Add haproxy configuration example

Author: e-n-0

contrib/haproxy/stream-processing-offload/cmd/spoa/haproxyconf/CHANGELOG.md

@@ -0,0 +1,7 @@
+# CHANGELOG
+
+## 1.0.0
+
+### Added
+
+- Initial release

contrib/haproxy/stream-processing-offload/cmd/spoa/haproxyconf/backend.cfg

@@ -0,0 +1,11 @@
+# ========== Datadog App & API Protection Configuration ==========
+# This is the backend that will be used to send the request to the SPOA Agent.
+# Please edit the values below to match your configuration.
+backend spoa-backend
+    mode spop
+    timeout connect 5s
+    timeout server 3m
+    option spop-check
+    balance roundrobin
+    server spoa1 127.0.0.1:3000 check
+# ================================================================

contrib/haproxy/stream-processing-offload/cmd/spoa/haproxyconf/datadog_aap_blocking_response.lua

@@ -0,0 +1,22 @@
+core.register_action("send_blocking_response", { "http-req" }, function(txn)
+    print("send_blocking_response")
+
+    local body = txn:get_var("txn.dd.body")
+    local status_code = txn:get_var("txn.dd.status_code")
+    local headers = txn:get_var("txn.dd.headers")
+
+    local reply = txn:reply()
+    reply:set_status(status_code)
+
+    local LINE_ITER = "[^\r\n]+"
+    local LINE_KV_STRICT = "^([%w%-]+): (%S.+)$"
+    for line in headers:gmatch(LINE_ITER) do
+        local k, v = line:match(LINE_KV_STRICT)
+        if k then
+            reply:add_header(k, v)
+        end
+    end
+    
+    reply:set_body(body)
+    txn:done(reply)
+end)

contrib/haproxy/stream-processing-offload/cmd/spoa/haproxyconf/frontend-config.cfg

@@ -0,0 +1,35 @@
+frontend main
+    # bind *:80
+
+    # ========== Datadog App & API Protection Configuration ==========
+    # DO NOT EDIT
+    # This configuration should be placed at the most top of the file
+    # to ensure it is executed first.
+
+    filter spoe engine datadog-aap-engine config str("$DD_SPOA_SPOA_CONF_FILE")
+    
+    # Process the Request Headers
+    http-request set-var(txn.timeout) str("$DD_SPOA_TIMEOUT")
+    http-request send-spoe-group datadog-aap-engine dd-aap-http-request-headers-msg
+    http-request set-var(sess.span_id) var(txn.dd.span_id)
+    http-request set-var(sess.send_request_body) var(txn.dd.request_body)
+    http-request lua.send_blocking_response if { var(txn.dd.blocked) -m bool }
+
+    # Process the Request Body (when needed)
+    http-request wait-for-body time 1s if { var(sess.send_request_body) -m bool }
+    http-request send-spoe-group datadog-aap-engine dd-aap-http-request-body-msg if { var(sess.send_request_body) -m bool }
+    http-request lua.send_blocking_response if { var(sess.send_request_body) -m bool } { var(txn.dd.blocked) -m bool }
+
+    # Process the Response Headers
+    http-response send-spoe-group datadog-aap-engine dd-aap-http-response-headers-msg
+    http-response set-var(sess.send_response_body) var(txn.dd.request_body)
+    http-request lua.send_blocking_response if { var(txn.dd.blocked) -m bool }
+    
+    # Process the Response Body (when needed)
+    http-response wait-for-body time 1s if { var(sess.send_response_body) -m bool }
+    http-response send-spoe-group datadog-aap-engine dd-aap-http-response-body-msg if { var(sess.send_response_body) -m bool }
+    http-request lua.send_blocking_response if { var(sess.send_response_body) -m bool } { var(txn.dd.blocked) -m bool }
+    # ================= END OF DATADOG CONFIGURATION =================
+    
+    # ...
+    # default_backend webserver

contrib/haproxy/stream-processing-offload/cmd/spoa/haproxyconf/global-config.cfg

@@ -0,0 +1,20 @@
+global
+    # ========== Datadog App & API Protection Configuration ==========
+    # Please edit the values below to match your configuration.
+
+    # This lua file needs to be loaded to allow HAProxy to send custom response in case
+    # of a triggered blocking event. Adapt the path to the file to match your installation.
+    lua-load /etc/haproxy/lua/datadog_aap_blocking_response.lua
+
+    # This is the path to the SPOE configuration file. Please edit the path to match your installation.
+    setenv DD_SPOA_SPOA_CONF_FILE /usr/local/etc/haproxy/spoe.cfg
+
+    # The timeout value should be equal to the bigger backend server timeout where the SPOA Agent is running on.
+    # Default value is 1 minute.
+    # Example: If the biggest backend server timeout is 1 minute, set the timeout to 1m.
+    setenv DD_SPOA_TIMEOUT 1m
+
+    # The processing timeout value is used to set the timeout for the SPOA Agent to process the request.
+    # Please increase this value if you are sending large request or response bodies. Default value is 200ms.
+    setenv DD_SPOA_PROCESSING_TIMEOUT 200ms
+    # ================================================================

contrib/haproxy/stream-processing-offload/cmd/spoa/haproxyconf/spoe.cfg

@@ -0,0 +1,53 @@
+[datadog-aap-engine]
+
+spoe-agent datadog-aap-agent
+    option           set-on-error      spoe_error
+    option           var-prefix        dd
+
+    timeout          hello          100ms
+    timeout          idle           "$DD_SPOA_TIMEOUT"
+    timeout          processing     "$DD_SPOA_PROCESSING_TIMEOUT"
+
+    use-backend      spoa-backend
+    log              global
+
+    groups           dd-aap-http-request-headers-msg
+    groups           dd-aap-http-request-body-msg
+    groups           dd-aap-http-response-headers-msg
+    groups           dd-aap-http-response-body-msg
+
+# Groups defining messages
+spoe-group dd-aap-http-request-headers-msg
+    messages http-request-headers-msg
+
+spoe-group dd-aap-http-request-body-msg
+    messages http-request-body-msg
+
+spoe-group dd-aap-http-response-headers-msg
+    messages http-response-headers-msg
+
+spoe-group dd-aap-http-response-body-msg
+    messages http-response-body-msg
+
+# Messages
+spoe-message http-request-headers-msg
+    args ip=src
+    args ip_port=src_port
+    args method=method
+    args path=pathq
+    args headers=req.hdrs_bin
+    args https=ssl_fc
+    args timeout=var(txn.timeout)
+
+spoe-message http-request-body-msg  
+    args body=req.body
+    args span_id=var(sess.span_id)
+
+spoe-message http-response-headers-msg
+    args headers=res.hdrs_bin
+    args status=status
+    args span_id=var(sess.span_id)
+
+spoe-message http-response-body-msg
+    args body=res.body
+    args span_id=var(sess.span_id)