Re: Blocking log4j CVE with HAProxy

2021-12-14 Thread Aleksandar Lazic

Hi.

On 14.12.21 10:18, Olivier D wrote:

Hi,

On Mon, Dec 13, 2021 at 19:38, John Lauro <johnala...@gmail.com> wrote:

http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
was not catching the bad traffic.  I think the escapes were causing issues in the matching.

The following did work:
http-request deny deny_status 405 if { url_sub -i -f /etc/haproxy/bad_header.lst }
http-request deny deny_status 405 if { hdr_sub(user-agent) -i -f /etc/haproxy/bad_header.lst }
and in bad_header.lst
${jndi:


I tried
http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
and
http-request deny deny_status 405 if { url_sub -i ${jndi: or hdr_sub(user-agent) -i ${jndi: }

without success. Can anyone tell what's wrong with both syntaxes? And how to escape special chars correctly?


There is now a blog post on haproxy.com on how to configure HAProxy to protect the backend applications against the log4j attack.

https://www.haproxy.com/blog/december-2021-log4shell-mitigation/


Olivier


Regards
Alex



Re: [ANNOUNCE] haproxy-2.5.0

2021-12-14 Thread William Lallemand
On Tue, Nov 23, 2021 at 05:18:37PM +0100, Willy Tarreau wrote:
>
> Hi,
> 
> HAProxy 2.5.0 was released on 2021/11/23. It added 9 new commits after
> version 2.5-dev15, fixing minor last-minute details (bind warnings
> that turned to errors, and an incorrect free in the backend SSL cache).
> 

Hi Thierry,

Could you update the lua documentation at 
http://www.arpalert.org/haproxy-api.html?

It looks like neither the 2.4 version nor the 2.5 were published.

Also the 2.4-dev link seems to be the master, maybe you could rename
"2.4dev" into "master" directly?

Thanks,

-- 
William Lallemand



Re: Blocking log4j CVE with HAProxy

2021-12-14 Thread Olivier D
Hi,

On Mon, Dec 13, 2021 at 19:38, John Lauro wrote:

> http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
> was not catching the bad traffic.  I think the escapes were causing issues in the matching.
>
> The following did work:
> http-request deny deny_status 405 if { url_sub -i -f /etc/haproxy/bad_header.lst }
> http-request deny deny_status 405 if { hdr_sub(user-agent) -i -f /etc/haproxy/bad_header.lst }
> and in bad_header.lst
> ${jndi:
>

I tried
http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
and
http-request deny deny_status 405 if { url_sub -i ${jndi: or hdr_sub(user-agent) -i ${jndi: }

without success. Can anyone tell what's wrong with both syntaxes? And how to escape special chars correctly?

Olivier


Re: [EXTERNAL] Re: [PATCH] MEDIUM numa supports for FreeBSD

2021-12-14 Thread Amaury Denoyelle
On Tue, Dec 14, 2021 at 05:16:15AM +0100, Willy TARREAU wrote:
> On Tue, Dec 14, 2021 at 02:12:28AM +, David CARLIER wrote:
> > ping :)
> sorry for the delay David, we'll check today.
> Willy

I can handle this as I have already implemented the Linux part. I'm
looking at it as soon as possible.

-- 
Amaury Denoyelle