliases and use them in the HAProxy plugin?

Correct, more specifically use the alias with a condition in the HAProxy plugin.

with a dropdown for existing aliases

I'm not aware of any OPNsense plugin that supports this functionality. Have you seen this functionality somewhere?

No, I was just reaching for the easiest setup, a text field to enter the alias of your choice would work just as fine.

but might as well keep this feature request open until it's possible

Well, the contribution policy is that "stale issues are timed out after several months of inactivity".

Yeah I realised that after opening the issue.

fraenki commented 3 years ago

No, I was just reaching for the easiest setup, a text field to enter the alias of your choice would work just as fine.

I think it's not that easy. AFAICT there is no field type that would support both arbitrary user input as well as firewall aliases. Forcing all users to use firewall aliases would not be desirable in my opinion.

sorano commented 3 years ago

What about using the same code as is currently being used for entering servers and rules on the virtual services in HAProxy but with the aliases instead?

fraenki commented 3 years ago

That would have the same result: enforcing the use of firewall aliases, all other input would no longer work, unfortunately :(

ThongSong7 commented 2 years ago

Strangely enough this is available and working well in pfsense community... Block aliases made from pfblockerng and you'll have less messing with your applications... This should then be possible with opnsense, no?

fichtner commented 2 years ago

So did you make it happen in pfSense? Will you make it happen in OPNsense? People forget that people make software. But all people want more software.

ThongSong7 commented 2 years ago

:-) Workaround: --- Crontab ---

```sh
#!/bin/sh
# Edit this value to match OPNsense alias name
# Usage: ./alias.sh Name_of_Alias_to_Export
# Must be either IPs or CIDRs

ALIASNAME=$1
# Dump the pf table behind the alias into a list file HAProxy can read
pfctl -t "${ALIASNAME}" -T show > "/var/haproxy/${ALIASNAME}.lst"
# 80:80 is a uid:gid (the www user), so this is chown, not chmod
chown -R 80:80 /var/haproxy
exit 0
```

---< Make the actual condition for HAProxy to read the above: HAProxy: in Conditions --> Custom Condition --> src -f /var/haproxy/Name_of_Alias.lst
I believe that it is quite important for the permissions 80:80 (not sure though)
---< Reload haproxy: configctl haproxy reload

This is seemingly working for me, albeit my lists are not bigger than 1.5M, so YRMV, surely there is a limit?

Could we somehow integrate this type of action into OpnSense?
I don't know, possibly a scheduled task that would scan available IP/Network Aliases in DB and with a 'tick' option sync or nightly/hourly export to a list file for haproxy to pickup via the above method?
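A more defensive variant of the export step in the workaround above, added here as an example and not code from the thread or the plugin: it keeps only entries that look like IPv4/IPv6 addresses or CIDRs, refuses to publish an empty list (an empty `src -f` file would make a Cloudflare-only ACL match nobody, or everybody if negated), replaces the file atomically, and reloads HAProxy only when the list actually changed. It assumes the pf table carries the alias name, HAProxy runs as uid/gid 80 and `/var/haproxy` is the list directory, as in the workaround.

```shell
#!/bin/sh
# Added example: export an OPNsense firewall alias (pf table) to a HAProxy
# "src -f" list. Assumes table name == alias name, HAProxy uid/gid 80,
# list directory /var/haproxy (override with LISTDIR).
set -eu

LISTDIR=${LISTDIR:-/var/haproxy}

# Keep only IPv4/IPv6 addresses or CIDRs, one per line, deduplicated.
# Drops pfctl noise, unresolved hostnames and blank lines.
filter_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}(/[0-9]{1,3})?$' \
        | sort -u
}

export_alias() {
    alias=$1
    tmp=$(mktemp "${LISTDIR}/.${alias}.XXXXXX")
    pfctl -t "${alias}" -T show | filter_cidrs > "${tmp}"
    # Never publish an empty list: keep the previous file instead.
    if [ ! -s "${tmp}" ]; then
        rm -f "${tmp}"
        echo "alias ${alias} resolved to nothing, keeping old list" >&2
        return 1
    fi
    chown 80:80 "${tmp}"
    chmod 0640 "${tmp}"
    # Unchanged content: no reload needed.
    if cmp -s "${tmp}" "${LISTDIR}/${alias}.lst"; then
        rm -f "${tmp}"
        return 0
    fi
    mv -f "${tmp}" "${LISTDIR}/${alias}.lst"   # atomic replace
    configctl haproxy reload
}

if [ $# -eq 1 ]; then
    export_alias "$1"
fi
```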

OPNsense-bot commented 2 years ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

wrobelda commented 2 years ago

So did you make it happen in pfSense? Will you make it happen in OPNsense? People forget that people make software. But all people want more software.

This was unnecessarily offensive. @ThongSong7 merely noticed that it works fine in pfSense, so technically speaking, this is doable. There's no need for the condescending tone, their input was valid.

EDIT: FYI, the relevant code in pfSense is here: https://github.com/pfsense/pfsense-packages/blob/903855b9b2d726f09594f6caccad8015b6063ca8/config/haproxy1_5/pkg/haproxy.inc#L1319

fraenki commented 2 years ago

Please let's not discuss who said what, it may very well be related to many of us not being native English speakers. Let's rather focus on the technical problem: someone has to write the code using the OPNsense framework, because the pfSense code is incompatible. :)

Zenopheus commented 1 year ago

I'm currently moving from pfsense to opnsense. I just finished entering about 60 port and host aliases. Then I found this issue and realized I wasted all of that time! Two thoughts:

I like the opnsense interface but not being able to use aliases throughout the product is really disappointing. It may make sense to the developers but to a new user it seems like an unfinished feature.

nzkiwi68 commented 10 months ago

I've written up a sort of guide on the forum "HAPROXY add GeoIP capability and run rules inside HAPROXY based on GeoIP" that you may be interested to see what we've done.

HAPROXY add GeoIP capability and run rules inside HAPROXY based on GeoIP

In short, we have managed to get GeoIP matching working very well inside HAPROXY using the native OPNsense firewall GeoIP alias function.

sorano commented 10 months ago

Interesting. I'll take a look when I have some time to spare. Thanks for the update.