-1

I am experimenting with the following setup.

Clone/copy (but not redirect) all incoming HTTP requests from port 80 to another port, say 8080, on the same machine. I have a simple NGINX + Lua based WAF which is listening on 8080. Essentially, I am running two instances of web servers here, one which is serving real requests and the other one working on cloned traffic for detection purposes. I don't care about being able to block the malicious requests, so I don't care about being inline.

I want to use the WAF only for detection purposes, i.e. it should analyze all incoming requests, raise an alert and drop the request after that. This will not hamper anything from the user's point of view since port 80 is serving real requests.

How can I clone traffic this way and just discard it after analysis is done? Is this feasible? If yes, please suggest any tools which can clone traffic with minimal performance hit.

Iornman l
  • Duplicate of http://serverfault.com/questions/766526/nginx-reverse-proxy-http-interceptor – Tim Mar 29 '16 at 18:41
  • The use case looks similar, but I am still confused about the way forward. Is it possible to do it or not? Log parsing is not something I am looking for. – Iornman l Mar 30 '16 at 09:07
  • I don't think it's possible - it's really an edge case. Try these ideas http://stackoverflow.com/questions/7247668/duplicate-tcp-traffic-with-a-proxy – Tim Mar 30 '16 at 16:53

1 Answer

0

You could consider using GOR to do this. It may be possible in Nginx with post_action - I'm not an expert, I just put your query into Google.

Tim
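The detection-only setup from the question, sketched as an added example that is not part of the original question or answer. It uses nginx's `mirror` directive (ngx_http_mirror_module, nginx 1.13.4 and later) instead of the `post_action` mentioned in the answer, and assumes the port-80 server is itself nginx; the `real_app` upstream, its address, the `/waf_mirror` location name and the `X-Original-URI` header are hypothetical.

```nginx
# Added example. Assumptions: nginx >= 1.13.4 on port 80, WAF instance on 127.0.0.1:8080.
events {}

http {
    # Hypothetical backend that serves the real responses.
    upstream real_app {
        server 127.0.0.1:8000;
    }

    server {
        listen 80;

        location / {
            # Copy every request to the internal location below.
            mirror /waf_mirror;
            # Include request bodies (POST/PUT) in the copy so the WAF sees payloads.
            mirror_request_body on;

            # The client only ever receives this response.
            proxy_pass http://real_app;
        }

        location = /waf_mirror {
            # Not reachable by clients directly.
            internal;

            # Forward the original URI and Host to the detection-only WAF.
            proxy_pass http://127.0.0.1:8080$request_uri;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Original-URI $request_uri;

            # Keep a slow or stalled WAF from tying up the mirror subrequest.
            proxy_connect_timeout 200ms;
            proxy_read_timeout 1s;
        }
    }
}
```

nginx ignores the response to a mirror subrequest, so the WAF on 8080 can log or alert and then answer with any status without affecting what the user receives.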