opnsense · fraenki · Dec 22, 2025 · Dec 22, 2025 · Dec 22, 2025 · Dec 22, 2025
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		haproxy
-PLUGIN_VERSION=		4.6
-PLUGIN_REVISION=	1
+PLUGIN_VERSION=		4.7
 PLUGIN_COMMENT=		Reliable, high performance TCP/HTTP load balancer
 PLUGIN_DEPENDS=		haproxy30 py${PLUGIN_PYTHON}-haproxy-cli
 PLUGIN_MAINTAINER=	opnsense@moov.de

diff --git a/net/haproxy/pkg-descr b/net/haproxy/pkg-descr
@@ -6,6 +6,13 @@ very high loads while needing persistence or Layer7 processing.
 Plugin Changelog
 ================
 
+4.7
+
+Added:
+* add new rule: http-request silent-drop
+* add new condition: HTTP method
+* support custom HTTP status code in "http-request deny" rules
+
 4.6
 
 Changed:

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAcl.xml
@@ -88,6 +88,17 @@
         <type>text</type>
         <help><![CDATA[HTTP host header contains string (substring match)]]></help>
     </field>
+
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>expression_table table_http_method</style>
+    </field>
+    <field>
+        <id>acl.http_method</id>
+        <label>HTTP Method</label>
+        <type>select_multiple</type>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>

diff --git a/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml b/net/haproxy/src/opnsense/mvc/app/controllers/OPNsense/HAProxy/forms/dialogAction.xml
@@ -80,6 +80,17 @@
         <type>text</type>
         <help><![CDATA[When HAProxy requests user name and password from the user, this optional authentication realm is returned with the response (typically the application's name).]]></help>
     </field>
+    <field>
+        <label>Parameters</label>
+        <type>header</type>
+        <style>type_table table_http-request_deny</style>
+    </field>
+    <field>
+        <id>action.http_request_deny_status</id>
+        <label>HTTP Status Code</label>
+        <type>text</type>
+        <help><![CDATA[By default an HTTP 403 error is returned for requests, and 502 for responses, but optionally a different HTTP status code may be specified.]]></help>
+    </field>
     <field>
         <label>Parameters</label>
         <type>header</type>

diff --git a/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml b/net/haproxy/src/opnsense/mvc/app/models/OPNsense/HAProxy/HAProxy.xml
@@ -1728,6 +1728,7 @@
                         <cust_hdr>HTTP Header matches</cust_hdr>
                         <cust_hdr_reg>HTTP Header regex</cust_hdr_reg>
                         <cust_hdr_sub>HTTP Header contains</cust_hdr_sub>
+                        <http_method>HTTP Method</http_method>
                         <url_param>URL parameter contains</url_param>
                         <ssl_c_verify>SSL Client certificate is valid</ssl_c_verify>
                         <ssl_c_verify_code>SSL Client certificate verify error result</ssl_c_verify_code>
@@ -2195,6 +2196,21 @@
                     <Multiple>Y</Multiple>
                     <Required>N</Required>
                 </allowedGroups>
+                <http_method type="OptionField">
+                    <Required>N</Required>
+                    <Multiple>Y</Multiple>
+                    <OptionValues>
+                        <CONNECT>CONNECT</CONNECT>
+                        <DELETE>DELETE</DELETE>
+                        <GET>GET</GET>
+                        <HEAD>HEAD</HEAD>
+                        <OPTIONS>OPTIONS</OPTIONS>
+                        <PATCH>PATCH</PATCH>
+                        <POST>POST</POST>
+                        <PUT>PUT</PUT>
+                        <TRACE>TRACE</TRACE>
+                    </OptionValues>
+                </http_method>
             </acl>
         </acls>
         <actions>
@@ -2259,6 +2275,7 @@
                         <http-request_replace-value>http-request header replace value</http-request_replace-value>
                         <http-request_set-path>http-request set-path</http-request_set-path>
                         <http-request_set-var>http-request set-var</http-request_set-var>
+                        <http-request_silent-drop>http-request silent-drop</http-request_silent-drop>
                         <http-response_allow>http-response allow</http-response_allow>
                         <http-response_deny>http-response deny</http-response_deny>
                         <http-response_lua>http-response lua script</http-response_lua>
@@ -2323,6 +2340,12 @@
                     <Mask>/^.{1,4096}$/u</Mask>
                     <Required>N</Required>
                 </http_request_auth>
+                <http_request_deny_status type="IntegerField">
+                    <MinimumValue>100</MinimumValue>
+                    <MaximumValue>999</MaximumValue>
+                    <ValidationMessage>Please specify a value between 100 and 999.</ValidationMessage>
+                    <Required>N</Required>
+                </http_request_deny_status>
                 <!-- XXX: add support for all "redirect" parameters as separate fields -->
                 <http_request_redirect type="TextField">
                     <Mask>/^.{1,4096}$/u</Mask>

diff --git a/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf b/net/haproxy/src/opnsense/service/templates/OPNsense/HAProxy/haproxy.conf
@@ -136,6 +136,13 @@
 {%                 set acl_enabled = '0' %}
     # ERROR: missing parameters
 {%               endif %}
+{%             elif acl_data.expression == 'http_method' %}
+{%               if acl_data.http_method|default("") != "" %}
+{%                 do acl_options.append('method ' ~ acl_data.http_method|replace(',', ' ')) %}
+{%               else %}
+{%                 set acl_enabled = '0' %}
+    # ERROR: missing parameters
+{%               endif %}
 {%             elif acl_data.expression == 'path_beg' %}
 {%               if acl_data.path_beg|default("") != "" %}
 {%                 do acl_options.append('path_beg') %}
@@ -482,7 +489,11 @@
 {%         elif action_data.type == 'http-request_allow' %}
 {%           do action_options.append('http-request allow') %}
 {%         elif action_data.type == 'http-request_deny' %}
-{%           do action_options.append('http-request deny') %}
+{%           if action_data.http_request_deny_status|default("") != "" %}
+{%             do action_options.append('http-request deny deny_status ' ~ action_data.http_request_deny_status) %}
+{%           else %}
+{%             do action_options.append('http-request deny') %}
+{%           endif %}
 {%         elif action_data.type == 'http-request_tarpit' %}
 {%           do action_options.append('http-request tarpit') %}
 {%         elif action_data.type == 'http-request_auth' %}
@@ -561,6 +572,8 @@
 {%             set action_enabled = '0' %}
     # ERROR: missing parameters
 {%           endif %}
+{%         elif action_data.type == 'http-request_silent-drop' %}
+{%           do action_options.append('http-request silent-drop') %}
 {%         elif action_data.type == 'http-response_allow' %}
 {%           do action_options.append('http-response allow') %}
 {%         elif action_data.type == 'http-response_deny' %}