Coraza WAF for HaProxy

[xkpx]

Hey gentlemens i found in old thread that someone asked about coraza, then i found guide for deb/ubn for integration with HaProxy here.
Can you help me to add it to haproxy for testing purposes , and later add it to HaProxy itself

Code: [Select]

root@wall:~/coraza # git clone https://github.com/corazawaf/coraza-spoa.git
Cloning into 'coraza-spoa'...
remote: Enumerating objects: 965, done.
remote: Counting objects: 100% (451/451), done.
remote: Compressing objects: 100% (178/178), done.
remote: Total 965 (delta 315), reused 311 (delta 265), pack-reused 514
Receiving objects: 100% (965/965), 288.82 KiB | 999.00 KiB/s, done.
Resolving deltas: 100% (497/497), done.
root@firewall:~/coraza # cd ./coraza-spoa
root@firewall:~/coraza/coraza-spoa # make
make: "/root/coraza/coraza-spoa/Makefile" line 22: Invalid line type
make: "/root/coraza/coraza-spoa/Makefile" line 24: Invalid line type
make: "/root/coraza/coraza-spoa/Makefile" line 28: Invalid line type
make: "/root/coraza/coraza-spoa/Makefile" line 29: warning: duplicate script for target "ifeq" ignored
make: "Makefile" line 23: warning: using previous script for "ifeq" defined here
make: "/root/coraza/coraza-spoa/Makefile" line 29: warning: duplicate script for target "(,)" ignored
make: "Makefile" line 23: warning: using previous script for "(,)" defined here
make: "/root/coraza/coraza-spoa/Makefile" line 30: Invalid line type
make: Fatal errors encountered -- cannot continue
make: stopped in /root/coraza/coraza-spoa
~ few hundred years later managed to build and run the coraza in opnsense, but i stumble few hickups that i don't understand yet,
- first how to create easy configctl service for it / or maybe just run at startup time of opnsense
- second as i search in forums or inside opnsense files i dont see haproxy.conf that i can edit (and it's not automatic generated) - i guess php handles the generation of it, and in my case is in /usr/local/etc/haproxy.conf and edit will not help, if i click apply from UI because maybe will delete my additions.

Is there a way to add in example bellow few options ?

Code: [Select]

defaults
    log global
    option httplog
    timeout client 1m
timeout server 1m
timeout connect 10s
timeout http-keep-alive 2m
timeout queue 15s
timeout tunnel 4h  # for websocket

frontend test
    mode http
    bind *:80
   
    unique-id-format %[uuid()]
    unique-id-header X-Unique-ID
    filter spoe engine coraza config /etc/haproxy/coraza.cfg
   
    # Currently haproxy cannot use variables to set the code or deny_status, so this needs to be manually configured here
    http-request redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
    http-response redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }

    http-request deny deny_status 403 hdr waf-block "request"  if { var(txn.coraza.action) -m str deny }
    http-response deny deny_status 403 hdr waf-block "response" if { var(txn.coraza.action) -m str deny }

    http-request silent-drop if { var(txn.coraza.action) -m str drop }
    http-response silent-drop if { var(txn.coraza.action) -m str drop }

    # Deny in case of an error, when processing with the Coraza SPOA
    http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
    http-response deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }

    use_backend test_backend

backend test_backend
    mode http
    http-request return status 200 content-type "text/plain" string "Welcome!\n"

backend coraza-spoa
    mode tcp
    balance roundrobin
    timeout connect 5s # greater than hello timeout
    timeout server 3m  # greater than idle timeout
    server s1 127.0.0.1:9000

[xkpx]

Just a quick update on this post , i manage to get it working and its okey, there a few errors that i must fix but so far its okey and blocks.