From 85dc32c41b5cc4102b055a15fa4963d6141a876f Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Mon, 22 Dec 2025 21:04:51 +0100 Subject: [PATCH 1/4] net/haproxy: add support for http-request silent-drop --- net/haproxy/pkg-descr | 3 +++ .../src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 1 + .../opnsense/service/templates/OPNsense/HAProxy/haproxy.conf | 2 ++ 3 files changed, 6 insertions(+) diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index 13a4f948b6..348f8e5b15 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -6,6 +6,9 @@ very high loads while needing persistence or Layer7 processing. Plugin Changelog ================ +Added: +* add support for "http-request silent-drop" + 4.6 Changed: diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index e1a40e1c57..aad51398ed 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -2259,6 +2259,7 @@ http-request header replace value http-request set-path http-request set-var + http-request silent-drop http-response allow http-response deny http-response lua script diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index 642a84e4a6..a11ba548d3 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf @@ -561,6 +561,8 @@ {% set action_enabled = '0' %} # ERROR: missing parameters {% endif %} +{% elif action_data.type == 'http-request_silent-drop' %} +{% do action_options.append('http-request silent-drop') %} {% elif action_data.type == 'http-response_allow' %} {% do action_options.append('http-response allow') %} {% elif action_data.type == 'http-response_deny' %} 
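Review bot: The new `http-request_silent-drop` branch in haproxy.conf emits the action bare, with no comment carrying the caveats HAProxy documents for it. Per the HAProxy documentation, silent-drop first tries TCP_REPAIR and otherwise falls back to a reset sent with TTL 1; TCP_REPAIR is a Linux facility, so on OPNsense the fallback is presumably what runs. In that case hosts on the local segment still receive the reset, and stateful devices between HAProxy and the client keep the session in their tables. I would add a template comment such as `{# silent-drop: no response is sent; off Linux this relies on a low-TTL RST, see the HAProxy docs #}` and repeat the caveat in the option's help text; the optional `rst-ttl <ttl>` argument is not exposed and may merit a follow-up field. The surrounding `elif` chain starts and ends outside this hunk.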
From 26b6c8a15cd7dbca31aeb2284125e201549472c3 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Mon, 22 Dec 2025 21:43:53 +0100 Subject: [PATCH 2/4] net/haproxy: add new condition: HTTP method --- net/haproxy/pkg-descr | 1 + .../OPNsense/HAProxy/forms/dialogAcl.xml | 11 +++++++++++ .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 16 ++++++++++++++++ .../templates/OPNsense/HAProxy/haproxy.conf | 7 +++++++ 4 files changed, 35 insertions(+) diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index 348f8e5b15..78424afb27 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -8,6 +8,7 @@ Plugin Changelog Added: * add support for "http-request silent-drop" +* add new condition: HTTP method 4.6 diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml index 895bd6e4b2..849a44e850 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml +++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml @@ -88,6 +88,17 @@ text + + + + header + + + + acl.http_method + + select_multiple + header diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index aad51398ed..8c43890cf5 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -1728,6 +1728,7 @@ HTTP Header matches HTTP Header regex HTTP Header contains + HTTP Method URL parameter contains SSL Client certificate is valid SSL Client certificate verify error result @@ -2195,6 +2196,21 @@ Y N + + N + Y + + CONNECT + DELETE + GET + HEAD + OPTIONS + PATCH + POST + PUT + TRACE + + 
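Review bot: The `http_method` option list added to HAProxy.xml is a closed set of nine methods, so the new condition cannot match any verb outside it (WebDAV methods, custom verbs). That matters when the condition is used to block requests: a rule built by selecting the unwanted methods leaves every unlisted method untouched. The help text in the dialogAcl.xml hunk is not visible as rendered here, so I cannot tell whether it says this; it should recommend selecting the permitted methods and negating the condition, for example `Select the methods to match. To restrict a service to a known set, select the allowed methods and negate the condition.`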
diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index a11ba548d3..1c352d83e9 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf @@ -136,6 +136,13 @@ {% set acl_enabled = '0' %} # ERROR: missing parameters {% endif %} +{% elif acl_data.expression == 'http_method' %} +{% if acl_data.http_method|default("") != "" %} +{% do acl_options.append('method ' ~ acl_data.http_method|replace(',', ' ')) %} +{% else %} +{% set acl_enabled = '0' %} + # ERROR: missing parameters +{% endif %} {% elif acl_data.expression == 'path_beg' %} {% if acl_data.path_beg|default("") != "" %} {% do acl_options.append('path_beg') %} From 0f1ea336843eae4cb44d5a7f66502dd77c05e754 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Mon, 22 Dec 2025 22:03:30 +0100 Subject: [PATCH 3/4] net/haproxy: support deny_status in http-request deny --- net/haproxy/pkg-descr | 1 + .../OPNsense/HAProxy/forms/dialogAction.xml | 11 +++++++++++ .../mvc/app/models/OPNsense/HAProxy/HAProxy.xml | 6 ++++++ .../service/templates/OPNsense/HAProxy/haproxy.conf | 6 +++++- 4 files changed, 23 insertions(+), 1 deletion(-) diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index 78424afb27..257dd3590d 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -9,6 +9,7 @@ Plugin Changelog Added: * add support for "http-request silent-drop" * add new condition: HTTP method +* support custom HTTP status code in "http-request deny" rules 4.6 diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml index 0386b9f1ae..cfc4cbf392 100644 --- a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml 
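Review bot: In the new `http_method` branch of haproxy.conf, an empty selection only sets `acl_enabled = '0'` and writes `# ERROR: missing parameters` into the generated file, and the model hunk of the same patch appears to leave the field optional. How an action that references a disabled condition is rendered is not visible in this hunk; if the rule is dropped, a deny rule silently disappears, and if it is emitted without the condition, it applies to every request. I would make the field mandatory in the model when the expression is `http_method`, or at least add a comment on the `else` branch stating what happens to dependent rules, e.g. `{# condition disabled: rules using it are skipped, not applied unconditionally #}` once that is confirmed. The `if`/`elif` chain this branch belongs to starts and ends outside the hunk.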
+++ b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml @@ -80,6 +80,17 @@ text + + + header + + + + action.http_request_deny_status + + text + + header diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml index 8c43890cf5..59d863b431 100644 --- a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml +++ b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml @@ -2340,6 +2340,12 @@ /^.{1,4096}$/u N + + 100 + 999 + Please specify a value between 100 and 999. + N + /^.{1,4096}$/u diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf index 1c352d83e9..aa7fd84419 100644 --- a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf +++ b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf @@ -489,7 +489,11 @@ {% elif action_data.type == 'http-request_allow' %} {% do action_options.append('http-request allow') %} {% elif action_data.type == 'http-request_deny' %} -{% do action_options.append('http-request deny') %} +{% if action_data.http_request_deny_status|default("") != "" %} +{% do action_options.append('http-request deny deny_status ' ~ action_data.http_request_deny_status) %} +{% else %} +{% do action_options.append('http-request deny') %} +{% endif %} {% elif action_data.type == 'http-request_tarpit' %} {% do action_options.append('http-request tarpit') %} {% elif action_data.type == 'http-request_auth' %} From 7eb30a4a9ab4808f186e37e4910260600a5908e0 Mon Sep 17 00:00:00 2001 From: Frank Wall Date: Mon, 22 Dec 2025 22:43:51 +0100 Subject: [PATCH 4/4] net/haproxy: bump version --- net/haproxy/Makefile | 3 +-- net/haproxy/pkg-descr | 4 +++- 2 files changed, 4 insertions(+), 3 deletions(-) 
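Review bot: The `http_request_deny_status` field in HAProxy.xml accepts 100 to 999, which is wider than what HAProxy takes for `deny_status`. As far as I know the parser rejects status codes outside 200–599, and the bare `deny_status` form implies default-errorfiles, which accepts only codes that have a built-in error message; a value such as 150 would pass the GUI validation and then fail the configuration check. On a firewall that means newly added deny rules are not loaded until someone notices the failed reload. I would narrow the bounds to `<MinimumValue>200</MinimumValue>` and `<MaximumValue>599</MaximumValue>` with a matching validation message and list the supported codes in the help text; the element names are assumed, because the markup is not visible in this hunk as rendered. The haproxy.conf hunk of the same patch writes the value out unchanged, which is fine once the model bound is correct.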
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile index 0e7ae42d4c..eea1ecd8b1 100644 --- a/net/haproxy/Makefile +++ b/net/haproxy/Makefile @@ -1,6 +1,5 @@ PLUGIN_NAME= haproxy -PLUGIN_VERSION= 4.6 -PLUGIN_REVISION= 1 +PLUGIN_VERSION= 4.7 PLUGIN_COMMENT= Reliable, high performance TCP/HTTP load balancer PLUGIN_DEPENDS= haproxy30 py${PLUGIN_PYTHON}-haproxy-cli PLUGIN_MAINTAINER= opnsense@moov.de diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr index 257dd3590d..d3c0881644 100644 --- a/net/haproxy/pkg-descr +++ b/net/haproxy/pkg-descr @@ -6,8 +6,10 @@ very high loads while needing persistence or Layer7 processing. Plugin Changelog ================ +4.7 + Added: -* add support for "http-request silent-drop" +* add new rule: http-request silent-drop * add new condition: HTTP method * support custom HTTP status code in "http-request deny" rules