mysterious os-haproxy critical error

Started by rnicholus, February 16, 2019, 06:40:15 AM

Without changing anything, and only after restarting haproxy, I'm now seeing the following error (it has been running fine for a week or two):

[ALERT] 045/233516 (61176) : parsing [/usr/local/etc/haproxy.conf:40] : 'bind {REDACTED_DOMAIN_NAME}:443' unknown keyword 'rspadd'. Registered keywords :
...

I am now unable to start haproxy, which is causing me some major grief. Any idea what this means? Google brings up nothing.

No idea why my question posted twice. But I looked into it due to the severity of the issue, and noticed something odd... OPNsense has mangled the haproxy.conf file. It does this on save/test.

For example, this is what opnsense writes to haproxy.conf for the frontend:

frontend cloud
    bind {DOMAIN_REDACTED_1}:443 name {DOMAIN_REDACTED_1}:443 ssl rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains crt-list /tmp/haproxy/ssl/{CERTLIST_PATH_REDACTED}
    bind {DOMAIN_REDACTED_2}:443 name {DOMAIN_REDACTED_2}:443 ssl rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains crt-list /tmp/haproxy/ssl/{CERTLIST_PATH_REDACTED}
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s


But that does not appear to be valid haproxy config. It's jamming the rspadd in the middle of the ssl directive. When I hand edited haproxy.conf to this, everything worked again:

frontend cloud
    bind {DOMAIN_REDACTED_1}:443 name {DOMAIN_REDACTED_1}:443 ssl crt-list /tmp/haproxy/ssl/{CERTLIST_PATH_REDACTED}
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
    bind {DOMAIN_REDACTED_2}:443 name {DOMAIN_REDACTED_2}:443 ssl crt-list /tmp/haproxy/ssl/{CERTLIST_PATH_REDACTED}
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s
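
An added example, not part of the original posts and not OPNsense or HAProxy code: a Python check that finds a section-level directive such as rspadd embedded in a generated bind line, as in the config quoted above, and lifts it onto its own line. The hostnames, the crt-list path and the SECTION_DIRECTIVES list are constructed assumptions; because rspadd applies to the whole frontend, the lifted directive is emitted once rather than once per bind.

```python
import re

# Section-level keywords that are not bind options, mapped to their argument
# count. Assumption: this list covers the thread's case; extend as needed.
SECTION_DIRECTIVES = {"rspadd": 1, "reqadd": 1}
# Split on whitespace not escaped by a backslash, so "\ " stays inside a token.
TOKEN_SPLIT = re.compile(r"(?<!\\)\s+")

# Constructed sample mirroring the generated frontend (placeholder names/path).
SAMPLE_CONFIG = r"""frontend cloud
    bind a.example.test:443 name a.example.test:443 ssl rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains crt-list /tmp/haproxy/ssl/EXAMPLE.crtlist
    bind b.example.test:443 name b.example.test:443 ssl rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains crt-list /tmp/haproxy/ssl/EXAMPLE.crtlist
    mode http
"""

def repair_bind_lines(config_text):
    """Return (fixed_text, findings); findings are (line_number, keyword)."""
    out, findings, pending, last_bind = [], [], [], None

    def flush():
        # Emit lifted directives once, right after the section's last bind line.
        nonlocal pending, last_bind
        if last_bind is not None:
            out[last_bind + 1:last_bind + 1] = pending
        pending, last_bind = [], None

    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if stripped and not line[0].isspace() and not stripped.startswith("#"):
            flush()  # an unindented line starts a new section
        tokens = TOKEN_SPLIT.split(stripped)
        if tokens[0] == "bind":
            indent = line[:len(line) - len(line.lstrip())]
            kept, i = [], 0
            while i < len(tokens):
                nargs = SECTION_DIRECTIVES.get(tokens[i])
                if nargs is not None and i >= 2:  # skip "bind" and the address
                    directive = indent + " ".join(tokens[i:i + 1 + nargs])
                    findings.append((lineno, tokens[i]))
                    if directive not in pending:
                        pending.append(directive)
                    i += 1 + nargs
                else:
                    kept.append(tokens[i])
                    i += 1
            line, last_bind = indent + " ".join(kept), len(out)
        out.append(line)
    flush()
    return "\n".join(out) + "\n", findings
```

Validate the repaired file with `haproxy -c -f <file>` before restarting the service, so a parse error shows up without taking the listener down.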

Hello? Is anyone maintaining this package?