fix(haproxy): Process specific vhosts before wildcard vhosts

HAProxy evaluates ACL rules in order - first match wins. Wildcard suffix rules (*.gk2.secubox.in) were catching all subdomains before specific vhost rules could match. Fix: Split vhost ACL generation into two passes: 1. First: exact and regex matches (specific domains) 2. Second: suffix matches (wildcards) This ensures wanted.gk2.secubox.in matches before *.gk2.secubox.in Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-12 10:26:06 +01:00 · 2026-02-12 10:26:06 +01:00 · 1d084b1439
commit 1d084b1439
parent e364595b16
1 changed files with 19 additions and 5 deletions
--- a/package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl
+++ b/package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl
@ -580,8 +580,9 @@ EOF
 	config_foreach _collect_path_acl acl
 	_emit_sorted_path_acls

-	# Add vhost ACLs for HTTP
-	config_foreach _add_vhost_acl vhost "http"
+	# Add vhost ACLs for HTTP (specific domains first, then wildcards)
+	config_foreach _add_vhost_acl vhost "http" "exact"
+	config_foreach _add_vhost_acl vhost "http" "suffix"

 	echo "    default_backend $default_backend"
 	echo ""
@ -617,8 +618,9 @@ EOF
 		config_foreach _collect_path_acl acl
 		_emit_sorted_path_acls

-		# Add vhost ACLs for HTTPS
-		config_foreach _add_vhost_acl vhost "https"
+		# Add vhost ACLs for HTTPS (specific domains first, then wildcards)
+		config_foreach _add_vhost_acl vhost "https" "exact"
+		config_foreach _add_vhost_acl vhost "https" "suffix"

 		echo "    default_backend $default_backend"
 		echo ""
@ -731,6 +733,7 @@ _emit_sorted_path_acls() {
 _add_vhost_acl() {
 	local section="$1"
 	local proto="$2"
+	local filter="${3:-all}"  # Filter: exact, suffix, regex, or all
 	local enabled domain backend ssl match_type

 	config_get enabled "$section" enabled "0"
@ -739,6 +742,17 @@ _add_vhost_acl() {
 	config_get domain "$section" domain
 	config_get backend "$section" backend
 	config_get match_type "$section" match_type "exact"
+
+	# Filter by match_type if specified (to process specific vhosts before wildcards)
+	if [ "$filter" != "all" ]; then
+		# For "exact" filter, also include regex (both are specific, not wildcard)
+		if [ "$filter" = "exact" ]; then
+			[ "$match_type" = "suffix" ] && return
+		elif [ "$filter" = "suffix" ]; then
+			[ "$match_type" != "suffix" ] && return
+		fi
+	fi
+
 	# Validate backend is not IP:port (common misconfiguration)
 	case "$backend" in
 		*:*) log_warn "Vhost $section has IP:port backend , should be backend name"; return ;;
@ -752,7 +766,7 @@ _add_vhost_acl() {
 	[ "$proto" = "http" ] && [ "$ssl" = "1" ] && return

 	local acl_name=$(echo "$domain" | tr "." "_" | tr "-" "_" | tr "*" "wildcard")
-	
+
 	# Handle different match types
 	case "$match_type" in
 		suffix)