RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-14 07:24:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
6381650516
haproxy/contrib/spoa_example
History
Christopher Faulet 6381650516 MAJOR: spoe: upgrade the SPOP version to 2.0 and remove the support for 1.0 
The commit c4dcaff3 ("BUG/MEDIUM: spoe: Flags are not encoded in network order")
introduced an incompatibility with older agents. So the major version of the
SPOP is increased to make the situation unambiguous. And because before the fix,
the protocol is buggy, the support of the version 1.0 is removed to be sure to
not continue to support buggy agents.

The agents in the contrib folder (spoa_example, modsecurity and mod_defender)
are also updated to announce the SPOP version 2.0.

So, to be clear, from the patch, connections to agents announcing the SPOP
version 1.0 will be rejected.

This patch must be backported in 1.8.
2018-06-04 17:33:48 +02:00
..
include CONTRIB: spoa_example: remove SPOE enums that are useless for clients 2017-11-21 21:33:27 +01:00
Makefile BUILD: Fix LDFLAGS vs. LIBS re linking order in various makefiles 2017-12-02 14:36:15 +01:00
README MINOR: spoe: Remove useless 'timeout ack' option 2016-11-21 15:29:59 +01:00
spoa.c MAJOR: spoe: upgrade the SPOP version to 2.0 and remove the support for 1.0 2018-06-04 17:33:48 +02:00

README 

A Random IP reputation service acting as a Stream Processing Offload Agent
--------------------------------------------------------------------------

This is a very simple service that implement a "random" ip reputation
service. It will return random scores for all checked IP addresses. It only
shows you how to implement a ip reputation service or such kind of services
using the SPOE.


  Start the service
---------------------

After you have compiled it, to start the service, you just need to use "spoa"
binary:

    $> ./spoa  -h
    Usage: ./spoa [-h] [-d] [-p <port>] [-n <num-workers>]
        -h                  Print this message
        -d                  Enable the debug mode
        -p <port>           Specify the port to listen on (default: 12345)
        -n <num-workers>    Specify the number of workers (default: 5)

Note: A worker is a thread.


  Configure a SPOE to use the service
---------------------------------------

All information about SPOE configuration can be found in "doc/SPOE.txt". Here is
the configuration template to use for your SPOE:

    [ip-reputation]

    spoe-agent iprep-agent
        messages check-client-ip

        option var-prefix iprep

        timeout hello      100ms
        timeout idle       30s
        timeout processing 15ms

        use-backend iprep-backend

    spoe-message check-client-ip
        args src
        event on-client-session


The engine is in the scope "ip-reputation". So to enable it, you must set the
following line in a frontend/listener section:

    frontend my-front
        ...
        filter spoe engine ip-reputation config /path/spoe-ip-reputation.conf
	....

where "/path/spoe-ip-reputation.conf" is the path to your SPOE configuration
file. The engine name is important here, it must be the same than the one used
in the SPOE configuration file.

IMPORTANT NOTE:
    Because we want to send a message on the "on-client-session" event, this
    SPOE must be attached to a proxy with the frontend capability. If it is
    declared in a backend section, it will have no effet.


Because, in SPOE configuration file, we declare to use the backend
"iprep-backend" to communicate with the service, you must define it in HAProxy
configuration. For example:

    backend iprep-backend
        mode tcp
	timeout server 1m
	server iprep-srv 127.0.0.1:12345 check maxconn 5


In reply to the "check-client-ip" message, this service will set the variable
"ip_score" for the session, an integer between 0 and 100. If unchanged, the
variable prefix is "iprep". So the full variable name will be
"sess.iprep.ip_score".

You can use it in ACLs to experiment the SPOE feature. For example:

    tcp-request content reject if { var(sess.iprep.ip_score) -m int lt 20 }

With this rule, all IP address with a score lower than 20 will be rejected
(Remember, this score is random).