haproxy stops working 17.7.12

[Julien]

Dear all,
we had the haproxy for multiple http/https. however after we update the box to 17.7.12 we have noticed the https web servers are not working over the internet.
i have checked the value and everything is still there but the interface is a bit different as before.
somehow we can't get the haproxy started.
when i try to start it using the command line
version of haproxy is 2.2
`

Code: [Select]

``
root@firewall:~ # service haproxy restart
haproxy not running? (check /var/run/haproxy.pid).
[ALERT] 026/234026 (48491) : parsing [/usr/local/etc/haproxy.conf:59] : 'tcp-request content accept' : error detected in frontend '443' while parsing 'if' condition : no such ACL : '{req_ssl_hello_type'
[ALERT] 026/234026 (48491) : parsing [/usr/local/etc/haproxy.conf:62] : unknown keyword 'tcp_request' in 'frontend' section
[ALERT] 026/234026 (48491) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf
[ALERT] 026/234026 (48491) : Fatal errors found in configuration.
/usr/local/etc/rc.d/haproxy: WARNING: failed precmd routine for haproxy
root@firewall:~ #


Code: [Select]

HAProxy config contains critical errors
[ALERT] 027/000844 (7147) : parsing [/usr/local/etc/haproxy.conf:59] : 'tcp-request content accept' : error detected in frontend '443' while parsing 'if' condition : no such ACL : '{req_ssl_hello_type'
[ALERT] 027/000844 (7147) : parsing [/usr/local/etc/haproxy.conf:62] : unknown keyword 'tcp_request' in 'frontend' section
[ALERT] 027/000844 (7147) : Error(s) found in configuration file : /usr/local/etc/haproxy.conf
[ALERT] 027/000844 (7147) : Fatal errors found in configuration.



[fabian]

I made a ticket for that and assigned it to the maintainer:
https://github.com/opnsense/plugins/issues/526

[Julien]

I made a ticket for that and assigned it to the maintainer:
https://github.com/opnsense/plugins/issues/526

Thank you Fabian,
i managed to fix this issue now.
the syntax were changed after the update.
i am using a manul rules, before the updates the option pass-though was "tcp-request inspect-delay 5s" after the updates its changes ti "tcp_request inspect-delay 5s".
the _ broke the haproxy to start.

also the second syntax was " tcp-request content accept if { req_ssl_hello_type 1 }" after the update become " tcp_request content accept if {req_ssl_hello_type 1 }

[fraenki]

the syntax were changed after the update.
i am using a manul rules, before the updates the option pass-though was "tcp-request inspect-delay 5s" after the updates its changes ti "tcp_request inspect-delay 5s".
the _ broke the haproxy to start.

I'm pretty sure this was not caused by the (OPNsense/HAProxy) update. There is no code in the plugin that would change custom rules.


Regards
- Frank

[Julien]

the syntax were changed after the update.
i am using a manul rules, before the updates the option pass-though was "tcp-request inspect-delay 5s" after the updates its changes ti "tcp_request inspect-delay 5s".
the _ broke the haproxy to start.

I'm pretty sure this was not caused by the (OPNsense/HAProxy) update. There is no code in the plugin that would change custom rules.


Regards
- Frank

Hi Fraenki thank you for the answer,
maybe the update won't affect haproxy if there is not syntax on the option pass-through ?
tomorrow i will update one box i have which is not using a syntax and report back.

[fraenki]

tomorrow i will update one box i have which is not using a syntax and report back.

It would be good if you take a backup of your config.xml before attempting the update. This way we will be able to compare it after the update was successful. If there is any update/migration issue, this would reveal it.


Regards
- Frank