HAProxy order of rules - Missing feature?

[Cangooroo7993]

Hello.

I want my OpnSense to have a single frontend doing the SSL offloading, and some domain-based rules that forward traffic to the appropriate backend, according the the domain name on the request.

However, I also want Let's encrypt challenges for all domains to pass through HAProxy and get directed to a single backend, so I have added a (path-based) rule for that too, amongst the domain rules.

Normally, I would expect this rule to be the first on the list of rules on the HAProxy config file for things to work, but it seems that it is placed last and the ACME challenge fails trying to hit the wrong web-server (at least, that's what I think makes it fail, since I see the traffic pass though the firewall just fine).

Looking at the UI, I don't see any way to give priority to rules on a frontend or priority to frontends (a.k.a. public services).

Am I missing something or this is a known lacking feature?

I have managed to do this in the past on a pfSense firewall.
I have the impression there was some way to set the order of some things there, but it might be just my impression.
However, listing the rules (marked with ACL in the config) in different order and putting the ACME rule first would have solved the problem, right?
I am asking because I am not an expert on HAProxy either...

Thanks.

Update:
On a second review, I should be probably using the term "condition" or "check" instead of "rule" here.
Hopefully, you understand what I am trying to say.

[cmdr.adama]

Could you please post your config so we can have a look?
So for Let's Encrypt you are doing the HTTP-01 challenge from a certain backend? Have a look at this as this might help you get what you're after https://serversforhackers.com/c/letsencrypt-with-haproxy... Alternatively are all of these domains managed by the one account? Would it potentially not be better to do a DNS-01 challenge and then you don't need to worry about trying to pass the challenge through HAPROXY

[Cangooroo7993]

Here is the config (I did some renames to it):

https://mega.nz/file/JF1gBYwI#cbi9rhNeA0Te1I2e4ph3RYo9RHxKwlqVDOHxCf_Au2g

So for Let's Encrypt you are doing the HTTP-01 challenge from a certain backend?

Yes, the backend generated by the Let's Encrypt plugin.

Alternatively are all of these domains managed by the one account?

Yes, all domains are managed by one account.

Would it potentially not be better to do a DNS-01 challenge and then you don't need to worry about trying to pass the challenge through HAPROXY

I can look into that, but I have never used DNS-01 before, and I don't know if I will have other issues.
Most likely I will have problems with it, since most of my domains are on free dynamic DNS and I am limited on my options.

However, shouldn't the ACL order matter?
I was expecting to be able to sort the HAProxy checks somehow, from the OpnSense GUI.
Notice that in my attached file the ACME ACL is last, while it needs to be first.

[Cangooroo7993]

Just took a look at my old pfSense box.
There, I used a primary and some shared frontends, sorted accordingly.
The primary does the SSL offloading and the ACME, and the shared are for each different backend/site.
See attachment.

It seems that none of that is supported on OpnSense (prinamy/shared frontends or sorted frontends). 

[cmdr.adama]

So firstly, obfuscating ports really doesn't help... IP's and domains but ports make it hard to assist in diagnosing the problem.

In regards to the order of rules... You don't need anything fancy and it will currently work in HAProxy on Opnsense... Just drag what you want first to the front of the list. Examples attached.

ACL order should matter because at the moment with your config it'll always hit the third rule and stop there.

I personally prefer to have everything separated... HTTP to HTTPS Upgrades in a separate frontend, HTTPS Offloading on another, but I also use Let's Encrypt with DNS-01 so I don't have to worry about LE needing to traverse HAProxy.

Also I don't know much about PFSense and how the Primary and Shared front ends work but I've always tried to keep it that each front end has one job to do.

[Cangooroo7993]

Sorry for the obfuscation.
But don't worry, you did help, a lot.

I remember trying to reorder the rules with drag and drop but I think the weird effects that I saw (there is an offset between your mouse and the dragged item) made me think it doesn't work.
I also remember removing all the rules and re-adding them in the correct order, but when I reopened the modal they were back to the previous order. I cannot reproduce this today, which is weird.

So, I have managed to make it work eventually!
I reordered the rules to put ACME first and did what you say with the frontends, almost.
I have a frontend for the ACME and the upgrade of HTTP to HTTPS, and another frontend for the site.

It seems to work great!
Thanks a lot.

[nzkiwi68]

I've just run into this problem too.
I know this is an old thread, but, it's the exact issue I am having too.

I have HAPROXY running under opnSense 21.1.5 and I want to have 2 rules;

• match "domain.com" and redirect everything to "newdomain.com" with found 302 redirect
• match "domain.com" and very specific URL "/.well-known/pki-validation/xxxxxxx" and send a custom error message

But!

I cannot order the rules processing in the "Public Service" rules section, nor can I order the rules in the "Rules & Checks" area.

In my case the redirect everything rule is always winning.

pfSense in the frontend allows the rules to be ordered in a top down fashion so what I'm try to do is easily possible.

I believe we are missing the ability to order the rules in the "Public Service" rules section so that we can support more complex HAPROXY solutions.

[nzkiwi68]

ok!

I solved it.

I needed to make a number of changes to HAPROXY, the issue is
[WARNING] 124/175941 (94817) : parsing [/usr/local/etc/haproxy.conf.staging:144] : a 'http-request' rule placed after a 'use_backend' rule will still be processed before.

Essentially, the http-request redirect was always operating before. As soon as I changed everything around and stopped using the http-request redirect by sending domain.com to the internal IIS web server and doing the actual http-request redirect on the IIS web server, and not in HAPROXY, it now all works!

I get it, http-request overrides the rule order and always goes first.

This works:

• match "domain.com" and very specific URL "/.well-known/pki-validation/xxxxxxx" and send a custom error message
• match "domain.com" and send to backend IIS web server "internal_IIS"