Re: Blocking log4j CVE with HAProxy
Hi.

On 14.12.21 10:18, Olivier D wrote:
> Hi,
>
> On Mon, 13 Dec 2021 at 19:38, John Lauro <johnala...@gmail.com> wrote:
>
> > http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
> > was not catching the bad traffic. I think the escapes were causing issues
> > in the matching.
> >
> > The following did work:
> > http-request deny deny_status 405 if { url_sub -i -f /etc/haproxy/bad_header.lst }
> > http-request deny deny_status 405 if { hdr_sub(user-agent) -i -f /etc/haproxy/bad_header.lst }
> > and in bad_header.lst
> > ${jndi:
>
> I tried
> http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
> and
> http-request deny deny_status 405 if { url_sub -i ${jndi: or hdr_sub(user-agent) -i ${jndi: }
> without success.
>
> Can anyone tell what's wrong with both syntaxes? And how to escape special chars correctly?

There is now a blog post on haproxy.com about how to configure haproxy to protect the backend applications against the log4j attack.

https://www.haproxy.com/blog/december-2021-log4shell-mitigation/

> Olivier

Regards
Alex
Re: [ANNOUNCE] haproxy-2.5.0
On Tue, Nov 23, 2021 at 05:18:37PM +0100, Willy Tarreau wrote:
> Hi,
>
> HAProxy 2.5.0 was released on 2021/11/23. It added 9 new commits after
> version 2.5-dev15, fixing minor last-minute details (bind warnings
> that turned to errors, and an incorrect free in the backend SSL cache).

Hi Thierry,

Could you update the lua documentation at http://www.arpalert.org/haproxy-api.html? It looks like neither the 2.4 version nor the 2.5 were published.

Also the 2.4-dev link seems to be the master, maybe you could rename "2.4dev" into "master" directly?

Thanks,

-- 
William Lallemand
Re: Blocking log4j CVE with HAProxy
Hi,

On Mon, 13 Dec 2021 at 19:38, John Lauro wrote:

> http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
> was not catching the bad traffic. I think the escapes were causing issues
> in the matching.
>
> The following did work:
> http-request deny deny_status 405 if { url_sub -i -f /etc/haproxy/bad_header.lst }
> http-request deny deny_status 405 if { hdr_sub(user-agent) -i -f /etc/haproxy/bad_header.lst }
> and in bad_header.lst
> ${jndi:

I tried
http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
and
http-request deny deny_status 405 if { url_sub -i ${jndi: or hdr_sub(user-agent) -i ${jndi: }
without success.

Can anyone tell what's wrong with both syntaxes? And how to escape special chars correctly?

Olivier
Re: [EXTERNAL] Re: [PATCH] MEDIUM numa supports for FreeBSD
On Tue, Dec 14, 2021 at 05:16:15AM +0100, Willy TARREAU wrote:
> On Tue, Dec 14, 2021 at 02:12:28AM +, David CARLIER wrote:
> > ping :)
> sorry for the delay David, we'll check today.
> Willy

I can handle this as I have already implemented the Linux part. I'm looking at it as soon as possible.

-- 
Amaury Denoyelle