Netgate Discussion Forum

HAProxy with an external modsecurity filter

Cache/Proxy
9 Posts 5 Posters 5.2k Views
lncc63, Jun 14, 2021, 3:04 PM (last edited by lncc63 Jun 14, 2021, 3:09 PM)

    Just sharing this in case others need a web application firewall (WAF) with their HAProxy on their pfSense firewall. I used the modsecurity WAF, which I set up in a docker node running behind the firewall based on https://github.com/jcmoraisjr/modsecurity-spoa.

    The tricky part was using the pfSense GUI to configure the HAProxy frontend.

    [screenshot]
    Important to note here is the "dummy" frontend entry that is there only to ensure that the modsecurity spoe backend is included. The port 33780 is just an arbitrary choice which is never intended to be actually used.

    Here are non-default parts of the dummy frontend entry:
    [screenshot]
    [screenshot]

    The backend's IP address in my setup is 192.168.90.1, and below is all that is needed:
    [screenshot]

    Finally, the tricky part is the frontend configuration. I've a bunch of web apps on the backend all of which are protected by the modsecurity WAF. Here are screenshots of the "working" frontend's non-default parts:
    [screenshot]
    [screenshot]
    [screenshot]

    The last screenshot refers to a configuration file needed by haproxy. I used the filer package because I have a HA setup that needs several additional files sync'd to the backup node. You can do a direct edit if you only have one node but filer gives you the benefit of the files being part of the config.xml backups. Here is a screenshot of the filer entry needed:
    [screenshot]
    Please take note of the Script/Command entry, and IIRC the indentation used is critical. Also, at least in 2.5.1, you will find a Warning message in your general system log about the last line, which is harmless with the present version of haproxy.

    The setup works, but I should add that deploying a WAF this way may not be the best of ideas, which is probably why a WAF is not part of the pfSense package lineup.

    I tested this using this: https://github.com/wallarm/gotestwaf. The default rules of the modsecurity setup mentioned earlier don't score perfectly, but this shows the pfSense interface to the WAF works and that it's time to tune :)

    paulbr (last edited Sep 9, 2021, 11:39 AM)

      @lncc63 thanks for sharing.
      Set this up myself and worked really well.

    dragoangel (last edited Sep 13, 2021, 9:17 AM)

        Thanks, cool

        Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running multiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
        Unifi AP-AC-LR with EAP RADIUS, US-24

        paulbr (last edited Sep 14, 2021, 10:38 AM)

          Have run this for almost a week now and tested this using a WAF tester and got some good results. I have however made some tweaks to the rules as I noticed that if the container is offline and not serving requests for HAProxy the traffic would then go unchecked.

          The following changes were made which results in a 403 error protecting the backend application if the WAF container is not running.

          [screenshot]
          [screenshot]

          paulbr (last edited Sep 14, 2021, 10:42 AM)
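For readers who cannot see the screenshots, here is what the SPOE wiring lncc63 describes (dummy frontend, SPOA backend on 192.168.90.1, filter plus deny rule in the real frontend) and the fail-closed tweak paulbr describes (403 when the WAF container is unreachable) look like as plain HAProxy text. This is an added example, not either poster's actual configuration: the file path, the `unique-id-format`, the timeouts, the SPOA port 12345 and the certificate path are assumptions, and in pfSense these lines would be typed into the frontend's advanced pass-through box rather than into haproxy.cfg directly.

```haproxy
# /usr/local/etc/haproxy/spoe-modsecurity.conf (constructed example)
# NOTE: the file must end with a trailing newline; filer strips it (see paulbr's
# later reply), so write this file by hand on the node.
[modsecurity]
spoe-agent modsecurity-agent
    messages     check-request
    option       var-prefix modsec
    # fail closed: if the agent is down or times out, set txn.modsec.error
    # instead of silently passing the request through unchecked
    option       set-on-error error
    timeout      hello      100ms
    timeout      idle       30s
    timeout      processing 15ms
    use-backend  spoe-modsecurity

spoe-message check-request
    args   unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event  on-frontend-http-request

# --- relevant parts of haproxy.cfg ----------------------------------------
backend spoe-modsecurity
    mode    tcp
    timeout connect 5s
    timeout server  3m
    # assumption: the modsecurity-spoa container listens on port 12345
    server  modsec-spoa 192.168.90.1:12345

# "dummy" frontend: never receives traffic, it exists only so the pfSense
# package emits the spoe-modsecurity backend (port 33780 is arbitrary)
frontend modsec-dummy
    bind 127.0.0.1:33780
    mode tcp
    default_backend spoe-modsecurity

frontend web
    bind *:443 ssl crt /var/etc/haproxy/example.pem   # placeholder cert path
    mode http
    # the SPOA wants a per-request id; format taken from the HAProxy docs
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    filter spoe engine modsecurity config /usr/local/etc/haproxy/spoe-modsecurity.conf
    # WAF verdict: the SPOA sets txn.modsec.code to the HTTP status it wants
    http-request deny deny_status 403 if { var(txn.modsec.code) -m int gt 0 }
    # fail-closed tweak: deny when the SPOE filter reported an error
    http-request deny deny_status 403 if { var(txn.modsec.error) -m int gt 0 }
    default_backend webapps
```

Stopping the SPOA container and requesting any page should then return 403 rather than the application, which is the behaviour paulbr's screenshots are meant to achieve.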

            For anyone interested in the WAF tester I used the following docker container.

            docker run -v ${PWD}/reports:/go/src/gotestwaf/reports --network="host" wallarm/gotestwaf --url={url of application under test} --verbose --skipWAFBlockCheck
            
            WorldDrknss (last edited Jun 24, 2022, 4:40 AM)

              I know this is an old topic, but has anyone got this working lately with pfSense 2.6?

              paulbr, replying to @WorldDrknss (last edited Jun 24, 2022, 8:59 AM)

                @worlddrknss yep, still working well for me. Only thing I noticed is that the config file needs to be done manually and not via filer, as this strips the trailing line break which haproxy doesn't like.

                WorldDrknss, replying to @paulbr (last edited Jun 24, 2022, 1:23 PM)

                  @paulbr do you know which version of the SPOE image you are using? The latest version 0.8 from the link above gives me the following failure:

                  See Logs:
                  1656043101.401659 [00] ModSecurity: LIBXML compiled version="2.9.12"
                  1656043101.401849 [00] ModSecurity: StatusEngine call: "2.9.5,nginx,1.7.0/1.7.0,8.44/8.44 2020-02-12,(null),2.9.12,d1"
                  1656043106.408018 [00] ModSecurity: StatusEngine call failed. Query: GIXDSLRVFRXGO2LOPAWDCLRXFYYC6MJO.G4XDALBYFY2DILZYFY2DIIBSGAZDALJQ.GIWTCMRMFBXHK3DMFEWDELRZFYYTELDE.GE.165604310

                  I also noticed there was no communication from haproxy to this instance which stopped my sites from loading after implementing the error options as you described above.

                  microsim1970, replying to @lncc63 (last edited Jan 17, 2025, 2:06 PM)

                    @lncc63

                    Hello,
                    Sorry for my ignorance, but can you provide the way you have dockerized the WAF from jcmoraisjr/modsecurity-spoa?
                    Maybe this is not the right place to post this question, but on the jcmoraisjr git page I can't find any guide to pull the image or so on...

                    Can you provide any help?
                    Thanks,
                    Gianluca

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.