Re: doubt how to compile modsecurity module for HAproxy
Hi Igor. I found out the error was a missing include in the OWASP rules, but I couldn't compile the standalone mode in version 3 of ModSecurity; can you tell me whether it supports it? I'm writing a howto; I'll send it, and I'm already sending the link.

Regards.

On Friday, May 1, 2020 00:19:29 GMT-4, Igor Cicimov wrote:

Hi Ricardo,

On Fri, May 1, 2020 at 1:06 PM Ricardo Barbosa wrote:

Of course, it would be a pleasure, but I still couldn't get it to work. Following Igor's script I even managed to build it, but it is generating the following log.

--- begin -
1588299971.657027 [07] 0 clients connected
1588299971.657000 [09] 0 clients connected
1588299974.851659 [00] <1> New Client connection accepted and assigned to worker 01
1588299974.851698 [01] <1> read_frame_cb
1588299974.851765 [01] <1> New Frame of 129 bytes received
1588299974.851774 [01] <1> Decode HAProxy HELLO frame
1588299974.851777 [01] <1> Supported versions : 2.0
1588299974.851779 [01] <1> HAProxy maximum frame size : 16380
1588299974.851780 [01] <1> HAProxy capabilities : pipelining,async
1588299974.851789 [01] <1> HAProxy supports frame pipelining
1588299974.851797 [01] <1> HAProxy supports asynchronous frame
1588299974.851800 [01] <1> HAProxy engine id : a9dd7313-bb7e-46e2-a50e-5987dfa4f0d2
1588299974.851803 [01] <1> Encode Agent HELLO frame
1588299974.851810 [01] <1> Agent version : 2.0
1588299974.851813 [01] <1> Agent maximum frame size : 16380
1588299974.851816 [01] <1> Agent capabilities :
1588299974.851830 [01] <1> write_frame_cb
1588299974.851856 [01] <1> Frame of 54 bytes send
1588299974.851905 [01] <1> read_frame_cb
1588299974.851916 [01] <1> New Frame of 617 bytes received
1588299974.851925 [01] <1> Decode HAProxy NOTIFY frame
1588299974.851927 [01] <1> STREAM-ID=12 - FRAME-ID=1 - unfragmented frame received - frag_len=0 - len=617 - offset=7
1588299974.851938 [01] Process frame messages : STREAM-ID=12 - FRAME-ID=1 - length=610 bytes
1588299974.851946 [01] Process SPOE Message 'check-request'
1588299974.852077 [01] Encode Agent ACK frame
1588299974.852088 [01] STREAM-ID=12 - FRAME-ID=1
1588299974.852090 [01] Add action : set variable code=4294967195
1588299974.852098 [01] <1> write_frame_cb
1588299974.852125 [01] <1> Frame of 30 bytes send
1588299976.656052 [01] 1 clients connected
1588299976.657844 [04] 0 clients connected
1588299976.657858 [02] 0 clients connected

--158831.660228 [08] 0 clients connected
158831.660241 [09] 0 clients connected
158831.660250 [01] 1 clients connected
158834.852590 [01] <1> read_frame_cb
158834.852619 [01] <1> New Frame of 49 bytes received
158834.852632 [01] <1> Decode HAProxy DISCONNECT frame
158834.852640 [01] <1> Disconnect status code : 2
158834.852647 [01] <1> Disconnect message : a timeout occurred
158834.852653 [01] <1> Peer closed connection: a timeout occurred
158834.852660 [01] <1> Encode Agent DISCONNECT frame
158834.852666 [01] <1> Disconnect status code : 2
158834.852671 [01] <1> Disconnect message : a timeout occurred
158834.852685 [01] <1> write_frame_cb
158834.852694 [01] Failed to write frame length : Broken pipe
158834.852704 [01] <1> Release client
158836.655592 [08] 0 clients connected
158836.655676 [09] 0 clients connected
158836.655608 [03] 0 clients connected
158836.655685 [01] 0 clients connected
---

Any idea?

When I compile with the new version it shows me the following message:

config.status: executing depfiles commands
config.status: executing libtool commands
configure: WARNING: unrecognized options: --disable-apache2-module, --enable-standalone-module, --enable-pcre-study, --enable-pcre-jit, --with-apxs

My config:

-- haproxy.cfg
global
    maxconn 5
    user haproxy

defaults
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    mode http
    maxconn 3000

frontend my-front
    bind 0.0.0.0:80
    mode http
    filter spoe engine modsecurity config /opt/haproxy/spoe-modsecurity.conf
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
    default_backend webservers

backend spoe-modsecurity
    mode tcp
    server modsec-spoa1 192.168.10.120:12345

backend webservers
    mode http
    balance roundrobin
    server web1 192.168.10.81:80 check
--

- spoe-modsecurity.conf --
[modsecurity]
spoe-agent modsecurity-agent
    messages check-request
    option var-prefix modsec
    timeout hello 100ms
    timeout idle 30s
    timeout processing 15ms
    use-backend spoe-modsecurity

spoe-message check-request
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event on-frontend-http-request
-

modsecurity.conf--
SecStatusEngine On
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
Re: doubt how to compile modsecurity module for HAproxy
Hi Ricardo,

On Fri, May 1, 2020 at 1:06 PM Ricardo Barbosa wrote:

> Of course, it would be a pleasure, but I still couldn't get it to work. Following Igor's script I even managed to build it, but it is generating the following log.
>
> --- begin -
> 1588299971.657027 [07] 0 clients connected
> 1588299971.657000 [09] 0 clients connected
> 1588299974.851659 [00] <1> New Client connection accepted and assigned to worker 01
> 1588299974.851698 [01] <1> read_frame_cb
> 1588299974.851765 [01] <1> New Frame of 129 bytes received
> 1588299974.851774 [01] <1> Decode HAProxy HELLO frame
> 1588299974.851777 [01] <1> Supported versions : 2.0
> 1588299974.851779 [01] <1> HAProxy maximum frame size : 16380
> 1588299974.851780 [01] <1> HAProxy capabilities : pipelining,async
> 1588299974.851789 [01] <1> HAProxy supports frame pipelining
> 1588299974.851797 [01] <1> HAProxy supports asynchronous frame
> 1588299974.851800 [01] <1> HAProxy engine id : a9dd7313-bb7e-46e2-a50e-5987dfa4f0d2
> 1588299974.851803 [01] <1> Encode Agent HELLO frame
> 1588299974.851810 [01] <1> Agent version : 2.0
> 1588299974.851813 [01] <1> Agent maximum frame size : 16380
> 1588299974.851816 [01] <1> Agent capabilities :
> 1588299974.851830 [01] <1> write_frame_cb
> 1588299974.851856 [01] <1> Frame of 54 bytes send
> 1588299974.851905 [01] <1> read_frame_cb
> 1588299974.851916 [01] <1> New Frame of 617 bytes received
> 1588299974.851925 [01] <1> Decode HAProxy NOTIFY frame
> 1588299974.851927 [01] <1> STREAM-ID=12 - FRAME-ID=1 - unfragmented frame received - frag_len=0 - len=617 - offset=7
> 1588299974.851938 [01] Process frame messages : STREAM-ID=12 - FRAME-ID=1 - length=610 bytes
> 1588299974.851946 [01] Process SPOE Message 'check-request'
> 1588299974.852077 [01] Encode Agent ACK frame
> 1588299974.852088 [01] STREAM-ID=12 - FRAME-ID=1
> 1588299974.852090 [01] Add action : set variable code=4294967195
> 1588299974.852098 [01] <1> write_frame_cb
> 1588299974.852125 [01] <1> Frame of 30 bytes send
> 1588299976.656052 [01] 1 clients connected
> 1588299976.657844 [04] 0 clients connected
> 1588299976.657858 [02] 0 clients connected
>
> --158831.660228 [08] 0 clients connected
> 158831.660241 [09] 0 clients connected
> 158831.660250 [01] 1 clients connected
> 158834.852590 [01] <1> read_frame_cb
> 158834.852619 [01] <1> New Frame of 49 bytes received
> 158834.852632 [01] <1> Decode HAProxy DISCONNECT frame
> 158834.852640 [01] <1> Disconnect status code : 2
> 158834.852647 [01] <1> Disconnect message : a timeout occurred
> 158834.852653 [01] <1> Peer closed connection: a timeout occurred
> 158834.852660 [01] <1> Encode Agent DISCONNECT frame
> 158834.852666 [01] <1> Disconnect status code : 2
> 158834.852671 [01] <1> Disconnect message : a timeout occurred
> 158834.852685 [01] <1> write_frame_cb
> 158834.852694 [01] Failed to write frame length : Broken pipe
> 158834.852704 [01] <1> Release client
> 158836.655592 [08] 0 clients connected
> 158836.655676 [09] 0 clients connected
> 158836.655608 [03] 0 clients connected
> 158836.655685 [01] 0 clients connected
> ---
>
> Any idea?
>
> When I compile with the new version it shows me the following message:
>
> config.status: executing depfiles commands
> config.status: executing libtool commands
> configure: WARNING: unrecognized options: --disable-apache2-module, --enable-standalone-module, --enable-pcre-study, --enable-pcre-jit, --with-apxs
>
> My config:
>
> -- haproxy.cfg
> global
>     maxconn 5
>     user haproxy
>
> defaults
>     timeout connect 10s
>     timeout client 30s
>     timeout server 30s
>     mode http
>     maxconn 3000
>
> frontend my-front
>     bind 0.0.0.0:80
>     mode http
>     filter spoe engine modsecurity config /opt/haproxy/spoe-modsecurity.conf
>     http-request deny if { var(txn.modsec.code) -m int gt 0 }
>     default_backend webservers
>
> backend spoe-modsecurity
>     mode tcp
>     server modsec-spoa1 192.168.10.120:12345
>
> backend webservers
>     mode http
>     balance roundrobin
>     server web1 192.168.10.81:80 check
> --
>
> - spoe-modsecurity.conf --
> [modsecurity]
> spoe-agent modsecurity-agent
>     messages check-request
>     option var-prefix modsec
>     timeout hello 100ms
>     timeout idle 30s
>     timeout processing 15ms
>     use-backend spoe-modsecurity
>
> spoe-message check-request
>     args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
>     event on-frontend-http-request
> -
>
> modsecurity.conf--
> SecStatusEngine On
> SecRuleEngine On
> SecRequestBodyAccess On
> SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
>     "id:'20',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
> SecRule REQUEST_HEADERS:Content-Type "application/json" \
Re: doubt how to compile modsecurity module for HAproxy
Of course, it would be a pleasure, but I still couldn't get it to work. Following Igor's script I even managed to build it, but it is generating the following log.

--- begin -
1588299971.657027 [07] 0 clients connected
1588299971.657000 [09] 0 clients connected
1588299974.851659 [00] <1> New Client connection accepted and assigned to worker 01
1588299974.851698 [01] <1> read_frame_cb
1588299974.851765 [01] <1> New Frame of 129 bytes received
1588299974.851774 [01] <1> Decode HAProxy HELLO frame
1588299974.851777 [01] <1> Supported versions : 2.0
1588299974.851779 [01] <1> HAProxy maximum frame size : 16380
1588299974.851780 [01] <1> HAProxy capabilities : pipelining,async
1588299974.851789 [01] <1> HAProxy supports frame pipelining
1588299974.851797 [01] <1> HAProxy supports asynchronous frame
1588299974.851800 [01] <1> HAProxy engine id : a9dd7313-bb7e-46e2-a50e-5987dfa4f0d2
1588299974.851803 [01] <1> Encode Agent HELLO frame
1588299974.851810 [01] <1> Agent version : 2.0
1588299974.851813 [01] <1> Agent maximum frame size : 16380
1588299974.851816 [01] <1> Agent capabilities :
1588299974.851830 [01] <1> write_frame_cb
1588299974.851856 [01] <1> Frame of 54 bytes send
1588299974.851905 [01] <1> read_frame_cb
1588299974.851916 [01] <1> New Frame of 617 bytes received
1588299974.851925 [01] <1> Decode HAProxy NOTIFY frame
1588299974.851927 [01] <1> STREAM-ID=12 - FRAME-ID=1 - unfragmented frame received - frag_len=0 - len=617 - offset=7
1588299974.851938 [01] Process frame messages : STREAM-ID=12 - FRAME-ID=1 - length=610 bytes
1588299974.851946 [01] Process SPOE Message 'check-request'
1588299974.852077 [01] Encode Agent ACK frame
1588299974.852088 [01] STREAM-ID=12 - FRAME-ID=1
1588299974.852090 [01] Add action : set variable code=4294967195
1588299974.852098 [01] <1> write_frame_cb
1588299974.852125 [01] <1> Frame of 30 bytes send
1588299976.656052 [01] 1 clients connected
1588299976.657844 [04] 0 clients connected
1588299976.657858 [02] 0 clients connected

--158831.660228 [08] 0 clients connected
158831.660241 [09] 0 clients connected
158831.660250 [01] 1 clients connected
158834.852590 [01] <1> read_frame_cb
158834.852619 [01] <1> New Frame of 49 bytes received
158834.852632 [01] <1> Decode HAProxy DISCONNECT frame
158834.852640 [01] <1> Disconnect status code : 2
158834.852647 [01] <1> Disconnect message : a timeout occurred
158834.852653 [01] <1> Peer closed connection: a timeout occurred
158834.852660 [01] <1> Encode Agent DISCONNECT frame
158834.852666 [01] <1> Disconnect status code : 2
158834.852671 [01] <1> Disconnect message : a timeout occurred
158834.852685 [01] <1> write_frame_cb
158834.852694 [01] Failed to write frame length : Broken pipe
158834.852704 [01] <1> Release client
158836.655592 [08] 0 clients connected
158836.655676 [09] 0 clients connected
158836.655608 [03] 0 clients connected
158836.655685 [01] 0 clients connected
---

Any idea?

When I compile with the new version it shows me the following message:

config.status: executing depfiles commands
config.status: executing libtool commands
configure: WARNING: unrecognized options: --disable-apache2-module, --enable-standalone-module, --enable-pcre-study, --enable-pcre-jit, --with-apxs

My config:

-- haproxy.cfg
global
    maxconn 5
    user haproxy

defaults
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    mode http
    maxconn 3000

frontend my-front
    bind 0.0.0.0:80
    mode http
    filter spoe engine modsecurity config /opt/haproxy/spoe-modsecurity.conf
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
    default_backend webservers

backend spoe-modsecurity
    mode tcp
    server modsec-spoa1 192.168.10.120:12345

backend webservers
    mode http
    balance roundrobin
    server web1 192.168.10.81:80 check
--

- spoe-modsecurity.conf --
[modsecurity]
spoe-agent modsecurity-agent
    messages check-request
    option var-prefix modsec
    timeout hello 100ms
    timeout idle 30s
    timeout processing 15ms
    use-backend spoe-modsecurity

spoe-message check-request
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event on-frontend-http-request
-

modsecurity.conf--
SecStatusEngine On
SecRuleEngine On
SecRequestBodyAccess On
SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
    "id:'20',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "application/json" \
    "id:'21',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
SecRequestBodyLimitAction Reject
SecRule REQBODY_ERROR "!@eq 0" \
    "id:'22', phase:2,t:none,log,deny,status:400,msg:'Failed to parse
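As an added sanity check (editor's example, not code from the thread, HAProxy or the modsecurity contrib), a script that cross-checks the wiring between the haproxy.cfg and spoe-modsecurity.conf posted above: the engine name on the "filter spoe" line against the SPOE section, "use-backend" against the backends defined (and their tcp mode), the agent's "messages" list against "spoe-message" definitions, and "option var-prefix" against the var(txn.modsec.code) used in the deny ACL. The two config strings are trimmed copies of the posted files, embedded as constructed input.

```python
import re

# Constructed sample input: the wiring-relevant lines of the haproxy.cfg and spoe-modsecurity.conf posted above.
HAPROXY_CFG = """
frontend my-front
    filter spoe engine modsecurity config /opt/haproxy/spoe-modsecurity.conf
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
backend spoe-modsecurity
    mode tcp
    server modsec-spoa1 192.168.10.120:12345
"""
SPOE_CONF = """
[modsecurity]
spoe-agent modsecurity-agent
    messages check-request
    option var-prefix modsec
    use-backend spoe-modsecurity
spoe-message check-request
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event on-frontend-http-request
"""

def check_spoe_wiring(haproxy_cfg, spoe_conf):
    """Return the cross-file mismatches found (an empty list means the two files agree)."""
    problems, modes = [], {}
    for chunk in re.split(r"^(?=\S)", haproxy_cfg, flags=re.M):  # one chunk per haproxy.cfg section
        head = chunk.split()
        if head and head[0] == "backend":
            mode = re.search(r"^\s+mode\s+(\S+)", chunk, re.M)
            modes[head[1]] = mode.group(1) if mode else None
    sections = set(re.findall(r"^\[(\S+)\]", spoe_conf, re.M))
    declared = set(re.findall(r"^spoe-message\s+(\S+)", spoe_conf, re.M))
    # Without "option var-prefix", HAProxy uses the spoe-agent name as the variable prefix.
    m = re.search(r"option var-prefix\s+(\S+)", spoe_conf) or re.search(r"^spoe-agent\s+(\S+)", spoe_conf, re.M)
    prefix = m.group(1) if m else ""
    for engine in re.findall(r"filter spoe engine (\S+)", haproxy_cfg):  # 1. engine name <-> [section]
        if engine not in sections:
            problems.append(f"engine '{engine}' has no [{engine}] section in the SPOE config")
    for backend in re.findall(r"^\s*use-backend\s+(\S+)", spoe_conf, re.M):  # 2. backend exists and is tcp
        if backend not in modes:
            problems.append(f"use-backend '{backend}' is not defined in haproxy.cfg")
        elif modes[backend] != "tcp":
            problems.append(f"SPOE backend '{backend}' is 'mode {modes[backend]}', HAProxy needs tcp")
    for line in re.findall(r"^\s*messages\s+(.+)$", spoe_conf, re.M):  # 3. messages <-> spoe-message
        problems += [f"message '{n}' has no spoe-message definition" for n in line.split() if n not in declared]
    for scope, used in re.findall(r"var\((\w+)\.([^.)]+)\.[^)]+\)", haproxy_cfg):  # 4. var(txn.<prefix>.x)
        if used != prefix:
            problems.append(f"var({scope}.{used}.*) does not match var-prefix '{prefix}'")
    return problems
```

Running it against the posted files returns an empty list; changing the var-prefix or the backend name on either side reports the mismatch, which is exactly the class of silent misconfiguration that leaves the deny rule never firing.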
Re: doubt how to compile modsecurity module for HAproxy
Hi Ricardo,

On Sun, Apr 26, 2020 at 11:36 AM Ricardo Barbosa wrote:

> Hello everyone, everything good? I'm studying how to enable the modsecurity module, but I don't know how the compilation process is done.
>
> I found this link https://github.com/haproxy/haproxy/tree/master/contrib/modsecurity, but I didn't understand how to do it. I downloaded the source code of haproxy and in the file called INSTALL the instructions are to run the make command, followed by the "TARGET" parameter, using one of the following options:
>
> linux-glibc, linux-glibc-legacy, solaris, freebsd, openbsd, netbsd, cygwin, haiku, aix51, aix52, aix72-gcc, osx, generic, custom.
>
> for example:
>
> make TARGET=linux-glibc
>
> however, there is no configure script to execute and follow the instructions on the website above. Does anyone have any idea how to do this?
>
> Best Regards

This is what I have come up with: https://gist.github.com/icicimov/69456f82e60ea6c53feb341f021fd089

Hope it can help.

Cheers,
Igor
Re: doubt how to compile modsecurity module for HAproxy
Sun, 26 Apr 2020 at 06:37, Ricardo Barbosa:

> Hello everyone, everything good? I'm studying how to enable the modsecurity module, but I don't know how the compilation process is done.
>
> I found this link https://github.com/haproxy/haproxy/tree/master/contrib/modsecurity, but I didn't understand how to do it. I downloaded the source code of haproxy and in the file called INSTALL the instructions are to run the make command, followed by the "TARGET" parameter, using one of the following options:
>
> linux-glibc, linux-glibc-legacy, solaris, freebsd, openbsd, netbsd, cygwin, haiku, aix51, aix52, aix72-gcc, osx, generic, custom.
>
> for example:
>
> make TARGET=linux-glibc
>
> however, there is no configure script to execute and follow the instructions on the website above. Does anyone have any idea how to do this?

Indeed there are instructions on the mentioned page (it is a README file). It is a pity it is not clear; can you help to improve it?

> Best Regards
doubt how to compile modsecurity module for HAproxy
Hello everyone, everything good? I'm studying how to enable the modsecurity module, but I don't know how the compilation process is done.

I found this link https://github.com/haproxy/haproxy/tree/master/contrib/modsecurity, but I didn't understand how to do it. I downloaded the source code of haproxy and in the file called INSTALL the instructions are to run the make command, followed by the "TARGET" parameter, using one of the following options:

linux-glibc, linux-glibc-legacy, solaris, freebsd, openbsd, netbsd, cygwin, haiku, aix51, aix52, aix72-gcc, osx, generic, custom.

for example:

make TARGET=linux-glibc

however, there is no configure script to execute and follow the instructions on the website above. Does anyone have any idea how to do this?

Best Regards