enable Use Offloading (plugins haproxy-declarative, haproxy-ingress-proxy) #19

Open
andruwa13 opened this issue Mar 14, 2022 · 13 comments


@andruwa13

How can I enable offloading on the frontend?
[Screenshot: Services - HAProxy - Frontend 2022-03-14 17-42-29]

@andruwa13 andruwa13 changed the title enable Use Offloading (plugin haproxy-declarative) enable Use Offloading (plugins haproxy-declarative, haproxy-ingress-proxy) Mar 14, 2022
@travisghansen
Owner

I don't think I currently support that feature. It probably would not be too difficult to add and would likely need to be specified as an annotation on the ingress.

@travisghansen
Owner

What else do you need to set besides that checkbox?

@travisghansen
Owner

travisghansen commented Feb 4, 2023

I've implemented something like this (annotation on per-ingress basis):

haproxy-ingress-proxy.pfsense.org/frontendDefinitionTemplate: '{"ssloffloadcert":"5e99cce0e6dd8","ssloffload":"yes"}'

This is based on a structure that looks like this for the whole entry (note the important things are automatically filled in for you, i.e. the acls, etc.):

{
  "name":"",
  "desc":"created by kpc - do not edit",
  "status":"active",
  "secondary":"yes",
  "primary_frontend":"http-80-copy",
  "ha_acls":{
     "item":[
        {
           "name":"",
           "expression":"custom",
           "value":"",
           "backendservercountbackend":"",
           "_index":""
        }
     ]
  },
  "a_actionitems":{
     "item":[
        {
           "action":"use_backend",
           "acl":"",
           "use_backendbackend":"",
           "_index":""
        }
     ]
  },
  "ha_certificates":{
     "item":[
        {
           "ssl_certificate":"5e99cce0e6dd8",
           "_index":""
        }
     ]
  },
  "clientcert_ca":"",
  "clientcert_crl":"",
  "a_extaddr":"",
  "a_errorfiles":"",
  "type":"http",
  "httpclose":"http-keep-alive",
  "ssloffloadcert":"5e99cce0e6dd8",
  "ssloffload":"yes",
  "advanced":"",
  "ssloffloadacladditional":"yes"
}

@travisghansen
Owner

Released in v0.5.12.

@travisghansen
Owner

Better late than never they say ;)

@hansaya

hansaya commented Mar 1, 2023

I was trying to add a new ACL to one of the applications. This method did not work for me. I'm guessing only the use_backend action is allowed?

      haproxy-ingress-proxy.pfsense.org/frontendDefinitionTemplate: |-
        '"ha_acls":{
          "item":[
              {
                "name":"url_discovery",
                "expression":"custom",
                "value":"path /.well-known/caldav /.well-known/carddav",
              }
          ]
        },
        "a_actionitems":{
          "item":[
              {
                "action":"http-request redirect",
                "acl":"url_discovery",
                "rule":"location /remote.php/dav/ code 301",
              }
          ]
        }'

@travisghansen
Owner

Ah! Right now I actually overwrite the acls and actions entirely but I think I can support what you’ve shown. I’ll respond again when I have an updated build.

@hansaya

hansaya commented Mar 2, 2023

If it helps, this is the end goal I'm trying to get at.

Example:

acl			shared-https-url-discovery	path /.well-known/caldav /.well-known/carddav
http-request redirect location /remote.php/dav/ code 301  if  shared-https-url-discovery aclcrt_shared-https

Currently I can apply this to a shared frontend but this is only for a specific app. Thanks again for working on this.

@travisghansen
Owner

Those rules would need to also have host and prefix (from the ingress) to be effective right? Otherwise potentially across many ingresses you'll end up with a bunch of conflicting rules and it will be first one wins?

@hansaya

hansaya commented Mar 6, 2023

Yes, currently I didn't have any conflicts so I kept it on my shared frontend. Ideally this needs to only apply to a single host/frontend.

@travisghansen travisghansen reopened this Mar 6, 2023
@travisghansen
Owner

I've put a bit of thought into how the template could have placeholders in it and it seems pretty messy. Instead you'll just need to hard-code the rules in the template directly with host/path as appropriate.

Using v0.5.14 the template acls/actions should not get overwritten: 6a51285

@hansaya

hansaya commented Oct 9, 2023

Sorry for taking some time to get to this. Have you seen this warning on 0.5.14?

2023-10-09T15:44:32+00:00 plugin (pfsense-dns-haproxy-ingress-proxy): /v1/namespaces/network/ConfigMap/kpc-primary-kubernetes-pfsense-controller-store ADDED - 90085857
PHP Warning:  Undefined array key "ha_acls" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 248
2023-10-09T15:44:35.275757887Z PHP Warning:  Undefined array key "a_actionitems" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 256
PHP Warning:  Undefined array key "ha_acls" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 248
2023-10-09T15:44:35.275778657Z PHP Warning:  Undefined array key "a_actionitems" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 256
2023-10-09T15:44:35.275785168Z PHP Warning:  Undefined array key "ha_acls" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 248
2023-10-09T15:44:35.275791748Z PHP Warning:  Undefined array key "a_actionitems" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 256
PHP Warning:  Undefined array key "ha_acls" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 248
2023-10-09T15:44:35.275806100Z PHP Warning:  Undefined array key "a_actionitems" in phar:///usr/local/bin/kubernetes-pfsense-controller/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php on line 256

We might need to add a safety check around your is_array check:

                if (!isset($frontend['ha_acls']) || !is_array($frontend['ha_acls'])) {
                    $frontend['ha_acls'] = ['item' => []];
                }

@hansaya

hansaya commented Oct 9, 2023

For anyone stumbling across this post who wants to add acls and actions, this is my working example:

haproxy-ingress-proxy.pfsense.org/frontendDefinitionTemplate: |-
        {
          "ha_acls": {
              "item": [
                  {
                      "name": "nextcloud-url-discovery",
                      "expression": "custom",
                      "value": "path /.well-known/caldav /.well-known/carddav"
                  }
              ]
          },
          "a_actionitems": {
              "item": [
                  {
                      "action": "http-request_redirect",
                      "acl": "nextcloud-url-discovery",
                      "http-request_redirectrule": "location /remote.php/dav/ code 301"
                  }
              ]
          }
        }
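
Added example, not part of the thread and not the project's own code: a lint for a `frontendDefinitionTemplate` value that catches the failures discussed above before the annotation is applied (unparseable JSON, a section without an `item` list, an action naming an ACL the template does not define, and ACLs with no host criterion on a shared frontend). The function names, the host-scoping heuristic and the sample strings are assumptions constructed for illustration.

```python
import json

# Section names and the {"item": [...]} wrapper are taken from the templates in this thread.
SECTIONS = ("ha_acls", "a_actionitems")

# Constructed samples: the shape of the first (failing) attempt, and the working template.
BROKEN = '\'"ha_acls":{"item":[{"name":"url_discovery","expression":"custom",}]}\''
WORKING = """{
  "ha_acls": {"item": [{"name": "nextcloud-url-discovery", "expression": "custom",
                        "value": "path /.well-known/caldav /.well-known/carddav"}]},
  "a_actionitems": {"item": [{"action": "http-request_redirect",
                              "acl": "nextcloud-url-discovery",
                              "http-request_redirectrule": "location /remote.php/dav/ code 301"}]}
}"""


def is_host_scoped(value):
    # Assumption (heuristic): these HAProxy fetches indicate the ACL looks at the host.
    return "(host)" in value.lower() or value.startswith(("ssl_fc_sni", "base"))


def lint_template(annotation):
    """Return a list of problems found in a frontendDefinitionTemplate value."""
    try:
        tpl = json.loads(annotation)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno} column {exc.colno}"]
    if not isinstance(tpl, dict):
        return ["invalid template: top level must be a JSON object"]
    problems, items = [], {}
    for key in SECTIONS:
        # A missing section is treated as an empty item list, like the PHP guard above.
        section = tpl.get(key, {"item": []})
        if not isinstance(section, dict) or not isinstance(section.get("item"), list):
            problems.append(f'{key}: expected an object with an "item" list')
            section = {"item": []}
        items[key] = [i for i in section["item"] if isinstance(i, dict)]
    defined = {acl.get("name") for acl in items["ha_acls"]}
    for action in items["a_actionitems"]:
        for name in str(action.get("acl", "")).split():
            if name not in defined:
                problems.append(f"acl {name!r} is used by an action but not defined in this template")
    values = [str(acl.get("value", "")) for acl in items["ha_acls"]]
    if values and not any(is_host_scoped(v) for v in values):
        problems.append("no ACL matches on host: rules may also hit other ingresses on a shared frontend")
    return problems
```

`lint_template(WORKING)` returns only the host warning, which is the conflict risk raised earlier in the thread for path-only rules on a shared frontend.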

3 participants