On 13/04/2017 at 12:53, Thierry Fournier wrote:

On 13 Apr 2017, at 12:28, Willy Tarreau <w...@1wt.eu> wrote:

On Thu, Apr 13, 2017 at 12:21:20PM +0200, Thierry Fournier wrote:
.) the patches apply only on haproxy 1.8 because some files do not exist on
1.7 (e.g. include/proto/spoe.h)


Ok. I think that SPOE was introduced in 1.7, obviously I'm wrong.

No, it was introduced in 1.7 but there were some improvements later
(like pipelining etc).

(...)
.) How can the rule-set be reloaded? stop & start || gracefully?


I do not process this part. Today, you must stop and start the process. The
graceful doesn't exist.
I guess that the graceful can be implemented easily. You can ensure the
availability of the SPOA Modsec using the properties of the HAProxy backend.

Actually that's a very good point. I think it would even be possible to
ensure a graceful shutdown using disable-on-404 or using an agent so
that you can roll the restart over multiple WAF nodes.


Interesting. I think about a system which (on SPOA side) stops listeners
and waits for the end of processing current requests. By this way, the SPOA
doesn't accept requests, and HAProxy sends requests on the other process.
Another way is using the CLI and set one spoa/modsec in graceful mode.

Adding a special check is the best way, but the daemon speaks SPOP and not
HTTP. Maybe a thread which listens on a specific port dedicated to this
function? Or improving the SPOP for asking graceful mode in the agent-hello
response message? (it seems that haproxy sends haproxy-hello messages
periodically, but maybe I'm wrong)


The hello-handshake is done only once, when a new connection with a SPOA is opened. But we can improve the SPOP by adding a new frame type to handle admin tasks (like graceful stop). This way, for a specific connection, it would be possible to wait for last ACK frames without sending new frames to the SPOA. Then stopping the SPOA listeners to let the SPOP health check fail should do the trick, I guess.

--
Christopher Faulet
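The drain sequence sketched in this thread (stop the listeners so the backend health check fails and HAProxy routes to another agent, then finish the requests already in flight before exiting) is shown below in a generic TCP agent. This is an added example, not code from HAProxy or from the SPOA modsecurity project; it assumes a plain echo-style request handler instead of SPOP framing, and the names `DrainableAgent`, `drain()` and `demo()` are hypothetical.

```python
import socket
import threading
import time


class DrainableAgent:
    """Minimal TCP agent with a 'graceful' mode: drain() first closes the
    listener (new connections, including health checks, get refused) and
    then waits for the requests already in flight to be answered."""

    def __init__(self, handler, host="127.0.0.1", port=0):
        self._handler = handler
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((host, port))
        self._listener.listen(16)
        self._listener.settimeout(0.1)  # lets the accept loop see the drain flag
        self.address = self._listener.getsockname()
        self._draining = threading.Event()
        self._lock = threading.Lock()
        self._idle = threading.Condition(self._lock)
        self._inflight = 0
        self._acceptor = threading.Thread(target=self._accept_loop, daemon=True)
        self._acceptor.start()

    def _accept_loop(self):
        while not self._draining.is_set():
            try:
                conn, _ = self._listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            # Count the request before handing it off so drain() cannot miss
            # a connection accepted just before the flag was raised.
            with self._lock:
                self._inflight += 1
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()
        # Graceful step 1: stop listening; the load balancer's check now fails.
        self._listener.close()

    def _serve(self, conn):
        try:
            with conn:
                self._handler(conn)
        finally:
            with self._idle:
                self._inflight -= 1
                self._idle.notify_all()

    def inflight(self):
        with self._lock:
            return self._inflight

    def drain(self, timeout=5.0):
        """Enter graceful mode (in a real daemon: on SIGTERM or a CLI command).
        Returns True if all in-flight requests finished within `timeout`."""
        self._draining.set()
        self._acceptor.join()
        # Graceful step 2: wait for in-flight requests instead of killing them.
        deadline = time.monotonic() + timeout
        with self._idle:
            while self._inflight > 0:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    return False
                self._idle.wait(remaining)
        return True


def slow_upper_handler(conn):
    """Constructed stand-in for a WAF evaluation: read one request, take some
    time, answer. A real SPOA would parse SPOP frames here (assumption)."""
    data = conn.recv(1024)
    time.sleep(0.3)
    conn.sendall(data.upper())


def demo():
    """Run the drain scenario on loopback and return what happened."""
    agent = DrainableAgent(slow_upper_handler)
    host, port = agent.address
    client = socket.create_connection((host, port))
    client.sendall(b"request-in-flight")
    for _ in range(200):  # wait until the agent has accepted the connection
        if agent.inflight() == 1:
            break
        time.sleep(0.01)
    inflight_before = agent.inflight()
    drained = agent.drain(timeout=5.0)
    reply = client.recv(1024)  # the in-flight request was still answered
    client.close()
    try:  # what a health check would now see: connection refused
        socket.create_connection((host, port), timeout=1.0).close()
        refused = False
    except OSError:
        refused = True
    return {"inflight_before": inflight_before, "drained_cleanly": drained,
            "reply": reply, "inflight_after": agent.inflight(),
            "new_connection_refused": refused}


if __name__ == "__main__":
    print(demo())
```

Closing the listener before waiting is the important ordering: the HAProxy backend check fails as soon as the socket is gone, so traffic moves to the remaining agents while this one finishes the work it already accepted.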
