diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index c18a998b8..5137966c1 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -1,218 +1,231 @@ ### Autogenerated by load-balancing_reverse-proxy.py ### global - log /dev/log local0 - log /dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin stats timeout 30s user haproxy group haproxy daemon {% if global_parameters is vyos_defined %} +{% if global_parameters.logging is vyos_defined %} +{% for facility, facility_config in global_parameters.logging.facility.items() %} + log /dev/log {{ facility }} {{ facility_config.level }} +{% endfor %} +{% endif %} {% if global_parameters.max_connections is vyos_defined %} maxconn {{ global_parameters.max_connections }} {% endif %} # Default SSL material locations ca-base /etc/ssl/certs crt-base /etc/ssl/private {% if global_parameters.ssl_bind_ciphers is vyos_defined %} # https://ssl-config.mozilla.org/#server=haproxy&version=2.6.12-1&config=intermediate&openssl=3.0.8-1&guideline=5.6 ssl-default-bind-ciphers {{ global_parameters.ssl_bind_ciphers | join(':') | upper }} {% endif %} ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 {% if global_parameters.tls_version_min is vyos_defined('1.3') %} ssl-default-bind-options force-tlsv13 {% else %} ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets {% endif %} {% endif %} defaults log global mode http option dontlognull timeout connect 10s timeout client 50s timeout server 50s errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http # Frontend {% if service is vyos_defined %} {% for front, front_config in service.items() %} frontend {{ front }} {% set ssl_front = [] %} {% if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %} {% for cert in 
front_config.ssl.certificate %} {% set _ = ssl_front.append('crt /run/haproxy/' ~ cert ~ '.pem') %} {% endfor %} {% endif %} {% set ssl_directive = 'ssl' if ssl_front else '' %} {% if front_config.listen_address is vyos_defined %} {% for address in front_config.listen_address %} bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_directive }} {{ ssl_front | join(' ') }} {% endfor %} {% else %} bind [::]:{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }} {% endif %} {% if front_config.redirect_http_to_https is vyos_defined %} http-request redirect scheme https unless { ssl_fc } +{% endif %} +{% if front_config.logging is vyos_defined %} +{% for facility, facility_config in front_config.logging.facility.items() %} + log /dev/log {{ facility }} {{ facility_config.level }} +{% endfor %} {% endif %} mode {{ front_config.mode }} {% if front_config.tcp_request.inspect_delay is vyos_defined %} tcp-request inspect-delay {{ front_config.tcp_request.inspect_delay }} {% endif %} {# add tcp-request related directive if ssl is configured #} {% if front_config.mode == 'tcp' and front_config.rule is vyos_defined %} {% for rule, rule_config in front_config.rule.items() %} {% if rule_config.ssl is vyos_defined %} tcp-request content accept if { req_ssl_hello_type 1 } {% break %} {% endif %} {% endfor %} {% endif %} {% if front_config.http_response_headers is vyos_defined %} {% for header, header_config in front_config.http_response_headers.items() %} http-response set-header {{ header }} '{{ header_config['value'] }}' {% endfor %} {% endif %} {% if front_config.rule is vyos_defined %} {% for rule, rule_config in front_config.rule.items() %} # rule {{ rule }} {% if rule_config.domain_name is vyos_defined %} {% set rule_options = 'hdr(host)' %} {% if rule_config.ssl is vyos_defined %} {% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %} {% set rule_options = 
ssl_rule_translate[rule_config.ssl] %} {% endif %} {% for domain in rule_config.domain_name %} acl {{ rule }} {{ rule_options }} -i {{ domain }} {% endfor %} {% endif %} {# path url #} {% if rule_config.url_path is vyos_defined %} {% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %} {% for path, path_config in rule_config.url_path.items() %} {% for url in path_config %} acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }} {% endfor %} {% endfor %} {% endif %} {% if rule_config.set.backend is vyos_defined %} use_backend {{ rule_config.set.backend }} if {{ rule }} {% endif %} {% if rule_config.set.redirect_location is vyos_defined %} http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }} {% endif %} {# endpath #} {% endfor %} {% endif %} {% if front_config.backend is vyos_defined %} {% for backend in front_config.backend %} default_backend {{ backend }} {% endfor %} {% endif %} {% endfor %} {% endif %} # Backend {% if backend is vyos_defined %} {% for back, back_config in backend.items() %} backend {{ back }} {% if back_config.health_check is vyos_defined %} {% if back_config.health_check == 'smtp' %} option smtpchk {% else %} option {{ back_config.health_check }}-check {% endif %} {% endif %} {% if back_config.http_check is vyos_defined %} option httpchk {% endif %} {% set send = '' %} {% if back_config.http_check.method is vyos_defined %} {% set send = send + ' meth ' + back_config.http_check.method | upper %} {% endif %} {% if back_config.http_check.uri is vyos_defined %} {% set send = send + ' uri ' + back_config.http_check.uri %} {% endif %} {% if send != '' %} http-check send{{ send }} {% endif %} {% if back_config.http_check.expect is vyos_defined %} {% if back_config.http_check.expect.status is vyos_defined %} http-check expect status {{ back_config.http_check.expect.status }} {% elif back_config.http_check.expect.string is vyos_defined %} http-check expect string {{ 
back_config.http_check.expect.string }} {% endif %} {% endif %} {% if back_config.balance is vyos_defined %} {% set balance_translate = {'least-connection': 'leastconn', 'round-robin': 'roundrobin', 'source-address': 'source'} %} balance {{ balance_translate[back_config.balance] }} {% endif %} {# If mode is HTTP add X-Forwarded headers #} {% if back_config.mode == 'http' %} option forwardfor http-request set-header X-Forwarded-Port %[dst_port] http-request add-header X-Forwarded-Proto https if { ssl_fc } +{% endif %} +{% if back_config.logging is vyos_defined %} +{% for facility, facility_config in back_config.logging.facility.items() %} + log /dev/log {{ facility }} {{ facility_config.level }} +{% endfor %} {% endif %} mode {{ back_config.mode }} {% if back_config.http_response_headers is vyos_defined %} {% for header, header_config in back_config.http_response_headers.items() %} http-response set-header {{ header }} '{{ header_config['value'] }}' {% endfor %} {% endif %} {% if back_config.rule is vyos_defined %} {% for rule, rule_config in back_config.rule.items() %} {% if rule_config.domain_name is vyos_defined and rule_config.set.server is vyos_defined %} {% set rule_options = 'hdr(host)' %} {% if rule_config.ssl is vyos_defined %} {% set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %} {% set rule_options = ssl_rule_translate[rule_config.ssl] %} {% endif %} {% for domain in rule_config.domain_name %} acl {{ rule }} {{ rule_options }} -i {{ domain }} {% endfor %} use-server {{ rule_config.set.server }} if {{ rule }} {% endif %} {# path url #} {% if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %} {% set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %} {% for path, path_config in rule_config.url_path.items() %} {% for url in path_config %} acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }} {% endfor %} {% 
endfor %} http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }} {% endif %} {# endpath #} {% endfor %} {% endif %} {% if back_config.server is vyos_defined %} {% set ssl_back = 'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else ('ssl verify none' if back_config.ssl.no_verify is vyos_defined else '') %} {% for server, server_config in back_config.server.items() %} server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }} {% endfor %} {% endif %} {% if back_config.timeout.check is vyos_defined %} timeout check {{ back_config.timeout.check }}s {% endif %} {% if back_config.timeout.connect is vyos_defined %} timeout connect {{ back_config.timeout.connect }}s {% endif %} {% if back_config.timeout.server is vyos_defined %} timeout server {{ back_config.timeout.server }}s {% endif %} {% endfor %} {% endif %}
diff --git a/interface-definitions/include/haproxy/logging.xml.i b/interface-definitions/include/haproxy/logging.xml.i
new file mode 100644
index 000000000..e0af54fa4
--- /dev/null
+++ b/interface-definitions/include/haproxy/logging.xml.i
@@ -0,0 +1,10 @@
+<!-- include start from haproxy/logging.xml.i -->
+<node name="logging">
+ <properties>
+ <help>Logging parameters</help>
+ </properties>
+ <children>
+ #include <include/syslog-facility.xml.i>
+ </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/load-balancing_reverse-proxy.xml.in b/interface-definitions/load-balancing_reverse-proxy.xml.in
index 1a432be6d..18274622c 100644
--- a/interface-definitions/load-balancing_reverse-proxy.xml.in
+++ b/interface-definitions/load-balancing_reverse-proxy.xml.in
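Review bot: Removing the unconditional `log /dev/log local0` and `log /dev/log local1 notice` lines from `global` turns HAProxy logging into an opt-in feature: when `global_parameters.logging` is not set (or `global_parameters` itself is absent, since the new block sits inside `{% if global_parameters is vyos_defined %}`), no `log` directive is rendered in `global`, the `log global` in `defaults` has nothing to resolve to, and access/error logs that existing deployments rely on for auditing and incident response silently stop after upgrade — unless `syslog-facility.xml.i` supplies a default facility, which is not visible in this diff and which the `load-balancing_reverse-proxy.xml.in` hunk does not add for the new `#include <include/haproxy/logging.xml.i>` lines. I would keep the old behaviour as a fallback: `{% else %}` / `    log /dev/log local0` / `    log /dev/log local1 notice` immediately before the `{% endif %}` that closes the new logging block. The per-frontend and per-backend loops are fine as opt-in because those sections inherit `log global` from `defaults` when they define no `log` of their own, but a section that does set a facility replaces that inherited target rather than adding to it, which is worth stating in a `{# ... #}` comment above each of the two new loops.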
@@ -1,341 +1,344 @@ <?xml version="1.0"?> <interfaceDefinition> <node name="load-balancing"> <children> <node name="reverse-proxy" owner="${vyos_conf_scripts_dir}/load-balancing_reverse-proxy.py"> <properties> <help>Configure reverse-proxy</help> <priority>900</priority> </properties> <children> <tagNode name="service"> <properties> <help>Frontend service name</help> <constraint> #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i> </constraint> <constraintErrorMessage>Server name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage> </properties> <children> <leafNode name="backend"> <properties> <help>Backend member</help> <constraint> #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i> </constraint> <constraintErrorMessage>Backend name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage> <valueHelp> <format>txt</format> <description>Name of reverse-proxy backend system</description> </valueHelp> <completionHelp> <path>load-balancing reverse-proxy backend</path> </completionHelp> <multi/> </properties> </leafNode> #include <include/generic-description.xml.i> #include <include/listen-address.xml.i> + #include <include/haproxy/logging.xml.i> #include <include/haproxy/mode.xml.i> #include <include/port-number.xml.i> #include <include/haproxy/rule-frontend.xml.i> #include <include/haproxy/tcp-request.xml.i> #include <include/haproxy/http-response-headers.xml.i> <leafNode name="redirect-http-to-https"> <properties> <help>Redirect HTTP to HTTPS</help> <valueless/> </properties> </leafNode> <node name="ssl"> <properties> <help>SSL Certificate, SSL Key and CA</help> </properties> <children> #include <include/pki/certificate-multi.xml.i> </children> </node> </children> </tagNode> <tagNode name="backend"> <properties> <help>Backend server name</help> <constraint> #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i> </constraint> <constraintErrorMessage>Backend name 
must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage> </properties> <children> <leafNode name="balance"> <properties> <help>Load-balancing algorithm</help> <completionHelp> <list>source-address round-robin least-connection</list> </completionHelp> <valueHelp> <format>source-address</format> <description>Based on hash of source IP address</description> </valueHelp> <valueHelp> <format>round-robin</format> <description>Round robin</description> </valueHelp> <valueHelp> <format>least-connection</format> <description>Least connection</description> </valueHelp> <constraint> <regex>(source-address|round-robin|least-connection)</regex> </constraint> </properties> <defaultValue>round-robin</defaultValue> </leafNode> #include <include/generic-description.xml.i> + #include <include/haproxy/logging.xml.i> #include <include/haproxy/mode.xml.i> #include <include/haproxy/http-response-headers.xml.i> <node name="http-check"> <properties> <help>HTTP check configuration</help> </properties> <children> <leafNode name="method"> <properties> <help>HTTP method used for health check</help> <completionHelp> <list>options head get post put</list> </completionHelp> <valueHelp> <format>options|head|get|post|put</format> <description>HTTP method used for health checking</description> </valueHelp> <constraint> <regex>(options|head|get|post|put)</regex> </constraint> </properties> </leafNode> <leafNode name="uri"> <properties> <help>URI used for HTTP health check (Example: '/' or '/health')</help> <constraint> <regex>^\/([^?#\s]*)(\?[^#\s]*)?$</regex> </constraint> </properties> </leafNode> <node name="expect"> <properties> <help>Expected response for the health check to pass</help> </properties> <children> <leafNode name="status"> <properties> <help>Expected response status code for the health check to pass</help> <valueHelp> <format>u32:200-399</format> <description>Expected response code</description> </valueHelp> <constraint> <validator name="numeric" 
argument="--range 200-399"/> </constraint> <constraintErrorMessage>Status code must be in range 200-399</constraintErrorMessage> </properties> </leafNode> <leafNode name="string"> <properties> <help>Expected to be in response body for the health check to pass</help> <valueHelp> <format>txt</format> <description>A string expected to be in the response</description> </valueHelp> </properties> </leafNode> </children> </node> </children> </node> <leafNode name="health-check"> <properties> <help>Non HTTP health check options</help> <completionHelp> <list>ldap mysql pgsql redis smtp</list> </completionHelp> <valueHelp> <format>ldap</format> <description>LDAP protocol check</description> </valueHelp> <valueHelp> <format>mysql</format> <description>MySQL protocol check</description> </valueHelp> <valueHelp> <format>pgsql</format> <description>PostgreSQL protocol check</description> </valueHelp> <valueHelp> <format>redis</format> <description>Redis protocol check</description> </valueHelp> <valueHelp> <format>smtp</format> <description>SMTP protocol check</description> </valueHelp> <constraint> <regex>(ldap|mysql|redis|pgsql|smtp)</regex> </constraint> </properties> </leafNode> #include <include/haproxy/rule-backend.xml.i> <tagNode name="server"> <properties> <help>Backend server name</help> </properties> <children> <leafNode name="address"> <properties> <help>Backend server address</help> <valueHelp> <format>ipv4</format> <description>IPv4 unicast peer address</description> </valueHelp> <valueHelp> <format>ipv6</format> <description>IPv6 unicast peer address</description> </valueHelp> <constraint> <validator name="ip-address"/> </constraint> </properties> </leafNode> <leafNode name="backup"> <properties> <help>Use backup server if other servers are not available</help> <valueless/> </properties> </leafNode> <leafNode name="check"> <properties> <help>Active health check backend server</help> <valueless/> </properties> </leafNode> #include <include/port-number.xml.i> 
<leafNode name="send-proxy"> <properties> <help>Send a Proxy Protocol version 1 header (text format)</help> <valueless/> </properties> </leafNode> <leafNode name="send-proxy-v2"> <properties> <help>Send a Proxy Protocol version 2 header (binary format)</help> <valueless/> </properties> </leafNode> </children> </tagNode> <node name="ssl"> <properties> <help>SSL Certificate, SSL Key and CA</help> </properties> <children> #include <include/pki/ca-certificate.xml.i> <leafNode name="no-verify"> <properties> <help>Do not attempt to verify SSL certificates for backend servers</help> <valueless/> </properties> </leafNode> </children> </node> #include <include/haproxy/timeout.xml.i> </children> </tagNode> <node name="global-parameters"> <properties> <help>Global perfomance parameters and limits</help> </properties> <children> + #include <include/haproxy/logging.xml.i> <leafNode name="max-connections"> <properties> <help>Maximum allowed connections</help> <valueHelp> <format>u32:1-2000000</format> <description>Maximum allowed connections</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-2000000"/> </constraint> </properties> </leafNode> <leafNode name="ssl-bind-ciphers"> <properties> <help>Cipher algorithms ("cipher suite") used during SSL/TLS handshake for all frontend servers</help> <completionHelp> <list>ecdhe-ecdsa-aes128-gcm-sha256 ecdhe-rsa-aes128-gcm-sha256 ecdhe-ecdsa-aes256-gcm-sha384 ecdhe-rsa-aes256-gcm-sha384 ecdhe-ecdsa-chacha20-poly1305 ecdhe-rsa-chacha20-poly1305 dhe-rsa-aes128-gcm-sha256 dhe-rsa-aes256-gcm-sha384</list> </completionHelp> <valueHelp> <format>ecdhe-ecdsa-aes128-gcm-sha256</format> <description>ecdhe-ecdsa-aes128-gcm-sha256</description> </valueHelp> <valueHelp> <format>ecdhe-rsa-aes128-gcm-sha256</format> <description>ecdhe-rsa-aes128-gcm-sha256</description> </valueHelp> <valueHelp> <format>ecdhe-ecdsa-aes256-gcm-sha384</format> <description>ecdhe-ecdsa-aes256-gcm-sha384</description> </valueHelp> 
<valueHelp> <format>ecdhe-rsa-aes256-gcm-sha384</format> <description>ecdhe-rsa-aes256-gcm-sha384</description> </valueHelp> <valueHelp> <format>ecdhe-ecdsa-chacha20-poly1305</format> <description>ecdhe-ecdsa-chacha20-poly1305</description> </valueHelp> <valueHelp> <format>ecdhe-rsa-chacha20-poly1305</format> <description>ecdhe-rsa-chacha20-poly1305</description> </valueHelp> <valueHelp> <format>dhe-rsa-aes128-gcm-sha256</format> <description>dhe-rsa-aes128-gcm-sha256</description> </valueHelp> <valueHelp> <format>dhe-rsa-aes256-gcm-sha384</format> <description>dhe-rsa-aes256-gcm-sha384</description> </valueHelp> <constraint> <regex>(ecdhe-ecdsa-aes128-gcm-sha256|ecdhe-rsa-aes128-gcm-sha256|ecdhe-ecdsa-aes256-gcm-sha384|ecdhe-rsa-aes256-gcm-sha384|ecdhe-ecdsa-chacha20-poly1305|ecdhe-rsa-chacha20-poly1305|dhe-rsa-aes128-gcm-sha256|dhe-rsa-aes256-gcm-sha384)</regex> </constraint> <multi/> </properties> <defaultValue>ecdhe-ecdsa-aes128-gcm-sha256 ecdhe-rsa-aes128-gcm-sha256 ecdhe-ecdsa-aes256-gcm-sha384 ecdhe-rsa-aes256-gcm-sha384 ecdhe-ecdsa-chacha20-poly1305 ecdhe-rsa-chacha20-poly1305 dhe-rsa-aes128-gcm-sha256 dhe-rsa-aes256-gcm-sha384</defaultValue> </leafNode> <leafNode name="tls-version-min"> <properties> <help>Specify the minimum required TLS version</help> <completionHelp> <list>1.2 1.3</list> </completionHelp> <valueHelp> <format>1.2</format> <description>TLS v1.2</description> </valueHelp> <valueHelp> <format>1.3</format> <description>TLS v1.3</description> </valueHelp> <constraint> <regex>(1.2|1.3)</regex> </constraint> </properties> <defaultValue>1.3</defaultValue> </leafNode> </children> </node> #include <include/interface/vrf.xml.i> </children> </node> </children> </node> </interfaceDefinition>