spoa-modsecurity
forwarding Source IP as client IP
When using spoa on HAProxy, the modproxy logs keep showing that the connected client is the HAProxy itself (which in my case is 127.0.0.1, as I run the agent on the server in a docker) and modproxy logs this IP.
Is there a way to include the original source IP which connected to the HAProxy beforehand and pass it to modsecurity - in a forwarded-for header, for example?
The problem is that some features like geoip or IP reputation do not work in this scenario. Moreover, when using a SIEM solution for logging the modsecurity logs and threats, the connecting IP is always localhost.
I'm looking forward to receiving some tips or even a solution for how to handle this.
Thanks in advance.
Yeah, just ran into this now. Basically whitelisting cannot work???? @Rdago did you find a solution?
@Rdago I see you forked the repo and made some changes. But did you fix the forwardfor? I see something about UniqueID.
@jessequinn I am also having the same issue, have you got any solution? How to get client-IP back on Modsecurity.
I am also having the same issue, is there any solution for this?
I also have the same problem. Any solution?
same problem here.
The trick I use to match requests in haproxy and modsec is the unique-id header.
In /etc/haproxy/haproxy.cfg, add this in the frontend section:

```
# Add unique-id Header
unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
unique-id-header X-Unique-ID
```

And modify this in the default section:

```
#option httplog
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID"
```

Regards
Thank you @CorentinS6 It solved the problem.
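
Added example, not part of the thread or of the project's code: because the `unique-id-format` above is rendered in hex by `%{+X}o`, the `X-Unique-ID` value itself carries the client address and port, so a log pipeline can recover the real client IP from a ModSecurity audit entry instead of 127.0.0.1. The audit entry, the ID and the function names are constructed for illustration; the 32-digit IPv6 form is an assumption.

```python
import ipaddress
import re

# Layout from the thread: unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
ADDR = r"[0-9A-Fa-f]{8}|[0-9A-Fa-f]{32}"  # hex IPv4; 32 digits assumed for IPv6
HEXN = r"[0-9A-Fa-f]+"
UID_RE = re.compile(
    rf"^(?P<ci>{ADDR}):(?P<cp>{HEXN})_(?P<fi>{ADDR}):(?P<fp>{HEXN})"
    rf"_(?P<ts>{HEXN})_(?P<rt>{HEXN}):(?P<pid>{HEXN})$"
)
HEADER_RE = re.compile(r"^X-Unique-ID:[ \t]*(\S+)", re.I | re.M)

# Constructed sample: the audit log only sees the proxy (127.0.0.1) in section A.
SAMPLE_AUDIT_ENTRY = """--4c1f2a9e-A--
[03/Apr/2012:14:34:17 +0000] T3sKaQAAAQEAAHkK 127.0.0.1 40122 127.0.0.1 12345
--4c1f2a9e-B--
GET /index.php?id=1 HTTP/1.1
Host: www.example.com
X-Unique-ID: CB007107:C822_C000020A:01BB_4F7B0A69_0003:790A

--4c1f2a9e-Z--
"""

def _ip(hex_digits):
    """Turn 8 (IPv4) or 32 (IPv6) hex digits into a printable address."""
    return str(ipaddress.ip_address(bytes.fromhex(hex_digits)))

def decode_unique_id(uid):
    """Decode an ID in the layout above; return None if it does not match."""
    m = UID_RE.match(uid.strip())
    if not m:
        return None  # reject anything else rather than guess an address
    return {
        "client_ip": _ip(m["ci"]), "client_port": int(m["cp"], 16),
        "frontend_ip": _ip(m["fi"]), "frontend_port": int(m["fp"], 16),
        "timestamp": int(m["ts"], 16),        # %Ts, epoch seconds
        "request_counter": int(m["rt"], 16),  # %rt
        "pid": int(m["pid"], 16),             # %pid
    }

def real_client(audit_entry):
    """Find X-Unique-ID in an audit entry's request headers and decode it."""
    m = HEADER_RE.search(audit_entry)
    return decode_unique_id(m.group(1)) if m else None

if __name__ == "__main__":
    print(real_client(SAMPLE_AUDIT_ENTRY))
```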