Re: TLS-PSK: making a http(s) lookup call from inside haproxy code
Thanks for the insight from both of you. I have spent a couple of hours browsing through the code and realized that even if async IO were possible in the PSK callback, I would have a really hard time wrapping my head around it. The learning curve is just too steep (not to mention post-implementation maintenance of that patch). Right now, the solution to replace the file and reload haproxy sounds more feasible.

> BTW, in the thread about the TLS-PSK support, it was suggested to use a map
> to handle identities. When it will be done, it will be possible to
> dynamically update the map.

I will be following haproxy development for any news in this regard.

Thanks,

Brano Zarnovican
Re: TLS-PSK: making a http(s) lookup call from inside haproxy code
On 22/02/2017 at 16:02, thierry.fourn...@arpalert.org wrote:
> On Wed, 22 Feb 2017 15:43:36 +0100 Braňo Žarnovičan wrote:
>> Options:
>>
>> (a) implement lookup call in C
>>
>> I should be able to whip up a simple HTTP 1.0 request via low-level
>> socket programming. However, I would like some more, fancier features
>> like https, persistent connections, basic auth, handling timeouts, etc.
>> Even with the simple socket code I'm not sure how that will play with
>> haproxy's event-driven nature. I would appreciate it if someone could
>> point me to an example where haproxy is doing something similar
>> already.
>
> Hi,
>
> there is no way to implement HTTP requests easily from haproxy. If you are
> looking for an example, you can look at the code of SPOE, the stats page,
> the stats CLI or the Lua code for "core.socket". The idea is to create a
> client applet and use an internal proxy to process the connection, the data
> exchange and the SSL. The HTTP protocol as client must be implemented on
> our side.

I just took a quick look at the patch of Nenad, but it seems impossible to do asynchronous processing in PSK callback functions. If I'm right, you cannot loop on these callbacks, waiting for the completion of an external lookup. So you would have to do your HTTP request synchronously, and you certainly do not want to do that! Using an applet here, as Thierry suggested, will not help you.

>> (b) integrate it with Lua
>>
>> Lua sounds like a better option for writing custom code for HAproxy.
>> However, I'm afraid that I wouldn't be able to hook it to the TLS
>> handshake itself (that stage is too early in the process). It seems
>> that it's not a good use-case for Lua.
>
> I confirm, you can't have a hook in the https, and you can't configure the
> https parameters. Maybe in a future version; for now, I'm waiting for some
> feedback about the actual process. Another way is to use the new SPOE
> protocol to forward some data to your own service which will process SSL.
> Look for an example of an SPOE client in the directory "contrib/spoa_example".

The SPOE (Stream Processing Offload Engine), as its name says, must be used to offload processing on streams. So, it cannot be used during the SSL handshake, because there is no stream yet at this step. This is not a limitation of the SPOE in itself, but of the filters API. There is no hook to handle TCP/SSL connection creation (not yet).

BTW, in the thread about the TLS-PSK support, it was suggested to use a map to handle identities. When it will be done, it will be possible to dynamically update the map.

--
Christopher Faulet
Re: TLS-PSK: making a http(s) lookup call from inside haproxy code
On Wed, 22 Feb 2017 15:43:36 +0100 Braňo Žarnovičan wrote:
> Hi,
>
> I need to call an external http (preferably https) service from
> HAproxy code. What's the easiest way to achieve that?
>
> Context:
> I would like HAproxy to do TLS termination for non-http traffic
> (mqtt). The TLS cipher is PSK (pre-shared key). There was a patch in
> this mailing-list adding support for this cipher. In his patch, Nenad
> Merdanovic is loading the map from a configuration file.
> This is fine if you have a static environment. I would like to hook
> this identity-to-key function to some external service.
>
> // for TLS-PSK, you need to implement this function
> // (OpenSSL expects it to return the PSK length, or 0 to reject)
> static unsigned int ssl_srv_psk_cb(SSL *ssl, const char *identity,
>                                    unsigned char *psk, unsigned int max_psk_len)
> {
>     // for a given "identity" string, return its pre-shared key "psk"
>     // make a https call here..
>     return 0;  // 0 = unknown identity, handshake is rejected
> }
>
> // and register it for OpenSSL as call-back
> SSL_CTX_set_psk_server_callback(ctx, ssl_srv_psk_cb);
>
> Options:
>
> (a) implement lookup call in C
>
> I should be able to whip up a simple HTTP 1.0 request via low-level
> socket programming. However, I would like some more, fancier features
> like https, persistent connections, basic auth, handling timeouts, etc.
> Even with the simple socket code I'm not sure how that will play with
> haproxy's event-driven nature. I would appreciate it if someone could
> point me to an example where haproxy is doing something similar
> already.

Hi,

there is no way to implement HTTP requests easily from haproxy. If you are looking for an example, you can look at the code of SPOE, the stats page, the stats CLI or the Lua code for "core.socket". The idea is to create a client applet and use an internal proxy to process the connection, the data exchange and the SSL. The HTTP protocol as client must be implemented on our side.

> (b) integrate it with Lua
>
> Lua sounds like a better option for writing custom code for HAproxy.
> However, I'm afraid that I wouldn't be able to hook it to the TLS
> handshake itself (that stage is too early in the process). It seems
> that it's not a good use-case for Lua.

I confirm, you can't have a hook in the https, and you can't configure the https parameters. Maybe in a future version; for now, I'm waiting for some feedback about the actual process. Another way is to use the new SPOE protocol to forward some data to your own service which will process SSL. Look for an example of an SPOE client in the directory "contrib/spoa_example".

Thierry

> Any thoughts? Examples of async IO https calls from C?
>
> Thanks,
>
> Brano Zarnovican
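As an added example (not code from this thread, from Nenad's patch or from haproxy), here is the callback Brano sketched resolving identities synchronously from an in-memory identity-to-key map, the file-loaded map approach the thread ends up recommending, with the max_psk_len bound that OpenSSL requires the callback to honour. The map contents, the line format ("identity hexkey"), the psk_lookup helper and the forward typedef of SSL (so it builds without OpenSSL headers) are assumptions made for a stand-alone build.

```c
#include <ctype.h>
#include <string.h>
typedef struct ssl_st SSL;  /* same forward typedef OpenSSL's own headers use */

/* Constructed identity-to-key map, one "identity hexkey" entry per line
 * (assumption: this stands in for the map file loaded at startup/reload). */
static const char *psk_map =
    "sensor-01 0123456789abcdef0123456789abcdef\n"
    "sensor-02 ffeeddccbbaa99887766554433221100\n";

static int hexval(unsigned char c) {
    c = (unsigned char)tolower(c);
    if (c >= '0' && c <= '9') return c - '0';
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Find `identity` in the map and copy its decoded key into `psk`.
 * Returns the key length in bytes, or 0 so OpenSSL rejects the handshake
 * (unknown identity, malformed hex, or a key longer than max_psk_len). */
unsigned int psk_lookup(const char *identity, unsigned char *psk,
                        unsigned int max_psk_len) {
    size_t idlen = strlen(identity);
    const char *line = psk_map;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        /* exact match only: same prefix AND the separator right after it */
        if (len > idlen + 1 && strncmp(line, identity, idlen) == 0 &&
            line[idlen] == ' ') {
            const char *hex = line + idlen + 1;
            size_t hexlen = len - idlen - 1;
            if (hexlen % 2 != 0 || hexlen / 2 > max_psk_len) return 0;
            for (size_t i = 0; i < hexlen; i += 2) {
                int hi = hexval((unsigned char)hex[i]), lo = hexval((unsigned char)hex[i + 1]);
                if (hi < 0 || lo < 0) return 0;
                psk[i / 2] = (unsigned char)((hi << 4) | lo);
            }
            return (unsigned int)(hexlen / 2);
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* The callback from the thread, with OpenSSL's real signature; it only
 * delegates to the synchronous in-memory lookup, so it never blocks on I/O. */
unsigned int ssl_srv_psk_cb(SSL *ssl, const char *identity,
                            unsigned char *psk, unsigned int max_psk_len) {
    (void)ssl;  /* unused: the map is process-wide, not per-connection */
    return identity ? psk_lookup(identity, psk, max_psk_len) : 0;
}
```

Registering it is the same `SSL_CTX_set_psk_server_callback(ctx, ssl_srv_psk_cb)` call from the original message; swapping the map then means rewriting the file and reloading, as Brano concluded.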