On 6/11/21 at 8:22 PM, Aleksandar Lazic wrote:
Hi.

On 11.06.21 18:07, Aleksandar Lazic wrote:
Hi.

I use haproxy 2.4 with this fe config.

```
global
      log stdout format raw daemon
      daemon
      maxconn 20000
      stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
      stats timeout 30s

      tune.ssl.default-dh-param 2048

      # Default SSL material locations
      ca-base /etc/ssl/certs
      crt-base /etc/ssl/private


      # See https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=old&openssl=1.1.1d&guideline=5.4
      ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
      ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
      ssl-default-bind-options no-tls-tickets ssl-min-ver TLSv1.0

      ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
      ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
      ssl-default-server-options no-tls-tickets ssl-min-ver TLSv1.0


defaults http
    log global
    mode http
    retry-on all-retryable-errors
    option forwardfor
    option redispatch
    option http-ignore-probes
    option httplog
    option dontlognull
    option log-health-checks
    option socket-stats
    timeout connect 5s
    timeout client  50s
    timeout server  50s
    http-reuse safe
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend http-in
    bind *:80
    mode http

    unique-id-format %rt
    http-request set-var(sess.my_fe_path) path
    http-request set-var(sess.my_fe_src) src
    http-request set-var(sess.my_fe_referer) req.hdr(Referer)
    http-request set-var(sess.my_fe_requestedhost) req.hdr(Host)

    # define the spoe agents
    filter spoe engine agent-on-http-req config /etc/haproxy/spoe-url.conf
    filter spoe engine agent-on-http-res config /etc/haproxy/spoe-url.conf

frontend https-in

    bind :::443 v4v6 alpn h2,http/1.1 ssl ca-file /etc/haproxy/letsencryptauthorityx3.pem crt /etc/ssl/haproxy/

    unique-id-format %rt
    http-request set-var(sess.my_fe_path) path
    http-request set-var(sess.my_fe_src) src
    http-request set-var(sess.my_fe_referer) req.hdr(Referer)
    http-request set-var(sess.my_fe_requestedhost) req.hdr(Host)

    # define the spoe agents
    filter spoe engine agent-on-http-req config /etc/haproxy/spoe-url.conf
    filter spoe engine agent-on-http-res config /etc/haproxy/spoe-url.conf
```

And with this spoe config.
```
[agent-on-http-req]
spoe-agent agent-on-http-req

      log global

      messages agent-on-http-req

      option var-prefix feevents

      timeout hello      2s
      timeout idle       2m
      timeout processing 1s

      use-backend agent-on-http-req

spoe-message agent-on-http-req
      args my_path=path my_src=src my_referer=req.hdr(Referer) my_sid=unique-id my_req_host=req.hdr(Host)
      event on-frontend-http-request

[agent-on-http-res]
spoe-agent agent-on-http-res

      log global

      messages agent-on-http-res

      option var-prefix feevents

      timeout hello      2s
      timeout idle       2m
      timeout processing 1s

      use-backend agent-on-http-res

spoe-message agent-on-http-res
      args my_path=var(sess.my_fe_path) my_src=src my_referer=var(sess.my_fe_referer) my_sid=unique-id my_req_host=var(sess.my_fe_requestedhost)
      event on-http-response
```

Now when I make a http request I get all values and args.
```
Jun 11 16:01:01 reggata-001 spoe-url[112969]: 2021/06/11 16:01:01 Msg Name  :agent-on-http-req:
Jun 11 16:01:01 reggata-001 spoe-url[112969]: 2021/06/11 16:01:01 Msg Count :5:
Jun 11 16:01:01 reggata-001 spoe-url[112969]: 2021/06/11 16:01:01 Arg Name  :my_path:
Jun 11 16:01:01 reggata-001 spoe-url[112969]: 2021/06/11 16:01:01 Arg Value :/test:
Jun 11 16:01:01 reggata-001 spoe-url[112969]: 2021/06/11 16:01:01 Arg Name  :my_src:
Jun 11 16:01:01 reggata-001 spoe-url[112969]: 2021/06/11 16:01:01 Arg Value :<My_IP>:
Jun 11 16:01:01 reggata-001 spoe-url[112969]: 2021/06/11 16:01:01 Arg Name  :my_referer:
Jun 11 16:01:01 reggata-001 spoe-url[112969]: 2021/06/11 16:01:01 Arg Value :%!s(<nil>):
Jun 11 16:01:01 reggata-001 spoe-url[112969]: 2021/06/11 16:01:01 Arg Name  :my_sid:
Jun 11 16:01:01 reggata-001 spoe-url[112969]: 2021/06/11 16:01:01 Arg Value :11:
Jun 11 16:01:01 reggata-001 spoe-url[112969]: 2021/06/11 16:01:01 Arg Name  :my_req_host:
Jun 11 16:01:01 reggata-001 spoe-url[112969]: 2021/06/11 16:01:01 Arg Value :<REQ_HOST>:
```

But when I make a https request I get only the path.

```
Jun 11 15:55:32 reggata-001 spoe-url[112869]: 2021/06/11 15:55:32 Msg Name  :agent-on-http-req:
Jun 11 15:55:32 reggata-001 spoe-url[112869]: 2021/06/11 15:55:32 Msg Count :5:
Jun 11 15:55:32 reggata-001 spoe-url[112869]: 2021/06/11 15:55:32 Arg Name  :my_path:
Jun 11 15:55:32 reggata-001 spoe-url[112869]: 2021/06/11 15:55:32 Arg Value :/test:
Jun 11 15:55:32 reggata-001 spoe-url[112869]: 2021/06/11 15:55:32 Arg Name  :my_src:
Jun 11 15:55:32 reggata-001 spoe-url[112869]: 2021/06/11 15:55:32 Arg Value :0.0.0.0:
Jun 11 15:55:32 reggata-001 spoe-url[112869]: 2021/06/11 15:55:32 Arg Name  ::
Jun 11 15:55:32 reggata-001 spoe-url[112869]: 2021/06/11 15:55:32 Arg Value :%!s(<nil>):
Jun 11 15:55:32 reggata-001 spoe-url[112869]: 2021/06/11 15:55:32 Arg Name  ::
Jun 11 15:55:32 reggata-001 spoe-url[112869]: 2021/06/11 15:55:32 Arg Value :%!s(<nil>):
Jun 11 15:55:32 reggata-001 spoe-url[112869]: 2021/06/11 15:55:32 Arg Name  ::
Jun 11 15:55:32 reggata-001 spoe-url[112869]: 2021/06/11 15:55:32 Arg Value :%!s(<nil>):
```

Please can somebody tell me what's my mistake, thank you?

The problem can be easily reproduced when the bind line is replaced with '::'

      Working: *:80
Not Working: :::80

Then the HTTPS part also works.

It looks like '*:80' goes a different way than ':::80'


Hi Alex,

I'm unable to reproduce the issue. Everything works as expected, with all combinations of HTTP/HTTPS and IPv4/IPv6. It may be an issue with your agent. "my_src" value is displayed as an IPv4 while it should be an IPv6. Could you check that your agent is properly decoding IPv6 values?

You may also try to do a network capture between HAProxy and your agent.

--
Christopher Faulet
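
The IPv6 decoding check suggested in the reply above, as an added example (not code from this thread or from the agent discussed in it): in SPOP typed data an IPV4 value carries 4 bytes and an IPV6 value 16, so a decoder has to consume the size that matches the type code to stay aligned with the arguments that follow. `DecodeArgs`, `take`, `Sizes` and `Sample` are hypothetical names, the frame bytes are constructed, and string lengths are assumed to fit in a single varint byte.

```go
package main

import (
	"fmt"
	"net"
)

// Sizes: payload bytes per SPOP type code (0 NULL, 6 IPV4, 7 IPV6, 8 STRING; -1 = length-prefixed).
var Sizes = map[byte]int{0: 0, 6: 4, 7: 16, 8: -1}

// take splits off n bytes; n < 0 reads a 1-byte length first (assumes lengths < 240).
func take(b []byte, n int) ([]byte, []byte, bool) {
	if n < 0 && len(b) > 0 && b[0] < 240 {
		n, b = int(b[0]), b[1:]
	}
	if n < 0 || len(b) < n {
		return nil, nil, false
	}
	return b[:n], b[n:], true
}

// DecodeArgs (hypothetical helper) walks a KV-list: <name><type byte><value> per argument.
func DecodeArgs(b []byte, sizes map[byte]int) (map[string]string, error) {
	out := map[string]string{}
	for len(b) > 0 {
		name, rest, ok := take(b, -1)
		if !ok || len(rest) == 0 {
			return out, fmt.Errorf("truncated argument name")
		}
		typ := rest[0] & 0x0f // the high 4 bits carry flags
		n, known := sizes[typ]
		val, next, ok := take(rest[1:], n)
		if !known || !ok {
			return out, fmt.Errorf("arg %q: type %d unhandled or truncated", name, typ)
		}
		out[string(name)] = string(val)
		if typ == 6 || typ == 7 {
			out[string(name)] = net.IP(val).String()
		}
		b = next
	}
	return out, nil
}

// Sample is constructed: my_src=2001:db8::1 (IPV6), my_referer=NULL, my_sid="11".
var Sample = append(append([]byte("\x06my_src\x07"), net.ParseIP("2001:db8::1")...),
	"\x0amy_referer\x00\x06my_sid\x08\x0211"...)

func main() { fmt.Println(DecodeArgs(Sample, Sizes)) }
```

Calling `DecodeArgs` with a table that gives type 7 only 4 bytes turns the same sample into a wrong `my_src`, an empty argument name and an error instead of `my_sid`.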
