HAProxy community

HTTP Response Body Inspection and matching string in acl


I am terminating SSL in HAProxy and sending the received request to a backend server, which is again running on HTTPS.

I want to inspect the payload of every response received from the backend server and match a particular string in the payload; if it matches, I want to drop that response.

I have the following configuration on my backend:

backend events
    mode http
    option forwardfor
    option http-buffer-request
    tcp-response inspect-delay 5s
    acl payloadmatch res.payload(0,100000) -m bin 7072617665656e
    # acl payloadmatch res.payload(0,100000),hex -m sub 7072617665656e
    http-response deny if payloadmatch
    server events management.xxxyyy.com:443 check ssl verify none

But the above configuration is not working; I am still getting the response instead of it being denied.

You can’t; this is not supported.

As per the configuration document, the res.payload(offset, length) option is available. Could you please let me know if there is any option available to match a string in the response body?

And res.payload looks at a specific, static offset in the buffer, which is why it doesn’t work for this purpose.

I don’t have a suggestion for you, because this cannot be done with vanilla HAProxy features. Now, if you want to write a custom SPOE agent or a Lua script, that could probably achieve something like this. But I don’t have any ready-to-use solutions for you.
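The Lua route mentioned above, as an added example that is not part of the thread and not an HAProxy-provided script. It assumes a newer HAProxy (2.5 or later) where the `res.body` sample fetch and `http-response wait-for-body` exist, an assumed script path of /etc/haproxy/deny_body.lua, and a constructed marker list in place of the hex string from the question.

```lua
-- Added example: deny a backend response whose body contains a marker
-- string, as a HAProxy Lua action. Assumes HAProxy 2.5+ (res.body fetch
-- and "http-response wait-for-body" both exist there).
--
-- haproxy.cfg (assumed script path):
--   global
--       lua-load /etc/haproxy/deny_body.lua
--   backend events
--       mode http
--       # ask the backend for an uncompressed body so raw bytes can match
--       http-request del-header Accept-Encoding
--       # buffer the response body (up to tune.bufsize) before rules run
--       http-response wait-for-body time 5s
--       http-response lua.deny_body
--       server events management.xxxyyy.com:443 check ssl verify none

-- constructed marker list; replace with the strings to block
local BLOCKED_MARKERS = { "example-blocked-marker" }

-- Return the first marker found in body, or nil. Plain (non-pattern)
-- search so marker characters are never interpreted as Lua patterns.
local function find_marker(body, markers)
    if body == nil then return nil end
    for _, marker in ipairs(markers) do
        if string.find(body, marker, 1, true) then
            return marker
        end
    end
    return nil
end

local function deny_body(txn)
    -- res.body only returns what is buffered; wait-for-body above is what
    -- makes the body available. Bodies larger than the buffer are checked
    -- only in part, so size the buffer for the responses you expect.
    local hit = find_marker(txn.f:res_body(), BLOCKED_MARKERS)
    if hit == nil then return end  -- let the response through

    txn:Warning("deny_body: blocked response from backend "
                .. txn.f:be_name() .. " matching '" .. hit .. "'")
    txn:set_var("txn.body_blocked", hit)  -- usable in log-format
    -- replace the server response with a 403 instead of forwarding it
    local reply = txn:reply({
        status  = 403,
        reason  = "Forbidden",
        headers = { ["content-type"] = { "text/plain" } },
        body    = "blocked by response body policy\n",
    })
    txn:done(reply)
end

core.register_action("deny_body", { "http-res" }, deny_body)
```

Responses that exceed the buffer or arrive after the wait-for-body timeout are only partially inspected, so log the txn.body_blocked variable and the response size to see what the rule actually saw.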