Hey Mathias,

wow, brilliant! Made my day, really! - I was about to get frustrated
during troubleshooting :)
That was exactly what I needed. Thanks a bunch!
I failed to find something like that because I did not know exactly
what to search for.

> As a side note: In case you want to match the payload in a binary (non-HTTP) protocol,
> make sure you convert the payload to hex first, see section 7.1.3 in the
> newest configuration docs, here's the excerpt:

Yes, that's right. Luckily I already had some experience in how to handle
that type of stuff from previous scripting jobs.

I wrote a bin2hex function for the Lua script I am testing. I'm not sure,
maybe in terms of performance(?) it makes more sense to leave that to
haproxy's "payload(),hex" and just evaluate the converted result in my
script. I will have a look into that.

So far I got the impression that troubleshooting and testing patterns is more
"obvious" and debuggable when implemented in my own Lua script.
I felt a bit "blind" tracking the decision making when testing a haproxy
ACL equivalent (maybe just my first impression).
I used "set-var" + "if acl" and printed that via log-format; I'm not sure if
there is a better way when testing ACLs?

Thanks again, BR
Micha



On 12.02.2020 12:09, Mathias Weiersmüller (cyberheads GmbH) wrote:
Hi Micha,

> My problem is that the "req.payload(0,10)" fetch, which I am using for
> that purpose, does not seem to reliably have access to the payload at
> all times.
The problem is not the fetch per se, it is the timing of the evaluation
of the rule: tcp-request content rules are evaluated very early - there's
a high probability the payload buffer is empty at this moment.

If you add a condition to check if there is already any content present,
it will always match (checked using your config, thanks!):

example:
tcp-request content set-var(txn.rawPayload) req.payload(0,2),hex if { req_len gt 0 }

As a side note: In case you want to match the payload in a binary (non-HTTP) protocol,
make sure you convert the payload to hex first, see section 7.1.3 in the
newest configuration docs, here's the excerpt:

Do not use string matches for binary fetches which might contain null bytes
(0x00), as the comparison stops at the occurrence of the first null byte.
Instead, convert the binary fetch to a hex string with the hex converter first.

Example:

# matches if the string <tag> is present in the binary sample
acl tag_found req.payload(0,0),hex -m sub 3C7461673E


Best regards

Mathias
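The pieces discussed in this thread (the req_len guard, hex conversion before matching, and logging set-var results to make ACL decisions visible) fit together in one small configuration. The following is an added example, not a config from either mail or from the HAProxy project; the frontend/backend names, the ports, the variable names txn.rawPayload and txn.tagFound, and the 5s inspect delay are assumptions. 3C7461673E is the hex form of "<tag>" used in the documentation excerpt above.

```haproxy
# Added example (not from the thread or from HAProxy itself).
# Names, ports and timeouts below are assumptions for illustration.
global
    log stdout format raw local0

defaults
    mode    tcp
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend tcp_in
    bind *:9000

    # Let content rules wait up to 5s for client data to be buffered.
    # Without an inspect delay, tcp-request content rules run as soon as the
    # connection is accepted, when the request buffer is usually still empty.
    tcp-request inspect-delay 5s

    # Capture the buffered payload as hex only once at least one byte has
    # arrived (the guard suggested in the reply). Length 0 means "everything
    # currently buffered"; keep the window small in production to bound log size.
    tcp-request content set-var(txn.rawPayload) req.payload(0,0),hex if { req_len gt 0 }

    # Match on the hex string, so a 0x00 byte inside the payload cannot cut
    # the comparison short the way a plain string match would.
    acl tag_found req.payload(0,0),hex -m sub 3C7461673E

    # Record the ACL verdict in a variable so it shows up in the log line.
    tcp-request content set-var(txn.tagFound) str(yes) if tag_found
    tcp-request content set-var(txn.tagFound) str(no)  if !tag_found

    # Only connections that carry the expected tag reach the backend.
    tcp-request content reject if !tag_found
    tcp-request content accept

    # One log line per connection: client, captured hex and the decision.
    log-format "%ci:%cp payload_hex=%[var(txn.rawPayload)] tag_found=%[var(txn.tagFound)]"

    default_backend app

backend app
    server s1 127.0.0.1:9001
```

Start it with `haproxy -f test.cfg` and send a probe such as `printf '\000\001<tag>' | nc 127.0.0.1 9000`; the log line shows the hex that the rule actually saw (0001 3C7461673E, run together) and whether tag_found matched, which is usually enough to tell a timing problem (empty payload_hex) from a pattern problem (payload present, ACL false) without writing a Lua script.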
