Hi.

On 24.11.20 11:48, Stanislav Pavlíček wrote:
> Hello,
>
> I'm trying to implement content inspection using haproxy/SPOE and a SPOA agent.
> I created a basic sample configuration to demonstrate my issue:
> https://github.com/haproxy/haproxy/issues/956#issuecomment-732806414
>
> To reproduce locally, just download the contentdebug.zip archive from the link above,
> run it using docker-compose up and hit it with curl (e.g. curl -d '{}' http://localhost ).
>
> The issue is that although I declared tcp-request/tcp-response content
> send-spoa-group rules, my SPOA agent is called only once with request length 0 and no payload.

I have downloaded the zip and see that you use "contrib/spoa_server",
which has some issues that Christopher Faulet explained in this post:
https://www.mail-archive.com/haproxy@formilux.org/msg38484.html

> I suspect I don't fully understand the processing of tcp-request/tcp-response
> rules, acls and accept/reject criteria. I tried to add various acls, mainly
> based on req.len/res.len, which I thought could be used to detect the end of the payload
> (the documentation says that req.len/res.len returns false when no more data is
> available), but still no luck.
>
> My goal is to send every chunk of data read/written on a given proxy to the SPOA agent.
> Ideally I would like to avoid any buffering, which I thought I could achieve using
> https://www.arpalert.org/src/haproxy-lua-api/2.2/index.html#Channel.forward (not used in my example).
>
> Is it feasible? Or do I need to implement my own filter?

As far as I know there is no other scriptable spoa solution for now.
You can try to fix the issues in spoa_server or build your solution based on
contrib/spoa_example, for example.
contrib/modsecurity looks like it is based on the spoa_example ;-)

> This is really important for the project I am working on.
> Thanks for any help.
>
> Regards,
> Stanislav Pavlicek

Regards
Aleks