From cac1fa71aef398e35ae51f6f41f90fc94061de9f Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Mon, 22 Dec 2025 21:04:51 +0100 Subject: [PATCH 01/31] net/haproxy: add support for http-request silent-drop --- net/haproxy/pkg-descr | 3 +++ .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 1 + .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf | 2 ++ 3 files changed, 6 insertions(+) diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index 13a4f948b6..348f8e5b15 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -6,6 +6,9 @@ very high loads while needing persistence or Layer7 processing. Plugin Changelog ================ +Added: +* add support for "http-request silent-drop" + 4.6 Changed: diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index e1a40e1c57..aad51398ed 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -2259,6 +2259,7 @@ http-request header replace value http-request set-path http-request set-var + http-request silent-drop http-response allow http-response deny http-response lua script diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index 642a84e4a6..a11ba548d3 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf @@ -561,6 +561,8 @@ {% set action_enabled = '0' %} # ERROR: missing parameters {% endif %} +{% elif action_data.type == 'http-request_silent-drop' %} +{% do action_options.append('http-request silent-drop') %} {% elif action_data.type == 'http-response_allow' %} {% do action_options.append('http-response allow') %} {% elif action_data.type == 'http-response_deny' %} 
From b3ab4e7dd325235302f959f18c677877c278e532 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Mon, 22 Dec 2025 21:43:53 +0100 Subject: [PATCH 02/31] net/haproxy: add new condition: HTTP method --- net/haproxy/pkg-descr | 1 + .../OPNsense/HAProxy/forms/dialogAcl.xml | 11 +++++++++++ .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 16 ++++++++++++++++ .../templates/OPNsense/HAProxy/haproxy.conf | 7 +++++++ 4 files changed, 35 insertions(+) diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index 348f8e5b15..78424afb27 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -8,6 +8,7 @@ Plugin Changelog Added: * add support for "http-request silent-drop" +* add new condition: HTTP method 4.6 diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml index 895bd6e4b2..849a44e850 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml @@ -88,6 +88,17 @@ text + + + + header + + + + acl.http_method + + select_multiple + header diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index aad51398ed..8c43890cf5 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -1728,6 +1728,7 @@ HTTP Header matches HTTP Header regex HTTP Header contains + HTTP Method URL parameter contains SSL Client certificate is valid SSL Client certificate verify error result @@ -2195,6 +2196,21 @@ Y N + + N + Y + + CONNECT + DELETE + GET + HEAD + OPTIONS + PATCH + POST + PUT + TRACE + + 
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index a11ba548d3..1c352d83e9 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf @@ -136,6 +136,13 @@ {% set acl_enabled = '0' %} # ERROR: missing parameters {% endif %} +{% elif acl_data.expression == 'http_method' %} +{% if acl_data.http_method|default("") != "" %} +{% do acl_options.append('method ' ~ acl_data.http_method|replace(',', ' ')) %} +{% else %} +{% set acl_enabled = '0' %} + # ERROR: missing parameters +{% endif %} {% elif acl_data.expression == 'path_beg' %} {% if acl_data.path_beg|default("") != "" %} {% do acl_options.append('path_beg') %} From 7877d225adc27139106b2bb8d675f4bb272dab1e Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Mon, 22 Dec 2025 22:03:30 +0100 Subject: [PATCH 03/31] net/haproxy: support deny_status in http-request deny --- net/haproxy/pkg-descr | 1 + .../OPNsense/HAProxy/forms/dialogAction.xml | 11 +++++++++++ .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 6 ++++++ .../service/templates/OPNsense/HAProxy/haproxy.conf | 6 +++++- 4 files changed, 23 insertions(+), 1 deletion(-) diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index 78424afb27..257dd3590d 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -9,6 +9,7 @@ Plugin Changelog Added: * add support for "http-request silent-drop" * add new condition: HTTP method +* support custom HTTP status code in "http-request deny" rules 4.6 diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml index 0386b9f1ae..cfc4cbf392 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml 
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index 15a0d1ec64..eea1ecd8b1 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -1,6 +1,5 @@ PLUGIN_NAME= haproxy -PLUGIN_VERSION= 4.6 -PLUGIN_REVISION= 2 +PLUGIN_VERSION= 4.7 PLUGIN_COMMENT= Reliable, high performance TCP/HTTP load balancer PLUGIN_DEPENDS= haproxy30 py${PLUGIN_PYTHON}-haproxy-cli PLUGIN_MAINTAINER= opnsense@moov.de diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index 257dd3590d..d3c0881644 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -6,8 +6,10 @@ very high loads while needing persistence or Layer7 processing. Plugin Changelog ================ +4.7 + Added: -* add support for "http-request silent-drop" +* add new rule: http-request silent-drop * add new condition: HTTP method * support custom HTTP status code in "http-request deny" rules From 0220a8fb7971bc1f275770d9e10da4c33499b588 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Mon, 19 Jan 2026 16:53:45 +0100 Subject: [PATCH 05/31] net/haproxy: switch to HAProxy 3.2, refs #5147 --- net/haproxy/Makefile | 2 +- net/haproxy/pkg-descr | 3 +++ .../controllers/OPNsense/HAProxy/forms/dialogAcl.xml | 1 - .../OPNsense/HAProxy/forms/dialogAction.xml | 12 ++++++------ .../OPNsense/HAProxy/forms/dialogBackend.xml | 12 ++++++------ .../OPNsense/HAProxy/forms/dialogFcgi.xml | 2 +- .../OPNsense/HAProxy/forms/dialogFrontend.xml | 6 +++--- .../OPNsense/HAProxy/forms/dialogMapfile.xml | 2 +- .../mvc/app/views/OPNsense/HAProxy/index.volt | 10 +++++----- 9 files changed, 26 insertions(+), 24 deletions(-) diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index eea1ecd8b1..65a0022a09 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile 
@@ -1,7 +1,7 @@ PLUGIN_NAME= haproxy PLUGIN_VERSION= 4.7 PLUGIN_COMMENT= Reliable, high performance TCP/HTTP load balancer -PLUGIN_DEPENDS= haproxy30 py${PLUGIN_PYTHON}-haproxy-cli +PLUGIN_DEPENDS= haproxy py${PLUGIN_PYTHON}-haproxy-cli PLUGIN_MAINTAINER= opnsense@moov.de .include "../../Mk/plugins.mk" diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index d3c0881644..60b84f6c01 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -13,6 +13,9 @@ Added: * add new condition: HTTP method * support custom HTTP status code in "http-request deny" rules +Changed: +* upgrade to HAProxy 3.2 release series (#5147) + 4.6 Changed: diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml index 849a44e850..18298899ef 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml @@ -88,7 +88,6 @@ text - header diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml index cfc4cbf392..9748247d63 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml @@ -100,7 +100,7 @@ action.http_request_redirect text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> @@ -139,7 +139,7 @@ action.http_request_add_header_content text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> 
@@ -156,7 +156,7 @@ action.http_request_set_header_content text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> @@ -262,7 +262,7 @@ action.http_response_add_header_content text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> @@ -279,7 +279,7 @@ action.http_response_set_header_content text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> @@ -479,6 +479,6 @@ action.fcgi_set_param text - Custom Log format rules. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]> + Custom Log format rules. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]> diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml index 014b959aeb..8b607d6c7c 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml @@ -28,7 +28,7 @@ backend.algorithm dropdown - HAProxy documentation for a full description.]]> + HAProxy documentation for a full description.]]> Choose a load balancing algorithm. @@ -42,7 +42,7 @@ backend.proxyProtocol dropdown - HAProxy documentation for a full description.]]> + HAProxy documentation for a full description.]]> true @@ -186,7 +186,7 @@ true true - HAProxy documentation for a full description.]]> + HAProxy documentation for a full description.]]> backend.forwardFor @@ -213,7 +213,7 @@ backend.persistence_cookiemode dropdown - HAProxy documentation for a full description.]]> + HAProxy documentation for a full description.]]> backend.persistence_cookiename 
@@ -235,14 +235,14 @@ backend.stickiness_pattern dropdown - HAProxy documentation for a full description.
NOTE: Consider not using this feature in multi-process mode, it can result in random behaviours.
]]>
+ HAProxy documentation for a full description.
NOTE: Consider not using this feature in multi-process mode, it can result in random behaviours.
]]>
Choose a persistence type.
backend.stickiness_dataTypes select_multiple - HAProxy documentation for a full description.]]> + HAProxy documentation for a full description.]]> backend.stickiness_expire diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml index 4ad9d1e94e..d8883e203c 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFcgi.xml @@ -33,7 +33,7 @@ fcgi.path_info text - HAProxy's documentation for further details and examples.]]> + HAProxy's documentation for further details and examples.]]> fcgi.log_stderr diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml index ded45f08c2..c40928fda2 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml @@ -350,14 +350,14 @@ frontend.stickiness_pattern dropdown - HAProxy documentation for further information.]]> + HAProxy documentation for further information.]]> Choose a stick-table type. frontend.stickiness_dataTypes select_multiple - HAProxy documentation for a full description.]]> + HAProxy documentation for a full description.]]> frontend.stickiness_expire @@ -384,7 +384,7 @@ frontend.stickiness_counter_key text - HAProxy documentation for a full description.]]> + HAProxy documentation for a full description.]]> true diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml index 554246fa45..76f22f2285 100644 
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml @@ -15,6 +15,6 @@ mapfile.content textbox - HAProxy documentation for a full description.]]> + HAProxy documentation for a full description.]]> diff --git a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt index cb6eea31a4..8ab604f663 100644 --- a/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt +++ b/net/haproxy/src/opnsense/mvc/app/views/OPNsense/HAProxy/index.volt @@ -702,7 +702,7 @@ POSSIBILITY OF SUCH DAMAGE.
  • {{ lang._('Lastly, enable HAProxy using the %sService%s settings page.') | format('', '') }}
  • {{ lang._('Please be aware that you need to %smanually%s add the required firewall rules for all configured services.') | format('', '') }}

    -

    {{ lang._('Further information is available in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('', '', '', '') }}

    +

    {{ lang._('Further information is available in the %sofficial HAProxy documentation%s. Be sure to report bugs and request features on our %sGitHub issue page%s. Code contributions are also very welcome!') | format('', '', '', '') }}


    @@ -744,7 +744,7 @@ POSSIBILITY OF SUCH DAMAGE.
  • {{ lang._('%sConditions:%s HAProxy is capable of extracting data from requests, responses and other connection data and match it against predefined patterns. Use these powerful patterns to compose a condition that may be used in multiple Rules.') | format('', '') }}
  • {{ lang._('%sRules:%s Perform a large set of actions if one or more %sConditions%s match. These Rules may be used in %sBackend Pools%s as well as %sPublic Services%s.') | format('', '', '', '', '', '', '', '') }}
  • -

    {{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('', '', '', '') }}

    +

    {{ lang._("For more information on HAProxy's %sACL feature%s see the %sofficial documentation%s.") | format('', '', '', '') }}

    {{ lang._('Note that it is possible to directly add options to the HAProxy configuration by using the "option pass-through", a setting that is available for several configuration items. It allows you to implement configurations that are currently not officially supported by this plugin. It is strongly discouraged to rely on this feature. Please report missing features on our GitHub page!') | format('', '') }}


    @@ -759,7 +759,7 @@ POSSIBILITY OF SUCH DAMAGE.
  • {{ lang._('%sGroup:%s A optional list containing one or more users. Groups usually make it easier to manage permissions for a large number of users') | format('', '') }}
  • {{ lang._('Note that users and groups must be selected from the Backend Pool or Public Service configuration in order to be used for authentication. In addition to this users and groups may also be used in Rules/Conditions.') }}

    -

    {{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('', '', '', '') }}

    +

    {{ lang._("For more information on HAProxy's %suser/group management%s see the %sofficial documentation%s.") | format('', '', '', '') }}


    @@ -777,7 +777,7 @@ POSSIBILITY OF SUCH DAMAGE.
  • {{ lang._("%sCache:%s HAProxy's cache which was designed to perform cache on small objects (favicon, css, etc.). This is a minimalist low-maintenance cache which runs in RAM.") | format('', '', '', '') }}
  • {{ lang._("%sPeers:%s Configure a communication channel between two HAProxy instances. This will propagate entries of any data-types in stick-tables between these HAProxy instances over TCP connections in a multi-master fashion. Useful when aiming for a seamless failover in a HA setup.") | format('', '', '', '') }}
  • -

    {{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('', '', '', '', '', '') }}

    +

    {{ lang._("For more details visit HAProxy's official documentation regarding the %sStatistics%s, %sCache%s and %sPeers%s features.") | format('', '', '', '', '', '') }}


    @@ -795,7 +795,7 @@ POSSIBILITY OF SUCH DAMAGE.
  • {{ lang._("%sResolvers:%s This feature allows in-depth configuration of how HAProxy handles name resolution and interacts with name resolvers (DNS). Each resolver configuration can be used in %sBackend Pools%s to apply individual name resolution configurations.") | format('', '', '', '') }}
  • {{ lang._("%sE-Mail Alerts:%s It is possible to send email alerts when the state of servers changes. Each configuration can be used in %sBackend Pools%s to send e-mail alerts to the configured recipient.") | format('', '', '', '') }}
  • -

    {{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('', '', '', '', '', '' ,'', '' ,'', '' ,'', '','', '') }}

    +

    {{ lang._("For more details visit HAProxy's official documentation regarding the %sError Messages%s, %sLua Script%s and the %sMap Files%s features. More information on HAProxy's CPU Affinity is also available %shere%s, %shere%s and %shere%s. A detailed explanation of the resolvers feature can be found %shere%s.") | format('', '', '', '', '', '' ,'', '' ,'', '' ,'', '','', '') }}


    From 36ef9648e2140c1bff59f2899465cf030552e768 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Tue, 20 Jan 2026 13:42:03 +0100 Subject: [PATCH 06/31] net/haproxy: control PROXY protocol for health checks, closes #2909 --- net/haproxy/pkg-descr | 1 + .../OPNsense/HAProxy/forms/dialogBackend.xml | 7 +++++++ .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 9 +++++++++ .../service/templates/OPNsense/HAProxy/haproxy.conf | 11 +++++++++-- 4 files changed, 26 insertions(+), 2 deletions(-) diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index 60b84f6c01..b29727da13 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -12,6 +12,7 @@ Added: * add new rule: http-request silent-drop * add new condition: HTTP method * support custom HTTP status code in "http-request deny" rules +* add new backend option to control PROXY protocol for health checks (#2909) Changed: * upgrade to HAProxy 3.2 release series (#5147) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml index 8b607d6c7c..40d46a123d 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogBackend.xml @@ -147,6 +147,13 @@ dropdown + + backend.healthCheckProxyProto + + dropdown + + true + header diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index 59d863b431..a6779063e7 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -1079,6 +1079,15 @@ N N + + N + backend + + Follow Backend Pool settings [default] + Enable for Health Check + Disable for Health Check + + 1 N 
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index aa7fd84419..0bfcb5f3d5 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf @@ -1944,12 +1944,19 @@ backend {{backend.name}} {% elif server_data.source|default("") != "" %} {% do server_options.append('source ' ~ server_data.source) %} {% endif %} -{# # PROXY protocol #} +{# # PROXY protocol for server connections #} {% if backend.proxyProtocol|default("") == "v1" %} {% do server_options.append('send-proxy') %} -{% do server_options.append('check-send-proxy') %} {% elif backend.proxyProtocol|default("") == "v2" %} {% do server_options.append('send-proxy-v2') %} +{% endif %} +{# # PROXY protocol for health checks #} +{% if backend.healthCheckProxyProto|default("") == "" or backend.healthCheckProxyProto|default("") == "backend" %} +{% if backend.proxyProtocol|default("") != "" %} +{# # enable PROXY protocol if activated in backend #} +{% do server_options.append('check-send-proxy') %} +{% endif %} +{% elif backend.healthCheckProxyProto|default("") == "enable" %} {% do server_options.append('check-send-proxy') %} {% endif %} {# # cookie-based persistence #} From 4a030864229f2aa7258d76dd623a7fe39d4f582d Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Tue, 20 Jan 2026 14:22:49 +0100 Subject: [PATCH 07/31] net/haproxy: add support for map_reg, closes #3641 --- net/haproxy/pkg-descr | 1 + .../OPNsense/HAProxy/forms/dialogMapfile.xml | 6 ++++++ .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 8 ++++++++ .../service/templates/OPNsense/HAProxy/haproxy.conf | 10 +++++++++- 4 files changed, 24 insertions(+), 1 deletion(-) diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index b29727da13..2b1a0af29c 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr 
@@ -13,6 +13,7 @@ Added: * add new condition: HTTP method * support custom HTTP status code in "http-request deny" rules * add new backend option to control PROXY protocol for health checks (#2909) +* add support for new map file type: reg (#3641) Changed: * upgrade to HAProxy 3.2 release series (#5147) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml index 76f22f2285..8c7d74b414 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogMapfile.xml @@ -11,6 +11,12 @@ text Description for this map file. + + mapfile.type + + dropdown + The type of the map data. + mapfile.content diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index a6779063e7..4af8285da3 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -2745,6 +2745,14 @@ Should be a string between 1 and 255 characters. N + + Y + dom + + Domains (dom) + Regular Expressions (reg) + + Y diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index 0bfcb5f3d5..01bce31410 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf 
@@ -459,6 +459,14 @@ {% if action_data.map_use_backend_file|default("") != "" %} {% set mapfile_data = helpers.getUUID(action_data.map_use_backend_file) %} {% set mapfile_path = '/tmp/haproxy/mapfiles/' ~ mapfile_data.id ~ '.txt' %} +{# # Determine map type #} +{% set mapfile_type = mapfile_data.type %} +{% if mapfile_data.type|default("") == "reg" %} +{% set mapfile_config = 'map_' ~ mapfile_type %} +{% else %} +{# # Default to map_dom #} +{% set mapfile_config = 'lower,map_dom' %} +{% endif %} {# # Check if a default backend is specified #} {% if action_data.map_use_backend_default|default("") != "" %} {% set defaultbackend_data = helpers.getUUID(action_data.map_use_backend_default) %} @@ -467,7 +475,7 @@ {% set defaultbackend_option = '' %} {% endif %} {# # Finally add map file to config #} -{% do action_options.append('use_backend %[req.hdr(host),lower,map_dom(' ~ mapfile_path ~ defaultbackend_option ~ ')]') %} +{% do action_options.append('use_backend %[req.hdr(host),' ~ mapfile_config ~ '(' ~ mapfile_path ~ defaultbackend_option ~ ')]') %} {% else %} {% set action_enabled = '0' %} # ERROR: missing parameters From 512a24fb5893e6bb6b25904469f630953d817174 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Tue, 20 Jan 2026 15:25:10 +0100 Subject: [PATCH 08/31] net/haproxy: support more sample fetches, closes #3702 --- net/haproxy/pkg-descr | 1 + .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 3 +++ .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf | 5 +++++ 3 files changed, 9 insertions(+) diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index 2b1a0af29c..a949284066 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr 
@@ -14,6 +14,7 @@ Added: * support custom HTTP status code in "http-request deny" rules * add new backend option to control PROXY protocol for health checks (#2909) * add support for new map file type: reg (#3641) +* add support for more sample fetches: quic_enabled, stopping, wait_end (#3702) Changed: * upgrade to HAProxy 3.2 release series (#5147) diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index 4af8285da3..cd2facaa27 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -1720,6 +1720,7 @@ Y + HAProxy process is currently stopping HTTP Basic Auth: username/password from client matches selected User/Group Host starts with Host ends with @@ -1738,6 +1739,8 @@ HTTP Header regex HTTP Header contains HTTP Method + Inspection period is over (WAIT_END) + QUIC transport protocol is enabled URL parameter contains SSL Client certificate is valid SSL Client certificate verify error result diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index 01bce31410..6e46f610f3 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf @@ -41,6 +41,7 @@ {# Macro expects a CSV list of Actions and validates them. #} {%- macro AclsAndActions(linkedData) -%} {% if linkedData is defined %} +{% set acl_boolean_types = ['quic_enabled', 'stopping', 'wait_end'] %} {# # remember all ACLs to avoid duplicate declarations #} {% set acls_seen = [] %} {% set global_action_options = [] %} 
@@ -411,6 +412,10 @@ {% set acl_enabled = '0' %} # ERROR: missing parameters {% endif %} +{# # handle boolean ACL types that do not require any input #} +{% elif acl_data.expression in acl_boolean_types %} +{% do acl_options.append(acl_data.expression) %} +{# # handle custom ACL types #} {% elif acl_data.expression == 'custom_acl' %} {% if acl_data.custom_acl|default("") != "" %} {% do acl_options.append(acl_data.custom_acl) %} From c367618fee799918cf7a98cf2bcb4dbcf076ab43 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Tue, 20 Jan 2026 18:09:36 +0100 Subject: [PATCH 09/31] net/haproxy: add support for HTTP/3 over QUIC, closes #4341 --- net/haproxy/pkg-descr | 1 + .../OPNsense/HAProxy/forms/dialogFrontend.xml | 4 +-- .../app/models/OPNsense/HAProxy/HAProxy.xml | 5 ++-- .../templates/OPNsense/HAProxy/haproxy.conf | 27 ++++++++++++++++--- 4 files changed, 29 insertions(+), 8 deletions(-) diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index a949284066..2ab84561cf 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -9,6 +9,7 @@ Plugin Changelog 4.7 Added: +* add support for HTTP/3 over QUIC to frontends (#4341) * add new rule: http-request silent-drop * add new condition: HTTP method * support custom HTTP status code in "http-request deny" rules diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml index c40928fda2..6d2ecee8a1 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogFrontend.xml @@ -23,7 +23,7 @@ select_multiple true - + Enter address:port here. Finish with TAB. @@ -203,7 +203,7 @@ true true - + frontend.forwardFor 
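Review bot: `wait_end` is appended as a bare criterion like the other two, which is syntactically fine, but as far as the HAProxy documentation goes it only yields a meaningful verdict inside a `tcp-request content` rule set that also has an `inspect-delay`; attached to a rule with no inspection period it is true immediately, so a user expecting a delayed decision gets none. A template comment next to the new branch, e.g. `{# # wait_end is only useful together with a tcp-request inspect-delay rule #}`, plus matching help text in the condition dialog (not in this chunk) would make that explicit. The membership test against `acl_boolean_types` is what keeps this branch from echoing arbitrary expression values into the config, so that list should remain the single place where argument-less fetches are declared. The enclosing ACL dispatch chain starts before this hunk.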
diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index cd2facaa27..09becb6532 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -515,9 +515,9 @@ Y Y - /^((([0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1}))*/u + /^((([quic4@|quic6@]*[0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1}))*/u lower - Please provide a valid listen address, i.e. 127.0.0.1:8080, [::1]:8080, www.example.com:443 or unix@socket-name. Port range as start-end, i.e. 127.0.0.1:1220-1240. + Please provide a valid listen address, i.e. 127.0.0.1:8080, [::1]:8080, www.example.com:443, quic4@www.example.com or unix@socket-name. Port range as start-end, i.e. 127.0.0.1:1220-1240. N @@ -853,6 +853,7 @@ Y Y +
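Review bot: `[quic4@|quic6@]*` in the new bind mask is a character class, not an alternation: it accepts any run of the characters `q u i c 4 6 @ |`, so `quic6@|@@host:443` validates while the `quic4@www.example.com` form shown in the new help text is rejected because `:+[0-9]+` still demands a port. The intended prefix is `(quic4@|quic6@)?`, i.e. `/^(((quic4@|quic6@)?[0-9a-zA-Z._\-\*:\[\]]+:+[0-9]+(-[0-9]+)?|unix@[0-9a-z_\-]+)([,]){0,1})*$/u`, and the help example should read `quic4@www.example.com:443`. Note the mask was never end-anchored, so with the trailing `*` it matches the empty prefix of any input and, as far as I can tell, currently rejects nothing; adding `$` as above fixes that, but it is a pre-existing behaviour change worth a changelog line.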

    HTTP/3

    HTTP/2

    HTTP/1.1 HTTP/1.0 diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index 6e46f610f3..5ae3c9ad57 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf @@ -1013,6 +1013,8 @@ global {% if helpers.exists('OPNsense.HAProxy.general.tuning.maxConnections') %} maxconn {{OPNsense.HAProxy.general.tuning.maxConnections}} {% endif %} +{# # TODO: remove this option when OpenSSL 3.5 is available on OPNsense #} + limited-quic {# # check if OCSP is enabled #} {% if OPNsense.HAProxy.general.tuning.ocspUpdateEnabled|default('') == '1' %} {% if helpers.exists('OPNsense.HAProxy.general.tuning.ocspUpdateMinDelay') %} @@ -1420,9 +1422,8 @@ frontend {{frontend.name}} {% endif %} {# # HTTP/2 with TLS enabled #} {% if frontend.http2Enabled|default("") == '1' and frontend.advertised_protocols|default("") != "" %} -{# # convert protocols to HAProxy-compatible format #} -{% set alpn_options = frontend.advertised_protocols|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %} -{% do ssl_options.append('alpn ' ~ alpn_options) %} +{# # To ensure proper handling of each HTTP protocol, these #} +{# # entries will be processed when parsing individual bind lines. #} {% else %} {# # disable ALPN to enforce the GUI settings #} {% do ssl_options.append('no-alpn') %} @@ -1448,6 +1449,8 @@ frontend {{frontend.name}} {# # bind/listen configuration #} {% if frontend.bind|default("") != "" %} {% for bind in frontend.bind.split(",") %} +{# # alpn advertisements are specific to each bind line #} +{% set alpn_options = [] %} {# # check if this is a unix socket #} {% set unix_bind = bind | regex_replace ("^unix@.*","TRUE") %} {% if unix_bind == "TRUE" %} 
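Review bot: `limited-quic` is written into `global` unconditionally, so every generated configuration — including the majority that binds no `quic4@`/`quic6@` address — now opts into HAProxy's compatibility QUIC mode, which the TODO itself describes as a stopgap until OpenSSL 3.5. Emitting it only when at least one enabled frontend has a QUIC bind (a pre-pass over the frontend bind lists, since `global` is rendered before the frontends) keeps existing configs byte-identical and makes the TODO easy to remove later. If it stays unconditional, the comment should at least note that 0-RTT is unavailable in this mode, which is the more conservative choice anyway. The `global` section continues outside this hunk.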
@@ -1459,7 +1462,23 @@ frontend {{frontend.name}} {% set bind_address = bind %} {% set bind_name = bind %} {% endif %} - bind {{bind_address}} name {{bind_name}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}{% if adv_options|length > 0 %} {{ adv_options|join(' ') }} {% endif %} +{# # handle incompatible alpn advertisements #} +{% if bind.startswith('quic4@') or bind.startswith('quic6@') %} +{# # strip incompatible advertisement for QUIC bind lines #} +{% set alpn_incompatible = ['h2', 'http11', 'http10'] %} +{% set alpn_filtered = frontend.advertised_protocols.split(',') | reject('in', alpn_incompatible) | join(',') %} +{% else %} +{# # strip incompatible advertisement for non-QUIC bind lines #} +{% set alpn_incompatible = ['h3'] %} +{% set alpn_filtered = frontend.advertised_protocols.split(',') | reject('in', alpn_incompatible) | join(',') %} +{% endif %} +{# # add alpn advertisements #} +{% if alpn_filtered|default("") != "" %} +{# # convert alpn protocols to HAProxy-compatible format #} +{% set alpn_conv = alpn_filtered|replace('http10', 'http/1.0')|replace('http11', 'http/1.1') %} +{% do alpn_options.append('alpn ' ~ alpn_conv) %} +{% endif %} + bind {{bind_address}} name {{bind_name}} {% if frontend.bindOptions|default("") != "" %}{{ frontend.bindOptions }} {% endif %}{% if frontend.ssl_enabled == '1' and ssl_certs|default("") != "" %}ssl {{ ssl_options|join(' ') }} {{ alpn_options|join(' ') }} {{ ssl_certs|join(' ') }} {% endif %}{% if adv_options|length > 0 %} {{ adv_options|join(' ') }} {% endif %} {% endfor %} {% endif %} From 5fb8a58d933ec6ba44dc51beee37998f2e028beb Mon Sep 17 00:00:00 2001 
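Review bot: The new per-bind ALPN block computes `alpn_filtered` from `frontend.advertised_protocols` without consulting `frontend.http2Enabled`, but the branch at 1420 earlier in this diff still appends `no-alpn` to `ssl_options` whenever that flag is off; if a frontend has protocols stored while HTTP/2 is disabled, the bind line now carries both `no-alpn` and `alpn …`, a contradiction whose outcome depends on HAProxy's keyword-order handling, so the HTTP/2 toggle is no longer reliable. Guard the new block with the same condition, e.g. `{% if frontend.http2Enabled|default("") == '1' and alpn_filtered|default("") != "" %}`, and read the list as `frontend.advertised_protocols|default("")` so an unset value does not break `.split`. A `quic4@`/`quic6@` bind also only works with `ssl`, so a QUIC address on a frontend with `ssl_enabled != '1'` is written without it; flagging that in the config the way the template does for other invalid states would help. The bind loop starts before this hunk.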
From: Frank Wall Date: Tue, 20 Jan 2026 18:16:09 +0100 Subject: [PATCH 10/31] net/haproxy: bump model version --- .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index 09becb6532..734c95c709 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -1,6 +1,6 @@ //OPNsense/HAProxy - 4.1.0 + 4.2.0 the HAProxy load balancer From add84716cad456ac1bd60404ea38b9d258c4f810 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Thu, 22 Jan 2026 00:17:32 +0100 Subject: [PATCH 11/31] net/haproxy: add support for HTTP compression, closes #4867 --- net/haproxy/pkg-descr | 1 + .../OPNsense/HAProxy/forms/dialogAction.xml | 59 ++++++++++++++++++ .../app/models/OPNsense/HAProxy/HAProxy.xml | 60 +++++++++++++++++++ .../templates/OPNsense/HAProxy/haproxy.conf | 41 ++++++++++++- 4 files changed, 160 insertions(+), 1 deletion(-) diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index 2ab84561cf..46c6e7a492 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -16,6 +16,7 @@ Added: * add new backend option to control PROXY protocol for health checks (#2909) * add support for new map file type: reg (#3641) * add support for more sample fetches: quic_enabled, stopping, wait_end (#3702) +* add support for HTTP compression (#4867) Changed: * upgrade to HAProxy 3.2 release series (#5147) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml index 9748247d63..6dd920eb81 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml 
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml @@ -481,4 +481,63 @@ text Custom Log format rules. With this directive, it is possible to overwrite the value of default FastCGI parameters.]]>
    + + + header + + + + action.compression_direction + + dropdown + + + + action.compression_algo_res + + dropdown + + + + action.compression_algo_req + + dropdown + + + + action.compression_mime_res + + select_multiple + + true + + Enter MIME types here. Finish with TAB. + + + action.compression_mime_req + + select_multiple + + true + + Enter MIME types here. Finish with TAB. + + + action.compression_minsize_res + + text + + + + action.compression_minsize_req + + text + + + + action.compression_offloading + + checkbox + + diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index 734c95c709..8fd95f2756 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -2272,6 +2272,7 @@ Use specified Backend Pool Override server in Backend Pool Map domains to backend pools using a map file + Enable compression for HTTP responses/requests FastCGI pass-header FastCGI set-param http-request allow @@ -2586,6 +2587,65 @@ N N + + N + gzip + + gzip [default] + deflate + raw-deflate + + + + N + gzip + + gzip [default] + deflate + raw-deflate + + + + N + Y + /^((([0-9a-zA-Z]+\/+[0-9a-zA-Z]+)([,]){0,1}))*/u + lower + Please provide valid MIME types, i.e. text/css, text/html, application/json. + + + N + Y + /^((([0-9a-zA-Z]+\/+[0-9a-zA-Z]+)([,]){0,1}))*/u + lower + Please provide valid MIME types, i.e. text/css, text/html, application/json. + + + 0 + N + + + 1500 + 0 + 1000000 + Please specify a number between 0 and 1000000. + N + + + 1500 + 0 + 1000000 + Please specify a number between 0 and 1000000. + N + + + N + response + + Compress responses [default] + Compress requests + Compress both + + 
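Review bot: The MIME masks for `compression_mime_res`/`compression_mime_req` only allow `[0-9a-zA-Z]` on either side of the slash, which rejects common types such as `image/svg+xml`, `application/x-javascript` or `application/vnd.api+json`; at the same time the expression has no `$` anchor, so the outer `*` matches the empty prefix of any string and the mask, as far as I can tell, rejects nothing. Since the value is written verbatim into `compression type-res`/`type-req`, a mask that actually constrains the token set is worth having: `/^(([0-9a-zA-Z.+\-]+\/[0-9a-zA-Z.+\-]+)(,[0-9a-zA-Z.+\-]+\/[0-9a-zA-Z.+\-]+)*)?$/u`. The same fix applies to both fields, and the "Please provide valid MIME types" message could list one of the `+`/`-` forms as an example.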
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
index 5ae3c9ad57..59c7ddcd86 100644
--- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
+++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -442,6 +442,7 @@
 {# # because doing otherwise would lead to unpredictable behaviour. #}
 {% if acl_errors|int == 0 %}
 {% set action_enabled = '1' %}
+{% set action_multiline = '0' %}
 {% set action_options = [] %}
 {% if action_data.type == 'use_backend' %}
 {% if action_data.use_backend|default("") != "" %}
@@ -709,6 +710,36 @@ {% set action_enabled = '0' %} # ERROR: missing parameters {% endif %} +{% elif action_data.type == 'compression' %} +{% set action_multiline = '1' %} +{% if action_data.compression_mime_resp|default("") != "" or action_data.compression_mime_req|default("") != "" %} +{% do action_options.append('filter compression') %} +{% do action_options.append('compression direction ' ~ action_data.compression_direction) %} +{% if action_data.compression_direction|default("") == "response" or action_data.compression_direction|default("") == "both" %} +{% do action_options.append('compression algo-res ' ~ action_data.compression_algo_res) %} +{% if action_data.compression_mime_res|default("") != "" %} +{% do action_options.append('compression type-res ' ~ action_data.compression_mime_res|replace(",", " ")) %} +{% endif %} +{% if action_data.compression_minsize_res|default("") != "0" %} +{% do action_options.append('compression minsize-res ' ~ action_data.compression_minsize_res) %} +{% endif %} +{% endif %} +{% if action_data.compression_direction|default("") == "request" or action_data.compression_direction|default("") == "both" %} +{% do action_options.append('compression algo-req ' ~ action_data.compression_algo_req) %} +{% if action_data.compression_mime_req|default("") != "" %} +{% do action_options.append('compression type-req ' ~ action_data.compression_mime_req|replace(",", " ")) %} +{% endif %} +{% if action_data.compression_minsize_req|default("") != "0" %} +{% do action_options.append('compression minsize-req ' ~ action_data.compression_minsize_req) %} +{% endif %} +{% endif %} +{% if action_data.compression_offloading|default("") == "1" %} +{% do action_options.append('compression offload') %} +{% endif %} +{% else %} +{% set action_enabled = '0' %} + # ERROR: missing parameters +{% endif %} {% elif action_data.type == 'custom' %} {% if action_data.custom|default("") != "" %} {% do action_options.append(action_data.custom) %} 
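Review bot: The guard reads `action_data.compression_mime_resp`, but the model field added in this series is `compression_mime_res` (the `*_res` name is used a few lines below), so a rule that lists only response MIME types is marked `# ERROR: missing parameters` and dropped — only request-side types currently switch the rule on. Fix: `{% if action_data.compression_mime_res|default("") != "" or action_data.compression_mime_req|default("") != "" %}`. Since these rules will mostly sit on TLS frontends, the dialog help (not in this hunk) should carry the usual caveat that compressing responses which echo attacker-influenced input next to secrets exposes them to BREACH-style attacks, and that `minsize` does not mitigate that. The rule-type dispatch chain continues outside this hunk.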
@@ -736,8 +767,16 @@ {% set comment_lines = comment_lines + [' # NOTE: actions with no ACLs/conditions will always match'] %} {% endif %} {% if action_options|length > 0 %} +{# # handle multiline options #} +{% if action_multiline == '1' %} +{% set join_char = '\n ' %} +{# # ACLs are unsupported in multiline options, remove them #} +{% set acl_line = '' %} +{% else %} +{% set join_char = ' ' %} +{% endif %} {% do global_action_options.append(comment_lines|join('\n')) -%} -{% do global_action_options.append(([action_options|join(' '), acl_line]|join(' '))) %} +{% do global_action_options.append(([action_options|join(join_char), acl_line]|join(' '))) %} {% endif %} {% else %} # ACTION INVALID: {{action_data.name}} From 5e39080312bd83c53440374290e279601bd818d8 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Thu, 22 Jan 2026 00:32:51 +0100 Subject: [PATCH 12/31] net/haproxy: use GUI names in config comments --- .../templates/OPNsense/HAProxy/haproxy.conf | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index 59c7ddcd86..5463a11f28 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf @@ -749,7 +749,7 @@ {% endif %} {% else %} {% set action_enabled = '0' %} - # ERROR: unsupported action type + # ERROR: unsupported rule type {% endif %} {# # check if action is valid #} {% if action_enabled == '1' %} 
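Review bot: When `action_multiline == '1'` the hunk blanks `acl_line`, so a compression rule the operator attached Conditions to is emitted unconditionally, and the `# NOTE: … will always match` hint just above is not printed because it was derived from `action_acls` before this point. That silently widens a rule the operator believed was scoped; at minimum surface it, e.g. `{% set comment_lines = comment_lines + [' # NOTE: Conditions are not supported by this rule type and were ignored'] %}` next to the reset, or better treat linked conditions as an error for multiline types (`action_enabled = '0'`) so the config shows `# RULE INVALID`. The surrounding emit logic starts before this hunk.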
@@ -759,12 +759,12 @@ {% set join_operator = ' ' %} {% endif %} {# # check if action depends on ACLs #} -{% set comment_lines = ['# ACTION: ' + action_data.name] %} +{% set comment_lines = ['# RULE: ' + action_data.name] %} {% if action_acls|length > 0 %} {% set acl_line = [action_data.testType, action_acls|join(join_operator)]|join(' ') %} {% else %} {% set acl_line = '' %} -{% set comment_lines = comment_lines + [' # NOTE: actions with no ACLs/conditions will always match'] %} +{% set comment_lines = comment_lines + [' # NOTE: Rules with no Conditions will always match'] %} {% endif %} {% if action_options|length > 0 %} {# # handle multiline options #} @@ -779,11 +779,11 @@ {% do global_action_options.append(([action_options|join(join_char), acl_line]|join(' '))) %} {% endif %} {% else %} - # ACTION INVALID: {{action_data.name}} + # RULE INVALID: {{action_data.name}} {% endif %} {% else %} - # ACTION INVALID: {{action_data.name}} - # ACL ERROR COUNT: {{acl_errors}} + # RULE INVALID: {{action_data.name}} + # CONDITIONS WITH ERRORS: {{acl_errors}} {% endif %} {% endfor %} @@ -1395,7 +1395,7 @@ mailers {{mailer.id}} {% if helpers.exists('OPNsense.HAProxy.frontends') %} {% for frontend in helpers.toList('OPNsense.HAProxy.frontends.frontend') %} {% if frontend.enabled == '1' %} -# Frontend: {{frontend.name}} ({{frontend.description}}) +# Public Service: {{frontend.name}} ({{frontend.description}}) frontend {{frontend.name}} {% set ssl_certs = [] %} {% set ssl_options = [] %} @@ -1601,7 +1601,7 @@ frontend {{frontend.name}} {% endif %} {% else %} -# Frontend (DISABLED): {{frontend.name}} ({{frontend.description}}) +# Public Service (DISABLED): {{frontend.name}} ({{frontend.description}}) {% endif %} {% endfor %} 
@@ -1615,10 +1615,10 @@ frontend {{frontend.name}} {% for backend in helpers.toList('OPNsense.HAProxy.backends.backend') %} {# # ignore disabled backends #} {% if backend.enabled == '1' %} -# Backend: {{backend.name}} ({{backend.description}}) +# Backend Pool: {{backend.name}} ({{backend.description}}) backend {{backend.name}} {% if backend.linkedServers|default("") == "" %} - # HINT: no servers configured for this backend. + # HINT: no servers configured for this backend pool. {% endif %} {# # store additional parameters for the "server" entries #} {% set healthcheck_additions = [] %} @@ -2048,7 +2048,7 @@ backend {{backend.name}} {% endif %} {% else %} -# Backend (DISABLED): {{backend.name}} ({{backend.description}}) +# Backend Pool (DISABLED): {{backend.name}} ({{backend.description}}) {% endif %} {% endfor %} From 6dbefe5481b5e55deff62e50179abf80a212d367 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Thu, 22 Jan 2026 22:32:46 +0100 Subject: [PATCH 13/31] net/haproxy: add support for http-after-response rules --- net/haproxy/pkg-descr | 1 + .../OPNsense/HAProxy/forms/dialogAction.xml | 15 +++++++++ .../app/models/OPNsense/HAProxy/HAProxy.xml | 32 +++++++++++++++++++ .../templates/OPNsense/HAProxy/haproxy.conf | 10 ++++++ 4 files changed, 58 insertions(+) diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index 46c6e7a492..f979807b33 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -11,6 +11,7 @@ Plugin Changelog Added: * add support for HTTP/3 over QUIC to frontends (#4341) * add new rule: http-request silent-drop +* add new rule: http-after-response * add new condition: HTTP method * support custom HTTP status code in "http-request deny" rules * add new backend option to control PROXY protocol for health checks (#2909) diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml index 6dd920eb81..951b42f26d 100644 
--- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml @@ -540,4 +540,19 @@ checkbox + + + header + + + + action.http_after_response_action + + dropdown + + + action.http_after_response_option + + text + diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index 8fd95f2756..9174d0b06f 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -2275,6 +2275,7 @@ Enable compression for HTTP responses/requests FastCGI pass-header FastCGI set-param + http-after-response http-request allow http-request deny http-request tarpit @@ -2350,6 +2351,37 @@ Should be a string between 1 and 1024 characters. N + + N + + add-header + allow + capture + del-header + del-map + do-log + replace-header + replace-value + sc-add-gpc + sc-inc-gpc + sc-inc-gpc0 + sc-inc-gpc1 + sc-set-gpt + sc-set-gpt0 + set-header + set-log-level + set-map + set-status + set-var + set-var-fmt + strict-mode + unset-var + + + + /^.{1,4096}$/u + N + /^.{1,4096}$/u N diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index 5463a11f28..6f05023321 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf 
@@ -500,6 +500,16 @@ {% set action_enabled = '0' %} # ERROR: missing parameters {% endif %} +{% elif action_data.type == 'http-after-response' %} +{% if action_data.http_after_response_action|default('') != '' %} +{% do action_options.append('http-after-response ' ~ action_data.http_after_response_action) %} +{% if action_data.http_after_response_option|default('') != '' %} +{% do action_options.append(action_data.http_after_response_option) %} +{% endif %} +{% else %} +{% set action_enabled = '0' %} + # ERROR: missing parameters +{% endif %} {% elif action_data.type == 'http-request_allow' %} {% do action_options.append('http-request allow') %} {% elif action_data.type == 'http-request_deny' %} From 76805d1eb1c9dc099160d0798a023048aae91f53 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Fri, 23 Jan 2026 13:58:02 +0100 Subject: [PATCH 14/31] net/haproxy: refactor http/tcp rules --- net/haproxy/pkg-descr | 3 + .../OPNsense/HAProxy/forms/dialogAction.xml | 443 ++++-------------- .../app/models/OPNsense/HAProxy/HAProxy.xml | 312 ++++++++++-- .../OPNsense/HAProxy/Migrations/M4_2_0.php | 310 ++++++++++++ .../templates/OPNsense/HAProxy/haproxy.conf | 253 +++------- 5 files changed, 720 insertions(+), 601 deletions(-) create mode 100644 net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/Migrations/M4_2_0.php diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index f979807b33..ec9cad2399 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -18,9 +18,12 @@ Added: * add support for new map file type: reg (#3641) * add support for more sample fetches: quic_enabled, stopping, wait_end (#3702) * add support for HTTP compression (#4867) +* add all action keywords for http-request/-response and tcp-request/-response rules Changed: * upgrade to HAProxy 3.2 release series (#5147) +* refactor http/tcp rules to make extensions easier +* rename some labels in rules 4.6 
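Review bot: Nearly every keyword in the `http_after_response_action` dropdown (`add-header`, `set-status`, `set-var`, `replace-value`, …) requires an argument, but the branch only checks that an action was chosen, so an empty option yields e.g. `http-after-response set-header` and HAProxy rejects the whole configuration on reload instead of this template marking the single rule invalid as it does elsewhere. A small allow-list of argument-less keywords (`allow`, and as far as I recall `do-log`) with a check such as `{% if action_data.http_after_response_action|default('') != '' and (action_data.http_after_response_option|default('') != '' or action_data.http_after_response_action in ['allow', 'do-log']) %}` would keep the failure local. The same pattern is worth applying to the generic http-request/http-response/tcp-* branches added later in this series. The dispatch chain continues outside this hunk.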
diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml index 951b42f26d..c2e70417f3 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml @@ -15,33 +15,33 @@ header - - action.testType - - dropdown - - action.linkedAcls select_multiple + + action.testType + + dropdown + + action.operator - + dropdown - + - + header action.type - + dropdown - + 
@@ -69,302 +69,6 @@ info - - - header - - - - action.http_request_auth - - text - - - - - header - - - - action.http_request_deny_status - - text - - - - - header - - - - action.http_request_redirect - - text - HAProxy's documentation for further details and examples.]]> - - - - header - - - - action.http_request_lua - - text - - - - - header - - - - action.http_request_use_service - - text - - - - - header - - - - action.http_request_add_header_name - - text - - - - action.http_request_add_header_content - - text - HAProxy's documentation for further details and examples.]]> - - - - header - - - - action.http_request_set_header_name - - text - - - - action.http_request_set_header_content - - text - HAProxy's documentation for further details and examples.]]> - - - - header - - - - action.http_request_del_header_name - - text - - - - - header - - - - action.http_request_replace_header_name - - text - - - - action.http_request_replace_header_regex - - text - - - - - header - - - - action.http_request_replace_value_name - - text - - - - action.http_request_replace_value_regex - - text - - - - - header - - - - action.http_request_set_path - - text - - - - - header - - - - action.http_request_set_var_scope - - dropdown - - - - action.http_request_set_var_name - - text - - - action.http_request_set_var_expr - - text - - - - - header - - - - action.http_response_lua - - text - - - - - header - - - - action.http_response_add_header_name - - text - - - - action.http_response_add_header_content - - text - HAProxy's documentation for further details and examples.]]> - - - - header - - - - action.http_response_set_header_name - - text - - - - action.http_response_set_header_content - - text - HAProxy's documentation for further details and examples.]]> - - - - header - - - - action.http_response_del_header_name - - text - - - - - header - - - - action.http_response_replace_header_name - - text - - - - action.http_response_replace_header_regex - - text - - - - - header - - - - 
action.http_response_replace_value_name - - text - - - - action.http_response_replace_value_regex - - text - - - - - header - - - - action.http_response_set_status_code - - text - - - - action.http_response_set_status_reason - - text - - - - - header - - - - action.http_response_set_var_scope - - dropdown - - - - action.http_response_set_var_name - - text - - - action.http_response_set_var_expr - - text - - header @@ -376,61 +80,6 @@ text - - - header - - - - action.tcp_request_content_lua - - text - - - - - header - - - - action.tcp_request_content_use_service - - text - - - - - header - - - - action.tcp_request_inspect_delay - - text - - - - - header - - - - action.tcp_response_content_lua - - text - - - - - header - - - - action.tcp_response_inspect_delay - - text - - header @@ -549,10 +198,80 @@ action.http_after_response_action dropdown + HAProxy's documentation.]]> action.http_after_response_option text + HAProxy's documentation.]]> + + + + header + + + + action.http_request_action + + dropdown + HAProxy's documentation.]]> + + + action.http_request_option + + text + HAProxy's documentation.]]> + + + + header + + + + action.http_response_action + + dropdown + HAProxy's documentation.]]> + + + action.http_response_option + + text + HAProxy's documentation.]]> + + + + header + + + + action.tcp_request_action + + dropdown + HAProxy's documentation.]]> + + + action.tcp_request_option + + text + HAProxy's documentation.]]> + + + + header + + + + action.tcp_response_action + + dropdown + HAProxy's documentation.]]> + + + action.tcp_response_option + + text + HAProxy's documentation.]]> diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index 9174d0b06f..fe49d5d225 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml 
@@ -2269,13 +2269,20 @@ Y - Use specified Backend Pool - Override server in Backend Pool - Map domains to backend pools using a map file - Enable compression for HTTP responses/requests + Compression for HTTP responses/requests FastCGI pass-header FastCGI set-param http-after-response + http-request + http-response + Map domains to backend pools using a map file + monitor fail: report failure to a monitor request + tcp-request + tcp-response + Use specified Backend Pool + Override server in Backend Pool + Custom rule (option pass-through) + @@ -2351,6 +2357,14 @@ Should be a string between 1 and 1024 characters. N + + /^.{1,4096}$/u + N + + + /^.{1,4096}$/u + N + N 
@@ -2382,6 +2396,248 @@ /^.{1,4096}$/u N + + N + + add-acl + add-header + allow + auth + cache-use + capture + del-acl + del-header + del-map + deny + disable-l7-retry + do-log + do-resolve + early-hint + normalize-uri + redirect + reject + replace-header + replace-path + replace-pathq + replace-uri + replace-value + return + sc-add-gpc + sc-inc-gpc + sc-inc-gpc0 + sc-inc-gpc1 + sc-set-gpt + sc-set-gpt0 + send-spoe-group + set-dst + set-dst-port + set-fc-mark + set-fc-tos + set-header + set-log-level + set-map + set-method + set-nice + set-path + set-pathq + set-priority-class + set-priority-offset + set-query + set-src + set-src-port + set-timeout + set-uri + set-var + set-var-fmt + silent-drop + strict-mode + tarpit + track-sc0 + track-sc1 + track-sc2 + track-sc + unset-var + use-service + wait-for-body + wait-for-handshake + + + + /^.{1,4096}$/u + N + + + N + + add-acl + add-header + allow + cache-store + capture + del-acl + del-header + del-map + deny + do-log + redirect + replace-header + replace-value + return + sc-add-gpc + sc-inc-gpc + sc-inc-gpc0 + sc-inc-gpc1 + sc-set-gpt + sc-set-gpt0 + send-spoe-group + set-fc-mark + set-fc-tos + set-header + set-log-level + set-map + set-nice + set-status + set-timeout + set-var + set-var-fmt + silent-drop + strict-mode + track-sc0 + track-sc1 + track-sc2 + track-sc + unset-var + wait-for-body + + + + /^.{1,4096}$/u + N + + + N + + connection accept + connection expect-netscaler-cip + connection expect-proxy + connection fc-silent-drop + connection reject + connection sc-add-gpc + connection sc-inc-gpc + connection sc-inc-gpc0 + connection sc-inc-gpc1 + connection sc-set-gpt + connection sc-set-gpt0 + connection send-spoe-group + connection set-dst + connection set-dst-port + connection set-fc-mark + connection set-fc-tos + connection set-log-level + connection set-src + connection set-src-port + connection set-var + connection set-var-fmt + connection silent-drop + connection track-sc + connection track-sc0 + 
connection track-sc1 + connection track-sc2 + connection unset-var + content accept + content capture + content do-resolve + content lua + content reject + content sc-add-gpc + content sc-inc-gpc + content sc-inc-gpc0 + content sc-inc-gpc1 + content sc-set-gpt + content sc-set-gpt0 + content send-spoe-group + content set-dst + content set-dst-port + content set-fc-mark + content set-fc-tos + content set-log-level + content set-nice + content set-priority-class + content set-priority-offset + content set-src + content set-src-port + content set-var + content set-var-fmt + content silent-drop + content switch-mode + content track-sc + content track-sc0 + content track-sc1 + content track-sc2 + content unset-var + content use-service + inspect-delay + session accept + session attach-srv + session reject + session sc-add-gpc + session sc-inc-gpc + session sc-inc-gpc0 + session sc-inc-gpc1 + session sc-set-gpt + session sc-set-gpt0 + session send-spoe-group + session set-dst + session set-dst-port + session set-fc-mark + session set-fc-tos + session set-log-level + session set-src + session set-src-port + session set-var + session set-var-fmt + session silent-drop + session track-sc + session track-sc0 + session track-sc1 + session track-sc2 + session unset-var + + + + /^.{1,4096}$/u + N + + + N + + content accept + content close + content lua + content reject + content sc-add-gpc + content sc-inc-gpc + content sc-inc-gpc0 + content sc-inc-gpc1 + content sc-set-gpt + content sc-set-gpt0 + content send-spoe-group + content set-fc-mark + content set-fc-tos + content set-log-level + content set-nice + content set-var + content set-var-fmt + content silent-drop + content unset-var + inspect-delay + + + + /^.{1,4096}$/u + N + + /^.{1,4096}$/u N @@ -2392,7 +2648,6 @@ Please specify a value between 100 and 999. N - /^.{1,4096}$/u N @@ -2533,10 +2788,6 @@ /^.{1,4096}$/u N - - /^.{1,4096}$/u - N - /^.{1,4096}$/u N 
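Review bot: The `tcp_request_action` and `tcp_response_action` lists offer `content lua`, yet HAProxy addresses Lua actions by their registered name as a single keyword, `lua.<name>`, so a name appended after a space (`tcp-request content lua myaction`) is not a valid rule unless the template — outside this hunk — special-cases it; the `http_request_action` and `http_response_action` lists, which replace the removed `http_request_lua`/`http_response_lua` fields, carry no Lua entry at all. Either drop the two `content lua` entries or make the expected form explicit (option written as `lua.<name>`, or the template joining without a space), and state in the migration or help text how existing Lua rules are carried over. If dropping Lua from the HTTP rule types is intentional, the changelog should say so.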
@@ -2557,44 +2808,7 @@ /^.{1,32}$/u N - - /^.{1,4096}$/u - N - - - - - - - Related backend item not found - Y - N - - - - - - Related server item not found - Y - N - - - N - - - N - - - N - +