On 12-04-2017 23:33, Aleksandar Lazic wrote:
On 12-04-2017 21:28, thierry.fourn...@arpalert.org wrote:
On Wed, 12 Apr 2017 21:21:58 +0200
Aleksandar Lazic <al-hapr...@none.at> wrote:
[snip]
Do you have the patches as files where I can download them?
It's easier for docker to call a 'curl -vLO ...' than to go across a
mail body ;-)
Not sure I understand. I gave the patches as files. Note that I'm
testing a new email client. So I put the patches here:
http://www.arpalert.org/0001-BUG-MINOR-change-header-declared-function-to-static-.patch
http://www.arpalert.org/0002-MINOR-Add-binary-encoding-request-sample-fetch.patch
http://www.arpalert.org/0003-MINOR-Add-ModSecurity-wrapper-as-contrib.patch
I'm so sorry for the rush. :-(
I saw too late that you had sent the patches to the list.
Thanks for the links. I will take more care in the future.
I have now built haproxy with modsecurity on CentOS 7.3 ;-)
I have used this file for modsecurity.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/crs-setup.conf.example
###
/usr/local/bin/modsecurity -f crs-setup.conf.example
1492041223.145110 [00] ModSecurity for nginx (STABLE)/2.9.1 (http://www.modsecurity.org/) configured.
1492041223.145159 [00] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
1492041223.145193 [00] ModSecurity: PCRE compiled version="8.32 "; loaded version="8.32 2012-11-30"
1492041223.145197 [00] ModSecurity: LIBXML compiled version="2.9.1"
1492041223.145200 [00] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
1492041228.152877 [01] 0 clients connected
1492041228.153037 [02] 0 clients connected
1492041228.153069 [03] 0 clients connected
...
###
It was a little bit challenging.
.) the patches apply only on haproxy 1.8 because some files do not
exist on 1.7 (e.g. include/proto/spoe.h)
git clone http://git.haproxy.org/git/haproxy.git/
patch -d haproxy -p 1 -i /usr/src/0001-BUG-MINOR-change-header-declared-function-to-static-.patch
patch -d haproxy -p 1 -i /usr/src/0002-MINOR-Add-binary-encoding-request-sample-fetch.patch
patch -d haproxy -p 1 -i /usr/src/0003-MINOR-Add-ModSecurity-wrapper-as-contrib.patch
.) you will need a lot of devel packages, including some httpd ones.
yum install -y apr-devel apr-util-devel gcc make libevent-devel libxml2-devel libcurl-devel httpd-devel pcre-devel yajl-devel
.) I will figure out which runtime packages will be necessary.
.) I have started a Dockerfile which you can find at github.
https://github.com/git001/haproxy-waf/blob/master/Dockerfile
Open questions for me.
.) How is the transfer-encoding handled (a. k. a. streaming)?
.) How big can a content be? Where can we define some limits?
.) How can the rule-set be reloaded? stop & start || gracefully?
Again, thanks Thierry for your work; this looks very good.
Regards
Aleks