Comments (11)
I just actually did compare the docker example, and the haproxy conf is significantly different from the one in the git for the non-docker version. So I copied it over and I'm not getting the Argument missing message anymore, but it's still not blocking.
Do I need to tell it to turn on blocking explicitly, or is it on by default? Does it silently drop, or does it show the drop in the logs? When it blocks, does it also ban subsequent requests for a period of time?
Is the test example outdated maybe and HAProxy already escapes it?
I am using the example from the docs to test.
curl http://localhost:4000/\?x\=/etc/passwd
This request results in:
Jul 12 08:56:19 test haproxy[2691]: 192.168.1.10:50526 [12/Jul/2023:08:56:19.013] test test/<NOSRV> 0/0/3/3/-1/-1/-1/3 403 72 - - PR-- 1/1/0/0/0 0/0 "GET /?x=/etc/passwd HTTP/1.1" 2a3af7ac-ffbd-49b0-9274-5e8870bc3bce spoa-error: - waf-hit: -
Just doing curl http://localhost
results in
Jul 12 08:56:14 test haproxy[2691]: 192.168.1.10:56796 [12/Jul/2023:08:56:14.481] test test_backend/<NOSRV> 0/0/2/2/-1/-1/-1/2 200 80 - - LR-- 1/1/0/0/3 0/0 "GET / HTTP/1.1" 7b1d9997-a188-4f50-a852-214e3f77c3e0 spoa-error: - waf-hit: 0
So waf-hit is "-" on the first request and "0" on the second.
Obviously I changed the IP and port.
Update:
Log statement is wrong:
log-format "%ci:%cp\ [%t]\ %ft\ %b/%s\ %Th/%Ti/%TR/%Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ %ID\ spoa-error:\ %[var(txn.coraza.error)]\ waf-hit:\ %[var(txn.coraza.fail)]"
txn.coraza.fail is always 0 or -
txn.coraza.action is the correct variable to see if denied or passed
Changed it and now I can see requests being blocked.
This can be closed. The documentation is all over the place about this. Hopefully this will be updated at some point to help others.
Thank you for your help.
Log statement is wrong
txn.coraza.action is the correct variable to see if denied or passed
@aim0r, thanks for the report, fixed in #74.
- What's the version of coraza-spoa? HAProxy?
- What are your config.yaml, coraza.conf, crs-setup.conf?
- Have you tried to run in docker?
Thank you for the prompt response. Requested info below.
1. Version of coraza-spoa: git rev-parse --short HEAD gives dd5eb86; HAProxy version is 2.4.22-0 on Ubuntu 22.10.
2. config.yml is a straight copy from here: github. Note I had to remove the pipe right behind "directives:" for it to work and be valid; not sure why the pipe is in there in the first place.
haproxy/coraza.cfg is a straight copy from here: github. Only changed the bind to 127.0.0.1, since I don't need it to listen on all IPs, and changed the log location.
coraza.conf is a straight copy from here: github
crs-setup.conf is a straight copy from here: github. I have also taken the crs-setup directly from coreruleset and the rules from coreruleset with no success.
I have not tried to run it in docker and wasn't planning to. Already running it in a container on Proxmox and don't need the overhead of docker.
wasn't planning to. Already running it in a container on Proxmox and don't need the overhead of docker.
That's OK of course, but I meant something different.
I have not tried to run it in docker
I've checked again by running the example in docker and haven't got the error you described. Works as intended.
Try to run the docker example. If it works, try to find the difference between the docker setup and your standalone one.
Do I need to tell it to turn on blocking explicitly or is it on by default?
Set up by SecRuleEngine.
Does it silently drop or does it show the drop in the logs?
In the Docker example it shows.
When it blocks does it also ban subsequent requests for a period of time?
I don't know, TBH. Look at underlying library. @jcchavezs
I'm curious too.
Is the test example outdated maybe and HAProxy already escapes it?
What example? In the docs?
Hopefully this will be updated at some point to help others.
PR is welcome ;)
When it blocks does it also ban subsequent requests for a period of time?
Nope, that would be a whole different thing, but achievable with current APIs. Is this something you need?
All the other answers are right.
I do not, I was just curious. But it would be cool ;-). I have been running it in DetectionOnly mode now for a few hours and capturing logs to see what I need to tweak in terms of rules. Very excited about this, so far it's working great.
I do have a few more questions:
- I believe rules are not live reloaded upon change or additions, is that correct? If there is no live reload, I believe just a simple restart of the spoa agent should refresh the rules.
- Any plans on a log parser for it, or does someone already have one? Or any advice on which ones would be good, looking at the coraza-spoa server.log specifically.
- Any chance there will be a web frontend at some point, similar to the HAProxy stats page, to edit, change and activate or deactivate rules?
- There is no live reload (#19). Yes, a restart should refresh.
- It would be as JSON in the near future (#70). And Coraza's Audit and Debug logs are in JSON already, at least at a high level.
- I think a lot of time will pass before that. Is there anyone who wants to implement it?
I think we should also update the example configs with an updated haproxy config, which incorporates the new variables. Just for reference, this is what's in use for the Docker & e2e tests:
# Currently haproxy cannot use variables to set the code or deny_status, so this needs to be manually configured here
http-request redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
http-response redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
http-request deny deny_status 403 hdr waf-block "request" if { var(txn.coraza.action) -m str deny }
http-response deny deny_status 403 hdr waf-block "response" if { var(txn.coraza.action) -m str deny }
http-request silent-drop if { var(txn.coraza.action) -m str drop }
http-response silent-drop if { var(txn.coraza.action) -m str drop }
# Deny in case of an error, when processing with the Coraza SPOA
http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
http-response deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
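As an added example (not code from the coraza-spoa project) tying together the log-format fix earlier in this thread and the txn.coraza.action mappings in the config above: a small parser for lines produced by that custom HAProxy log-format, which classifies each request as blocked, passed, SPOA error or unknown. It assumes the fixed log-format labels txn.coraza.action as "waf-action:" (a name chosen here, not by the project); the first two sample lines are the ones quoted earlier in the thread, the third is constructed.

```python
import re
# Tail of the custom HAProxy log-format quoted in this thread; field order:
#   ... %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %ID
#   spoa-error: <txn.coraza.error> waf-hit: <txn.coraza.fail>
# The fixed format logs txn.coraza.action instead; the "waf-action:" label
# accepted for it below is this example's assumption, not a project name.
LOG_RE = re.compile(
    r'haproxy\[\d+\]:\s+\S+\s+\[[^\]]+\]\s+\S+\s+\S+\s+\S+\s+(?P<status>\d{3})'
    r'\s+\d+\s+\S+\s+\S+\s+(?P<tsc>\S{4})\s+\S+\s+\S+\s+(?:\{[^}]*\}\s+)*'
    r'"(?P<request>[^"]*)"\s+\S+\s+spoa-error:\s+(?P<error>\S+)\s+'
    r'(?P<label>waf-hit|waf-action):\s+(?P<verdict>\S+)\s*$'
)

def classify(line):
    """Return (outcome, reason): did the WAF block the request on this line?"""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("line does not match the expected log-format")
    status, err = int(m["status"]), m["error"]
    # txn.coraza.error > 0: the SPOA round trip itself failed. The config above
    # turns that into a 504, so it is neither a pass nor a WAF verdict.
    if err != "-" and int(err) > 0:
        return "spoa-error", f"txn.coraza.error={err}"
    if m["label"] == "waf-action":
        # txn.coraza.action is what the config acts on; anything else passes.
        blocked = m["verdict"] in ("deny", "drop", "redirect")
        return ("blocked" if blocked else "passed"), f"txn.coraza.action={m['verdict']}"
    # waf-hit logs txn.coraza.fail, which the thread found is always 0 or "-".
    # Only HAProxy's own evidence is left: a 403 whose %tsc starts with "P" was
    # produced by an http-request deny rule, here the WAF's deny line.
    if status == 403 and m["tsc"].startswith("P"):
        return "blocked", "inferred from 403 with %tsc=P; txn.coraza.fail unusable"
    return "unknown", "txn.coraza.fail is not meaningful; log txn.coraza.action"

def summarize(lines):
    """Count outcomes over many lines, e.g. a tail of haproxy.log."""
    counts = {}
    for line in lines:
        outcome = classify(line)[0]
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts

# The first two lines are the ones quoted earlier in this thread; the third is
# constructed to show the fixed log-format carrying txn.coraza.action.
SAMPLE_LOG = [
    'Jul 12 08:56:19 test haproxy[2691]: 192.168.1.10:50526 [12/Jul/2023:08:56:19.013] test test/<NOSRV> 0/0/3/3/-1/-1/-1/3 403 72 - - PR-- 1/1/0/0/0 0/0 "GET /?x=/etc/passwd HTTP/1.1" 2a3af7ac-ffbd-49b0-9274-5e8870bc3bce spoa-error: - waf-hit: -',
    'Jul 12 08:56:14 test haproxy[2691]: 192.168.1.10:56796 [12/Jul/2023:08:56:14.481] test test_backend/<NOSRV> 0/0/2/2/-1/-1/-1/2 200 80 - - LR-- 1/1/0/0/3 0/0 "GET / HTTP/1.1" 7b1d9997-a188-4f50-a852-214e3f77c3e0 spoa-error: - waf-hit: 0',
    'Jul 12 09:00:00 test haproxy[2691]: 192.168.1.10:50600 [12/Jul/2023:09:00:00.000] test test/<NOSRV> 0/0/3/3/-1/-1/-1/3 403 72 - - PR-- 1/1/0/0/0 0/0 "GET /?x=/etc/passwd HTTP/1.1" 00000000-0000-0000-0000-000000000000 spoa-error: 0 waf-action: deny',
]
```

Running `summarize(SAMPLE_LOG)` shows why the thread's original log-format was misleading: the first 403 is only recognisable as a block from HAProxy's own termination state, while the line carrying txn.coraza.action names the verdict directly.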
^ Addressed by #76.
@jcchavezs mark this as a bug, please.