On 24/11/2020 at 11:48, Stanislav Pavlíček wrote:
Hello,

I'm trying to implement content inspection using haproxy/SPOE and SPOA agent.

I created basic sample configuration to demonstrate my issue:

https://github.com/haproxy/haproxy/issues/956#issuecomment-732806414

To reproduce locally, just download the contentdebug.zip archive from the link above, run it using docker-compose up and hit it with curl (e.g. curl -d '{}' http://localhost).

The issue is that although I declared tcp-request/tcp-response content send-spoa-group rules, my SPOA agent is called only once with request length 0 and no payload.


tcp rulesets are only evaluated once. But, you may wait to eval a rule using an ACL. For instance "if { req.len gt 0 }".

I suspect I don't fully understand processing of tcp-request/tcp-response rules, acls and accept/reject criteria. I tried to add various acls mainly based on req.len/res.len, which I thought could be used to detect end of payload (The documentation says that req.len/res.len returns false when no more data is available), but still no luck.

req.len/res.len return the current number of bytes in the buffer. That may be 0 if nothing is received yet. They only return false if you wait for more data but haproxy knows no more are expected. But len/payload/payload_lv must not be used on an HTTP message because data are structured and not raw. The documentation must warn against this use and a warning should probably be added in the code.


My goal is to send every chunk of data read/written on a given proxy to the SPOA agent. Ideally I would like to avoid any buffering, which I thought I could achieve using https://www.arpalert.org/src/haproxy-lua-api/2.2/index.html#Channel.forward (not used in my example).

Is it feasible? Or do I need to implement my own filter?

With the current SPOE design, it is not possible. But the filters API is able to do that. Thus, with a SPOE refactoring, it could be possible too. For now, the only way to achieve that is to write your own filter. The trace filter is a good example.

But before that, you must evaluate the request and response sizes you expect. Because, if smaller than a buffer, including the headers, it is already possible.

--
Christopher Faulet
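Editor's note: the configuration below is an added illustration of the ACL gating suggested above, written for this page; it is not taken from the thread, from the contentdebug.zip archive, or from the haproxy documentation. The engine name "inspect", the group and message names, the ports and the config path are all assumed. It deliberately uses mode tcp, since req.len/res.len and req.payload/res.payload must not be used on HTTP messages, and it sends each direction's buffered payload once, which is what the current SPOE design allows.

```haproxy
# haproxy.cfg (added example; names, ports and paths are assumptions)
global
    log stdout format raw local0

defaults
    mode tcp
    log global
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe_inspect
    bind *:8080
    # Engine name and config path are assumed for this example.
    filter spoe engine inspect config /etc/haproxy/spoe-inspect.cfg
    # Without an inspect-delay, content rules are evaluated once,
    # immediately, on an empty buffer: that is the "length 0" call.
    tcp-request inspect-delay 5s
    # req.len is 0 until bytes arrive. Because the ACL may still become
    # true, haproxy keeps the rule pending (up to the inspect-delay)
    # instead of firing the group with no payload.
    tcp-request content send-spoa-group inspect grp-req if { req.len gt 0 }
    tcp-request content accept
    tcp-response inspect-delay 5s
    tcp-response content send-spoa-group inspect grp-res if { res.len gt 0 }
    tcp-response content accept
    default_backend be_app

backend be_app
    server app 127.0.0.1:8000

backend be_spoe_agents
    mode tcp
    timeout connect 1s
    timeout server 5s
    server agent1 127.0.0.1:12345

# /etc/haproxy/spoe-inspect.cfg (added example)
[inspect]
spoe-agent inspect-agent
    # Groups are only sent via send-spoa-group; no event is attached.
    groups grp-req grp-res
    option var-prefix inspect
    timeout hello 2s
    timeout idle 2m
    timeout processing 500ms
    use-backend be_spoe_agents

spoe-group grp-req
    messages inspect-req

spoe-group grp-res
    messages inspect-res

spoe-message inspect-req
    # A length of 0 means everything from the offset to the end of the buffer.
    args payload=req.payload(0,0) len=req.len

spoe-message inspect-res
    args payload=res.payload(0,0) len=res.len
```

Check the syntax with `haproxy -c -f haproxy.cfg` before starting. Two caveats follow directly from the reply above: only what fits in one buffer is visible to the agent, so a body larger than the buffer is truncated rather than streamed chunk by chunk, and if the frontend were switched to mode http these len/payload fetches would have to be dropped.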
