HAProxy WAF Redundancy ACL



  • I am wondering if anyone can provide insite as to how to configure HAProxy ACLs for failover for redundancy. I configured HAProxy as a RP that sends all https requests to a standalone apache WAF using mod security + OWASP_CRS/3.0.0 + proxypass. Im new to webservers, and wanted a solution in front of it for security. It was an interesting build and can provide details if anyone is interested. I wanted a standalone WAF to handle all traffic for multiple webservers and future webservers.

    I am curious if there is a way I can write a few ACL rules that detect the Health Check for a failed WAF and can then switch over routing directly to the webservers. I know this evades security, but the websites are accessible until I can fix the WAF.

    My configuration is as follows

    Gateway/FW/HAProxy - WAF - HAProxy - Webservers

    Frontend: SharedFrontend
    WAN 443 SSL Offloading
    http/https (offloading)
    ACLs

    • ACL1 Host matches: hostname.domain1.tld
    • ACL2 host matches: hostname.domain2.tld
      ACT
    • Use Backend: WAF_ft ACL1
    • Use Backend: WAF_ft ACL2

    Use Forwardfor option
    httpclose: http-keep-alive

    Certificate: LetsEncrypt Cert

    Backend: WAF_ft
    active, name, <waf ip="">8080 No SSL
    Balance: None
    Health Check: Basic, 5000 ms

    traffic deemed safe by WAF, returned to RP

    Frontend: WAF_SAFE
    Listen: LAN## Address 8080 NO SSL Offloading
    http/https (offloading)
    ACL

    • safe_traffic Source IP matches: <waf ip="">ACT
    • Use Backend: webserver1 safe_traffic
      Use Forwardfor option
      httpclose: http-keep-alive

    Backend: webserver1
    active, name, <webserverip>80 No SSL
    Balance: None
    Health Check: Basic, 5000 ms

    FW ACL VLAN##
    Allow IPv4 TCP/UDP
    Source: WAF-Source-IP
    Dest: LAN## Address Port 8080

    I used this blog post as guidance, but its a bit dated and isnt using pfsense UI. So im not sure how to implement the concepts in pfsense UI.

    http://blog.haproxy.com/2012/10/12/scalable-waf-protection-with-haproxy-and-apache-with-modsecurity/</webserverip></waf></waf>