haproxy-ingress
Coraza WAF modsecurity addon injects wrong backend config
Description of the problem
What is not working - injected backend config when using Ingress annotations:
haproxy-ingress.github.io/waf: "modsecurity"
haproxy-ingress.github.io/waf-mode: "deny"
filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
http-request deny if !{ var(txn.coraza.fail) -m int eq 0 }
Resulting in:
403 Forbidden
Request forbidden by administrative rules.
On all requests.
What is working (my current workaround):
filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
# Currently haproxy cannot use variables to set the code or deny_status, so this needs to be manually configured here
http-request redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
http-response redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
http-request deny deny_status 403 hdr waf-block "request" if { var(txn.coraza.action) -m str deny }
http-response deny deny_status 403 hdr waf-block "response" if { var(txn.coraza.action) -m str deny }
http-request silent-drop if { var(txn.coraza.action) -m str drop }
http-response silent-drop if { var(txn.coraza.action) -m str drop }
# Deny in case of an error, when processing with the Coraza SPOA
http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
http-response deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
Expected behavior
Working backend config OOTB
Steps to reproduce the problem
- Prepare HAProxy deployment (via Helm chart)
- Configure Coraza modsecurity according to the instructions: https://haproxy-ingress.github.io/docs/examples/modsecurity/
- It also requires using an up-to-date config reference: https://github.com/corazawaf/coraza-spoa
- Configure Ingress with appropriate annotations
Environment information
HAProxy Ingress version: v0.14
Global options:
controller:
  config:
    modsecurity-use-coraza: "true"
    modsecurity-args: "app=str(default_app) id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body"
    modsecurity-endpoints: modsecurity-spoa.haproxy.svc.cluster.local:9000
Ingress objects:
metadata:
  annotations:
    haproxy-ingress.github.io/waf: "modsecurity"
    haproxy-ingress.github.io/waf-mode: "deny"
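An added check, not part of this issue or of the haproxy-ingress project: a small Python linter that flags `txn.coraza.*` variables outside the set the working snippet above relies on (assumed here to be the variables coraza-spoa publishes: action, data, error) and marks a negated `deny` ACL on such a variable as denying every request, since an ACL whose variable is unset never matches and its negation is therefore always true. The two sample configs are constructed from the snippets in the report.

```python
import re

# Variables the Coraza SPOA sets on the transaction. Assumption: taken from
# the workaround snippet in the report, not from the coraza-spoa source.
CORAZA_VARS = {"txn.coraza.action", "txn.coraza.data", "txn.coraza.error"}

# Any var(txn.coraza.<name>) reference on a line.
VAR_RE = re.compile(r"var\((txn\.coraza\.[a-z_]+)\)")
# A deny rule whose condition is a negated ACL on a variable: "... deny ... if !{ var(x) ... }".
NEG_ACL_RE = re.compile(r"^\s*http-(?:request|response)\s+deny\b.*!\{\s*var\(([\w.]+)\)")


def lint_coraza_config(config: str) -> list[str]:
    """Return one finding per unknown txn.coraza.* reference.

    A deny rule that negates an ACL on an unknown (hence never set) variable is
    reported as denying every request: an ACL on an unset variable does not
    match, so its negation is always true.
    """
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no rules
        for name in VAR_RE.findall(line):
            if name in CORAZA_VARS:
                continue
            neg = NEG_ACL_RE.match(line)
            if neg and neg.group(1) == name:
                findings.append(f"line {lineno}: unknown variable {name} in negated deny ACL: denies every request")
            else:
                findings.append(f"line {lineno}: unknown variable {name}")
    return findings


# Constructed samples: the injected backend config from the report and the workaround.
INJECTED = """\
filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
http-request deny if !{ var(txn.coraza.fail) -m int eq 0 }
"""

WORKAROUND = """\
filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
http-request deny deny_status 403 hdr waf-block "request" if { var(txn.coraza.action) -m str deny }
http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
"""

if __name__ == "__main__":
    for label, cfg in (("injected", INJECTED), ("workaround", WORKAROUND)):
        print(label, lint_coraza_config(cfg) or ["ok"])
```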
@tomklapka Thank you for providing the snippet. We were running into the same issue this week, and I was able to successfully get it running with your changes. I've created a PR for the fix.
Fixed by @JanHolger and already merged. The change will be available in the next v0.14 and v0.15 versions, where Coraza is supported.