Hey gentlemen, I found in an old thread that someone asked about coraza (https://coraza.io/connectors/coraza-spoa/), then I found a guide for Debian/Ubuntu for integration with HAProxy here (https://www.alldiscoveries.com/installation-and-configuration-haproxy-v2-4-22-with-waf-coraza-spoa-on-ubuntu-server-22-04-lts/).
Can you help me add it to HAProxy for testing purposes, and later add it to HAProxy itself? :)
root@wall:~/coraza # git clone https://github.com/corazawaf/coraza-spoa.git
Cloning into 'coraza-spoa'...
remote: Enumerating objects: 965, done.
remote: Counting objects: 100% (451/451), done.
remote: Compressing objects: 100% (178/178), done.
remote: Total 965 (delta 315), reused 311 (delta 265), pack-reused 514
Receiving objects: 100% (965/965), 288.82 KiB | 999.00 KiB/s, done.
Resolving deltas: 100% (497/497), done.
root@firewall:~/coraza # cd ./coraza-spoa
root@firewall:~/coraza/coraza-spoa # make
make: "/root/coraza/coraza-spoa/Makefile" line 22: Invalid line type
make: "/root/coraza/coraza-spoa/Makefile" line 24: Invalid line type
make: "/root/coraza/coraza-spoa/Makefile" line 28: Invalid line type
make: "/root/coraza/coraza-spoa/Makefile" line 29: warning: duplicate script for target "ifeq" ignored
make: "Makefile" line 23: warning: using previous script for "ifeq" defined here
make: "/root/coraza/coraza-spoa/Makefile" line 29: warning: duplicate script for target "(,)" ignored
make: "Makefile" line 23: warning: using previous script for "(,)" defined here
make: "/root/coraza/coraza-spoa/Makefile" line 30: Invalid line type
make: Fatal errors encountered -- cannot continue
make: stopped in /root/coraza/coraza-spoa
~ A few hundred years later I managed to build and run coraza in OPNsense, but I stumbled on a few hiccups that I don't understand yet:
- first, how to create an easy configctl service for it / or maybe just run it at OPNsense startup time
- second, as I search in the forums or inside the OPNsense files I don't see a haproxy.conf that I can edit (and it's not automatically generated) - I guess PHP handles the generation of it, and in my case it is in /usr/local/etc/haproxy.conf, and editing it will not help if I click apply from the UI because maybe it will delete my additions.
Is there a way to add a few options to the example below?
defaults
    log global
    option httplog
    timeout client 1m
    timeout server 1m
    timeout connect 10s
    timeout http-keep-alive 2m
    timeout queue 15s
    timeout tunnel 4h # for websocket

frontend test
    mode http
    bind *:80
    unique-id-format %[uuid()]
    unique-id-header X-Unique-ID
    filter spoe engine coraza config /etc/haproxy/coraza.cfg

    # Currently haproxy cannot use variables to set the code or deny_status, so this needs to be manually configured here
    http-request redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
    http-response redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
    http-request deny deny_status 403 hdr waf-block "request" if { var(txn.coraza.action) -m str deny }
    http-response deny deny_status 403 hdr waf-block "response" if { var(txn.coraza.action) -m str deny }
    http-request silent-drop if { var(txn.coraza.action) -m str drop }
    http-response silent-drop if { var(txn.coraza.action) -m str drop }

    # Deny in case of an error, when processing with the Coraza SPOA
    http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
    http-response deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }

    use_backend test_backend

backend test_backend
    mode http
    http-request return status 200 content-type "text/plain" string "Welcome!\n"

backend coraza-spoa
    mode tcp
    balance roundrobin
    timeout connect 5s # greater than hello timeout
    timeout server 3m # greater than idle timeout
    server s1 127.0.0.1:9000
Just a quick update on this post: I managed to get it working and it's okay. There are a few errors that I must fix, but so far it's okay and it blocks.
(https://i.postimg.cc/tsLwKPQX/Screenshot-1.png) (https://postimg.cc/tsLwKPQX)
(https://i.postimg.cc/2qhMr6rn/Screenshot-2.png) (https://postimg.cc/2qhMr6rn)
(https://i.postimg.cc/r09HRPdm/Screenshot-3.png) (https://postimg.cc/r09HRPdm)
(https://i.postimg.cc/PpHcxj59/Screenshot-4.png) (https://postimg.cc/PpHcxj59)
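Added example (not from the post or the coraza-spoa project): since OPNsense regenerates haproxy.conf on "apply", this Python check parses the generated file and confirms the SPOE wiring from the config above is still there and still fails closed. The sample config is constructed; the filter path, variable names and backend name are the ones quoted in the post.

```python
import re

# Constructed sample modelled on the frontend/backend wiring quoted in the post.
SAMPLE_CONF = """\
defaults
    log global
frontend test
    mode http
    bind *:80
    filter spoe engine coraza config /etc/haproxy/coraza.cfg
    http-request deny deny_status 403 hdr waf-block "request" if { var(txn.coraza.action) -m str deny }
    http-response deny deny_status 403 hdr waf-block "response" if { var(txn.coraza.action) -m str deny }
    http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
    http-response deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
backend coraza-spoa
    mode tcp
    server s1 127.0.0.1:9000
"""

def parse_sections(text):
    """Split an HAProxy config into {section header: [directives]}; headers are unindented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def check_coraza_wiring(text, spoe_backend="coraza-spoa"):
    """Return findings (empty list = every frontend still consults Coraza and fails closed)."""
    s, findings = parse_sections(text), []
    for fe in (n for n in s if n.startswith("frontend ")):
        lines = s[fe]
        if not any(re.match(r"filter spoe engine \S+ config \S+", l) for l in lines):
            findings.append(f"{fe}: no 'filter spoe' line, requests bypass the WAF")
            continue
        for phase in ("http-request", "http-response"):
            for var in ("txn.coraza.action", "txn.coraza.error"):
                if not any(l.startswith(phase + " deny") and var in l for l in lines):
                    findings.append(f"{fe}: no '{phase} deny' on {var}")
    be = s.get("backend " + spoe_backend)
    if be is None or not any(l.startswith("server ") for l in be):
        findings.append(f"backend {spoe_backend} missing or has no server line")
    return findings
```

Run it against /usr/local/etc/haproxy.conf right after clicking apply; any finding means the UI dropped part of the manual additions.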