Without changing anything, and only after restarting haproxy, I'm now seeing the following error (it has been running fine for a week or two):
[ALERT] 045/233516 (61176) : parsing [/usr/local/etc/haproxy.conf:40] : 'bind {REDACTED_DOMAIN_NAME}:443' unknown keyword 'rspadd'. Registered keywords :
...
I am now unable to start haproxy, which is causing me some major grief. Any idea what this means? Google brings up nothing.
No idea why my question posted twice. But I looked into it due to the severity of the issue, and noticed something odd... OPNsense has mangled the haproxy.conf file. It does this on save/test.
For example, this is what OPNsense writes to haproxy.conf for the frontend:
frontend cloud
    bind {DOMAIN_REDACTED_1}:443 name {DOMAIN_REDACTED_1}:443 ssl rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains crt-list /tmp/haproxy/ssl/{CERTLIST_PATH_REDACTED}
    bind {DOMAIN_REDACTED_2}:443 name {DOMAIN_REDACTED_2}:443 ssl rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains crt-list /tmp/haproxy/ssl/{CERTLIST_PATH_REDACTED}
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s
But that does not appear to be valid haproxy config. It's jamming the rspadd in the middle of the ssl directive. When I hand edited haproxy.conf to this, everything worked again:
frontend cloud
    bind {DOMAIN_REDACTED_1}:443 name {DOMAIN_REDACTED_1}:443 ssl crt-list /tmp/haproxy/ssl/{CERTLIST_PATH_REDACTED}
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
    bind {DOMAIN_REDACTED_2}:443 name {DOMAIN_REDACTED_2}:443 ssl crt-list /tmp/haproxy/ssl/{CERTLIST_PATH_REDACTED}
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s
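A check for the pattern described in the post above, as an added example that is not part of the original thread or of the OPNsense plugin: it finds a section-level directive such as rspadd embedded in a bind line and moves it onto its own line, once per section. The directive list, the function names and the sample hostnames and crt-list path are assumptions made for this sketch.

```python
import re

# Keywords that are their own frontend/backend lines, never "bind" options.
# Assumed list for this sketch; rspadd is the one from the post.
SECTION_DIRECTIVES = {"rspadd", "reqadd"}
SECTION_STARTS = {"global", "defaults", "frontend", "backend", "listen"}

def tokenize(line):
    """Split on whitespace but keep backslash-escaped spaces inside a token."""
    return re.findall(r"(?:\\.|\S)+", line)

def split_bind(line):
    """Return (bind line without misplaced directives, [directive lines])."""
    tokens = tokenize(line)
    if not tokens or tokens[0] != "bind":
        return line, []
    kept, moved, i = [], [], 0
    while i < len(tokens):
        if tokens[i] in SECTION_DIRECTIVES and i + 1 < len(tokens):
            moved.append(f"{tokens[i]} {tokens[i + 1]}")  # keyword + its one argument
            i += 2
        else:
            kept.append(tokens[i])
            i += 1
    return (" ".join(kept), moved) if moved else (line, [])

def repair(config_text):
    """Return (repaired config, [(line number, directive)]) for a config string."""
    out, findings, seen = [], [], set()
    for n, raw in enumerate(config_text.splitlines(), 1):
        body = raw.strip()
        indent = raw[: len(raw) - len(raw.lstrip())]
        if body.split(" ")[0] in SECTION_STARTS:
            seen = set()  # directives are de-duplicated per section
        fixed, moved = split_bind(body)
        out.append(indent + fixed)
        for directive in moved:
            findings.append((n, directive))
            if directive not in seen:  # emit once, right after the first bind
                seen.add(directive)
                out.append(indent + directive)
    return "\n".join(out) + "\n", findings

# Constructed sample: hostnames and crt-list path are placeholders.
SAMPLE = r"""frontend cloud
    bind a.example.test:443 name a.example.test:443 ssl rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains crt-list /tmp/haproxy/ssl/example.crtlist
    bind b.example.test:443 name b.example.test:443 ssl rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains crt-list /tmp/haproxy/ssl/example.crtlist
    mode http
"""

if __name__ == "__main__":
    fixed, findings = repair(SAMPLE)
    for n, directive in findings:
        print(f"line {n}: '{directive.split()[0]}' found inside a bind line")
    print(fixed)
```

Running `haproxy -c -f` on the repaired file before restarting the service confirms that it parses.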
Hello? Is anyone maintaining this package?