opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

HAProxy - OR operator with multiple ACLs of the same name #3950

Open markes20754 opened 5 months ago

markes20754 commented 5 months ago


Is your feature request related to a problem? Please describe.

In the HAProxy documentation, "You can also create an OR statement by defining multiple ACLs with the same name. Below, the condition is again true if the requested URL path begins with /images/ or the URL path ends with .jpg:"

https://www.haproxy.com/documentation/haproxy-configuration-tutorials/core-concepts/acls/#or-operator

    frontend www
        bind :80
        acl images_url path_beg /images/
        acl images_url path_end .jpg
        use_backend static_assets if images_url

    backend static_assets
        server s1 192.168.50.20:80

OPNsense's implementation of HAProxy generates a unique ID name for each ACL to build the config rather than using the actual name that the user gives in the GUI. In my testing, this appears to make the use of this OR operator not possible. For example, let's say that I had two host names for the same website (foo.com and www.foo.com). If I created an ACL with both of these conditions and gave them both the same name, then in a "normal" HAProxy config (including pfSense), I would only need to build one rule. As it stands now, I have to create a unique rule for each condition and add all of those rules to the front-end pool.

If you examine the OPNsense HAProxy config export, both are given a unique system-generated ACL name, which results in the OR condition not being applied.

    ACL: h-www_foo_com
        acl acl_662818fddd6816.90414207 hdr(host) -i www.foo.com

    ACL: h-www_foo_com
        acl acl_662830c24229a7.03064246 hdr(host) -i foo.com

    ACTION: foo_com_rule
        use_backend foo_backend if acl_662818fddd6816.90414207

Describe the solution you'd like

Consider the additional use case of combined host/vpath ACLs that use multiple "host starts with" ACLs with the same name AND multiple "path starts with" ACLs with the same name, which only require one rule that is subsequently applied to the front-end.

    ACLs NAMED "ALLOWED_HOSTS"
        HostStartsWith: www.foo.com
        HostStartsWith: foo.com
        HostStartsWith: www.foo.co.uk

    ACLs NAMED "ALLOWED_VPaths"
        VPathStartsWith: /bar
        VPathStartsWith: /rest
        VPathStartsWith: /blah

Without the OR condition on the ACL in OPNsense, you need to create 9 rules to accomplish the allow condition of all three hosts AND all three vPaths: https://www.foo.com/bar, https://foo.com/bar, https://www.foo.co.uk/bar, https://www.foo.com/rest, https://foo.com/rest, https://www.foo.co.uk/rest... etc.

With the OR condition on the same ACL name you can create one rule that combines the two ACLs "ALLOWED_HOSTS" AND "ALLOWED_VPaths" that effectively says: (HOST starts with www.foo.com OR foo.com OR www.foo.co.uk) AND (VPATH starts with /bar OR /rest OR /blah)

Additionally, this allows you to add a new ACL with the same name without creating yet another new rule and having to add that rule to the front-end config.

Would it be possible to have the system-generated ACL names be the same if the user-entered ACL name is the same? This would allow the OR condition to be used on OPNsense like it is with pfSense and other implementations of HAProxy.

Describe alternatives you've considered

I'm currently having to create many ACL and rule combinations and add all of those rules to each front-end listener. While it works, it's very time consuming.

Additional context

For context, pfSense's implementation of HAProxy uses this logic. Thank you!
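The difference between the two rendering strategies described in this issue can be made concrete with a small model. The Python below is an added example, not code from the OPNsense plugin, pfSense, or the issue author: it renders the "ALLOWED_HOSTS AND ALLOWED_VPaths" allow condition both with a unique generated name per ACL entry (which forces one use_backend rule per host/path pair) and with ACL entries sharing the user-given name (which HAProxy treats as OR, so one rule suffices), and then evaluates sample requests against both renderings with a simplified model of HAProxy's hdr_beg(host) / path_beg matching. The hosts, paths, backend name and the generated-id format are constructed for the example; the evaluator is not HAProxy and only models the two fetch methods used here.

```python
"""Added example (not code from the OPNsense plugin or from the issue author).

Models the two ways of rendering the host/path allow condition from the
issue as HAProxy frontend rules:

  * per-ACL naming: every ACL entry gets a unique generated name (what the
    issue reports the OPNsense plugin does today), so an AND of two
    OR-groups needs one use_backend rule per (host, path) pair.
  * shared naming: entries that share a user-given name are emitted under
    one HAProxy ACL name, so HAProxy ORs them and one rule suffices.

Hosts, paths, backend name and the generated-id format are constructed for
this example. select_backend() is a simplified model of how HAProxy
evaluates hdr_beg(host) / path_beg ACLs, not HAProxy itself.
"""
import hashlib
from itertools import product

HOSTS = ["www.foo.com", "foo.com", "www.foo.co.uk"]   # constructed sample values
PATHS = ["/bar", "/rest", "/blah"]                     # constructed sample values
BACKEND = "foo_backend"                                # constructed sample name


def generated_id(user_name: str, value: str) -> str:
    """Stand-in for a per-entry unique ACL id. Assumption: the plugin's real
    ids look like acl_662818fddd6816.90414207; a short hash keeps this one
    deterministic and is purely illustrative."""
    digest = hashlib.sha256(f"{user_name}:{value}".encode()).hexdigest()[:12]
    return f"acl_{digest}"


def render_per_acl() -> list[str]:
    """Unique name per ACL entry: 3 host ACLs + 3 path ACLs and 9 rules."""
    host_ids = {h: generated_id("ALLOWED_HOSTS", h) for h in HOSTS}
    path_ids = {p: generated_id("ALLOWED_VPaths", p) for p in PATHS}
    lines = [f"    acl {i} hdr_beg(host) -i {h}" for h, i in host_ids.items()]
    lines += [f"    acl {i} path_beg {p}" for p, i in path_ids.items()]
    # Every host/path combination has to be spelled out as its own rule.
    lines += [f"    use_backend {BACKEND} if {host_ids[h]} {path_ids[p]}"
              for h, p in product(HOSTS, PATHS)]
    return lines


def render_shared_name() -> list[str]:
    """Same user-given name -> same HAProxy ACL name: one rule covers all 9."""
    lines = [f"    acl ALLOWED_HOSTS hdr_beg(host) -i {h}" for h in HOSTS]
    lines += [f"    acl ALLOWED_VPaths path_beg {p}" for p in PATHS]
    # Space-separated ACL names after "if" are ANDed; same-named ACLs are ORed.
    lines.append(f"    use_backend {BACKEND} if ALLOWED_HOSTS ALLOWED_VPaths")
    return lines


def render_frontend(body: list[str]) -> str:
    """Wrap the rule lines in a minimal frontend/backend pair."""
    return "\n".join(["frontend www", "    bind :80", *body, "",
                      f"backend {BACKEND}", "    server s1 192.168.50.20:80"])


def _acl_hit(fetch: str, value: str, host: str, path: str) -> bool:
    # Only the two fetches rendered above are modelled; "-i" (case-insensitive)
    # is applied to the host match because the rendered config uses it there.
    if fetch == "hdr_beg(host)":
        return host.lower().startswith(value.lower())
    if fetch == "path_beg":
        return path.startswith(value)
    raise ValueError(f"unsupported fetch in this model: {fetch}")


def select_backend(cfg_lines: list[str], host: str, path: str):
    """Return the backend chosen for (host, path), or None if no rule fires.
    Same-named ACLs are ORed, ACL names listed after "if" are ANDed, and the
    first matching use_backend wins, as in HAProxy."""
    acls: dict[str, list[tuple[str, str]]] = {}
    for line in cfg_lines:
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "acl":
            name, fetch, *args = parts[1:]
            acls.setdefault(name, []).append((fetch, args[-1]))
        elif parts[0] == "use_backend" and parts[2] == "if":
            backend, names = parts[1], parts[3:]
            if all(any(_acl_hit(f, v, host, path) for f, v in acls[n]) for n in names):
                return backend
    return None


if __name__ == "__main__":
    print(render_frontend(render_per_acl()))
    print()
    print(render_frontend(render_shared_name()))
```

Two practical notes. First, a rendered frontend can be syntax-checked offline with `haproxy -c -f <file>` before it is deployed. Second, the "starts with" matchers in this example are deliberately loose in the way the issue's scenario implies: hdr_beg(host) on www.foo.com also matches a request whose Host header is www.foo.com.attacker.example, so an allow-list built from "host starts with" conditions is weaker than the exact `hdr(host) -i` form that appears in the config export quoted above; prefer the exact match unless prefix matching is really what is wanted.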

fraenki commented 5 months ago

Note to myself: related forum post https://forum.opnsense.org/index.php?topic=40248.0