Hi Ricardo,

On Fri, May 1, 2020 at 1:06 PM Ricardo Barbosa <spidersl...@yahoo.com.br> wrote:
> Of course, it would be a pleasure, but I still couldn't get it to work.
> Following the Igor script I even managed to build it, but it is generating
> the following log.
>
> ------------------- begin ---------------------
> 1588299971.657027 [07] 0 clients connected
> 1588299971.657000 [09] 0 clients connected
> 1588299974.851659 [00] <1> New Client connection accepted and assigned to worker 01
> 1588299974.851698 [01] <1> read_frame_cb
> 1588299974.851765 [01] <1> New Frame of 129 bytes received
> 1588299974.851774 [01] <1> Decode HAProxy HELLO frame
> 1588299974.851777 [01] <1> Supported versions : 2.0
> 1588299974.851779 [01] <1> HAProxy maximum frame size : 16380
> 1588299974.851780 [01] <1> HAProxy capabilities : pipelining,async
> 1588299974.851789 [01] <1> HAProxy supports frame pipelining
> 1588299974.851797 [01] <1> HAProxy supports asynchronous frame
> 1588299974.851800 [01] <1> HAProxy engine id : a9dd7313-bb7e-46e2-a50e-5987dfa4f0d2
> 1588299974.851803 [01] <1> Encode Agent HELLO frame
> 1588299974.851810 [01] <1> Agent version : 2.0
> 1588299974.851813 [01] <1> Agent maximum frame size : 16380
> 1588299974.851816 [01] <1> Agent capabilities :
> 1588299974.851830 [01] <1> write_frame_cb
> 1588299974.851856 [01] <1> Frame of 54 bytes send
> 1588299974.851905 [01] <1> read_frame_cb
> 1588299974.851916 [01] <1> New Frame of 617 bytes received
> 1588299974.851925 [01] <1> Decode HAProxy NOTIFY frame
> 1588299974.851927 [01] <1> STREAM-ID=12 - FRAME-ID=1 - unfragmented frame received - frag_len=0 - len=617 - offset=7
> 1588299974.851938 [01] Process frame messages : STREAM-ID=12 - FRAME-ID=1 - length=610 bytes
> 1588299974.851946 [01] Process SPOE Message 'check-request'
> 1588299974.852077 [01] Encode Agent ACK frame
> 1588299974.852088 [01] STREAM-ID=12 - FRAME-ID=1
> 1588299974.852090 [01] Add action : set variable code=4294967195
> 1588299974.852098 [01] <1> write_frame_cb
> 1588299974.852125 [01] <1> Frame of 30 bytes send
> 1588299976.656052 [01] 1 clients connected
> 1588299976.657844 [04] 0 clients connected
> 1588299976.657858 [02] 0 clients connected
>
> ----------------------
> 1588300001.660228 [08] 0 clients connected
> 1588300001.660241 [09] 0 clients connected
> 1588300001.660250 [01] 1 clients connected
> 1588300004.852590 [01] <1> read_frame_cb
> 1588300004.852619 [01] <1> New Frame of 49 bytes received
> 1588300004.852632 [01] <1> Decode HAProxy DISCONNECT frame
> 1588300004.852640 [01] <1> Disconnect status code : 2
> 1588300004.852647 [01] <1> Disconnect message : a timeout occurred
> 1588300004.852653 [01] <1> Peer closed connection: a timeout occurred
> 1588300004.852660 [01] <1> Encode Agent DISCONNECT frame
> 1588300004.852666 [01] <1> Disconnect status code : 2
> 1588300004.852671 [01] <1> Disconnect message : a timeout occurred
> 1588300004.852685 [01] <1> write_frame_cb
> 1588300004.852694 [01] Failed to write frame length : Broken pipe
> 1588300004.852704 [01] <1> Release client
> 1588300006.655592 [08] 0 clients connected
> 1588300006.655676 [09] 0 clients connected
> 1588300006.655608 [03] 0 clients connected
> 1588300006.655685 [01] 0 clients connected
> ---------------------------
>
> Any idea?
>
> When I compile with the new version it shows me the following message:
>
> config.status: executing depfiles commands
> config.status: executing libtool commands
> configure: WARNING: unrecognized options: --disable-apache2-module, --enable-standalone-module, --enable-pcre-study, --enable-pcre-jit, --with-apxs
>
> My config:
>
> ---------- haproxy.cfg --------
> global
>     maxconn 50000
>     user haproxy
>
> defaults
>     timeout connect 10s
>     timeout client 30s
>     timeout server 30s
>     mode http
>     maxconn 3000
>
> frontend my-front
>     bind 0.0.0.0:80
>     mode http
>     filter spoe engine modsecurity config /opt/haproxy/spoe-modsecurity.conf
>     http-request deny if { var(txn.modsec.code) -m int gt 0 }
>     default_backend webservers
>
> backend spoe-modsecurity
>     mode tcp
>     server modsec-spoa1 192.168.10.120:12345
>
> backend webservers
>     mode http
>     balance roundrobin
>     server web1 192.168.10.81:80 check
> --------------------------
>
> ------------- spoe-modsecurity.conf ------
> [modsecurity]
> spoe-agent modsecurity-agent
>     messages check-request
>     option var-prefix modsec
>     timeout hello 100ms
>     timeout idle 30s
>     timeout processing 15ms
>     use-backend spoe-modsecurity
>
> spoe-message check-request
>     args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
>     event on-frontend-http-request
> -----------------
>
> -------- modsecurity.conf ----------
> SecStatusEngine On
> SecRuleEngine On
> SecRequestBodyAccess On
> SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
>     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
> SecRule REQUEST_HEADERS:Content-Type "application/json" \
>     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
> SecRequestBodyLimit 13107200
> SecRequestBodyNoFilesLimit 131072
> SecRequestBodyInMemoryLimit 131072
> SecRequestBodyLimitAction Reject
> SecRule REQBODY_ERROR "!@eq 0" \
>     "id:'200002',phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
>     "id:'200003',phase:2,t:none,log,deny,status:400, \
>     msg:'Multipart request body failed strict validation: \
>     PE %{REQBODY_PROCESSOR_ERROR}, \
>     BQ %{MULTIPART_BOUNDARY_QUOTED}, \
>     BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
>     DB %{MULTIPART_DATA_BEFORE}, \
>     DA %{MULTIPART_DATA_AFTER}, \
>     HF %{MULTIPART_HEADER_FOLDING}, \
>     LF %{MULTIPART_LF_LINE}, \
>     SM %{MULTIPART_MISSING_SEMICOLON}, \
>     IQ %{MULTIPART_INVALID_QUOTING}, \
>     IP %{MULTIPART_INVALID_PART}, \
>     IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
>     FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
> SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
>     "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
> SecPcreMatchLimit 1000
> SecPcreMatchLimitRecursion 1000
> SecRule TX:/^MSC_/ "!@streq 0" \
>     "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
> SecResponseBodyAccess On
> SecResponseBodyMimeType text/plain text/html text/xml
> SecResponseBodyLimit 524288
> SecResponseBodyLimitAction ProcessPartial
> SecTmpDir /tmp/
> SecDataDir /tmp/
> SecDebugLog /opt/modsecurity/var/log/debug.log
> SecDebugLogLevel 3
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> SecAuditLogParts ABIJDEFHZ
> SecAuditLogType Serial
> SecAuditLog /var/log/modsec_audit.log
> SecAuditLogStorageDir /opt/modsecurity/var/audit/
> SecArgumentSeparator &
> SecCookieFormat 0
> SecUnicodeMapFile unicode.mapping 20127
> ----------------------------
>
> Any idea?
>
> Regards.

I personally do not see any errors in the log you posted; it looks all normal to me. Which part of the log is concerning to you?

I think those timeout errors are a normal way of closing the connection to spoe, but I might be wrong :-/

Igor
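As an added example, not code from this thread or from the SPOA project, here is a small Python parser that reads agent log lines of the shape quoted above and pulls out the three things worth checking when reading such a log: the value the agent sets in the `code` variable (which the frontend rule `var(txn.modsec.code) -m int gt 0` tests), the gap between the last frame the agent sent and the DISCONNECT frame (compare it with `timeout idle 30s` in the SPOE config), and the disconnect reason. The sample lines are constructed from the log in the thread, with the mail wrapping undone. Treating the logged value `4294967195` as an unsigned 32-bit print of a signed integer is an assumption about how the agent formats it; under that assumption it reads as `-101`.

```python
import re

# Constructed sample: a subset of the SPOA agent log lines quoted in the thread,
# with the mail-wrapped lines rejoined.
SAMPLE_LOG = """\
1588299974.851659 [00] <1> New Client connection accepted and assigned to worker 01
1588299974.851925 [01] <1> Decode HAProxy NOTIFY frame
1588299974.851946 [01] Process SPOE Message 'check-request'
1588299974.852077 [01] Encode Agent ACK frame
1588299974.852090 [01] Add action : set variable code=4294967195
1588299974.852125 [01] <1> Frame of 30 bytes send
1588300004.852632 [01] <1> Decode HAProxy DISCONNECT frame
1588300004.852640 [01] <1> Disconnect status code : 2
1588300004.852647 [01] <1> Disconnect message : a timeout occurred
1588300004.852694 [01] Failed to write frame length : Broken pipe
"""

# Line shape: <timestamp> [<worker>] [<client>] <message>; the "<n>" client tag
# is absent on some lines, so it is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) \[(?P<worker>\d+)\] (?:<(?P<client>\d+)> )?(?P<msg>.*)$"
)


def parse(log: str) -> list:
    """Return (timestamp, worker, message) tuples; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m["ts"]), m["worker"], m["msg"]))
    return events


def to_signed32(value: int) -> int:
    """Reinterpret a value printed as uint32 as a signed 32-bit integer.
    Assumption: the agent logs the 'code' variable through an unsigned format."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def analyze(log: str) -> dict:
    """Summarise one agent session: codes set, idle gap before DISCONNECT, reason."""
    events = parse(log)
    codes = []
    last_send = None
    idle_gap = None
    disconnect_msg = None
    for ts, _worker, msg in events:
        m = re.search(r"set variable code=(\d+)$", msg)
        if m:
            codes.append(to_signed32(int(m.group(1))))
        if re.search(r"Frame of \d+ bytes send$", msg):
            last_send = ts
        if msg == "Decode HAProxy DISCONNECT frame" and last_send is not None:
            idle_gap = ts - last_send
        m = re.match(r"Disconnect message : (.*)$", msg)
        if m and disconnect_msg is None:
            disconnect_msg = m.group(1)
    return {
        "codes": codes,
        # Mirrors the frontend rule in the thread: deny only when code > 0.
        "would_deny": [c > 0 for c in codes],
        "idle_gap_s": idle_gap,
        "disconnect": disconnect_msg,
        "broken_pipe": any("Broken pipe" in m_ for _, _, m_ in events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample above the DISCONNECT arrives about 30 seconds after the agent's last ACK, matching the `timeout idle 30s` in the quoted spoe-modsecurity.conf, which is why the disconnect reads as the normal idle close rather than an error. The `would_deny` entry only reproduces the `gt 0` comparison from the quoted frontend; whether HAProxy sees the variable as `-101` depends on how the agent encodes it, which this example assumes rather than verifies.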