corazawaf / coraza-spoa

A wrapper for integrating the OWASP Coraza WAF with HAProxy's SPOE filters.
Apache License 2.0

Custom error page #130

Closed bazalt closed 1 week ago

bazalt commented 1 week ago

Hi,

My goal is to display a custom 403 page when Coraza WAF blocks requests in a HAProxy context:

# /usr/local/etc/haproxy/errors/waf.http

HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>403 Forbidden</h1>
Request forbidden by WAF.
</body></html>

I tried multiple things, including this conf (see lines 19-20 containing http-request deny deny_status 403 errorfiles waf-errors):

# haproxy.cfg

defaults
# Custom error files from WAF
http-errors waf-errors
  errorfile 403 /usr/local/etc/haproxy/errors/waf.http # <=== This file exists in HAProxy env

frontend fe_web
  bind :80

  # 
  # Apply Coraza WAF
  #
  filter spoe engine coraza config /usr/local/etc/haproxy/coraza.cfg

  # The directives below come from https://github.com/corazawaf/coraza-spoa/blob/main/example/haproxy/haproxy.cfg

  # Currently haproxy cannot use variables to set the code or deny_status, so this needs to be manually configured here
  http-request redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
  http-response redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }

  http-request deny deny_status 403 errorfiles waf-errors hdr waf-block "request"  if { var(txn.coraza.action) -m str deny }
  http-response deny deny_status 403 errorfiles waf-errors hdr waf-block "response" if { var(txn.coraza.action) -m str deny }

  http-request silent-drop if { var(txn.coraza.action) -m str drop }
  http-response silent-drop if { var(txn.coraza.action) -m str drop }

  # Deny in case of an error, when processing with the Coraza SPOA
  http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
  http-response deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }

  [...]

These http-request deny deny_status 403 errorfiles waf-errors hdr waf-block [...] directives raise warnings when reloading HAProxy, but seem to work anyway... 🤷⁉️ (the erorrfile typo in the warning message is not my own):

[WARNING]  (1) : config : parsing [/...../haproxy.cfg:20] : hdr parameters ignored by the http reply when used with an erorrfile.
[WARNING]  (1) : config : parsing [/...../haproxy.cfg:21] : hdr parameters ignored by the http reply when used with an erorrfile.

$ curl "http://xxxxxxx.com/?f=/etc/passwd"
<html><body><h1>403 Forbidden</h1>
Request forbidden by WAF.
</body></html>

Do you have any advice to achieve this in a cleaner way?

Thank you

foxcaput commented 1 week ago
http-request deny deny_status 403 hdr Cache-Control no-cache hdr Connection close content-type text/html lf-file /etc/haproxy/errors/403.http if { var(txn.coraza.action) -m str deny }

http-response deny deny_status 403 hdr Cache-Control no-cache hdr Connection close content-type text/html lf-file /etc/haproxy/errors/403.http if { var(txn.coraza.action) -m str deny }

use this as an example
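
For readers landing on this thread, here is an added example (not from either participant or from the coraza-spoa repository) that puts the two approaches side by side. It assumes HAProxy 2.2 or later, where `http-request deny` accepts a reply payload, and the file paths and backend are placeholders. The point it makes explicit is why the warning above appears: an `errorfile` is a complete raw HTTP response, so the file supplies the headers and any `hdr` on the rule is dropped; with `lf-file` (or `file`) the file holds only the body, so `content-type` and `hdr` on the rule are honoured and the `waf-block` marker header survives.

```haproxy
# Added example (not part of the issue thread). Paths and backend are illustrative.

# Approach A: a named http-errors section holding a full raw HTTP response.
# The file carries its own status line and headers, so "hdr ..." on a deny
# rule that references it is ignored (the warning seen in the issue).
http-errors waf-errors
  errorfile 403 /usr/local/etc/haproxy/errors/waf.http   # complete HTTP/1.0 response, not just HTML

frontend fe_web
  bind :80

  # Hand every request/response to the Coraza SPOA; it sets txn.coraza.action
  filter spoe engine coraza config /usr/local/etc/haproxy/coraza.cfg

  # Approach B: body-only file, headers set on the rule itself. "hdr waf-block"
  # is kept, so blocked traffic can be told apart from the backend's own 403s
  # in logs or by a monitoring probe. Use "file" instead of "lf-file" when the
  # body is static HTML; "lf-file" is evaluated as a log-format string, so a
  # literal "%" in the HTML must be written as "%%".
  http-request  deny deny_status 403 content-type text/html lf-file /usr/local/etc/haproxy/errors/waf-body.html hdr Cache-Control no-cache hdr Connection close hdr waf-block request  if { var(txn.coraza.action) -m str deny }
  http-response deny deny_status 403 content-type text/html lf-file /usr/local/etc/haproxy/errors/waf-body.html hdr Cache-Control no-cache hdr Connection close hdr waf-block response if { var(txn.coraza.action) -m str deny }

  # Approach A for comparison: no "hdr" here, the file supplies every header.
  # http-request  deny deny_status 403 errorfiles waf-errors if { var(txn.coraza.action) -m str deny }
  # http-response deny deny_status 403 errorfiles waf-errors if { var(txn.coraza.action) -m str deny }

  # Fail closed when the SPOA itself reports an error, as in the example config
  http-request  deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
  http-response deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }

  default_backend be_app

backend be_app
  server app1 127.0.0.1:8080
```

With approach B, `/usr/local/etc/haproxy/errors/waf-body.html` contains only the HTML body (the `<html>...</html>` part of the issue's waf.http), while approach A keeps the full raw response file exactly as posted in the issue. Pick one per rule rather than mixing them, and run `haproxy -c -f haproxy.cfg` after editing so a syntax slip in the long deny lines is caught before a reload.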

bazalt commented 1 week ago

Thanks for the tip 👍️