gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(haproxy): Process specific vhosts before wildcard vhosts

Browse Source 
HAProxy evaluates ACL rules in order - first match wins. Wildcard
suffix rules (*.gk2.secubox.in) were catching all subdomains before
specific vhost rules could match.

Fix: Split vhost ACL generation into two passes:
1. First: exact and regex matches (specific domains)
2. Second: suffix matches (wildcards)

This ensures wanted.gk2.secubox.in matches before *.gk2.secubox.in

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
CyberMind-FR 2026-02-12 10:26:06 +01:00
parent e364595b16
commit 1d084b1439
1 changed files with 19 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
package/secubox/secubox-app-haproxy/files/usr/sbin/haproxyctl
View File

@ -580,8 +580,9 @@ EOF
config_foreach _collect_path_acl acl config_foreach _collect_path_acl acl
_emit_sorted_path_acls _emit_sorted_path_acls
# Add vhost ACLs for HTTP # Add vhost ACLs for HTTP (specific domains first, then wildcards)
config_foreach _add_vhost_acl vhost "http" config_foreach _add_vhost_acl vhost "http" "exact"
config_foreach _add_vhost_acl vhost "http" "suffix"
echo " default_backend $default_backend" echo " default_backend $default_backend"
echo "" echo ""
@ -617,8 +618,9 @@ EOF
config_foreach _collect_path_acl acl config_foreach _collect_path_acl acl
_emit_sorted_path_acls _emit_sorted_path_acls
# Add vhost ACLs for HTTPS # Add vhost ACLs for HTTPS (specific domains first, then wildcards)
config_foreach _add_vhost_acl vhost "https" config_foreach _add_vhost_acl vhost "https" "exact"
config_foreach _add_vhost_acl vhost "https" "suffix"
echo " default_backend $default_backend" echo " default_backend $default_backend"
echo "" echo ""
@ -731,6 +733,7 @@ _emit_sorted_path_acls() {
_add_vhost_acl() { _add_vhost_acl() {
local section="$1" local section="$1"
local proto="$2" local proto="$2"
local filter="${3:-all}" # Filter: exact, suffix, regex, or all
local enabled domain backend ssl match_type local enabled domain backend ssl match_type
config_get enabled "$section" enabled "0" config_get enabled "$section" enabled "0"
@ -739,6 +742,17 @@ _add_vhost_acl() {
config_get domain "$section" domain config_get domain "$section" domain
config_get backend "$section" backend config_get backend "$section" backend
config_get match_type "$section" match_type "exact" config_get match_type "$section" match_type "exact"
# Filter by match_type if specified (to process specific vhosts before wildcards)
if [ "$filter" != "all" ]; then
# For "exact" filter, also include regex (both are specific, not wildcard)
if [ "$filter" = "exact" ]; then
[ "$match_type" = "suffix" ] && return
elif [ "$filter" = "suffix" ]; then
[ "$match_type" != "suffix" ] && return
fi
fi
# Validate backend is not IP:port (common misconfiguration) # Validate backend is not IP:port (common misconfiguration)
case "$backend" in case "$backend" in
*:*) log_warn "Vhost $section has IP:port backend , should be backend name"; return ;; *:*) log_warn "Vhost $section has IP:port backend , should be backend name"; return ;;
@ -752,7 +766,7 @@ _add_vhost_acl() {
[ "$proto" = "http" ] && [ "$ssl" = "1" ] && return [ "$proto" = "http" ] && [ "$ssl" = "1" ] && return
local acl_name=$(echo "$domain" | tr "." "_" | tr "-" "_" | tr "*" "wildcard") local acl_name=$(echo "$domain" | tr "." "_" | tr "-" "_" | tr "*" "wildcard")
# Handle different match types # Handle different match types
case "$match_type" in case "$match_type" in
suffix) suffix)