Hello,

I'm looking into possibilities to implement some slightly more complex logic 
into haproxy that's being used when talking to origins.
Looking through the documentation, I see I can obviously use Lua, which offers 
great flexibility.

I'm looking to implement a few additional checks and balances before I forward 
requests to the origin/backend for being processed.

Two of these things are:
- validation of bearer tokens (API tokens) on haproxy level
- S3 signing

Bearer tokens are stored in a Redis instance, and I can obviously write Lua 
that's run for a given http-request, but from what I understand, the way the 
Lua is run means I obviously have to establish the whole Redis 
instance/connection every time the code is executed, and I can't keep a 
connection open.
Would it be possible to use the SPOE feature of haproxy to essentially run a 
separate program, that would bridge this gap, basically being a super fast 
processing engine for tokens, where I keep this persistent Redis connection 
open, or are there better ways of doing it?

Likewise for S3 signing (I know it's supported by haproxy enterprise, but in 
this particular case, I'm not there yet, to where I can justify it, sorry!), 
there are, from what I can see, quite a few ways this can be done:
- I can use Lua to do the hash calculations (again, likely store these AWS 
access key/secret in Redis)
- Possibly use SPOE (assuming this is one of the possible use-cases - it 
mentions ldap and SSO for example, this is just another kind of signing)
- I can do it the ugly way, and proxy the request from haproxy to a small 
Golang app or similar, and then let the Go application talk to S3 backend 
directly
- Proxy from haproxy to nginx, and do a bunch of logic in nginx using Lua, and 
forward onto the origin. However, introducing an nginx into the stack is 
ideally something I'd like to avoid

Any pointers to whether SPOE would make sense here, would be great, or if you 
have any other suggestions, or possibly even experience doing something similar!

Thanks in advance! 👌

Best Regards,
Lucas Rolff
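
For reference, the "hash calculations" behind S3 signing (AWS Signature Version 4), as an added example that is not part of the original message. It covers one case only, a body-less GET with an empty query string; the function names and all sample values are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// emptyBodySHA256 is the SHA-256 of an empty payload (a GET carries no body).
const emptyBodySHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// signingKey derives the per-day, per-region, per-service key from the long-term secret.
func signingKey(secret, date, region, service string) []byte {
	k := hmacSHA256([]byte("AWS4"+secret), date)
	k = hmacSHA256(k, region)
	k = hmacSHA256(k, service)
	return hmacSHA256(k, "aws4_request")
}

// SignS3Get returns the Authorization header; path is already URI-encoded, amzDate is YYYYMMDDTHHMMSSZ.
func SignS3Get(accessKey, secret, region, host, path, amzDate string) string {
	date := amzDate[:8]
	signed := "host;x-amz-content-sha256;x-amz-date"
	canonical := strings.Join([]string{
		"GET", path, "", // method, canonical URI, empty canonical query string
		"host:" + host,
		"x-amz-content-sha256:" + emptyBodySHA256,
		"x-amz-date:" + amzDate,
		"", signed, emptyBodySHA256, // blank line ends the header block
	}, "\n")
	hash := sha256.Sum256([]byte(canonical))
	scope := date + "/" + region + "/s3/aws4_request"
	toSign := "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + hex.EncodeToString(hash[:])
	sig := hex.EncodeToString(hmacSHA256(signingKey(secret, date, region, "s3"), toSign))
	return "AWS4-HMAC-SHA256 Credential=" + accessKey + "/" + scope + ", SignedHeaders=" + signed + ", Signature=" + sig
}

func main() {
	// Constructed sample values, not real credentials.
	fmt.Println(SignS3Get("AKIDEXAMPLE", "constructed-secret", "us-east-1", "examplebucket.s3.amazonaws.com", "/test.txt", "20240101T000000Z"))
}
```

The request sent to the origin must carry the same `host`, `x-amz-content-sha256` and `x-amz-date` values that were signed, so nothing after the signing step may rewrite them.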
