HAProxy models reject pfSense-pkg-haproxy-devel in REQUIRED_PACKAGES check #877

@homelab-code-development

Summary

All HAProxy model and dispatcher classes declare $this->packages = ['pfSense-pkg-haproxy'] (or $required_packages for the dispatcher), but most users on pfSense CE run the pfSense-pkg-haproxy-devel variant — the stable pfSense-pkg-haproxy hasn't received maintenance attention in years. As a result, every HAProxy write endpoint returns HTTP 404 MODEL_MISSING_REQUIRED_PACKAGE even when the devel package is fully functional.

Read endpoints work (no package gate) so users see inconsistent behaviour: GET /api/v2/services/haproxy/backends returns live data, but POST /api/v2/services/haproxy/backend returns 404 saying the package isn't installed.

Version tested

  • pfSense CE 25.11.1-RELEASE
  • pfSense-pkg-RESTAPI v2.7.6
  • pfSense-pkg-haproxy-devel 0.66.2 (installed)
  • pfSense-pkg-haproxy (NOT installed — conflicts with devel)

Repro

# Confirm devel is installed, stable is not
php -r 'require_once("/etc/inc/pkg-utils.inc"); printf("haproxy=%s  haproxy-devel=%s\n", var_export(is_pkg_installed("pfSense-pkg-haproxy"),true), var_export(is_pkg_installed("pfSense-pkg-haproxy-devel"),true));'
# output: haproxy=false  haproxy-devel=true

# Any HAProxy write: 404
curl -skX POST -H "X-API-Key: ..." -H "Content-Type: application/json" \
  "https://pfsense.example/api/v2/services/haproxy/backend" \
  -d '{"name":"test","balance":"roundrobin"}'

# Response:
# {"code":404,"status":"not found","response_id":"MODEL_MISSING_REQUIRED_PACKAGE",
#  "message":"The requested action requires the 'pfSense-pkg-haproxy' package but it is not installed.","data":[]}

Affected files (v2.7.6)

16 Model files + 1 Dispatcher, each with one occurrence:

Models/HAProxyApply.inc:20
Models/HAProxyBackend.inc:83
Models/HAProxyBackendACL.inc:26
Models/HAProxyBackendAction.inc:33
Models/HAProxyBackendErrorFile.inc:21
Models/HAProxyBackendServer.inc:32
Models/HAProxyDNSResolver.inc:23
Models/HAProxyEmailMailer.inc:23
Models/HAProxyFile.inc:22
Models/HAProxyFrontend.inc:43
Models/HAProxyFrontendACL.inc:26
Models/HAProxyFrontendAction.inc:33
Models/HAProxyFrontendAddress.inc:25
Models/HAProxyFrontendCertificate.inc:20
Models/HAProxyFrontendErrorFile.inc:21
Models/HAProxySettings.inc:53
Dispatchers/HAProxyApplyDispatcher.inc:13

All carry the same ['pfSense-pkg-haproxy'] literal.

Proposed fix

Two options — prior attempt was #732 which got self-closed after no review. Both are viable:

Option A — "any-of" semantics on the packages array (cleaner)

Extend the Model.inc check logic (lines ~1707-1715) to accept nested arrays meaning "any of these":

// Accept either string (single required) or array (any-of).
$this->packages = [['pfSense-pkg-haproxy', 'pfSense-pkg-haproxy-devel']];

Then the check becomes: for each entry, if string → must be installed; if array → at least one must be installed. Minimal behavioural change for existing single-package declarations; new capability for OR semantics.

Option B — additive string entries with OR wording

Leave the check as pure AND but change HAProxy package names to use the devel variant (what everyone actually runs):

$this->packages = ['pfSense-pkg-haproxy-devel'];

Simpler patch (17-line sed) but locks users of the legacy stable package out. Only defensible if the stable pfSense-pkg-haproxy is truly abandoned.

Local workaround

For users blocked today, this sed works against v2.7.6:

cd /usr/local/pkg/RESTAPI && \
  tar -czf ~/haproxy-model-backup-$(date +%s).tgz Models/HAProxy*.inc Dispatchers/HAProxyApplyDispatcher.inc && \
  find Models Dispatchers -name "HAProxy*.inc" \
    -exec sed -i '' "s/'pfSense-pkg-haproxy'/'pfSense-pkg-haproxy-devel'/g" {} \;

Backup tarball in ~ for rollback via tar -xzf. Non-persistent across pfSense-pkg-RESTAPI package upgrades, so operators need to re-apply after pfsense-restapi update.

Related

Impact

Every homelab or production pfSense user who runs pfSense-pkg-haproxy-devel (which, anecdotally, is the majority) cannot use pfSense-pkg-RESTAPI for HAProxy writes without patching. This effectively locks an entire service family out of REST automation.

Happy to open a fresh PR implementing Option A with tests if there's maintainer interest.
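
The "any-of" check described under Option A, sketched as an added example that is not part of the original issue and is not the RESTAPI package's own code. The function name `unmet_package_requirements`, the injected `$is_installed` callable and the sample package state are assumptions made for illustration; malformed declarations are treated as unmet so the package gate fails closed.

```php
<?php
declare(strict_types=1);

/**
 * Return the unmet requirements; an empty result means the gate passes.
 * String entry: that package must be installed (AND across entries).
 * Array entry: at least one member must be installed (any-of).
 * Hypothetical helper for illustration, not the RESTAPI package's code.
 */
function unmet_package_requirements(array $packages, callable $is_installed): array
{
    $unmet = [];
    foreach ($packages as $entry) {
        // Normalise both forms to an any-of group; a string is a group of one.
        $group = is_array($entry) ? array_values($entry) : [$entry];

        // Fail closed: an empty group or a non-string member never passes.
        $well_formed = $group !== [];
        $satisfied = false;
        foreach ($group as $name) {
            if (!is_string($name) || $name === '') {
                $well_formed = false;
                break;
            }
            $satisfied = $satisfied || $is_installed($name);
        }

        if (!$well_formed) {
            $unmet[] = 'malformed entry ' . json_encode($entry);
        } elseif (!$satisfied) {
            $unmet[] = implode(' or ', $group);
        }
    }
    return $unmet;
}

// Constructed package state matching the issue: devel installed, stable not.
$installed = ['pfSense-pkg-haproxy-devel' => true];
$check = fn(string $pkg): bool => $installed[$pkg] ?? false;

$cases = [
    'current declaration' => ['pfSense-pkg-haproxy'],
    'Option A any-of'     => [['pfSense-pkg-haproxy', 'pfSense-pkg-haproxy-devel']],
    'empty any-of group'  => [[]],
];
foreach ($cases as $label => $packages) {
    $unmet = unmet_package_requirements($packages, $check);
    printf("%-20s %s\n", $label, $unmet ? 'blocked: ' . implode('; ', $unmet) : 'allowed');
}
```

On a pfSense host the callable could be `is_pkg_installed` from /etc/inc/pkg-utils.inc, the same function the repro above calls.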
