Does spoa-mirror support gRPC?

[wwuck]

Does the spoa-mirror support gRPC mirroring?

I've tried setting it up with the configuration examples from this repository and https://www.haproxy.com/blog/haproxy-traffic-mirroring-for-real-world-testing/ and requests go through successfully to the backend but it doesn't seem to send anything through to the mirror url.

https://www.haproxy.com/blog/haproxy-2-0-and-beyond/#grpc

# spoa-mirror --version

spoa-mirror v1.2.1 [build 2309] by Miroslav Zagorac <mzagorac@haproxy.com>, Sep 23 2019

/etc/haproxy/haproxy.conf:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    master-worker

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # https://www.haproxy.com/blog/haproxy-1-9-2-adds-grpc-support/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options ssl-min-ver TLSv1.2

    tune.ssl.default-dh-param 4096

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    option http-use-htx

program mirror
    command /usr/local/bin/spoa-mirror --runtime 0 --mirror-url https://mirror-grpc-server.example.com:50053 --address 127.0.0.1 --port 12345 --logfile a:/var/log/haproxy-mirror.log

frontend fe_proxy
    bind :50051 ssl crt /etc/haproxy/combined.pem alpn h2 
    filter spoe engine mirror config /etc/haproxy/mirror.conf
    default_backend be_test_api

backend be_test_api
    server test_server backend-grpc-server.example.com:50051 ssl verify required ca-file /etc/ssl/certs/cacert.pem alpn h2 check

backend mirroragents
    mode tcp
    server mirror_agent localhost:12345

/etc/haproxy/mirror.conf

[mirror]
spoe-agent mirror_agent
    log global
    messages mirror_message
    use-backend mirroragents
    timeout hello 10s
    timeout idle 10s
    timeout processing 10s

spoe-message mirror_message
    args arg_method=method arg_path=url arg_ver=req.ver arg_hdrs=req.hdrs_bin arg_body=req.body
    event on-frontend-http-request

[zaga00]

Hello @wwuck, I apologize for not answering this issue so far. I don't have a configuration built to test grpc functionality, so when I put it together, I'll try to see if it works with a spoa-mirror. Nevertheless, I can say that probably not all the functionality of grpc works.

[wwuck]

Thanks for the comment. I've currently got a mirror setup using envoy proxy instead.

[iosifnicolae2]

Any news on this?

[zaga00]

Hello @iosifnicolae2,

I don't think spoa-mirror can be used for gRPC, because maybe it exceeds the capabilities of stream processing offload protocol (HAProxy SPOP). However, I am not an expert on gRPC, so it may be better to refer your question to the HAProxy mailing list. I'm sorry I can't help specifically with this topic.