On Wed, 9 May 2018 21:10:48 +0100
Andrew Smalley <[email protected]> wrote:

> Hello Thierry
> 
> Thank you for your response saying it is the SPOE engine that does
> mod_security integration and not the almost correct SPOA that I said.


No, you're right: SPOA is the Agent and the ModSec implementation is an
SPOA. SPOE is the Engine.


> Can I ask how haproxy does the SSO with the SPOE/SPOA Engine?


The SPOE/SPOA is designed for this kind of usage, but I haven't heard
of any SPOA software which implements this kind of functionality.

I propose four ways:

 - Not easy, but reliable: copy/paste the C SPOA demo agent and modify
   it to perform SSO authentication according to your needs.

 - Easy, but with questionable reliability (because recent dev): I
   submitted a few days ago a generic SPOA daemon which executes Python
   scripts. Unfortunately, I based my dev on an old HAProxy version
   (1.6 or 1.7), and the agent is not compatible with all SPOP
   (P=Protocol) features, but it works with 1.8 and 1.9.
      https://www.mail-archive.com/[email protected]/msg29093.html
   Once Python is executed, you can do authentication with any backend.

 - Hard and not reliable (because new dev): Internal haproxy dev (based
   on the same approach as SPOE and Lua socket) which communicates with
   SASL. SASL seems great for SSO authentication: it can process many
   authentication methods (HTTP Basic, HTTP Digest) and use many backends:
   PAM, files, passwd, ldap, ...

 - Easy with some protocols and reliable. Use Lua and socket to
   establish authentication protocol with another server. But some
   limitations prevent the usage of some libraries. The libldap is
   not usable. The usable libs are libs using luasocket, but which
   can be modified to use haproxy sockets (it's the same API
   as luasocket).

BR,
Thierry


> 
> 
> Andrew Smalley
> 
> Loadbalancer.org Ltd.
> 
> www.loadbalancer.org
> +1 888 867 9504 / +44 (0)330 380 1064
> [email protected]
> 
> Leave a Review | Deployment Guides | Blog
> 
> 
> On 9 May 2018 at 21:04, Thierry Fournier <[email protected]> 
> wrote:
> > Hi,
> >
> > I confirm: the modsecurity is done through SPOE.
> >
> > The limitations are:
> >
> > The limit of the body size analysed is the size of HAProxy buffer (default
> > 16kB, but for my own usage, I configure 1MB)
> >
> >
> > The response is not analysed.
> >
> >
> > BR,
> > Thierry
> >
> >
> > On 9 May 2018, at 21:40, Andrew Smalley <[email protected]> wrote:
> >
> > Hi Mark
> >
> > Actually as far as I understand the Haproxy implementation of
> > mod_security integration is not with Lua but with SPOA
> >
> > https://www.haproxy.org/download/1.7/doc/SPOE.txt
> > Andrew Smalley
> >
> > Loadbalancer.org Ltd.
> >
> > www.loadbalancer.org
> > +1 888 867 9504 / +44 (0)330 380 1064
> > [email protected]
> >
> > Leave a Review | Deployment Guides | Blog
> >
> >
> > On 9 May 2018 at 20:36, Mark Lakes <[email protected]> wrote:
> >
> > Right, via lua module it integrates with haproxy.
> > -mark
> >
> >
> >
> >
> > Mark Lakes
> > Sr Software Engineer
> > (555) 555-5555
> > Winner: InfoWorld Technology of the Year 2018
> >
> >
> > On Wed, May 9, 2018 at 11:43 AM, Jonathan Matthews <[email protected]>
> > wrote:
> >
> >
> > On Wed, 9 May 2018 at 18:43, Mark Lakes <[email protected]> wrote:
> >
> >
> > For commercial purposes, see Signal Sciences Next Gen WAF solution:
> > https://www.signalsciences.com/waf-web-application-firewall/
> >
> >
> >
> > That page says it supports "Nginx, Nginx Plus, Apache and IIS". Does it
> > integrate with HAProxy? Via what mechanism?
> >
> > J
> >
> > --
> > Jonathan Matthews
> > London, UK
> > http://www.jpluscplusm.com/contact.html
> >
> >
> >
> >
> >
> 
