Modify Request Body / Response Body Before Sending To Server Or Client

[thepeanutgalleryandco]

Detailed Description of the Problem

I would like to use a LUA script to modify the request body of the incoming HTTP request before submitting it to my backend and then I want to use a LUA script to modify the response body from the backend before sending it back to the client. Is something like this possible? I can see that I am able to use an action in LUA and the TXN class to modify items, but I can't seem to be able to get the changed values into HAProxy before submitting the request to the server or the client.

I am using HAProxy 2.6.5 at the moment.

Expected Behavior

Having a LUA script or HAProxy configuration to modify request body or response body before submitting to server or back to client

Steps to Reproduce the Behavior

No steps at this stage.

Do you have any idea what may have caused this?

No response

Do you have an idea how to solve the issue?

No response

What is your configuration?

### Global Configuration ###
global
  # General
  log stdout format timed local0 debug
  maxconn "$MAX_CONNECTIONS"
  stats socket /tmpfs/haproxy.sock mode 644 level admin expose-fd listeners
  max-spread-checks "$MAX_SPREAD_CHECKS"
  spread-checks "$SPREAD_CHECKS"

  # Lua Configuration
  tune.lua.maxmem "$LUA_MAX_MEM"
  lua-load /opt/haproxy/lua/peers_discoverer.lua  
  lua-load-per-thread /opt/haproxy/lua/data_extractor.lua
  lua-load-per-thread /opt/haproxy/lua/tcp_healthcheck.lua
  lua-load-per-thread /opt/haproxy/lua/json_validator.lua

  # SSL Configuration
  ca-base /opt/haproxy/certs
  crt-base /opt/haproxy/certs

  ssl-default-bind-ciphers "$SSL_CIPHERS"
  ssl-default-bind-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 no-tls-tickets

  ssl-default-server-ciphers "$SSL_CIPHERS"
  ssl-default-server-options ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 no-tls-tickets

  ssl-server-verify none
  tune.ssl.default-dh-param 4096

### Resolver Configuration ###
resolvers dns-resolver
  parse-resolv-conf
  resolve_retries       3
  timeout resolve       1s
  timeout retry         1s
  hold other           30s
  hold refused         30s
  hold nx              30s
  hold timeout         30s
  hold valid           10s
  hold obsolete        30s

### Defaults Configuration ###
defaults
  # General
  mode http
  monitor-uri "$MONITOR_URI"

  # Default Server
  default-server check
  balance roundrobin

  # Default Logging
  log global
  unique-id-format %[uuid()]
  unique-id-header "$UNIQUE_ID_HEADER"
  log-format "%ci:%cp - %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID %[var(txn.luaId)]"
  option tcp-check
  option dontlognull
  option forwardfor header "$FORWARD_FOR_HEADER" if-none
  option log-separate-errors
  option log-health-checks

  # Default Connection Config
  #timeout http-request "$TIMEOUT_HTTP_REQUEST"
  #option abortonclose

  timeout connect "$TIMEOUT_CONNECT"
  timeout client "$TIMEOUT_CLIENT"
  timeout server "$TIMEOUT_SERVER"
  timeout check "$TIMEOUT_CONNECT"
  retries 3

  # Defaults Stats
  stats enable

  # Default Error Files
  errorfile 400 /opt/haproxy/errorfiles/400.http
  errorfile 403 /opt/haproxy/errorfiles/403.http
  errorfile 408 /opt/haproxy/errorfiles/408.http
  errorfile 500 /opt/haproxy/errorfiles/500.http
  errorfile 502 /opt/haproxy/errorfiles/502.http
  errorfile 503 /opt/haproxy/errorfiles/503.http
  errorfile 504 /opt/haproxy/errorfiles/504.http

Output of haproxy -vv

bash-5.1$ haproxy -vv
HAProxy version 2.6.5-987a4e2 2022/09/03 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs: http://www.haproxy.org/bugs/bugs-2.6.5.html
Running on: Linux 5.15.0-202.135.2.el8uek.x86_64 #2 SMP Fri Jan 5 16:12:57 PST 2024 x86_64
Build options :
  TARGET  = linux-musl
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1
  DEBUG   = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL +THREAD -BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -ENGINE +GETADDRINFO +OPENSSL +LUA +ACCEPT4 -CLOSEFROM +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC -PROMEX -MEMORY_PROFILING

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.1.1q  5 Jul 2022
Running on OpenSSL version : OpenSSL 1.1.1q  5 Jul 2022
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.6
Built with network namespace support.
Support for malloc_trim() is enabled.
Built with zlib version : 1.2.12
Running on zlib version : 1.2.12
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.40 2022-04-14
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 10.3.1 20211027

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : none

Available filters :
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace

bash-5.1$

Last Outputs and Backtraces

No response

Additional Information

No response

[Darlelet]

Maybe Lua filters could help you to achieve that: https://www.arpalert.org/src/haproxy-lua-api/3.0/index.html#filter-class

If you need assistance about this feature, I suggest you to have a look at existing github issues (lua filters related, e.g: #2517) or ask for help on mailing list or on the community forum as github issue are normally meant for tracking bugs and feature requests.

[capflam]

As @Darlelet said, Lua filters are the only way to do it. I'm closing because it is not a feature request or a bug.

[thepeanutgalleryandco]

Thanks @Darlelet and @capflam , I will take a look there. Much appreciated.