From e201bd35511e1a000ffa21a4194d234634cfd76c Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Fri, 19 May 2023 09:57:11 +0000
Subject: T5222: Refactoring load-balancing reverse-proxy

Improve and refactoring "load-balancing reverse-proxy"

 - replace 'reverse-proxy server <tag>'
        => 'reverse-proxy service <tag>'

 - replace 'reverse-proxy global-parameters tls <xxx>'
        => 'reverse-proxy global-parameters tls-version-min xxx'
        => 'reverse-proxy global-parameters ssl-bind-ciphers xxx'

 - replace 'reverse-proxy service https rule <tag> set server 'xxx'
        => 'reverse-proxy service https rule <tag> set backend 'xxx'

  'service https rule <tag> domain-name xxx' set as multinode
---
 .../include/haproxy/rule-backend.xml.i             | 131 +++++++++++++++++++
 .../include/haproxy/rule-frontend.xml.i            | 131 +++++++++++++++++++
 interface-definitions/include/haproxy/rule.xml.i   | 130 -------------------
 .../load-balancing-haproxy.xml.in                  | 141 ++++++++++-----------
 4 files changed, 329 insertions(+), 204 deletions(-)
 create mode 100644 interface-definitions/include/haproxy/rule-backend.xml.i
 create mode 100644 interface-definitions/include/haproxy/rule-frontend.xml.i
 delete mode 100644 interface-definitions/include/haproxy/rule.xml.i

(limited to 'interface-definitions')

diff --git a/interface-definitions/include/haproxy/rule-backend.xml.i b/interface-definitions/include/haproxy/rule-backend.xml.i
new file mode 100644
index 000000000..a6832d693
--- /dev/null
+++ b/interface-definitions/include/haproxy/rule-backend.xml.i
@@ -0,0 +1,131 @@
+<!-- include start from haproxy/rule.xml.i -->
+<tagNode name="rule">
+  <properties>
+    <help>Proxy rule number</help>
+    <valueHelp>
+      <format>u32:1-10000</format>
+      <description>Number for this proxy rule</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-10000"/>
+    </constraint>
+    <constraintErrorMessage>Proxy rule number must be between 1 and 10000</constraintErrorMessage>
+  </properties>
+  <children>
+    <leafNode name="domain-name">
+      <properties>
+        <help>Domain name to match</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Domain address to match</description>
+        </valueHelp>
+        <constraint>
+          <validator name="fqdn"/>
+        </constraint>
+        <multi/>
+      </properties>
+    </leafNode>
+    <node name="set">
+      <properties>
+        <help>Proxy modifications</help>
+      </properties>
+      <children>
+        <leafNode name="redirect-location">
+          <properties>
+            <help>Set URL location</help>
+            <valueHelp>
+              <format>url</format>
+              <description>Set URL location</description>
+            </valueHelp>
+            <constraint>
+              <regex>^\/[\w\-.\/]+$</regex>
+            </constraint>
+            <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
+          </properties>
+        </leafNode>
+        <leafNode name="server">
+          <properties>
+            <help>Server name</help>
+            <constraint>
+              <regex>[-_a-zA-Z0-9]+</regex>
+            </constraint>
+            <constraintErrorMessage>Server name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+    <leafNode name="ssl">
+      <properties>
+        <help>SSL match options</help>
+        <completionHelp>
+          <list>req-ssl-sni ssl-fc-sni</list>
+        </completionHelp>
+        <valueHelp>
+          <format>req-ssl-sni</format>
+          <description>SSL Server Name Indication (SNI) request match</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ssl-fc-sni</format>
+          <description>SSL frontend connection Server Name Indication match</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ssl-fc-sni-end</format>
+          <description>SSL frontend match end of connection Server Name Indication</description>
+        </valueHelp>
+        <constraint>
+          <regex>(req-ssl-sni|ssl-fc-sni|ssl-fc-sni-end)</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+    <node name="url-path">
+      <properties>
+        <help>URL path match</help>
+      </properties>
+      <children>
+        <leafNode name="begin">
+          <properties>
+            <help>Begin URL match</help>
+            <valueHelp>
+              <format>url</format>
+              <description>Begin URL</description>
+            </valueHelp>
+            <constraint>
+              <regex>^\/[\w\-.\/]+$</regex>
+            </constraint>
+            <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
+            <multi/>
+          </properties>
+        </leafNode>
+        <leafNode name="end">
+          <properties>
+            <help>End URL match</help>
+            <valueHelp>
+              <format>url</format>
+              <description>End URL</description>
+            </valueHelp>
+            <constraint>
+              <regex>^\/[\w\-.\/]+$</regex>
+            </constraint>
+            <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
+            <multi/>
+          </properties>
+        </leafNode>
+        <leafNode name="exact">
+          <properties>
+            <help>Exactly URL match</help>
+            <valueHelp>
+              <format>url</format>
+              <description>Exactly URL</description>
+            </valueHelp>
+            <constraint>
+              <regex>^\/[\w\-.\/]+$</regex>
+            </constraint>
+            <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
+            <multi/>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+  </children>
+</tagNode>
+<!-- include end -->
diff --git a/interface-definitions/include/haproxy/rule-frontend.xml.i b/interface-definitions/include/haproxy/rule-frontend.xml.i
new file mode 100644
index 000000000..001ae2d80
--- /dev/null
+++ b/interface-definitions/include/haproxy/rule-frontend.xml.i
@@ -0,0 +1,131 @@
+<!-- include start from haproxy/rule.xml.i -->
+<tagNode name="rule">
+  <properties>
+    <help>Proxy rule number</help>
+    <valueHelp>
+      <format>u32:1-10000</format>
+      <description>Number for this proxy rule</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-10000"/>
+    </constraint>
+    <constraintErrorMessage>Proxy rule number must be between 1 and 10000</constraintErrorMessage>
+  </properties>
+  <children>
+    <leafNode name="domain-name">
+      <properties>
+        <help>Domain name to match</help>
+        <valueHelp>
+          <format>txt</format>
+          <description>Domain address to match</description>
+        </valueHelp>
+        <constraint>
+          <validator name="fqdn"/>
+        </constraint>
+        <multi/>
+      </properties>
+    </leafNode>
+    <node name="set">
+      <properties>
+        <help>Proxy modifications</help>
+      </properties>
+      <children>
+        <leafNode name="redirect-location">
+          <properties>
+            <help>Set URL location</help>
+            <valueHelp>
+              <format>url</format>
+              <description>Set URL location</description>
+            </valueHelp>
+            <constraint>
+              <regex>^\/[\w\-.\/]+$</regex>
+            </constraint>
+            <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
+          </properties>
+        </leafNode>
+        <leafNode name="backend">
+          <properties>
+            <help>Backend name</help>
+            <constraint>
+              <regex>[-_a-zA-Z0-9]+</regex>
+            </constraint>
+            <constraintErrorMessage>Server name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+    <leafNode name="ssl">
+      <properties>
+        <help>SSL match options</help>
+        <completionHelp>
+          <list>req-ssl-sni ssl-fc-sni</list>
+        </completionHelp>
+        <valueHelp>
+          <format>req-ssl-sni</format>
+          <description>SSL Server Name Indication (SNI) request match</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ssl-fc-sni</format>
+          <description>SSL frontend connection Server Name Indication match</description>
+        </valueHelp>
+        <valueHelp>
+          <format>ssl-fc-sni-end</format>
+          <description>SSL frontend match end of connection Server Name Indication</description>
+        </valueHelp>
+        <constraint>
+          <regex>(req-ssl-sni|ssl-fc-sni|ssl-fc-sni-end)</regex>
+        </constraint>
+      </properties>
+    </leafNode>
+    <node name="url-path">
+      <properties>
+        <help>URL path match</help>
+      </properties>
+      <children>
+        <leafNode name="begin">
+          <properties>
+            <help>Begin URL match</help>
+            <valueHelp>
+              <format>url</format>
+              <description>Begin URL</description>
+            </valueHelp>
+            <constraint>
+              <regex>^\/[\w\-.\/]+$</regex>
+            </constraint>
+            <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
+            <multi/>
+          </properties>
+        </leafNode>
+        <leafNode name="end">
+          <properties>
+            <help>End URL match</help>
+            <valueHelp>
+              <format>url</format>
+              <description>End URL</description>
+            </valueHelp>
+            <constraint>
+              <regex>^\/[\w\-.\/]+$</regex>
+            </constraint>
+            <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
+            <multi/>
+          </properties>
+        </leafNode>
+        <leafNode name="exact">
+          <properties>
+            <help>Exactly URL match</help>
+            <valueHelp>
+              <format>url</format>
+              <description>Exactly URL</description>
+            </valueHelp>
+            <constraint>
+              <regex>^\/[\w\-.\/]+$</regex>
+            </constraint>
+            <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
+            <multi/>
+          </properties>
+        </leafNode>
+      </children>
+    </node>
+  </children>
+</tagNode>
+<!-- include end -->
diff --git a/interface-definitions/include/haproxy/rule.xml.i b/interface-definitions/include/haproxy/rule.xml.i
deleted file mode 100644
index 9d9f63c9c..000000000
--- a/interface-definitions/include/haproxy/rule.xml.i
+++ /dev/null
@@ -1,130 +0,0 @@
-<!-- include start from haproxy/rule.xml.i -->
-<tagNode name="rule">
-  <properties>
-    <help>Proxy rule number</help>
-    <valueHelp>
-      <format>u32:1-10000</format>
-      <description>Number for this proxy rule</description>
-    </valueHelp>
-    <constraint>
-      <validator name="numeric" argument="--range 1-10000"/>
-    </constraint>
-    <constraintErrorMessage>Proxy rule number must be between 1 and 10000</constraintErrorMessage>
-  </properties>
-  <children>
-    <leafNode name="domain-name">
-      <properties>
-        <help>Domain name to match</help>
-        <valueHelp>
-          <format>txt</format>
-          <description>Domain address to match</description>
-        </valueHelp>
-        <constraint>
-          <validator name="fqdn"/>
-        </constraint>
-      </properties>
-    </leafNode>
-    <node name="set">
-      <properties>
-        <help>Proxy modifications</help>
-      </properties>
-      <children>
-        <leafNode name="redirect-location">
-          <properties>
-            <help>Set URL location</help>
-            <valueHelp>
-              <format>url</format>
-              <description>Set URL location</description>
-            </valueHelp>
-            <constraint>
-              <regex>^\/[\w\-.\/]+$</regex>
-            </constraint>
-            <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
-          </properties>
-        </leafNode>
-        <leafNode name="server">
-          <properties>
-            <help>Server name</help>
-            <constraint>
-              <regex>[-_a-zA-Z0-9]+</regex>
-            </constraint>
-            <constraintErrorMessage>Server name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage>
-          </properties>
-        </leafNode>
-      </children>
-    </node>
-    <leafNode name="ssl">
-      <properties>
-        <help>SSL match options</help>
-        <completionHelp>
-          <list>req-ssl-sni ssl-fc-sni</list>
-        </completionHelp>
-        <valueHelp>
-          <format>req-ssl-sni</format>
-          <description>SSL Server Name Indication (SNI) request match</description>
-        </valueHelp>
-        <valueHelp>
-          <format>ssl-fc-sni</format>
-          <description>SSL frontend connection Server Name Indication match</description>
-        </valueHelp>
-        <valueHelp>
-          <format>ssl-fc-sni-end</format>
-          <description>SSL frontend match end of connection Server Name Indication</description>
-        </valueHelp>
-        <constraint>
-          <regex>(req-ssl-sni|ssl-fc-sni|ssl-fc-sni-end)</regex>
-        </constraint>
-      </properties>
-    </leafNode>
-    <node name="url-path">
-      <properties>
-        <help>URL path match</help>
-      </properties>
-      <children>
-        <leafNode name="begin">
-          <properties>
-            <help>Begin URL match</help>
-            <valueHelp>
-              <format>url</format>
-              <description>Begin URL</description>
-            </valueHelp>
-            <constraint>
-              <regex>^\/[\w\-.\/]+$</regex>
-            </constraint>
-            <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
-            <multi/>
-          </properties>
-        </leafNode>
-        <leafNode name="end">
-          <properties>
-            <help>End URL match</help>
-            <valueHelp>
-              <format>url</format>
-              <description>End URL</description>
-            </valueHelp>
-            <constraint>
-              <regex>^\/[\w\-.\/]+$</regex>
-            </constraint>
-            <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
-            <multi/>
-          </properties>
-        </leafNode>
-        <leafNode name="exact">
-          <properties>
-            <help>Exactly URL match</help>
-            <valueHelp>
-              <format>url</format>
-              <description>Exactly URL</description>
-            </valueHelp>
-            <constraint>
-              <regex>^\/[\w\-.\/]+$</regex>
-            </constraint>
-            <constraintErrorMessage>Incorrect URL format</constraintErrorMessage>
-            <multi/>
-          </properties>
-        </leafNode>
-      </children>
-    </node>
-  </children>
-</tagNode>
-<!-- include end -->
diff --git a/interface-definitions/load-balancing-haproxy.xml.in b/interface-definitions/load-balancing-haproxy.xml.in
index f0c0ee8ce..e295dcb63 100644
--- a/interface-definitions/load-balancing-haproxy.xml.in
+++ b/interface-definitions/load-balancing-haproxy.xml.in
@@ -7,9 +7,9 @@
           <help>Configure reverse-proxy</help>
         </properties>
         <children>
-          <tagNode name="server">
+          <tagNode name="service">
             <properties>
-              <help>Frontend server name</help>
+              <help>Frontend service name</help>
               <constraint>
                 #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i>
               </constraint>
@@ -37,7 +37,7 @@
               #include <include/listen-address.xml.i>
               #include <include/haproxy/mode.xml.i>
               #include <include/port-number.xml.i>
-              #include <include/haproxy/rule.xml.i>
+              #include <include/haproxy/rule-frontend.xml.i>
               <leafNode name="redirect-http-to-https">
                 <properties>
                   <help>Redirect HTTP to HTTPS</help>
@@ -102,7 +102,7 @@
                   </leafNode>
                 </children>
               </node>
-              #include <include/haproxy/rule.xml.i>
+              #include <include/haproxy/rule-backend.xml.i>
               <tagNode name="server">
                 <properties>
                   <help>Backend server name</help>
@@ -161,78 +161,71 @@
                   </constraint>
                 </properties>
               </leafNode>
-              <node name="tls">
+              <leafNode name="ssl-bind-ciphers">
                 <properties>
-                  <help>Transport Layer Security (TLS) options</help>
+                  <help>Cipher algorithms ("cipher suite") used during SSL/TLS handshake for all frontend servers</help>
+                  <completionHelp>
+                    <list>ecdhe-ecdsa-aes128-gcm-sha256 ecdhe-rsa-aes128-gcm-sha256 ecdhe-ecdsa-aes256-gcm-sha384 ecdhe-rsa-aes256-gcm-sha384 ecdhe-ecdsa-chacha20-poly1305 ecdhe-rsa-chacha20-poly1305 dhe-rsa-aes128-gcm-sha256 dhe-rsa-aes256-gcm-sha384</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>ecdhe-ecdsa-aes128-gcm-sha256</format>
+                    <description>ecdhe-ecdsa-aes128-gcm-sha256</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ecdhe-rsa-aes128-gcm-sha256</format>
+                    <description>ecdhe-rsa-aes128-gcm-sha256</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ecdhe-ecdsa-aes256-gcm-sha384</format>
+                    <description>ecdhe-ecdsa-aes256-gcm-sha384</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ecdhe-rsa-aes256-gcm-sha384</format>
+                    <description>ecdhe-rsa-aes256-gcm-sha384</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ecdhe-ecdsa-chacha20-poly1305</format>
+                    <description>ecdhe-ecdsa-chacha20-poly1305</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ecdhe-rsa-chacha20-poly1305</format>
+                    <description>ecdhe-rsa-chacha20-poly1305</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dhe-rsa-aes128-gcm-sha256</format>
+                    <description>dhe-rsa-aes128-gcm-sha256</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>dhe-rsa-aes256-gcm-sha384</format>
+                    <description>dhe-rsa-aes256-gcm-sha384</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(ecdhe-ecdsa-aes128-gcm-sha256|ecdhe-rsa-aes128-gcm-sha256|ecdhe-ecdsa-aes256-gcm-sha384|ecdhe-rsa-aes256-gcm-sha384|ecdhe-ecdsa-chacha20-poly1305|ecdhe-rsa-chacha20-poly1305|dhe-rsa-aes128-gcm-sha256|dhe-rsa-aes256-gcm-sha384)</regex>
+                  </constraint>
+                  <multi/>
                 </properties>
-                <children>
-                  <leafNode name="ssl-bind-ciphers">
-                    <properties>
-                      <help>Cipher algorithms ("cipher suite") used during SSL/TLS handshake for all frontend servers</help>
-                      <completionHelp>
-                        <list>ecdhe-ecdsa-aes128-gcm-sha256 ecdhe-rsa-aes128-gcm-sha256 ecdhe-ecdsa-aes256-gcm-sha384 ecdhe-rsa-aes256-gcm-sha384 ecdhe-ecdsa-chacha20-poly1305 ecdhe-rsa-chacha20-poly1305 dhe-rsa-aes128-gcm-sha256 dhe-rsa-aes256-gcm-sha384</list>
-                      </completionHelp>
-                      <valueHelp>
-                        <format>ecdhe-ecdsa-aes128-gcm-sha256</format>
-                        <description>ecdhe-ecdsa-aes128-gcm-sha256</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>ecdhe-rsa-aes128-gcm-sha256</format>
-                        <description>ecdhe-rsa-aes128-gcm-sha256</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>ecdhe-ecdsa-aes256-gcm-sha384</format>
-                        <description>ecdhe-ecdsa-aes256-gcm-sha384</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>ecdhe-rsa-aes256-gcm-sha384</format>
-                        <description>ecdhe-rsa-aes256-gcm-sha384</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>ecdhe-ecdsa-chacha20-poly1305</format>
-                        <description>ecdhe-ecdsa-chacha20-poly1305</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>ecdhe-rsa-chacha20-poly1305</format>
-                        <description>ecdhe-rsa-chacha20-poly1305</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>dhe-rsa-aes128-gcm-sha256</format>
-                        <description>dhe-rsa-aes128-gcm-sha256</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>dhe-rsa-aes256-gcm-sha384</format>
-                        <description>dhe-rsa-aes256-gcm-sha384</description>
-                      </valueHelp>
-                      <constraint>
-                        <regex>(ecdhe-ecdsa-aes128-gcm-sha256|ecdhe-rsa-aes128-gcm-sha256|ecdhe-ecdsa-aes256-gcm-sha384|ecdhe-rsa-aes256-gcm-sha384|ecdhe-ecdsa-chacha20-poly1305|ecdhe-rsa-chacha20-poly1305|dhe-rsa-aes128-gcm-sha256|dhe-rsa-aes256-gcm-sha384)</regex>
-                      </constraint>
-                      <multi/>
-                    </properties>
-                    <defaultValue>ecdhe-ecdsa-aes128-gcm-sha256 ecdhe-rsa-aes128-gcm-sha256 ecdhe-ecdsa-aes256-gcm-sha384 ecdhe-rsa-aes256-gcm-sha384 ecdhe-ecdsa-chacha20-poly1305 ecdhe-rsa-chacha20-poly1305 dhe-rsa-aes128-gcm-sha256 dhe-rsa-aes256-gcm-sha384</defaultValue>
-                  </leafNode>
-                  <leafNode name="tls-version-min">
-                    <properties>
-                      <help>Specify the minimum required TLS version</help>
-                      <completionHelp>
-                        <list>1.2 1.3</list>
-                      </completionHelp>
-                      <valueHelp>
-                        <format>1.2</format>
-                        <description>TLS v1.2</description>
-                      </valueHelp>
-                      <valueHelp>
-                        <format>1.3</format>
-                        <description>TLS v1.3</description>
-                      </valueHelp>
-                      <constraint>
-                        <regex>(1.2|1.3)</regex>
-                      </constraint>
-                    </properties>
-                    <defaultValue>1.3</defaultValue>
-                  </leafNode>
-                </children>
-              </node>
+                <defaultValue>ecdhe-ecdsa-aes128-gcm-sha256 ecdhe-rsa-aes128-gcm-sha256 ecdhe-ecdsa-aes256-gcm-sha384 ecdhe-rsa-aes256-gcm-sha384 ecdhe-ecdsa-chacha20-poly1305 ecdhe-rsa-chacha20-poly1305 dhe-rsa-aes128-gcm-sha256 dhe-rsa-aes256-gcm-sha384</defaultValue>
+              </leafNode>
+              <leafNode name="tls-version-min">
+                <properties>
+                  <help>Specify the minimum required TLS version</help>
+                  <completionHelp>
+                    <list>1.2 1.3</list>
+                  </completionHelp>
+                  <valueHelp>
+                    <format>1.2</format>
+                    <description>TLS v1.2</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>1.3</format>
+                    <description>TLS v1.3</description>
+                  </valueHelp>
+                  <constraint>
+                    <regex>(1.2|1.3)</regex>
+                  </constraint>
+                </properties>
+                <defaultValue>1.3</defaultValue>
+              </leafNode>
             </children>
           </node>
           #include <include/interface/vrf.xml.i>
-- 
cgit v1.2.3