> On 13 Apr 2017, at 02:06, Aleksandar Lazic <al-hapr...@none.at> wrote:
>
> On 12-04-2017 23:33, Aleksandar Lazic wrote:
>> On 12-04-2017 21:28, thierry.fourn...@arpalert.org wrote:
>>> On Wed, 12 Apr 2017 21:21:58 +0200
>>> Aleksandar Lazic <al-hapr...@none.at> wrote:
>
> [snipp]
>
>>>> Do you have the patches as files where I can download them?
>>>> It's easier for docker to call a 'curl -vLO ...' than to go across a
>>>> mail body ;-)
>>> Not sure I understand. I gave the patches as files. Note that I'm
>>> testing a new email client. So I put the patches here:
>>> http://www.arpalert.org/0001-BUG-MINOR-change-header-declared-function-to-static-.patch
>>> http://www.arpalert.org/0002-MINOR-Add-binary-encoding-request-sample-fetch.patch
>>> http://www.arpalert.org/0003-MINOR-Add-ModSecurity-wrapper-as-contrib.patch
>> I'm so sorry for the rush. :-(
>> I saw too late that you had sent the patches to the list.
>> Thanks for the links. I will take more care in the future.
>
> I have now built HAProxy with ModSecurity on CentOS 7.3 ;-)
>
> I have used this file for ModSecurity.
> https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.0/master/crs-setup.conf.example
>
> ###
> /usr/local/bin/modsecurity -f crs-setup.conf.example
> 1492041223.145110 [00] ModSecurity for nginx (STABLE)/2.9.1 (http://www.modsecurity.org/) configured.
> 1492041223.145159 [00] ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
> 1492041223.145193 [00] ModSecurity: PCRE compiled version="8.32 "; loaded version="8.32 2012-11-30"
> 1492041223.145197 [00] ModSecurity: LIBXML compiled version="2.9.1"
> 1492041223.145200 [00] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
> 1492041228.152877 [01] 0 clients connected
> 1492041228.153037 [02] 0 clients connected
> 1492041228.153069 [03] 0 clients connected
> ...
> ###
>
> It was a little bit challenging.
>
> .) The patches apply only on HAProxy 1.8 because some files do not exist
> on 1.7 (e.g. include/proto/spoe.h)

Ok. I thought that SPOE was introduced in 1.7; obviously I'm wrong.

> git clone http://git.haproxy.org/git/haproxy.git/
>
> patch -d haproxy -p 1 -i /usr/src/0001-BUG-MINOR-change-header-declared-function-to-static-.patch
> patch -d haproxy -p 1 -i /usr/src/0002-MINOR-Add-binary-encoding-request-sample-fetch.patch
> patch -d haproxy -p 1 -i /usr/src/0003-MINOR-Add-ModSecurity-wrapper-as-contrib.patch
>
> .) You will need a lot of devel packages, including some httpd ones.
>
> yum install -y apr-devel apr-util-devel gcc make libevent-devel libxml2-devel libcurl-devel httpd-devel pcre-devel yajl-devel

Yes, ModSecurity is designed for Apache and needs the Apache libraries (APR); libevent is for the SPOA. libcurl and yajl are used for the ModSecurity "mlogc" function.

> .) I will figure out which runtime packages will be necessary.
> .) I have started a Dockerfile which you can find at github.
>
> https://github.com/git001/haproxy-waf/blob/master/Dockerfile
>
> Open questions for me.

Note: I swapped the order of your questions.

> .) How big can a content be? Where can we define some limits?

ModSecurity analyses an HAProxy buffer (don't forget the directive "option http-buffer-request"). For my own usage, the HAProxy buffer is configured as 1MB. When the buffer is full or when the HTTP request is received, all the data are offloaded to ModSecurity.

> .) How is the transfer-encoding handled (a.k.a. streaming)?

The stream is not processed, just the first buffer containing the request header and as much of the body as fits.

> .) How can the rule-set be reloaded? stop & start || gracefully?

I do not process this part. Today, you must stop and start the process. The graceful reload doesn't exist. I guess that the graceful reload can be implemented easily. You can ensure the availability of the SPOA ModSecurity using the properties of the HAProxy backend.

> Again thanks Thierry for your work, this looks very good.

Thanks for testing.
Thierry

> Regards
> Aleks
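As an added illustration (not from this thread, and not the contrib wrapper's own documentation), the following HAProxy configuration shows how the points discussed above fit together: a 1MB buffer via tune.bufsize, option http-buffer-request so the request body is already in that buffer when the SPOE message fires, a SPOE filter handing the request to the ModSecurity agent, a deny rule on the agent's verdict, and a health-checked backend so HAProxy takes the SPOA out of service while it is stopped for a rule-set change and puts it back when it returns. The engine name, message name, argument list, the txn.modsec.code variable, the file paths and the agent port 12345 are assumptions made for this example.

```haproxy
# ---- /etc/haproxy/haproxy.cfg (illustrative; names and ports are assumptions) ----
global
    # 1MB buffer: the whole buffer is what gets offloaded to ModSecurity,
    # so this is also the effective limit on inspected request size
    tune.bufsize 1048576

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind :80
    # wait for the body, so the first buffer holds the headers plus as much
    # body as fits before the SPOE message is sent
    option http-buffer-request
    # the unique-id sample fetch used in the SPOE message needs a format
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    # hand each request to the ModSecurity SPOA (engine name and path assumed)
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
    # deny when the agent reports a non-zero HTTP code (variable name assumed)
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
    default_backend app

backend app
    server app1 127.0.0.1:8080

backend spoe-modsecurity
    mode tcp
    # "check" makes a stopped/restarted SPOA leave and rejoin the pool,
    # which is the availability property mentioned above; port is assumed
    server modsec1 127.0.0.1:12345 check

# ---- /etc/haproxy/spoe-modsecurity.conf (illustrative; names are assumptions) ----
[modsecurity]
spoe-agent modsecurity-agent
    messages check-request
    # variables set by the agent appear as txn.modsec.<name>
    option var-prefix modsec
    timeout hello      100ms
    timeout idle       30s
    timeout processing 15ms
    use-backend spoe-modsecurity

spoe-message check-request
    # req.hdrs_bin is the binary-encoded header fetch added by patch 0002
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event on-frontend-http-request
```

With a buffer this large, the SPOE frame carrying req.body has to fit too, so the SPOE max-frame-size and the agent's accepted frame size must be sized consistently with tune.bufsize; otherwise the body is truncated before ModSecurity sees it, which is the streaming limitation described in the reply.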