On Wed, 22 Feb 2017 15:43:36 +0100
Braňo Žarnovičan <zarnovi...@gmail.com> wrote:

> Hi,
> 
> a need to call an external http (preferably https) service from
> HAproxy code. What's the easiest way to achieve that ?
> 
> Context:
> I would like HAproxy to do TLS termination for non-http traffic
> (mqtt). The TLS cipher is PSK (pre-shared key). There was a patch in
> this mailing-list adding support for this cipher. In his patch, Nenad
> Merdanovic is loading <identity>:<key> map from a configuration file.
> This is fine, if you have a static environment. I would like to hook
> this identity-to-key function to some external service.
> 
> // for TLS-PSK, you need to implement this function
> // (OpenSSL's callback type: unsigned int return, const char *identity;
> // the returned length must not exceed max_psk_len, and 0 rejects the client)
> static unsigned int ssl_srv_psk_cb(SSL *ssl, const char *identity,
>                                    unsigned char *psk, unsigned int max_psk_len) {
>     // for a given "identity" string, return its pre-shared key "psk"
>     // make a https call here..
>     return 0;
> }
> 
> // and register it for OpenSSL as call-back
> SSL_CTX_set_psk_server_callback(ctx, ssl_srv_psk_cb);
> 
> Options:
> 
> (a) implement lookup call in C
> 
> I should be able to whip up simple http 1.0 request via low-level
> socket programming. However, I would like some more, fancier features
> like https, persistent-connections, basic-auth, handle timeouts, etc.
> Even with the simple socket code I'm not sure, how will that play with
> haproxy's event-driven nature. I would appreciate if someone could
> point me to an example where haproxy is doing something similar
> already.


Hi, there is no way to easily implement an HTTP request from haproxy. If
you are looking for an example, you can look at the code of SPOE, the
stats page, stats CLI or the Lua code for "core.socket".

The idea is to create a client applet and use an internal proxy to
process connection and the data exchange and the SSL. The HTTP protocol
as client must be implemented on our side.


> (b) integrate it with Lua
> 
> Lua sounds like a better option for writing custom code to HAproxy.
> However, I'm afraid that I wouldn't be able to hook it to the TLS
> handshake itself (that stage is too early in the process). Seems, that
> it's not a good use-case for Lua.


I confirm, you can't have a hook in the https, and you can't configure
the https parameters. Maybe in a future version; for now, I'm waiting for
some feedback about the actual process.

Another way is to use the new SPOE protocol to forward some data to
your own service, which will process SSL. Look for an example of an SPOE
client in the directory "contrib/spoa_example".

Thierry


> Any thoughts ? Examples of async IO https calls from C ?
> 
> Thanks,
> 
> Brano Zarnovican
> 

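
An added example, not code from this thread, from Nenad's patch or from HAProxy: the server-side PSK lookup in C, with a constructed static identity-to-key table standing in for the map file or the external service discussed above. It shows the callback signature OpenSSL actually expects and the two checks the sketch in the question leaves open: an unknown identity gets no key at all (no default, no fallback), and the key is never written if it would exceed max_psk_len. `psk_table`, `psk_lookup`, `hex_decode` and the `WITH_OPENSSL` macro are names chosen here; the OpenSSL wrapper at the bottom is only compiled with `-DWITH_OPENSSL -lssl -lcrypto`, the rest builds with no dependencies.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample table standing in for the <identity>:<key> map file
 * (or the external service) discussed in the thread. Keys are hex-encoded. */
struct psk_entry {
    const char *identity;
    const char *key_hex;
};

static const struct psk_entry psk_table[] = {
    { "sensor-01", "0102030405060708090a0b0c0d0e0f10" }, /* 16-byte key */
    { "sensor-02", "deadbeefcafebabe" },                 /* 8-byte key  */
};

/* Value of one hex digit, or -1 if the character is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a hex string into out. Returns the byte count, or -1 if the string
 * is malformed or the decoded key would not fit in max_len bytes. The length
 * is checked before anything is written, so out is untouched on failure. */
static int hex_decode(const char *hex, unsigned char *out, unsigned int max_len)
{
    size_t len = strlen(hex);
    if (len == 0 || len % 2 != 0 || len / 2 > max_len)
        return -1;
    for (size_t i = 0; i < len / 2; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(len / 2);
}

/* The identity-to-key function the OpenSSL callback delegates to.
 * Writes at most max_psk_len bytes into psk and returns the key length;
 * returns 0 (which makes OpenSSL abort the handshake) for an unknown
 * identity, a malformed key, or a key larger than the buffer. */
unsigned int psk_lookup(const char *identity, unsigned char *psk,
                        unsigned int max_psk_len)
{
    if (identity == NULL || psk == NULL)
        return 0;
    for (size_t i = 0; i < sizeof psk_table / sizeof psk_table[0]; i++) {
        if (strcmp(psk_table[i].identity, identity) == 0) {
            int n = hex_decode(psk_table[i].key_hex, psk, max_psk_len);
            return n > 0 ? (unsigned int)n : 0;
        }
    }
    return 0; /* unknown identity: no default key, no fallback */
}

#ifdef WITH_OPENSSL
#include <openssl/ssl.h>

/* Exact signature SSL_CTX_set_psk_server_callback() expects. */
static unsigned int ssl_srv_psk_cb(SSL *ssl, const char *identity,
                                   unsigned char *psk, unsigned int max_psk_len)
{
    (void)ssl;
    return psk_lookup(identity, psk, max_psk_len);
}

/* Register the callback on a server context. */
void register_psk_callback(SSL_CTX *ctx)
{
    SSL_CTX_set_psk_server_callback(ctx, ssl_srv_psk_cb);
}
#endif
```

One caveat that matters for the external-service option raised in the question: OpenSSL invokes the PSK server callback synchronously, in the middle of the handshake, so whatever `psk_lookup` does here happens with the handshake (and, inside haproxy, the event loop) blocked until it returns. A static or pre-fetched table, as above, is safe there; a blocking HTTPS call is not.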