
HAProxy - Add more Tuning Option in Public Service #1188

Closed
oasisck opened this issue Feb 13, 2019 · 6 comments

oasisck commented Feb 13, 2019

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:

[x] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md

[x] I have searched the existing issues and I'm convinced that mine is new.

Is your feature request related to a problem? Please describe.
Not able to reverse proxy in mode TCP using SNI with the GUI without those parameters:

tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }

Describe the solution you'd like
Add more Tuning Options in Public Services, or a box for adding multiple lines just after mode tcp.

Describe alternatives you've considered
Add those lines manually in /usr/local/etc/haproxy.conf:

frontend https
    bind *:443 name *:443
    mode tcp
    # tuning options
    timeout client 30s
    --> tcp-request inspect-delay 5s <--
    --> tcp-request content accept if { req_ssl_hello_type 1 } <--
    [...]

Additional context
https://forum.opnsense.org/index.php?topic=11362.msg52592#msg52592
Thanks for your amazing work

@fichtner fichtner transferred this issue from opnsense/core Feb 13, 2019
@fraenki fraenki added the feature Adding new functionality label Feb 13, 2019
MolallaComm commented

I'm commenting on this issue because I ran into a similar issue configuring haproxy in opnsense for Airsonic as described here:

https://airsonic.github.io/docs/proxy/haproxy/

Oddly, I was able to add the:

http-request set-header X-Forwarded-Host %[req.hdr(Host)]
http-request set-header X-Forwarded-Proto https

to the front end fine using the Advanced mode "option pass thru" text box on the public service, so I'm not sure why that doesn't work for the OP as his/hers would be similar I think (I am running the latest 19.1, so maybe it didn't exist prior). However, where I ran into problems was in trying to add the:

http-response replace-value Location ^http://(.*)$ https://\1

to the real servers backend config - if you use the advanced pass thru option on that dialog, it appends whatever you type to the end of the server line rather than putting it on its own line(s). I have manually edited the conf file for now, but since it is generated, a fix for the GUI would be nice eventually.

Kudos to you all for the work you have done though. Even with this minor issue, the haproxy/letsencrypt setup in opnsense is top notch and allows me to run a bunch of different VMs at my house behind a single ip all with valid certificates - no muss - no fuss.


fraenki commented Feb 26, 2019

@oasisck
I don't speak French, so I'm not 100% sure that I understand the forum post. :) That being said, I'm pretty sure you can achieve this already by using rules and conditions in the HAProxy plugin:

First, add a condition to check if communication is SSL/TLS:


Add a rule to accept the TCP connection if the SSL/TLS condition matches:


Afterwards add this rule to your Public Service (frontend) and apply the configuration change.

Only the "inspect-delay" is missing. I'm not sure if it's absolutely required for this use-case. I'll add support for it to the GUI soon, it will then be available in rules.


@MolallaComm
I'd suggest also having a look at rules and conditions in the HAProxy plugin GUI. To add headers unconditionally, just add one or more rules:


Add another rule to add the X-Forwarded-Proto header. Afterwards add both rules to your Public Service (frontend) and apply the configuration changes.


I strongly recommend removing everything from all "advanced pass thru" options, because this might break your installation in future releases (i.e. when we upgrade HAProxy to a new major release, we cannot guarantee that these options are still compatible).


fraenki commented Feb 26, 2019

Only the "inspect-delay" is missing. I'm not sure if it's absolutely required for this use-case. I'll add support for it to the GUI soon, it will then be available in rules.

In the upcoming release os-haproxy 2.15 it will be possible to add rules with TCP inspection delays:


@fraenki fraenki closed this as completed Feb 26, 2019

oasisck commented Mar 1, 2019

Hi @fraenki, thanks for your support and the update.
Sadly it's not working. And yes, both tcp-request lines are required.
This is the conf of my frontend https generated by the GUI:

# Frontend: https ()
frontend https
    bind *:443 name *:443
    mode tcp
    # tuning options
    maxconn 100
    timeout client 30s

    # logging options
    option tcplog
    # ACL: cond-HTTPS-check-SSL
    acl acl_5c7794c96913e7.86371237 req.ssl_ver gt 0
    # ACL: cond-HTTPS-WEB1
    acl acl_5c63419cd140a8.74128944 req.ssl_sni -i WEB1
    # ACL: cond-HTTPS-WEB2
    acl acl_5c6341a8755db8.76123983 req.ssl_sni -i WEB2
    # ACL: cond-HTTPS-WEB3
    acl acl_5c634184b69f94.68079095 req.ssl_sni -i WEB3

    # ACTION: rule-HTTPS-tcp-request-accept
    tcp-request connection accept if acl_5c7794c96913e7.86371237
    # ACTION: rule-HTTPS-tcp-request-inspect-delay
    tcp-request inspect-delay 5s if acl_5c7794c96913e7.86371237

    # ACTION: rule-HTTPS-SRV1
    use_backend pool.https.SRV1 if acl_5c63419cd140a8.74128944 || acl_5c6341a8755db8.76123983
    # ACTION: rule-HTTPS-SRV2
    use_backend pool.https.SRV2 if acl_5c634184b69f94.68079095

By the way, I got a warning with your rule about tcp request accept ssl.

And about the rule inspect-delay (maybe I'm wrong with my cond/rule): the webpage is very slow to load compared to directly putting in the option like tcp request content accept if { req_ssl_hello_type 1 }.

Maybe I'm missing something?


fraenki commented Mar 3, 2019

@oasisck There was a mistake in my example...

    # ACL: cond-HTTPS-check-SSL
    acl acl_5c7794c96913e7.86371237 req.ssl_ver gt 0

    # ACTION: rule-HTTPS-tcp-request-accept
    tcp-request connection accept if acl_5c7794c96913e7.86371237

Indeed, "tcp-request connection accept" is invalid, because it cannot be used for content inspection.
You have to choose "tcp-request content accept" instead. Your original post contained the correct option already :)

Sorry for the confusion, I've updated the screenshots accordingly.

FWIW, the HAProxy documentation contains a nice section which explains the difference between those two options:
http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#tcp-request%20content
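A complete TCP-mode frontend that applies the correction above, as an added example rather than the plugin's generated config. Host names, backend names and the 192.0.2.x server addresses are placeholders; the comments record why each directive is needed.

```haproxy
# Added example, not config generated by the os-haproxy plugin.
# Broken variant from the first screenshots:
#     tcp-request connection accept if acl_ssl
# "tcp-request connection" rules run the moment the TCP connection is
# accepted, before any bytes of payload exist, so a condition on the
# TLS ClientHello can never match there. Content inspection needs
# "tcp-request content".

frontend https
    bind *:443 name *:443
    mode tcp
    option tcplog
    timeout client 30s

    # Hold the connection for up to 5s until enough bytes arrive to parse
    # the ClientHello. Without this, req.ssl_sni is evaluated on an empty
    # buffer, no use_backend rule matches, and every connection falls
    # through to default_backend. The directive takes only a timeout; it
    # has no "if" clause.
    tcp-request inspect-delay 5s

    # Stop waiting as soon as a ClientHello (handshake type 1) is seen.
    # Non-TLS clients wait the full 5s and then continue to the rules
    # below; add "tcp-request content reject" as a final rule if they
    # should be dropped at the edge instead.
    acl is_client_hello req.ssl_hello_type 1
    tcp-request content accept if is_client_hello

    # Route on SNI (case-insensitive match on the requested host name).
    # TLS is not terminated here; the backend servers hold the certificates.
    acl sni_web1 req.ssl_sni -i web1.example.com
    acl sni_web2 req.ssl_sni -i web2.example.com
    use_backend pool_https_web1 if sni_web1
    use_backend pool_https_web2 if sni_web2
    default_backend pool_https_fallback

backend pool_https_web1
    mode tcp
    server web1 192.0.2.10:443 check

backend pool_https_web2
    mode tcp
    server web2 192.0.2.11:443 check

backend pool_https_fallback
    mode tcp
    server fallback 192.0.2.12:443 check
```

Run `haproxy -c -f <file>` before reloading to catch the "connection"/"content" mix-up and similar rule errors at config-check time rather than in production.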


oasisck commented Mar 3, 2019

@fraenki it works 👍
