jcmoraisjr / haproxy-ingress

HAProxy Ingress
https://haproxy-ingress.github.io
Apache License 2.0

Coraza WAF modsecurity addon injects wrong backend config #1085

Closed tomklapka closed 3 months ago

tomklapka commented 6 months ago

Description of the problem

What is not working - injected backend config when using the Ingress annotations haproxy-ingress.github.io/waf: "modsecurity" and haproxy-ingress.github.io/waf-mode: "deny":

    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
    http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
    http-request deny if !{ var(txn.coraza.fail) -m int eq 0 }

Resulting in:

403 Forbidden
Request forbidden by administrative rules.

On all requests.

What is working (my current workaround):

    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
    # Currently haproxy cannot use variables to set the code or deny_status, so this needs to be manually configured here
    http-request redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
    http-response redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }

    http-request deny deny_status 403 hdr waf-block "request"  if { var(txn.coraza.action) -m str deny }
    http-response deny deny_status 403 hdr waf-block "response" if { var(txn.coraza.action) -m str deny }

    http-request silent-drop if { var(txn.coraza.action) -m str drop }
    http-response silent-drop if { var(txn.coraza.action) -m str drop }

    # Deny in case of an error, when processing with the Coraza SPOA
    http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
    http-response deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }

Expected behavior

Working backend config OOTB

Steps to reproduce the problem

  1. Prepare HAProxy deployment (via Helm chart)
  2. Configure Coraza modsecurity according to instructions: https://haproxy-ingress.github.io/docs/examples/modsecurity/
  3. Configure Ingress with appropriate annotations

Environment information

HAProxy Ingress version: v0.14

Global options:

controller:
  config:
    modsecurity-use-coraza: "true"
    modsecurity-args: "app=str(default_app) id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body"
    modsecurity-endpoints: modsecurity-spoa.haproxy.svc.cluster.local:9000

Ingress objects:

metadata:
  annotations:
    haproxy-ingress.github.io/waf: "modsecurity"
    haproxy-ingress.github.io/waf-mode: "deny"
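A small check an operator can run over the backend section of the rendered haproxy.cfg to tell the injected fragment above apart from the working workaround. This is an added example, not part of the issue or of the controller; it assumes the Coraza SPOA sets only the three txn.coraza.* variables that appear in the working snippet (action, data, error), and the two embedded fragments are constructed from the issue text.

```python
import re
import sys

# Constructed sample (from the issue): the backend fragment the controller injects.
INJECTED_CFG = """\
filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
http-request deny if !{ var(txn.coraza.fail) -m int eq 0 }
"""

# Constructed sample (from the issue's workaround, request side only).
WORKAROUND_CFG = """\
filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
http-request redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
http-request deny deny_status 403 hdr waf-block "request" if { var(txn.coraza.action) -m str deny }
http-request silent-drop if { var(txn.coraza.action) -m str drop }
http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
"""

# Assumption: these are the only variables the Coraza SPOA sets; the set is
# taken from the working snippet in the issue, not from the SPOA's source.
KNOWN_VARS = {"txn.coraza.action", "txn.coraza.data", "txn.coraza.error"}
VAR_RE = re.compile(r"var\((txn\.coraza\.\w+)\)")
NEGATED_RE = re.compile(r"if\s+!\{\s*var\((txn\.coraza\.\w+)\)")


def audit_coraza_rules(cfg: str) -> list[str]:
    """Return findings for a rendered backend fragment; an empty list means OK."""
    findings = []
    verdict_rule = False
    for lineno, raw in enumerate(cfg.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for var in VAR_RE.findall(line):
            if var not in KNOWN_VARS:
                findings.append(f"line {lineno}: tests {var}, which is not a variable the SPOA sets")
        m = NEGATED_RE.search(line)
        if m and m.group(1) not in KNOWN_VARS:
            # An unset variable yields no sample, so the ACL never matches and
            # the negation is true for every request: this is the blanket 403.
            findings.append(f"line {lineno}: negated ACL on unset {m.group(1)} denies all traffic")
        if "txn.coraza.action" in line and any(k in line for k in ("deny", "silent-drop", "redirect")):
            verdict_rule = True
    if not verdict_rule:
        findings.append("no rule acts on txn.coraza.action, so WAF verdicts are never enforced")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else INJECTED_CFG
    for f in audit_coraza_rules(text) or ["OK: no Coraza rule problems found"]:
        print(f)
```

Pass the path of a haproxy.cfg copied out of the controller pod as the first argument; with no argument it audits the injected fragment from the issue.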

JanHolger commented 6 months ago

@tomklapka Thank you for providing the snippet. We were running into the same issue this week, and I was able to get it running successfully with your changes. I've created a PR for the fix.

jcmoraisjr commented 3 months ago

Fixed by @JanHolger and already merged. The change will be available in the next v0.14 and v0.15 versions, where Coraza is supported.