document new sni logic/limitations

travisghansen · travisghansen · commit 9c61fb685539 · 2021-09-05T15:08:41.000-06:00
Signed-off-by: Travis Glenn Hansen &lt;travisghansen@yahoo.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+# v0.5.6
+
+Released 2021-09-04
+
+- support for sni based routing in `haproxy-ingress-proxy` when type is `https`
+- handle more stringent type checks by php 8
+
 # v0.5.5
 
 Released 2021-08-01
diff --git a/README.md b/README.md
@@ -105,6 +105,12 @@ To achieve this goal, new 'shared' HAProxy frontends are created and attached to
 created frontend should also set an existing backend.  Note that existing frontend(s)/backend(s) can be created manually
 or using the `haproxy-declarative` plugin.
 
+When creating the parent frontend(s) please note that the selected type should be `http / https(offloading` to fully
+support the feature. If type `ssl / https(TCP mode)` is selected (`SSL Offloading` may be selected or not in the
+`External address` table) `sni` is used for routing logic and **CANNOT** support path-based logic which implies a 1:1
+mapping between `host` entries and backing `service`s. Type `tcp` will not work and any `Ingress` resources that would
+be bound to a frontend of this type are ignored.
+
 Combined with `haproxy-declarative` you can create a dynamic backend service (ie: your ingress controller) and
 subsequently dynamic frontend services based off of cluster ingresses.  This is generally helpful when you cannot or do
 not for whatever reason create wildcard frontend(s) to handle incoming traffic in HAProxy on pfSense.
diff --git a/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php b/src/KubernetesPfSenseController/Plugin/HAProxyIngressProxy.php
@@ -198,7 +198,7 @@ public function doAction()
                     // move along
                     break;
                 default:
-                    $this->log("WARN ${sharedFrontendName} is not a supported type");
+                    $this->log("WARN haproxy frontend ${sharedFrontendName} has unsupported type: ".$sharedFrontend['type']);
                     continue 2;
             }
 
@@ -262,13 +262,13 @@ public function doAction()
                             $frontend['ha_acls']['item'][] = $acl;
                             break;
                         case "https":
-                            $this->log("WARN unexpected behavior may occur when using a shared frontend of type https, path-based routing will not work and ssl offloading must be enabled");
+                            $this->log("WARN unexpected behavior may occur when using a shared frontend of type https, path-based routing will not work");
                             $acl['value'] = "req_ssl_sni -i ${host}";
                             $frontend['ha_acls']['item'][] = $acl;
                             break;
                         default:
                             // should never get here based on checks above, but just in case
-                            $this->log("WARN unsupported shared frontend type: ".$sharedFrontend['type']);
+                            $this->log("WARN haproxy frontend ${sharedFrontendName} has unsupported type: ".$sharedFrontend['type']);
                             continue 3;
                             break;
                     }
