On 24/11/2020 at 11:48, Stanislav Pavlíček wrote:
> Hello,
> I'm trying to implement content inspection using haproxy/SPOE and SPOA agent.
> I created basic sample configuration to demonstrate my issue:
> https://github.com/haproxy/haproxy/issues/956#issuecomment-732806414
> To reproduce locally, just download contentdebug.zip archive from link above,
> run it using docker-compose up and hit it with curl (e.g. curl -d '{}'
> http://localhost).
> The issue is that although I declared tcp-request/tcp-response content
> send-spoe-group rules, my SPOA agent is called only once with request length 0
> and no payload.
tcp rulesets are only evaluated once. But you may wait to evaluate a rule using an
ACL. For instance "if { req.len gt 0 }".
> I suspect I don't fully understand processing of tcp-request/tcp-response rules,
> ACLs and accept/reject criteria. I tried to add various ACLs mainly based on
> req.len/res.len, which I thought could be used to detect end of payload (the
> documentation says that req.len/res.len returns false when no more data is
> available), but still no luck.
req.len/res.len return the current number of bytes in the buffer. That may be 0
if nothing is received yet. They only return false if you wait for more data but
haproxy knows no more are expected. But len/payload/payload_lv must not be used
on an HTTP message because data are structured and not raw. The documentation
must warn against this use and a warning should probably be added in the code.
> My goal is to send every chunk of data read/written on given proxy to SPOA
> agent. Ideally I would like to avoid any buffering, which I thought I could
> achieve using
> https://www.arpalert.org/src/haproxy-lua-api/2.2/index.html#Channel.forward
> (not used in my example).
> Is it feasible? Or do I need to implement my own filter?
With the current SPOE design, it is not possible. But the filters API is able to
do that. Thus with a SPOE refactoring it could be possible too. For now, the
only way to achieve that is to write your own filter. The trace filter is a good
example.
But before that, you must evaluate the request and response sizes you expect,
because if they are smaller than a buffer, including the headers, it is already possible.
--
Christopher Faulet
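The configuration the replies describe, written out as an added example. This is not the thread's contentdebug.zip, nor Christopher's or the HAProxy project's own sample: the engine name, file paths, ports, group and message names, and the txn.inspect.block variable are all assumptions. The TCP listener applies the "if { req.len gt 0 }" / "res.len gt 0" wait from the first reply so the group is not sent with an empty buffer; the HTTP frontend goes beyond the reply by using option http-buffer-request and req.body instead of req.len/req.payload, which the second reply says must not be used on an HTTP message.

```haproxy
# haproxy.cfg (added example, names and addresses are assumptions)
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Raw TCP: tcp-request/tcp-response content rules run once. The req.len / res.len
# condition makes haproxy wait (up to inspect-delay) until at least one byte is
# buffered, so the group is not sent with a 0-length payload.
listen tcp_inspect
    mode tcp
    bind :9000
    filter spoe engine inspect config /etc/haproxy/inspect.spoe
    tcp-request  inspect-delay 5s
    tcp-request  content send-spoe-group inspect req-raw if { req.len gt 0 }
    tcp-request  content accept
    tcp-response inspect-delay 5s
    tcp-response content send-spoe-group inspect res-raw if { res.len gt 0 }
    tcp-response content accept
    server app 127.0.0.1:8080

# HTTP: the buffer holds a structured message, so req.len/req.payload must not be
# used. Buffer the body (request plus headers must fit in one buffer, tune.bufsize)
# and hand it to the agent from an http-request rule instead.
frontend http_inspect
    mode http
    bind :80
    option http-buffer-request
    filter spoe engine inspect config /etc/haproxy/inspect.spoe
    http-request send-spoe-group inspect req-http
    # txn.inspect.block is an assumed variable the agent sets (var-prefix "inspect")
    http-request deny deny_status 403 if { var(txn.inspect.block) -m int eq 1 }
    default_backend app

backend app
    mode http
    server app 127.0.0.1:8080

backend spoe_agents
    mode tcp
    server agent 127.0.0.1:12345

# /etc/haproxy/inspect.spoe (added example)
[inspect]
spoe-agent inspect-agent
    groups      req-raw res-raw req-http
    option      var-prefix inspect
    timeout     hello      2s
    timeout     idle       2m
    timeout     processing 500ms
    use-backend spoe_agents

spoe-group req-raw
    messages raw-request
spoe-group res-raw
    messages raw-response
spoe-group req-http
    messages http-request

# req.payload(0,0): a zero length means "everything from the offset to the end
# of the buffer", i.e. the whole chunk currently buffered
spoe-message raw-request
    args payload=req.payload(0,0)
spoe-message raw-response
    args payload=res.payload(0,0)
spoe-message http-request
    args method=method path=path body=req.body
```

Check the syntax with `haproxy -c -f haproxy.cfg` before loading it. Note what this does and does not give you: each group fires once per direction and carries whatever is buffered at that moment (at most one buffer, headers included), which is the case the last reply says is already possible. It does not forward every subsequent chunk; for that, as the reply states, you still need your own filter built on the filters API.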