spoa-modsecurity
spoa-modsecurity copied to clipboard
haproxy
Example of a simple wrapper around the ModSecurity v2 WAF for use with HAProxy's SPOE filtering
ModSecurity for HAProxy
This is a third party daemon which speaks SPOE. It gives requests send by HAProxy to ModSecurity and returns the verdict.
Compilation
You must compile ModSecurity in standalone mode. Below an example for ModSecurity-2.9.1. Note that ModSecurity depends the Apache APR. I assume that the Apache dependencies are installed on the system.
./configure
--prefix=$PWD/INSTALL
--disable-apache2-module
--enable-standalone-module
--enable-pcre-study
--without-lua
--enable-pcre-jit
make
make -C standalone install
mkdir -p $PWD/INSTALL/include
cp standalone/.h $PWD/INSTALL/include
cp apache2/.h $PWD/INSTALL/include
Note that this compilation method works, but is a little bit rustic. I can't deal with Lua, I supposed that is a dependencies problem on my computer.
Start the service
After you have compiled it, to start the service, you just need to use "spoa" binary:
$> ./modsecurity -h
Usage: ./spoa [-h] [-d] [-p <port>] [-n <num-workers>] [-f <config-file>]
-h Print this message
-d Enable the debug mode
-f <config-file> Modsecurity configuration file
-m <max-frame-size> Specify the maximum frame size (default : 16384)
-p <port> Specify the port to listen on (default: 12345)
-n <num-workers> Specify the number of workers (default: 5)
-c <capability> Enable the support of the specified capability
-t <time> Set a delay to process a message (default: 0)
The value is specified in milliseconds by default,
but can be in any other unit if the number is suffixed
by a unit (us, ms, s)
Note: A worker is a thread.
Configure a SPOE to use the service
All information about SPOE configuration can be found in "doc/SPOE.txt". Here is the configuration template to use for your SPOE with ModSecurity module:
[modsecurity]
spoe-agent modsecurity-agent messages check-request option var-prefix modsec timeout hello 100ms timeout idle 30s timeout processing 15ms use-backend spoe-modsecurity
spoe-message check-request args unique-id method path query req.ver req.hdrs_bin req.body_size req.body event on-frontend-http-request
The engine is in the scope "modsecurity". So to enable it, you must set the following line in a frontend/listener section:
frontend my-front ... filter spoe engine modsecurity config spoe-modsecurity.conf ...
Because, in SPOE configuration file, we declare to use the backend "spoe-modsecurity" to communicate with the service, you must define it in HAProxy configuration. For example:
backend spoe-modsecurity mode tcp balance roundrobin timeout connect 5s timeout server 3m server modsec1 127.0.0.1:12345
The modsecurity action is returned in a variable called txn.modsec.code. It contains the HTTP returned code. If the variable contains 0, the request is clean.
http-request deny if { var(txn.modsec.code) -m int gt 0 }
With this rule, all the request not clean are rejected.
Known bugs, limitations and TODO list
Modsecurity bugs:
-
When the audit_log is used with the directive "SecAuditLogType Serial", in some systems, the APR mutex initialisation silently fails, this causes a segmentation fault. For my own usage, I have a patched version of modsec where I use another mutex than "APR_LOCK_DEFAULT" like "APR_LOCK_PROC_PTHREAD"
- rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_DEFAULT, mp);
- rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_PROC_PTHREAD, mp);
-
Configuration file loaded with wildcard (eg. Include rules/*.conf), are loaded in reverse alphabetical order. You can found a patch below. The ModSecurity team ignored this patch.
https://github.com/SpiderLabs/ModSecurity/issues/1285 http://www.arpalert.org/0001-Fix-bug-when-load-files.patch
Or insert includes without wildcards.
Todo:
- Clarify the partial body analysis.
- The response body is not yet analyzed.
- ModSecurity can't modify the response body.
- Implements real log management. Actually, the log are sent on stderr.
- Implements daemon things (forks, write a pid, etc.).
haproxy