-
Notifications
You must be signed in to change notification settings - Fork 20
/
Copy pathhaproxy.cfg
52 lines (40 loc) · 2.05 KB
/
haproxy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# https://docs.haproxy.org/
global
log stdout format raw local0
defaults
log global
option httplog
timeout client 1m
timeout server 1m
timeout connect 10s
frontend default
mode http
bind *:80
log-format "%ci:%cp\ [%t]\ %ft\ %b/%s\ %Th/%Ti/%TR/%Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ %[var(txn.coraza.id)]\ spoa-error:\ %[var(txn.coraza.error)]\ waf-hit:\ %[var(txn.coraza.fail)]"
# Set coraza app in HAProxy config to allow customized configs per host.
# You can also just leave this as is or even replace the use of a variable
# inside the coraza.cfg.
http-request set-var(txn.coraza.app) str(sample_app)
# !! Every http-request line will be executed before this !!
# Execute coraza request check.
filter spoe engine coraza config /usr/local/etc/haproxy/coraza.cfg
http-request send-spoe-group coraza coraza-req
# Currently haproxy cannot use variables to set the code or deny_status, so this needs to be manually configured here
http-request redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
http-response redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
http-request deny deny_status 403 hdr waf-block "request" if { var(txn.coraza.action) -m str deny }
http-response deny deny_status 403 hdr waf-block "response" if { var(txn.coraza.action) -m str deny }
http-request silent-drop if { var(txn.coraza.action) -m str drop }
http-response silent-drop if { var(txn.coraza.action) -m str drop }
# Deny in case of an error, when processing with the Coraza SPOA
http-request deny deny_status 500 if { var(txn.coraza.error) -m int gt 0 }
http-response deny deny_status 500 if { var(txn.coraza.error) -m int gt 0 }
use_backend httpbin_backend
resolvers host_dns
parse-resolv-conf
backend httpbin_backend
mode http
server backend $BACKEND_HOST
backend coraza-spoa
mode tcp
server coraza_spoa coraza-spoa:9000