Hi Ricardo,

On Fri, May 1, 2020 at 1:06 PM Ricardo Barbosa <spidersl...@yahoo.com.br>
wrote:

> Of course, it would be a pleasure, but I still couldn't get it to work,
> following the igor script I even managed to build it but it is generating
> the following log.
>
> ------------------- begin ---------------------
> 1588299971.657027 [07] 0 clients connected
> 1588299971.657000 [09] 0 clients connected
> 1588299974.851659 [00] <1> New Client connection accepted and assigned to
> worker 01
> 1588299974.851698 [01] <1> read_frame_cb
> 1588299974.851765 [01] <1> New Frame of 129 bytes received
> 1588299974.851774 [01] <1> Decode HAProxy HELLO frame
> 1588299974.851777 [01] <1> Supported versions : 2.0
> 1588299974.851779 [01] <1> HAProxy maximum frame size : 16380
> 1588299974.851780 [01] <1> HAProxy capabilities : pipelining,async
> 1588299974.851789 [01] <1> HAProxy supports frame pipelining
> 1588299974.851797 [01] <1> HAProxy supports asynchronous frame
> 1588299974.851800 [01] <1> HAProxy engine id :
> a9dd7313-bb7e-46e2-a50e-5987dfa4f0d2
> 1588299974.851803 [01] <1> Encode Agent HELLO frame
> 1588299974.851810 [01] <1> Agent version : 2.0
> 1588299974.851813 [01] <1> Agent maximum frame size : 16380
> 1588299974.851816 [01] <1> Agent capabilities :
> 1588299974.851830 [01] <1> write_frame_cb
> 1588299974.851856 [01] <1> Frame of 54 bytes send
> 1588299974.851905 [01] <1> read_frame_cb
> 1588299974.851916 [01] <1> New Frame of 617 bytes received
> 1588299974.851925 [01] <1> Decode HAProxy NOTIFY frame
> 1588299974.851927 [01] <1> STREAM-ID=12 - FRAME-ID=1 - unfragmented frame
> received - frag_len=0 - len=617 - offset=7
> 1588299974.851938 [01] Process frame messages : STREAM-ID=12 - FRAME-ID=1
> - length=610 bytes
> 1588299974.851946 [01] Process SPOE Message 'check-request'
> 1588299974.852077 [01] Encode Agent ACK frame
> 1588299974.852088 [01] STREAM-ID=12 - FRAME-ID=1
> 1588299974.852090 [01] Add action : set variable code=4294967195
> 1588299974.852098 [01] <1> write_frame_cb
> 1588299974.852125 [01] <1> Frame of 30 bytes send
> 1588299976.656052 [01] 1 clients connected
> 1588299976.657844 [04] 0 clients connected
> 1588299976.657858 [02] 0 clients connected
>
> ----------------------
> 1588300001.660228 [08] 0 clients connected
> 1588300001.660241 [09] 0 clients connected
> 1588300001.660250 [01] 1 clients connected
> 1588300004.852590 [01] <1> read_frame_cb
> 1588300004.852619 [01] <1> New Frame of 49 bytes received
> 1588300004.852632 [01] <1> Decode HAProxy DISCONNECT frame
> 1588300004.852640 [01] <1> Disconnect status code : 2
> 1588300004.852647 [01] <1> Disconnect message : a timeout occurred
> 1588300004.852653 [01] <1> Peer closed connection: a timeout occurred
> 1588300004.852660 [01] <1> Encode Agent DISCONNECT frame
> 1588300004.852666 [01] <1> Disconnect status code : 2
> 1588300004.852671 [01] <1> Disconnect message : a timeout occurred
> 1588300004.852685 [01] <1> write_frame_cb
> 1588300004.852694 [01] Failed to write frame length : Broken pipe
> 1588300004.852704 [01] <1> Release client
> 1588300006.655592 [08] 0 clients connected
> 1588300006.655676 [09] 0 clients connected
> 1588300006.655608 [03] 0 clients connected
> 1588300006.655685 [01] 0 clients connected
> ---------------------------
>
> Any idea?
>
> when I compile with the new version it shows me the following message:
>
>
> config.status: executing depfiles commands
> config.status: executing libtool commands
> configure: WARNING: unrecognized options: --disable-apache2-module,
> --enable-standalone-module, --enable-pcre-study, --enable-pcre-jit,
> --with-apxs
>
>
> my config:
>
> ---------- haproxy.cfg--------
> global
> maxconn 50000
> user haproxy
>
> defaults
>
> timeout connect 10s
> timeout client 30s
> timeout server 30s
> mode http
> maxconn 3000
>
> frontend my-front
> bind 0.0.0.0:80
> mode http
> filter spoe engine modsecurity config /opt/haproxy/spoe-modsecurity.conf
> http-request deny if { var(txn.modsec.code) -m int gt 0 }
> default_backend webservers
>
>
> backend spoe-modsecurity
> mode tcp
> server modsec-spoa1 192.168.10.120:12345
>
> backend webservers
> mode http
> balance roundrobin
> server web1 192.168.10.81:80 check
>
> --------------------------
>
> ------------- spoe-modsecurity.conf ------
>
> [modsecurity]
> spoe-agent modsecurity-agent
> messages check-request
> option var-prefix modsec
> timeout hello 100ms
> timeout idle 30s
> timeout processing 15ms
> use-backend spoe-modsecurity
> spoe-message check-request
> args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
> event on-frontend-http-request
>
> -----------------
>
> --------modsecurity.conf----------
> SecStatusEngine On
> SecRuleEngine On
> SecRequestBodyAccess On
> SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
> "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
> SecRule REQUEST_HEADERS:Content-Type "application/json" \
> "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
> SecRequestBodyLimit 13107200
> SecRequestBodyNoFilesLimit 131072
> SecRequestBodyInMemoryLimit 131072
> SecRequestBodyLimitAction Reject
> SecRule REQBODY_ERROR "!@eq 0" \
> "id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse
> request body.',logdata:'%{reqbody_error_msg}',severity:2"
> SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
> "id:'200003',phase:2,t:none,log,deny,status:400, \
> msg:'Multipart request body failed strict validation: \
> PE %{REQBODY_PROCESSOR_ERROR}, \
> BQ %{MULTIPART_BOUNDARY_QUOTED}, \
> BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
> DB %{MULTIPART_DATA_BEFORE}, \
> DA %{MULTIPART_DATA_AFTER}, \
> HF %{MULTIPART_HEADER_FOLDING}, \
> LF %{MULTIPART_LF_LINE}, \
> SM %{MULTIPART_MISSING_SEMICOLON}, \
> IQ %{MULTIPART_INVALID_QUOTING}, \
> IP %{MULTIPART_INVALID_PART}, \
> IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
> FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
> SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
> "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a
> possible unmatched boundary.'"
> SecPcreMatchLimit 1000
> SecPcreMatchLimitRecursion 1000
> SecRule TX:/^MSC_/ "!@streq 0" \
> "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged:
> %{MATCHED_VAR_NAME}'"
> SecResponseBodyAccess On
> SecResponseBodyMimeType text/plain text/html text/xml
> SecResponseBodyLimit 524288
> SecResponseBodyLimitAction ProcessPartial
> SecTmpDir /tmp/
> SecDataDir /tmp/
> SecDebugLog /opt/modsecurity/var/log/debug.log
> SecDebugLogLevel 3
> SecAuditEngine RelevantOnly
> SecAuditLogRelevantStatus "^(?:5|4(?!04))"
> SecAuditLogParts ABIJDEFHZ
> SecAuditLogType Serial
> SecAuditLog /var/log/modsec_audit.log
> SecAuditLogStorageDir /opt/modsecurity/var/audit/
> SecArgumentSeparator &
> SecCookieFormat 0
> SecUnicodeMapFile unicode.mapping 20127
>
> ----------------------------
>
> Any idea?
>
> Regards.
>

I personally do not see any errors in the log you posted, it looks all
normal to me. Which part of the log is concerning to you? I think those
timeout errors are a normal way of closing the connection to spoe but I
might be wrong :-/

Igor
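As an added example (not code from the thread or from the modsecurity SPOA project), a small triage script that walks the agent log lines quoted above and reports what the agent actually told HAProxy: which SPOE message was processed, the value of the `code` variable, and how the session ended. It assumes the agent logs its int32 variable with an unsigned format, so the printed value is reinterpreted as a signed 32-bit integer before it is compared against the posted `http-request deny if { var(txn.modsec.code) -m int gt 0 }` rule.

```python
import re

# Log lines copied from the agent output quoted in the thread above.
SAMPLE_LOG = """\
1588299974.851659 [00] <1> New Client connection accepted and assigned to worker 01
1588299974.851774 [01] <1> Decode HAProxy HELLO frame
1588299974.851925 [01] <1> Decode HAProxy NOTIFY frame
1588299974.851946 [01] Process SPOE Message 'check-request'
1588299974.852090 [01] Add action : set variable code=4294967195
1588300004.852632 [01] <1> Decode HAProxy DISCONNECT frame
1588300004.852640 [01] <1> Disconnect status code : 2
1588300004.852647 [01] <1> Disconnect message : a timeout occurred
1588300004.852694 [01] Failed to write frame length : Broken pipe
"""

# "<timestamp> [<worker>] [<client-id>] <message>"; the client id is optional.
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<worker>\d+)\] (?:<\d+> )?(?P<msg>.*)$")
SETVAR_RE = re.compile(r"set variable (?P<name>\w+)=(?P<value>\d+)")

def to_signed32(value: int) -> int:
    """Reinterpret an unsigned print of a 32-bit value as a signed int32
    (assumption: the agent logs its int32 variables with an unsigned format)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value

def summarize(log_text: str) -> dict:
    """Collect the SPOE messages, variables and session end state from agent log lines."""
    summary = {"messages": [], "vars": {}, "disconnect": None, "write_errors": 0}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Process SPOE Message"):
            summary["messages"].append(msg.split("'")[1])
        elif (sv := SETVAR_RE.search(msg)):
            summary["vars"][sv.group("name")] = to_signed32(int(sv.group("value")))
        elif msg.startswith("Disconnect message : "):
            summary["disconnect"] = msg[len("Disconnect message : "):]
        elif msg.startswith("Failed to write frame"):
            summary["write_errors"] += 1
    # The posted haproxy.cfg denies the request only when txn.modsec.code is > 0.
    summary["would_deny"] = summary["vars"].get("code", 0) > 0
    return summary

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Running it over the quoted log shows `code` as -101 and `would_deny` as False, i.e. with that value the deny rule in the posted configuration does not fire.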
