Re: doubt how to compile modsecurity module for HAproxy

2020-05-01 Thread Ricardo Barbosa
Hi Igor.

I found out the error was a missing include of the OWASP rules, but I couldn't
compile the standalone mode in version 3 of ModSecurity; can you tell me if it
supports it? I'm writing a howto and will send it; I'm already sending the link.

Regards.

On Friday, May 1, 2020 00:19:29 GMT-4, Igor Cicimov wrote:
 

Re: doubt how to compile modsecurity module for HAproxy

2020-04-30 Thread Igor Cicimov
Hi Ricardo,

On Fri, May 1, 2020 at 1:06 PM Ricardo Barbosa wrote:


Re: doubt how to compile modsecurity module for HAproxy

2020-04-30 Thread Ricardo Barbosa
Of course, it would be a pleasure, but I still couldn't get it to work.
Following Igor's script I even managed to build it, but it is generating the
following log.

--- begin -
1588299971.657027 [07] 0 clients connected
1588299971.657000 [09] 0 clients connected
1588299974.851659 [00] <1> New Client connection accepted and assigned to 
worker 01
1588299974.851698 [01] <1> read_frame_cb
1588299974.851765 [01] <1> New Frame of 129 bytes received
1588299974.851774 [01] <1> Decode HAProxy HELLO frame
1588299974.851777 [01] <1> Supported versions : 2.0
1588299974.851779 [01] <1> HAProxy maximum frame size : 16380
1588299974.851780 [01] <1> HAProxy capabilities : pipelining,async
1588299974.851789 [01] <1> HAProxy supports frame pipelining
1588299974.851797 [01] <1> HAProxy supports asynchronous frame
1588299974.851800 [01] <1> HAProxy engine id : 
a9dd7313-bb7e-46e2-a50e-5987dfa4f0d2
1588299974.851803 [01] <1> Encode Agent HELLO frame
1588299974.851810 [01] <1> Agent version : 2.0
1588299974.851813 [01] <1> Agent maximum frame size : 16380
1588299974.851816 [01] <1> Agent capabilities : 
1588299974.851830 [01] <1> write_frame_cb
1588299974.851856 [01] <1> Frame of 54 bytes send
1588299974.851905 [01] <1> read_frame_cb
1588299974.851916 [01] <1> New Frame of 617 bytes received
1588299974.851925 [01] <1> Decode HAProxy NOTIFY frame
1588299974.851927 [01] <1> STREAM-ID=12 - FRAME-ID=1 - unfragmented frame 
received - frag_len=0 - len=617 - offset=7
1588299974.851938 [01] Process frame messages : STREAM-ID=12 - FRAME-ID=1 - 
length=610 bytes
1588299974.851946 [01] Process SPOE Message 'check-request'
1588299974.852077 [01] Encode Agent ACK frame
1588299974.852088 [01] STREAM-ID=12 - FRAME-ID=1
1588299974.852090 [01] Add action : set variable code=4294967195
1588299974.852098 [01] <1> write_frame_cb
1588299974.852125 [01] <1> Frame of 30 bytes send
1588299976.656052 [01] 1 clients connected
1588299976.657844 [04] 0 clients connected
1588299976.657858 [02] 0 clients connected

--158831.660228 [08] 0 clients connected
158831.660241 [09] 0 clients connected
158831.660250 [01] 1 clients connected
158834.852590 [01] <1> read_frame_cb
158834.852619 [01] <1> New Frame of 49 bytes received
158834.852632 [01] <1> Decode HAProxy DISCONNECT frame
158834.852640 [01] <1> Disconnect status code : 2
158834.852647 [01] <1> Disconnect message : a timeout occurred
158834.852653 [01] <1> Peer closed connection: a timeout occurred
158834.852660 [01] <1> Encode Agent DISCONNECT frame
158834.852666 [01] <1> Disconnect status code : 2
158834.852671 [01] <1> Disconnect message : a timeout occurred
158834.852685 [01] <1> write_frame_cb
158834.852694 [01] Failed to write frame length : Broken pipe
158834.852704 [01] <1> Release client
158836.655592 [08] 0 clients connected
158836.655676 [09] 0 clients connected
158836.655608 [03] 0 clients connected
158836.655685 [01] 0 clients connected
---

Any idea?

When I compile with the new version it shows me the following message:


config.status: executing depfiles commands
config.status: executing libtool commands
configure: WARNING: unrecognized options: --disable-apache2-module, 
--enable-standalone-module, --enable-pcre-study, --enable-pcre-jit, --with-apxs
 
 
my config:

-- haproxy.cfg
global
 maxconn 5
 user haproxy

defaults

 timeout connect 10s
 timeout client 30s
 timeout server 30s
 mode http
 maxconn 3000

frontend my-front
 bind 0.0.0.0:80
 mode http
 filter spoe engine modsecurity config /opt/haproxy/spoe-modsecurity.conf
 http-request deny if { var(txn.modsec.code) -m int gt 0 }
 default_backend webservers


backend spoe-modsecurity
 mode tcp
 server modsec-spoa1 192.168.10.120:12345

backend webservers
 mode http
 balance roundrobin
 server web1 192.168.10.81:80 check

--

- spoe-modsecurity.conf --

[modsecurity]
spoe-agent modsecurity-agent
 messages check-request
 option var-prefix modsec
 timeout hello 100ms
 timeout idle 30s
 timeout processing 15ms
 use-backend spoe-modsecurity
spoe-message check-request
 args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
 event on-frontend-http-request

-

modsecurity.conf--
SecStatusEngine On
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
 "id:'20',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "application/json" \
 "id:'21',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
 "id:'22', phase:2,t:none,log,deny,status:400,msg:'Failed to parse

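As an added illustration (not code from this thread, from HAProxy or from the contrib ModSecurity agent): a small Python parser for the agent debug log posted above. It pulls out the HELLO negotiation, the SPOE message that was processed, the `set variable code=...` action and the disconnect reason, then applies the same rule as the haproxy.cfg above, `http-request deny if { var(txn.modsec.code) -m int gt 0 }`. It assumes the agent sets `code` as an int32 that the debug log prints unsigned, so 4294967195 is read back as -101; the log excerpt is constructed from lines in the thread.

```python
"""Parse a ModSecurity SPOA debug log and evaluate the HAProxy deny rule
`http-request deny if { var(txn.modsec.code) -m int gt 0 }` against the
`set variable code=...` action the agent sent back."""
import re
import struct

# Constructed excerpt, shaped after the agent log posted in the thread.
SAMPLE_LOG = """\
1588299974.851774 [01] <1> Decode HAProxy HELLO frame
1588299974.851777 [01] <1> Supported versions : 2.0
1588299974.851779 [01] <1> HAProxy maximum frame size : 16380
1588299974.851780 [01] <1> HAProxy capabilities : pipelining,async
1588299974.851946 [01] Process SPOE Message 'check-request'
1588299974.852077 [01] Encode Agent ACK frame
1588299974.852090 [01] Add action : set variable code=4294967195
158834.852647 [01] <1> Disconnect message : a timeout occurred
"""

# timestamp, [worker id], optional <client id>, free-text message
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<worker>\d+)\] (?:<\d+> )?(?P<msg>.*)$")

def to_int32(raw: int) -> int:
    """Reinterpret the unsigned number printed by the log as a signed int32.
    Assumption: the agent sets the SPOE variable as an int32 and the debug
    line formats it with an unsigned specifier, so 4294967195 is really -101."""
    return struct.unpack("<i", struct.pack("<I", raw & 0xFFFFFFFF))[0]

def parse_spoa_log(text: str) -> dict:
    """Collect the negotiation details and the agent's verdict from the log."""
    info = {"max_frame_size": None, "capabilities": [], "messages": [],
            "code": None, "disconnect": None}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("HAProxy maximum frame size : "):
            info["max_frame_size"] = int(msg.rsplit(": ", 1)[1])
        elif msg.startswith("HAProxy capabilities : "):
            info["capabilities"] = msg.rsplit(": ", 1)[1].split(",")
        elif msg.startswith("Process SPOE Message '"):
            info["messages"].append(msg.split("'")[1])
        elif msg.startswith("Add action : set variable code="):
            info["code"] = to_int32(int(msg.rsplit("=", 1)[1]))
        elif msg.startswith("Disconnect message : "):
            info["disconnect"] = msg.split(": ", 1)[1]
    return info

def haproxy_denies(code: int) -> bool:
    """Mirror the thread's ACL: the request is denied only when the
    txn.modsec.code variable is strictly greater than 0."""
    return code > 0

if __name__ == "__main__":
    parsed = parse_spoa_log(SAMPLE_LOG)
    print(parsed)
    print("denied" if haproxy_denies(parsed["code"]) else "allowed")
```

With the value from the posted log the rule does not fire, because -101 is not greater than 0; a positive status set by the agent would be denied.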
Re: doubt how to compile modsecurity module for HAproxy

2020-04-26 Thread Igor Cicimov
Hi Ricardo,

On Sun, Apr 26, 2020 at 11:36 AM Ricardo Barbosa wrote:

This is what I have come up with
https://gist.github.com/icicimov/69456f82e60ea6c53feb341f021fd089

Hope it can help.

Cheers,
Igor


Re: doubt how to compile modsecurity module for HAproxy

2020-04-26 Thread Илья Шипицин
On Sun, Apr 26, 2020 at 06:37, Ricardo Barbosa wrote:



Indeed, there are instructions on the mentioned page (it is a README file).
It is a pity they are not clear; can you help to improve them?




doubt how to compile modsecurity module for HAproxy

2020-04-25 Thread Ricardo Barbosa
Hello everyone, everything good? I'm studying how to enable the modsecurity
module, but I don't know how the compilation process is done.

I found this link:
https://github.com/haproxy/haproxy/tree/master/contrib/modsecurity, but I
didn't understand how to do it. I downloaded the source code of haproxy, and in
the file called INSTALL the instructions are to run the make command, followed
by the "TARGET" parameter, using one of the following options:

linux-glibc, linux-glibc-legacy, solaris, freebsd, openbsd, netbsd, cygwin,
haiku, aix51, aix52, aix72-gcc, osx, generic, custom.

For example:

make TARGET=linux-glibc

However, there is no configure script to execute and follow the instructions
on the website above. Does anyone have any idea how to do this?

Best Regards