jcmoraisjr / modsecurity-spoa

HAProxy agent for ModSecurity web application firewall
Apache License 2.0
95 stars 25 forks

Transfer of real client IP #55

Open sstsarel opened 1 year ago

sstsarel commented 1 year ago

Hello, I'm testing modsec and haproxy. In the logs of my container, the client IP is always 127.0.0.1, for example:

    1697202928.470503 [00] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score

I can't find how to make it work with the real client IP. Please tell me what needs to be done?

JsdBEnZ7Rt9orgOfa1Ep1e4n commented 1 year ago

Same for me, for the moment I use this trick

sstsarel commented 1 year ago

I already tried this but it doesn't work for me((( I start a container on another node:

    docker run -p 12345:12345 -v $PWD/modsecurity:/etc/modsecurity -d quay.io/jcmoraisjr/modsecurity-spoa -n 1

On haproxy I have it like this:

    global
        daemon
        user haproxy
        group haproxy
        chroot /var/lib/haproxy
        maxconn 4096
        log localhost local0
        log-send-hostname
        stats socket /run/haproxy-master.sock mode 660 level admin
        stats timeout 60s

    defaults
        mode http
        log global
        option httplog
        option dontlognull
        option http-server-close
        option forwardfor except 127.0.0.0/8
        option redispatch 1
        retries 3
        retry-on all-retryable-errors
        timeout http-request 180s
        timeout client 300s
        timeout queue 60s
        timeout connect 300s
        timeout server 300s
        timeout check 10s
        timeout http-keep-alive 10s

    backend my_backend
        balance roundrobin
        server server1 10.0.0.1:80 check
        server server2 10.0.0.2:80 check

    backend spoe-modsecurity
        mode tcp
        timeout connect 5s
        timeout server 3m
        server modsec-spoa1 10.0.0.3:12345

    frontend femain
        bind :80
        unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
        unique-id-header X-Unique-ID
        log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[unique-id]"
        filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
        http-request deny if { var(txn.modsec.code) -m int gt 0 }
        default_backend my_backend

But in the logs:

    1697228856.345744 [00] [client 127.0.0.1] ModSecurity: Warning. Matched phrase "etc/passwd"

I still don't understand why logs are not written with these settings:

    SecAuditLogType Serial
    SecAuditLog /var/log/moaudit.log
    SecAuditLogFormat JSON

moaudit.log file is empty

sstsarel commented 1 year ago

Tell me, why are not all parameters accepted?

Maybe the normal IP is not transmitted because of this?

    spoe-message check-request
        args unique-id method path query req.ver req.hdrs_bin req.body_size req.body

    spoe-message check-request
        args unique-id src src_port dst dst_port method path query req.ver req.hdrs_bin req.body_size req.body

JsdBEnZ7Rt9orgOfa1Ep1e4n commented 1 year ago

This solution works

Use this fork : https://github.com/infra-octave/spoa-modsecurity

spoe-modsecurity.conf

    [modsecurity]
    spoe-agent modsecurity-agent
        messages     check-request
        option       var-prefix  modsec
        timeout      hello       100ms
        timeout      idle        30s
        timeout      processing  1s
        use-backend  spoe-modsecurity
    spoe-message check-request
        args   unique-id method path query req.ver req.hdrs_bin req.body_size req.body src src_port dst_port
        event  on-frontend-http-request

sstsarel commented 1 year ago

> This solution works
>
> Use this fork : https://github.com/infra-octave/spoa-modsecurity
>
> spoe-modsecurity.conf
>
>     [modsecurity]
>     spoe-agent modsecurity-agent
>         messages     check-request
>         option       var-prefix  modsec
>         timeout      hello       100ms
>         timeout      idle        30s
>         timeout      processing  1s
>         use-backend  spoe-modsecurity
>     spoe-message check-request
>         args   unique-id method path query req.ver req.hdrs_bin req.body_size req.body src src_port dst_port
>         event  on-frontend-http-request

Well, I wanted to figure out why the Docker image from this repo does not work as expected. Compiling from source I got the desired result, but using this image I get the wrong client IP.

mat1010 commented 1 year ago

> This solution works
>
> Use this fork : https://github.com/infra-octave/spoa-modsecurity
>
> spoe-modsecurity.conf
>
>     [modsecurity]
>     spoe-agent modsecurity-agent
>         messages     check-request
>         option       var-prefix  modsec
>         timeout      hello       100ms
>         timeout      idle        30s
>         timeout      processing  1s
>         use-backend  spoe-modsecurity
>     spoe-message check-request
>         args   unique-id method path query req.ver req.hdrs_bin req.body_size req.body src src_port dst_port
>         event  on-frontend-http-request

https://github.com/haproxy/spoa-modsecurity/compare/master...infra-octave:spoa-modsecurity:master#diff-8c7cd210990f9430651c54ed753427ec1bb59cc3f4ae2003daed70f490e3a6d0R251 This only works for ipv4, right?

JsdBEnZ7Rt9orgOfa1Ep1e4n commented 1 year ago

> This solution works Use this fork : https://github.com/infra-octave/spoa-modsecurity spoe-modsecurity.conf
>
>     [modsecurity]
>     spoe-agent modsecurity-agent
>         messages     check-request
>         option       var-prefix  modsec
>         timeout      hello       100ms
>         timeout      idle        30s
>         timeout      processing  1s
>         use-backend  spoe-modsecurity
>     spoe-message check-request
>         args   unique-id method path query req.ver req.hdrs_bin req.body_size req.body src src_port dst_port
>         event  on-frontend-http-request
>
> haproxy/spoa-modsecurity@master...infra-octave:spoa-modsecurity:master#diff-8c7cd210990f9430651c54ed753427ec1bb59cc3f4ae2003daed70f490e3a6d0R251 This only works for ipv4, right?

I didn't test with IPv6.
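As an added example (not part of this thread or of either project's code), a minimal Python decoder for the argument list a SPOE NOTIFY frame carries, showing what the agent has to handle for the fork's `src src_port dst_port` arguments: the client address arrives as typed data of id 6 (IPv4) or id 7 (IPv6), and when the message carries no `src` at all the agent can only report its own loopback, which is the `[client 127.0.0.1]` in the logs above. Type ids and the varint layout follow the HAProxy SPOE protocol spec; the sample input is constructed, and `client_endpoint` and `build_args` are names chosen here, not from either repository.

```python
import ipaddress

# SPOP typed-data ids (low nibble of the type byte), from the HAProxy SPOE protocol spec.
T_NULL, T_BOOL, T_INT32, T_UINT32, T_INT64, T_UINT64, T_IPV4, T_IPV6, T_STR, T_BIN = range(10)

def encode_varint(i):  # SPOP varint: 1 byte below 240, else 4-bit head + 7-bit continuation groups
    if i < 240:
        return bytes([i])
    out, i = [(i & 0xFF) | 240], (i - 240) >> 4
    while i >= 128:
        out, i = out + [(i & 0xFF) | 128], (i - 128) >> 7
    return bytes(out + [i])

def decode_varint(buf, pos):  # inverse of encode_varint, returns (value, next_pos)
    i, pos, shift = buf[pos], pos + 1, 4
    more = i >= 240                    # multi-byte form: consume 7-bit groups while bit 7 is set
    while more:
        i, shift, pos, more = i + (buf[pos] << shift), shift + 7, pos + 1, buf[pos] >= 128
    return i, pos

def decode_typed(buf, pos):  # one TYPED-DATA value (NULL/BOOL are not used by check-request args)
    t, pos = buf[pos] & 0x0F, pos + 1
    if t in (T_INT32, T_UINT32, T_INT64, T_UINT64):  # unsigned varint: ports, req.body_size
        return decode_varint(buf, pos)
    if t in (T_IPV4, T_IPV6):  # 4 or 16 raw bytes; an agent that only handles id 6 loses IPv6 clients
        n = 4 if t == T_IPV4 else 16
        return ipaddress.ip_address(bytes(buf[pos:pos + n])), pos + n
    n, pos = decode_varint(buf, pos)  # STRING / BINARY: varint length + bytes
    raw = bytes(buf[pos:pos + n])
    return (raw.decode() if t == T_STR else raw), pos + n

def decode_args(buf, nb_args):  # KV-LIST that follows <message-name><NB-ARGS> in a NOTIFY frame
    args, pos = {}, 0
    for _ in range(nb_args):
        n, pos = decode_varint(buf, pos)  # keys are bare STRINGs: varint length + bytes, no type byte
        key, pos = bytes(buf[pos:pos + n]).decode(), pos + n
        args[key], pos = decode_typed(buf, pos)
    return args

def client_endpoint(args):
    # Endpoint for ModSecurity's connection phase; with no 'src' arg the agent only knows its loopback.
    src = args.get("src")
    return ("127.0.0.1" if src is None else str(src)), args.get("src_port", 0), args.get("dst_port", 0)

def build_args(src, src_port, dst_port):  # constructed sample of the fork's 'src src_port dst_port' args
    ip = ipaddress.ip_address(src)
    kv = lambda k, v: encode_varint(len(k)) + k.encode() + v
    return (kv("src", bytes([T_IPV4 if ip.version == 4 else T_IPV6]) + ip.packed)
            + kv("src_port", bytes([T_UINT32]) + encode_varint(src_port))
            + kv("dst_port", bytes([T_UINT32]) + encode_varint(dst_port)))
```

Feeding `decode_args(build_args("2001:db8::1", 51234, 80), 3)` through `client_endpoint` yields the IPv6 client, while an empty argument dict falls back to `127.0.0.1`, which is the symptom this thread is about.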