Re: Haproxy + nginx + naxsi
Hi,

On Tue, Sep 03, 2013 at 02:34:41AM +, Shannon Francis wrote:
> Hug,
>
> It looks like these lines from that tutorial are causing some hang ups:
>
> ---
> acl abuse sc1_http_req_rate(ft_web) ge 100
> acl flag_abuser sc1_inc_gpc0(ft_web)
> . . .
> acl abuse sc1_http_err_rate(ft_waf) ge 10
> acl flag_abuser sc1_inc_gpc0(ft_waf)
> ---
>
> HAProxy is complaining because those fetch methods don't take arguments.
> Also, from the tutorial it looks like neither of these two front-ends tracks
> anything or has any stick-tables, so:
>
> ---
> acl abuse sc1_http_req_rate ge 100
> acl flag_abuser sc1_inc_gpc0
> . . .
> acl abuse sc1_http_err_rate ge 10
> acl flag_abuser sc1_inc_gpc0
> ---
>
> might make more sense.

I have not taken a look at the config on the blog, but the config above
with the argument became valid after 1.5-dev19 and is very convenient for
some use cases. However since this was implemented in late July, it's
possible that this older blog article did not expect to use it :-)

Best regards,
Willy

Re: Haproxy + nginx + naxsi
> On Mon, Jun 10, 2013 at 6:15 PM, Hugues Lepesant wrote:
> > Hello all,
> >
> > I'm trying to make this tutorial work :
> >
> > http://blog.exceliance.fr/2012/10/16/high-performance-waf-platform-with-naxsi-and-haproxy/
> >
> > But when I check the configuration of haproxy I've got these errors :
> >
> > # haproxy -c -f /etc/haproxy/haproxy.test.cfg
> > [ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:32] :
> > error detected while parsing ACL 'abuse' : ACL keyword 'sc1_http_req_rate'
> > takes no argument.
> > [ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:33] :
> > error detected while parsing ACL 'flag_abuser' : ACL keyword 'sc1_inc_gpc0'
> > takes no argument.
> > [ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:34] :
> > 'tcp-request content reject' : error detected in frontend 'ft_waf' while
> > parsing 'if' condition : no such ACL : 'abuse'
> > [ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:56] :
> > error detected while parsing ACL 'abuse' : ACL keyword 'sc1_http_err_rate'
> > takes no argument.
> > [ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:57] :
> > error detected while parsing ACL 'flag_abuser' : ACL keyword 'sc1_inc_gpc0'
> > takes no argument.
> > [ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:58] :
> > 'tcp-request content reject' : error detected in backend 'bk_waf' while
> > parsing 'if' condition : no such ACL : 'abuse'
> > [ALERT] 160/191308 (22091) : Error(s) found in configuration file :
> > /etc/haproxy/haproxy.test.cfg
> > [WARNING] 160/191308 (22091) : config : log format ignored for frontend
> > 'ft_waf' since it has no log address.
> > [WARNING] 160/191308 (22091) : config : log format ignored for frontend
> > 'ft_web' since it has no log address.
> > [ALERT] 160/191308 (22091) : Fatal errors found in configuration.

Hug,

It looks like these lines from that tutorial are causing some hang ups:

---
acl abuse sc1_http_req_rate(ft_web) ge 100
acl flag_abuser sc1_inc_gpc0(ft_web)
. . .
acl abuse sc1_http_err_rate(ft_waf) ge 10
acl flag_abuser sc1_inc_gpc0(ft_waf)
---

HAProxy is complaining because those fetch methods don't take arguments.
Also, from the tutorial it looks like neither of these two front-ends tracks
anything or has any stick-tables, so:

---
acl abuse sc1_http_req_rate ge 100
acl flag_abuser sc1_inc_gpc0
. . .
acl abuse sc1_http_err_rate ge 10
acl flag_abuser sc1_inc_gpc0
---

might make more sense.

Best of luck,
Shannon

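Added example, not part of the thread and not HAProxy project code: a small pre-deployment check covering the two points raised in the replies above, namely the `(table)` argument that only parses after 1.5-dev19 and `sc1_*` counters that nothing tracks or that point at a section with no stick-table. The `lint` function, the sample config and its stick-table/track lines are assumptions constructed for illustration.

```python
import re

SECTION = re.compile(r"^(?:frontend|backend|listen)\s+(\S+)")
TRACK = re.compile(r"\btrack-sc(\d)\b")
FETCH = re.compile(r"\bsc(\d)_\w+(?:\((\w+)\))?")  # sc1_inc_gpc0 or sc1_inc_gpc0(ft_web)

# Constructed sample: ACL lines from the thread plus assumed stick-table/track lines.
SAMPLE = """\
frontend ft_web
    stick-table type ip size 1m expire 1m store gpc0,http_req_rate(10s)
    tcp-request connection track-sc1 src
    acl abuse sc1_http_req_rate(ft_web) ge 100
    acl flag_abuser sc1_inc_gpc0(ft_web)
    tcp-request content reject if abuse flag_abuser
backend bk_waf
    acl abuse sc1_http_err_rate(ft_waf) ge 10
    acl flag_abuser sc1_inc_gpc0
"""

def lint(cfg_text, dev):
    """Return [(line_no, message)] for sc<N>_* fetches in an HAProxy config.

    dev is N for a 1.5-devN build, or None for any later release.
    """
    tables, tracked, uses, section = set(), set(), [], None
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        elif line.startswith("stick-table"):
            tables.add(section)                   # this proxy owns a table
        tracked.update(TRACK.findall(line))       # counters tracked anywhere
        uses += [(no, f.group(0), f.group(1), f.group(2)) for f in FETCH.finditer(line)]
    findings = []
    for no, text, idx, table in uses:
        # Per the reply above, the (table) form is only valid after 1.5-dev19.
        if table and dev is not None and dev <= 19:
            findings.append((no, f"{text}: table argument rejected by 1.5-dev{dev}"))
        if table and table not in tables:
            findings.append((no, f"{text}: section '{table}' has no stick-table"))
        if idx not in tracked:
            findings.append((no, f"{text}: no track-sc{idx} rule, counter is never fed"))
    return findings

if __name__ == "__main__":
    for dev in (17, None):
        print("1.5-dev%s" % dev if dev else "later release")
        for no, msg in lint(SAMPLE, dev):
            print("  line %d: %s" % (no, msg))
```

A rate-limit ACL that fails to parse stops HAProxy from starting, while one whose counter is never tracked loads cleanly and never matches, so the second kind is worth checking for even on versions that accept the config.
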
Re: Haproxy + nginx + naxsi
Hug Hugues :p

Sorry for the delay in my response, I'm a bit busy and "far" right now :)
Well, this sounds like a configuration issue, some typo or misnamed ACLs.

Baptiste

On Mon, Jun 10, 2013 at 6:15 PM, Hugues Lepesant wrote:
> Hello all,
>
> I'm trying to make this tutorial work :
>
> http://blog.exceliance.fr/2012/10/16/high-performance-waf-platform-with-naxsi-and-haproxy/
>
> But when I check the configuration of haproxy I've got these errors :
>
> # haproxy -c -f /etc/haproxy/haproxy.test.cfg
> [ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:32] :
> error detected while parsing ACL 'abuse' : ACL keyword 'sc1_http_req_rate'
> takes no argument.
> [ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:33] :
> error detected while parsing ACL 'flag_abuser' : ACL keyword 'sc1_inc_gpc0'
> takes no argument.
> [ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:34] :
> 'tcp-request content reject' : error detected in frontend 'ft_waf' while
> parsing 'if' condition : no such ACL : 'abuse'
> [ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:56] :
> error detected while parsing ACL 'abuse' : ACL keyword 'sc1_http_err_rate'
> takes no argument.
> [ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:57] :
> error detected while parsing ACL 'flag_abuser' : ACL keyword 'sc1_inc_gpc0'
> takes no argument.
> [ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:58] :
> 'tcp-request content reject' : error detected in backend 'bk_waf' while
> parsing 'if' condition : no such ACL : 'abuse'
> [ALERT] 160/191308 (22091) : Error(s) found in configuration file :
> /etc/haproxy/haproxy.test.cfg
> [WARNING] 160/191308 (22091) : config : log format ignored for frontend
> 'ft_waf' since it has no log address.
> [WARNING] 160/191308 (22091) : config : log format ignored for frontend
> 'ft_web' since it has no log address.
> [ALERT] 160/191308 (22091) : Fatal errors found in configuration.
>
> I'm running on Debian Squeeze 64 bits this version of haproxy :
>
> # haproxy -
> HA-Proxy version 1.5-dev17 2012/12/28
> Copyright 2000-2012 Willy Tarreau
>
> Build options :
>   TARGET  = linux2628
>   CPU     = native
>   CC      = gcc
>   CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_STATIC_PCRE=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.3.4
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 0.9.8o 01 Jun 2010
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
>
> Available polling systems :
>   epoll : pref=300, test result OK
>   poll : pref=200, test result OK
>   select : pref=150, test result OK
> Total: 3 (3 usable), will use epoll.
>
> Any help is welcome.
>
> Best regards,
>
> Hug

Haproxy + nginx + naxsi
Hello all,

I'm trying to make this tutorial work :

http://blog.exceliance.fr/2012/10/16/high-performance-waf-platform-with-naxsi-and-haproxy/

But when I check the configuration of haproxy I've got these errors :

# haproxy -c -f /etc/haproxy/haproxy.test.cfg
[ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:32] : error detected while parsing ACL 'abuse' : ACL keyword 'sc1_http_req_rate' takes no argument.
[ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:33] : error detected while parsing ACL 'flag_abuser' : ACL keyword 'sc1_inc_gpc0' takes no argument.
[ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:34] : 'tcp-request content reject' : error detected in frontend 'ft_waf' while parsing 'if' condition : no such ACL : 'abuse'
[ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:56] : error detected while parsing ACL 'abuse' : ACL keyword 'sc1_http_err_rate' takes no argument.
[ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:57] : error detected while parsing ACL 'flag_abuser' : ACL keyword 'sc1_inc_gpc0' takes no argument.
[ALERT] 160/191308 (22091) : parsing [/etc/haproxy/haproxy.test.cfg:58] : 'tcp-request content reject' : error detected in backend 'bk_waf' while parsing 'if' condition : no such ACL : 'abuse'
[ALERT] 160/191308 (22091) : Error(s) found in configuration file : /etc/haproxy/haproxy.test.cfg
[WARNING] 160/191308 (22091) : config : log format ignored for frontend 'ft_waf' since it has no log address.
[WARNING] 160/191308 (22091) : config : log format ignored for frontend 'ft_web' since it has no log address.
[ALERT] 160/191308 (22091) : Fatal errors found in configuration.

I'm running on Debian Squeeze 64 bits this version of haproxy :

# haproxy -
HA-Proxy version 1.5-dev17 2012/12/28
Copyright 2000-2012 Willy Tarreau

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_STATIC_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3.4
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 0.9.8o 01 Jun 2010
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes

Available polling systems :
  epoll : pref=300, test result OK
  poll : pref=200, test result OK
  select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Any help is welcome.

Best regards,
Hug