-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Customize WAF per website #111
Comments
Yes you can do that. I have a similar setup with multiple hosts/domains. See #92 /etc/haproxy/coraza.cfgSee the spoe-message coraza-req
args app=req.hdr(host),regsub("^www.",,i) id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
event on-frontend-http-request
spoe-message coraza-res
args app=str(txn.app_name) id=unique-id version=res.ver status=status headers=res.hdrs body=res.body
event on-http-response /etc/coraza/config.yamlYour domain (without www) is the application.
You can configure different log files too. # The SPOA server bind address
bind: 0.0.0.0:9000
# Process request and response with this application if provided app name is not found.
# You can remove or comment out this config param if you don't need "default_application" functionality.
default_application: default_haproxy
applications:
default_haproxy: &default
# Get the coraza.conf from https://github.com/corazawaf/coraza
#
# Download the OWASP CRS from https://github.com/coreruleset/coreruleset/releases
# and copy crs-custom.conf & the rules, plugins directories to /etc/coraza-spoa
directives: |
Include /etc/coraza-spoa/sites/coraza.conf
Include /etc/coraza-spoa/crs-setup.conf
Include /etc/coraza-spoa/sites/crs-custom.conf
Include /etc/coraza-spoa/sites/plugins/*-config.conf
Include /etc/coraza-spoa/sites/plugins/*-before.conf
Include /etc/coraza-spoa/rules/*.conf
Include /etc/coraza-spoa/sites/plugins/*-after.conf
Include /etc/coraza-spoa/sites/after.conf
# HAProxy configured to send requests only, that means no cache required
# NOTE: there are still some memory & caching issues, so use this with care
no_response_check: true
# The transaction cache lifetime in milliseconds (60000ms = 60s)
transaction_ttl_ms: 600000
# The maximum number of transactions which can be cached
transaction_active_limit: 100000
# The log level configuration, one of: debug/info/warn/error/panic/fatal
log_level: info
# The log file path
log_file: /var/log/coraza-spoa/coraza-agent.log
# YOUR DOMAINS HERE
example.com:
<<: *default
directives: |
Include /etc/coraza-spoa/sites.d/example.com/coraza.conf
Include /etc/coraza-spoa/crs-setup.conf
Include /etc/coraza-spoa/sites.d/example.com/crs-custom.conf
Include /etc/coraza-spoa/sites.d/example.com/plugins/*-config.conf
Include /etc/coraza-spoa/sites.d/example.com/plugins/*-before.conf
# Next line is for the default CRS Rules to load (all)
Include /etc/coraza-spoa/rules/*.conf
# Custom rules for the site
Include /etc/coraza-spoa/sites.d/example.com/rules/*.conf
Include /etc/coraza-spoa/sites.d/example.com/plugins/*-after.conf
# Adjust the log file path
log_file: /var/log/coraza-spoa/coraza-agent-example.com.log |
Very clean answer, sir. |
Sorry to reopen this issue, but I have a complementary answer: In HAProxy, I dynamically load backends using a
I would like to reuse
I tried multiple syntaxes, but for now, all of them seems to be ignored.
Do you know a cleaner way to achieve this? |
Is this still an issue? your solution should normally work. |
Yes, it's working. Just wondered if a cleaner solution exists to avoid recalculating |
That should normally just work. Which haproxy version are you running? I will try to reproduce it :) |
Thank you. |
Hello,
I have one an only web frontend, dispatching requests to multiple backends through a host maps:
Coraza WAF is setup on this frontend, and it's working well... but I'm struggling on some use cases:
Thank you.
The text was updated successfully, but these errors were encountered: