On 8/11/21 at 2:53 AM, Ryan Burn wrote:
I'm working on integrating HAProxy with traceable.ai's security product.
As part of the integration, we'd like to capture the contents of any http
responses processed by HAProxy and send them to a service either via SPOA or an
RPC call from Lua. The response contents are used by the product to help
identify possible security threats.
I've tried a few things, but haven't found a reliable way to capture the
contents of response bodies. Is this possible with HAProxy?
Here are the approaches I've explored so far:
1. I used the "res.body" fetch but that only provides the contents sometimes (I
presume if it's available in a buffer):
https://github.com/rnburn/haproxy-extcap/blob/master/test/docker/extcap.conf#L19
2. I also tried accessing the contents of the response channel from a Lua
action, but that fails with "Cannot manipulate HAProxy channels in HTTP mode"
https://github.com/rnburn/haproxy-extcap/blob/master/test/docker/response.lua#L5
Hi Ryan,
About the SPOE, it is on the todo-list to add a streaming feature to be able to
send the request/response payload to an agent and be able to rewrite it.
Unfortunately, to make it clean and usable, it requires a total refactoring and
for now, I haven't found the time to work on it.
About the sample fetches, on HAProxy 2.3 and lower, there is no way to get the
response payload because it is not possible to wait for it. There is no
equivalent to the "http-buffer-request" option on the response side. On
HAProxy-2.4, it is possible by using "wait-for-body" HTTP rule, available on the
request and the response side. However, it is still limited by the buffer size.
With Lua, it is only possible by writing a filter using the experimental Lua
filter API, available in HAProxy 2.5. This API is really experimental for now,
but it may be a solution to analyze the whole message payload, regardless of its
size. However, it may be painful because the API may be incomplete and because
dealing with multiple buffers is not simple, especially if you don't want to
forward the payload before the end of analysis.
--
Christopher Faulet
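As an added illustration (not code from this thread nor HAProxy's own), this is what the HAProxy 2.5 Lua-filter route described above can look like: a filter that copies each response payload chunk as it arrives and forwards it, so the whole body is seen whatever its size, while the buffer-size trap is avoided by never holding data back. Method names follow the 2.5 Lua filter documentation as I read it and should be checked against the version in use; the 1 MiB keep limit and the hand-off (a txn variable plus a log line) are placeholders.

```lua
-- Added example: HAProxy 2.5 experimental Lua filter that observes the full
-- response body. Load with "lua-load body_capture.lua" (global section) and
-- enable per proxy with "filter lua.body-capture".
BodyCapture = {}
BodyCapture.id = "body-capture"
BodyCapture.flags = filter.FLT_CFG_FL_HTX   -- required to filter HTTP (HTX) streams
BodyCapture.__index = BodyCapture

-- Keep at most this many bytes in memory (constructed value); the total length
-- of the body is always counted, even past the limit.
local MAX_KEEP = 1024 * 1024

function BodyCapture:new()
    local flt = setmetatable({}, BodyCapture)
    flt.chunks = {}   -- copied response body pieces
    flt.kept = 0      -- bytes retained in chunks
    flt.total = 0     -- bytes seen in total
    return flt
end

-- Called once per channel: request payload callbacks on the response side only.
function BodyCapture:start_analyze(txn, chn)
    if chn:is_resp() then
        filter.register_data_filter(self, chn)
    end
end

-- Called each time response payload is available. Data not yet forwarded sits
-- in the "input" part of the buffer: copy it, then forward all of it. Returning
-- 0 to hold data until the end would stall any body larger than one buffer,
-- which is why this filter analyzes while streaming instead.
function BodyCapture:http_payload(txn, http_msg)
    if not http_msg:is_resp() then return end
    local len = http_msg:input()
    if len > 0 then
        if self.kept < MAX_KEEP then
            local take = math.min(len, MAX_KEEP - self.kept)
            table.insert(self.chunks, http_msg:body(0, take))
            self.kept = self.kept + take
        end
        self.total = self.total + len
    end
    return len   -- forward everything just inspected
end

-- End of the response message: hand the captured body off. An SPOE or Lua RPC
-- hand-off would replace the variable/log placeholder used here.
function BodyCapture:http_end(txn, http_msg)
    if not http_msg:is_resp() then return end
    txn:set_var("txn.resp_body_len", self.total)
    txn:set_var("txn.resp_body", table.concat(self.chunks))
    core.Info(string.format("body-capture: %d bytes seen, %d kept", self.total, self.kept))
end

core.register_filter("body-capture", BodyCapture, function(flt, args) return flt end)
```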