{"id":19890103,"url":"https://github.com/haproxy/spoa-modsecurity","last_synced_at":"2025-05-02T18:30:52.984Z","repository":{"id":61114478,"uuid":"360105355","full_name":"haproxy/spoa-modsecurity","owner":"haproxy","description":"Example of a simple wrapper around the ModSecurity v2 WAF for use with HAProxy's SPOE filtering","archived":false,"fork":false,"pushed_at":"2021-04-21T09:18:37.000Z","size":66,"stargazers_count":19,"open_issues_count":9,"forks_count":8,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-07T04:33:16.602Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/haproxy.png","metadata":{"files":{"readme":"README","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-04-21T09:16:17.000Z","updated_at":"2024-12-06T04:09:27.000Z","dependencies_parsed_at":"2022-10-11T04:53:40.097Z","dependency_job_id":null,"html_url":"https://github.com/haproxy/spoa-modsecurity","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/haproxy%2Fspoa-modsecurity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/haproxy%2Fspoa-modsecurity/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/haproxy%2Fspoa-modsecurity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/haproxy%2Fspoa-modsecurity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/haproxy","download_url":"https://codeload.github.com/haproxy/spoa-modsecurity/tar.gz/refs/heads/master","host":{"name":"
GitHub","url":"https://github.com","kind":"github","repositories_count":252088240,"owners_count":21692764,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-12T18:12:56.970Z","updated_at":"2025-05-02T18:30:52.622Z","avatar_url":"https://github.com/haproxy.png","language":"C","readme":"ModSecurity for HAProxy\n-----------------------\n\nThis is a third-party daemon which speaks SPOE. It passes requests sent by HAProxy\nto ModSecurity and returns the verdict.\n\n  Compilation\n---------------\n\nYou must compile ModSecurity in standalone mode. Below is an example for\nModSecurity-2.9.1. Note that ModSecurity depends on the Apache APR. I assume that\nthe Apache dependencies are installed on the system.\n\n   ./configure \\\n      --prefix=$PWD/INSTALL \\\n      --disable-apache2-module \\\n      --enable-standalone-module \\\n      --enable-pcre-study \\\n      --without-lua \\\n      --enable-pcre-jit\n   make\n   make -C standalone install\n   mkdir -p $PWD/INSTALL/include\n   cp standalone/*.h $PWD/INSTALL/include\n   cp apache2/*.h $PWD/INSTALL/include\n\nNote that this compilation method works, but is a little bit rustic. 
I can't\ndeal with Lua; I suppose that it is a dependency problem on my computer.\n\n  Start the service\n---------------------\n\nAfter you have compiled it, to start the service, you just need to run the \"spoa\"\nbinary:\n\n    $\u003e ./modsecurity  -h\n    Usage: ./spoa [-h] [-d] [-p \u003cport\u003e] [-n \u003cnum-workers\u003e] [-f \u003cconfig-file\u003e]\n        -h                  Print this message\n        -d                  Enable the debug mode\n        -f \u003cconfig-file\u003e    Modsecurity configuration file\n        -m \u003cmax-frame-size\u003e Specify the maximum frame size (default : 16384)\n        -p \u003cport\u003e           Specify the port to listen on (default: 12345)\n        -n \u003cnum-workers\u003e    Specify the number of workers (default: 5)\n        -c \u003ccapability\u003e     Enable the support of the specified capability\n        -t \u003ctime\u003e           Set a delay to process a message (default: 0)\n                            The value is specified in milliseconds by default,\n                            but can be in any other unit if the number is suffixed\n                            by a unit (us, ms, s)\n\nNote: A worker is a thread.\n\n\n  Configure a SPOE to use the service\n---------------------------------------\n\nAll information about SPOE configuration can be found in \"doc/SPOE.txt\". Here is\nthe configuration template to use for your SPOE with the ModSecurity module:\n\n   [modsecurity]\n\n   spoe-agent modsecurity-agent\n      messages check-request\n      option var-prefix modsec\n      timeout hello      100ms\n      timeout idle       30s\n      timeout processing 15ms\n      use-backend spoe-modsecurity\n\n   spoe-message check-request\n      args unique-id method path query req.ver req.hdrs_bin req.body_size req.body\n      event on-frontend-http-request\n\nThe engine is in the scope \"modsecurity\". 
So to enable it, you must add the\nfollowing line in a frontend/listener section:\n\n   frontend my-front\n      ...\n      filter spoe engine modsecurity config spoe-modsecurity.conf\n      ...\n\n\nBecause the SPOE configuration file declares the backend\n\"spoe-modsecurity\" for communication with the service, you must define it in the\nHAProxy configuration. For example:\n\n   backend spoe-modsecurity\n      mode tcp\n      balance roundrobin\n      timeout connect 5s\n      timeout server  3m\n      server modsec1 127.0.0.1:12345\n\nThe ModSecurity action is returned in a variable called txn.modsec.code. It\ncontains the HTTP status code to return. If the variable contains 0, the request is\nclean.\n\n   http-request deny if { var(txn.modsec.code) -m int gt 0 }\n\nWith this rule, all requests that are not clean are rejected.\n\n\n  Known bugs, limitations and TODO list\n-----------------------------------------\n\nModSecurity bugs:\n-----------------\n\n* When the audit_log is used with the directive \"SecAuditLogType Serial\", on\n  some systems the APR mutex initialisation silently fails, which causes a\n  segmentation fault. For my own usage, I have a patched version of modsec where\n  I use another mutex than \"APR_LOCK_DEFAULT\", like \"APR_LOCK_PROC_PTHREAD\":\n\n   -    rc = apr_global_mutex_create(\u0026msce-\u003eauditlog_lock, NULL, APR_LOCK_DEFAULT, mp);\n   +    rc = apr_global_mutex_create(\u0026msce-\u003eauditlog_lock, NULL, APR_LOCK_PROC_PTHREAD, mp);\n\n* Configuration files loaded with a wildcard (e.g. Include rules/*.conf) are loaded\n  in reverse alphabetical order. You can find a patch below. 
The ModSecurity\n  team ignored this patch.\n\n  https://github.com/SpiderLabs/ModSecurity/issues/1285\n  http://www.arpalert.org/0001-Fix-bug-when-load-files.patch\n\n  Alternatively, insert includes without wildcards.\n\nTodo:\n-----\n\n* Clarify the partial body analysis.\n* The response body is not yet analyzed.\n* ModSecurity can't modify the response body.\n* Implement real log management. Currently, the logs are sent to stderr.\n* Implement daemon features (fork, write a pid file, etc.).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhaproxy%2Fspoa-modsecurity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhaproxy%2Fspoa-modsecurity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhaproxy%2Fspoa-modsecurity/lists"}