HAProxy agent (SPOA) for ModSecurity web application firewall (WAF).
The current SPOP version is v2, used since modsecurity-spoa v0.4. This agent version works on HAProxy 1.8.10 and newer.
SPOP v1 is used on modsecurity-spoa v0.1 to v0.3. This agent version works on HAProxy up to 1.8.9.
Command line syntax:
$ docker run -p 12345:12345 quay.io/jcmoraisjr/modsecurity-spoa [options] [-- <config-file1> [<config-file2> ...] ]
config-files can be used either after -- (see above) or from the -f option (see below). The only difference is that the latter supports only one filename. All config-files found will be used, included in the same order as they have been declared.
In order to use the default configuration in your customization, you should copy the following files from the image:
docker create --name modsec quay.io/jcmoraisjr/modsecurity-spoa
docker cp modsec:/etc/modsecurity .
docker rm modsec
Download and customize the configuration files from either the ModSecurity repository or the OWASP CRS repository. Use the files copied in the previous code section in your run command:
docker run -p 12345:12345 -v $PWD/modsecurity:/etc/modsecurity quay.io/jcmoraisjr/modsecurity-spoa -n 1
If you do not want to include the default configuration files and only want to use configuration files that you design yourself (e.g. custom-config.conf), leave the default configuration files copied earlier out of your run command:
docker run -p 12345:12345 -v $PWD/modsecurity:/etc/modsecurity quay.io/jcmoraisjr/modsecurity-spoa -n 1 -- /etc/modsecurity/custom-config.conf
If no config-file is declared, the following will be used:
- /etc/modsecurity/modsecurity.conf: ModSecurity recommended config, from ModSecurity repository
  - SecRuleEngine, changed from DetectionOnly to On
- /etc/modsecurity/owasp-modsecurity-crs.conf: Generic attack detection rules for ModSecurity, from OWASP ModSecurity CRS repository
  - SecDefaultAction, phase:1 and phase:2, changed from log,auditlog,pass to log,noauditlog,deny,status:403
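The two overrides listed above can be applied to freshly downloaded upstream files before the directory is mounted into the container. The POSIX shell script below is an added example, not part of modsecurity-spoa; it assumes the upstream directive forms `SecRuleEngine DetectionOnly` and `SecDefaultAction "phase:1,log,auditlog,pass"`, and the function names and output layout are chosen here.

```shell
#!/bin/sh
# Added example, not part of modsecurity-spoa: reproduce the two overrides the
# image applies to the stock files, so a downloaded configuration ends up in
# blocking mode before custom rules are layered on top.
set -eu

# Rewrite the active (uncommented) SecRuleEngine directive from DetectionOnly
# to On. Commented-out examples in the file are left untouched.
enable_rule_engine() {
    sed -E 's/^([[:space:]]*SecRuleEngine[[:space:]]+)DetectionOnly[[:space:]]*$/\1On/' "$1"
}

# Switch the CRS default action for phase 1 and phase 2 from pass to a 403 deny.
# Phases 3/4 (response handling) and commented lines are not changed.
deny_by_default() {
    sed -E 's/^([[:space:]]*SecDefaultAction[[:space:]]+"phase:[12],)log,auditlog,pass"/\1log,noauditlog,deny,status:403"/' "$1"
}

# Return non-zero if a configuration directory would still run in
# DetectionOnly mode or still pass phase 1/2 traffic: the mistake that
# quietly turns the WAF into a log-only monitor.
assert_blocking() {
    dir=$1
    grep -qE '^[[:space:]]*SecRuleEngine[[:space:]]+On[[:space:]]*$' "$dir/modsecurity.conf" || return 1
    if grep -qE '^[[:space:]]*SecDefaultAction[[:space:]]+"phase:[12],.*,pass"' "$dir/owasp-modsecurity-crs.conf"; then
        return 1
    fi
}

# harden_modsec_conf <upstream modsecurity.conf> <upstream crs setup file> <output-dir>
# Output file names match those the agent loads when no config-file is given.
harden_modsec_conf() {
    src_modsec=$1; src_crs=$2; dst=$3
    mkdir -p "$dst"
    enable_rule_engine "$src_modsec" > "$dst/modsecurity.conf"
    deny_by_default "$src_crs" > "$dst/owasp-modsecurity-crs.conf"
    assert_blocking "$dst"
}
```

Run it as `harden_modsec_conf modsecurity.conf-recommended crs-setup.conf ./modsecurity` and mount the resulting directory with the -v option shown above; a non-zero exit means the tree is not in blocking mode.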
Options are: (from modsecurity agent -h)
-h Print this message
-d Enable the debug mode
-f <config-file> ModSecurity configuration file
-m <max-frame-size> Specify the maximum frame size (default : 16384)
-p <port> Specify the port to listen on (default : 12345)
-n <num-workers> Specify the number of workers (default : 10)
-c <capability> Enable the support of the specified capability
-t <time> Set a delay to process a message (default: 0)
The value is specified in milliseconds by default,
but can be in any other unit if the number is suffixed
by a unit (us, ms, s)
Supported capabilities: fragmentation, pipelining, async
Configure modsecurity-spoa as an HAProxy SPOE agent. See also the SPOE filter doc and the SPOE spec.
Changes to haproxy.cfg
- change 127.0.0.1:12345 below to the modsecurity-spoa endpoint:
frontend httpfront
    mode http
    ...
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
    ...
backend spoe-modsecurity
    mode tcp
    server modsec-spoa1 127.0.0.1:12345
Create a /etc/haproxy/spoe-modsecurity.conf:
[modsecurity]
spoe-agent modsecurity-agent
    messages check-request
    option var-prefix modsec
    timeout hello 100ms
    timeout idle 30s
    timeout processing 1s
    use-backend spoe-modsecurity
spoe-message check-request
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event on-frontend-http-request
(cd ./test && ./run.sh)