Fix coraza args and message names to match current expiremental branch

jcmoraisjr · Nov 21, 2022 · a3e109f · a3e109f
1 parent 29fb6a2
commit a3e109f
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 6 deletions.
diff --git a/pkg/converters/ingress/types/defaults.go b/pkg/converters/ingress/types/defaults.go
@@ -25,7 +25,7 @@ const (
 	// Ref: https://github.com/haproxy/spoa-modsecurity/blob/3c895f3e7dd291dba19d57ba054b277e6fb80ca4/README#L70
 	defaultModsecurityArgs = "unique-id method path query req.ver req.hdrs_bin req.body_size req.body"
 	// Ref: https://github.com/corazawaf/coraza-spoa/blob/179cf897147e165ccc1b8974888d8029737b7af5/doc/config/coraza.cfg#L14
-	DefaultCorazaArgs = "id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body"
+	DefaultCorazaArgs = "app=hdr(host) id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body"
 )
 
 func CreateDefaults() map[string]string {

diff --git a/pkg/haproxy/instance_test.go b/pkg/haproxy/instance_test.go
@@ -4900,15 +4900,18 @@ func TestModSecurity(t *testing.T) {
 			endpoints: []string{"10.0.0.101:9000"},
 			backendExp: `
     filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
-    http-request deny if { var(txn.coraza.fail) -m int eq 1 }`,
+    http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
+    http-request deny if !{ var(txn.coraza.fail) -m int eq 0 }`,
 			modsecExp: `
     timeout connect 1s
     timeout server  2s
     server modsec-spoa0 10.0.0.101:9000`,
 			modsecOtherExp: `
+    messages     coraza-req
     option       var-prefix  coraza`,
 			modsecAgentExp: `
-    args   id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
+spoe-message coraza-req
+    args   app=hdr(host) id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
     event  on-backend-http-request`,
 			useCoraza: true,
 		},
@@ -4952,7 +4955,19 @@ func TestModSecurity(t *testing.T) {
 backend spoe-modsecurity
     mode tcp` + test.modsecExp
 		}
-		c.checkConfig(`
+		if test.useCoraza {
+			c.checkConfig(`
+<<global>>
+<<defaults>>
+    unique-id-format        %[uuid()]
+backend d1_app_8080
+    mode http` + test.backendExp + `
+    server s1 172.17.0.11:8080 weight 100
+<<backends-default>>
+<<frontends-default>>
+<<support>>` + modsec)
+		} else {
+			c.checkConfig(`
 <<global>>
 <<defaults>>
 backend d1_app_8080
@@ -4961,6 +4976,8 @@ backend d1_app_8080
 <<backends-default>>
 <<frontends-default>>
 <<support>>` + modsec)
+		}
+
 		if test.modsecAgentExp != "" {
 			c.containsText("spoe-modsecurity.conf", c.readConfig(c.tempdir+"/spoe-modsecurity.conf"), test.modsecAgentExp)
 		}

diff --git a/rootfs/etc/templates/haproxy/haproxy.tmpl b/rootfs/etc/templates/haproxy/haproxy.tmpl
@@ -184,6 +184,10 @@ defaults
 {{- if $global.Timeout.Tunnel }}
     timeout tunnel          {{ $global.Timeout.Tunnel }}
 {{- end }}
+{{- /* Coraza will crash if the unique-id isn't set, which requires us to set the format here */}}
+{{- if $global.UseCoraza }}
+    unique-id-format        %[uuid()]
+{{- end }}
 {{- range $snippet := $global.CustomDefaults }}
     {{ $snippet }}
 {{- end }}
@@ -583,7 +587,8 @@ backend {{ $backend.ID }}
 {{- if eq $waf.Mode "deny" }}
 {{- range $pathIDs := $wafCfg.PathIDs $i }}
 {{- if $global.UseCoraza }}
-    http-request deny if { var(txn.coraza.fail) -m int eq 1 }
+    http-request deny deny_status 504 if { var(txn.coraza.error) -m int gt 0 }
+    http-request deny if !{ var(txn.coraza.fail) -m int eq 0 }
 {{- else }}
     http-request deny if { var(txn.modsec.code) -m int gt 0 }
 {{- end }}

diff --git a/rootfs/etc/templates/modsecurity/modsecurity.tmpl b/rootfs/etc/templates/modsecurity/modsecurity.tmpl
@@ -9,16 +9,24 @@
 {{- $modsec := .Global.ModSecurity }}
 [modsecurity]
 spoe-agent modsecurity-agent
-    messages     check-request
 {{- if .Global.UseCoraza }}
+    messages     coraza-req
     option       var-prefix  coraza
 {{- else }}
+    messages     check-request
     option       var-prefix  modsec
 {{- end }}
     timeout      hello       {{ $modsec.Timeout.Hello }}
     timeout      idle        {{ $modsec.Timeout.Idle }}
     timeout      processing  {{ $modsec.Timeout.Processing }}
     use-backend  spoe-modsecurity
+    log          global
+    option       dontlog-normal
+
+{{- if .Global.UseCoraza }}
+spoe-message coraza-req
+{{- else }}
 spoe-message check-request
+{{- end }}
     args   {{ $modsec.Args | join " " }}
     event  on-backend-http-request