I use the SPOE for SAML authentication with Okta and Azure AD. I'm still waiting for shared variables so I can restore my active-active configuration with 2 HAPEE servers.
Content by Norman. Spelling by iPhone. On Oct 10, 2023, at 03:12, Willy Tarreau <w...@1wt.eu> wrote: On Sun, Oct 08, 2023 at 02:43:57PM +0200, Aleksandar Lazic wrote: On 2023-10-08 (So.) 14:15, Tristan wrote: Since this was brought up, On 7 Oct 2023, at 14:34, Willy Tarreau <w...@1wt.eu> wrote: [...] Maybe this will then bring up SPOE to a level where the body of a request can be scanned and bring it to a full WAF level or as WASM filter. Any thoughts on the feasibility of a WASM based alternative to the current LUA platform? From what I looked there are a few WASM runtimes set up for being embedded in C applications, though I'm not expert enough on the tradeoffs of each to know if there are dealbreakers. I also realize that a lot of work went into the current LUA support (a long at the frighteningly long .c file for it speaks volumes). But on one hand I find it rather difficult to use correctly in its current state, in part because of the complete absence (to my knowledge) of something equivalent to C headers for validation ahead of deployment, and also in part (and more personally) because I never understood what anyone could possibly like about LUA itself... There are at least 2 issues about the topic WASM and body handling of SPOE. https://urldefense.com/v3/__https://github.com/haproxy/haproxy/issues/1482__;!!A69Ausm6DtA!eo-4k_EFGGSh2fEcOT-DNZFc3kS63-NpUER9XHfmutMw1AcnkAbbyTPCU-Jj5c1_KOAze2YeTi8UoDh4$ https://urldefense.com/v3/__https://github.com/haproxy/haproxy/issues/913__;!!A69Ausm6DtA!eo-4k_EFGGSh2fEcOT-DNZFc3kS63-NpUER9XHfmutMw1AcnkAbbyTPCU-Jj5c1_KOAze2YeTrFwJdMg$ From my point of view would it be very helpful when SPOE could handle the body, but I think this is a huge change as there should also be some protection about internal DoS for that topic. The benefit would be that such a feature could open more languages within WASM context with all there pro and cons. Sorry I had not seen your message before responding, but please see my response to Tristan ;-) Cheers, Willy
