templates/hap_coraza_spoe_engine.tpl

# Coraza SPOE engine configuration.
#
# Written to /etc/haproxy/coraza-spoe.cfg by haproxy_manager.generate_config()
# when HAPROXY_CORAZA_SPOE_BACKEND env var is set. Referenced from haproxy.cfg
# via `filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg`.
#
# Engine name "coraza" must match the engine name in the filter line in the
# main config and the application name "haproxy" must match the application
# block name in coraza-spoa's config.yaml.

[coraza]

spoe-agent coraza
    # The single message we send (defined below) — per-request inspection.
    messages    coraza-check

    # Prefix for any variables the agent sets back on the request.
    option      var-prefix coraza

    # FAIL-OPEN. If the SPOA is unreachable or times out, requests flow
    # through uninspected rather than failing. For a hosting platform,
    # availability beats unconditional inspection coverage.
    option      set-on-error continue

    # Aggressive timeouts: we don't want the WAF to materially slow page
    # loads. processing 100ms is the per-request inspection budget.
    timeout     hello       2s
    timeout     idle        2m
    timeout     processing  100ms

    use-backend coraza-spoa-backend
    log         global

spoe-message coraza-check
    # Send the request shape to Coraza for inspection.
    # `app=str(haproxy)` matches the application named "haproxy" in
    # coraza-spoa's config.yaml — that's how Coraza picks which ruleset
    # to apply.
    # NOTE: args must be on ONE line. HAProxy does not support backslash
    # line continuations in spoe configs (verified the hard way 2026-05-12).
    args app=str(haproxy) src-ip=src src-port=src_port dest-ip=dst dest-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
    event on-frontend-http-request
PR 2/3: opt-in SPOE integration for Coraza WAF Adds the plumbing that lets haproxy-manager talk to the coraza-spoa sidecar added in PR 1, while keeping the default behavior bit-identical for any deployment that doesn't set the new env var (the home network / standalone use cases). Single gate: HAPROXY_CORAZA_SPOE_BACKEND env var on the haproxy-manager container. Unset (default) = generate_config() renders zero SPOE-related output. Set (e.g. "coraza-spoa:9000") = three things happen at config generation time: 1. hap_listener.tpl injects 5 lines at the end of the frontend block: filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg http-request send-spoe-group coraza coraza-check ...placed AFTER rate-limit and IP-block guards so we don't waste WAF calls on requests we were going to drop anyway. 2. A new TCP backend (hap_coraza_spoa_backend.tpl) is appended: backend coraza-spoa-backend mode tcp server coraza-spoa <env-var-target> check ... 3. The SPOE engine config (hap_coraza_spoe_engine.tpl) is rendered and written to /etc/haproxy/coraza-spoe.cfg, defining the spoe-agent "coraza" + spoe-message "coraza-check". This sets: - option set-on-error continue (FAIL-OPEN if SPOA is unreachable) - timeout processing 100ms (per-request inspection budget) - app=str(haproxy) (matches sidecar's application name) Verification (template render only, before staging deploy): - hap_listener.tpl with no env var: 55 lines, zero SPOE references - hap_listener.tpl with env var: 62 lines, filter + send-spoe-group present - Engine cfg + backend block render with correct agent_target substitution Next: PR 3 wires this into WHP (sidecar deploy via container-manager.sh extension, server-settings UI for on/off, AI Monitor source for the audit log). Staging verification of PR 1 + PR 2 together happens after PR 3. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-12 16:49:29 -07:00			`# Coraza SPOE engine configuration.`
			`#`
			`# Written to /etc/haproxy/coraza-spoe.cfg by haproxy_manager.generate_config()`
			`# when HAPROXY_CORAZA_SPOE_BACKEND env var is set. Referenced from haproxy.cfg`
			# via `filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg`.
			`#`
			`# Engine name "coraza" must match the engine name in the filter line in the`
			`# main config and the application name "haproxy" must match the application`
			`# block name in coraza-spoa's config.yaml.`

			`[coraza]`

			`spoe-agent coraza`
			`# The single message we send (defined below) — per-request inspection.`
			`messages coraza-check`

			`# Prefix for any variables the agent sets back on the request.`
			`option var-prefix coraza`

			`# FAIL-OPEN. If the SPOA is unreachable or times out, requests flow`
			`# through uninspected rather than failing. For a hosting platform,`
			`# availability beats unconditional inspection coverage.`
			`option set-on-error continue`

			`# Aggressive timeouts: we don't want the WAF to materially slow page`
			`# loads. processing 100ms is the per-request inspection budget.`
			`timeout hello 2s`
			`timeout idle 2m`
			`timeout processing 100ms`

			`use-backend coraza-spoa-backend`
			`log global`

			`spoe-message coraza-check`
			`# Send the request shape to Coraza for inspection.`
			# `app=str(haproxy)` matches the application named "haproxy" in
			`# coraza-spoa's config.yaml — that's how Coraza picks which ruleset`
			`# to apply.`
fix(coraza-spoe): collapse args to one line + ensure trailing LF on spoe cfg Two HAProxy parse errors caught in staging functional test: 1. coraza-spoe.cfg:39 'args': missing fetch method The args directive had backslash line continuations. HAProxy doesn't support those in SPOE configs — args must be one physical line. Collapsed to a single line. 2. coraza-spoe.cfg:50 Missing LF on last line Same trailing-LF issue we hit on haproxy.cfg one commit ago. The Jinja2 template ends with content rather than a newline, and write() doesn't add one. Belt-and-suspenders: explicitly append '\n' before writing if not already there. After this commit HAProxy validates the generated config cleanly. Will verify on staging now (combined SPOE injection + fail-open + active attack-detection tests). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-12 17:07:12 -07:00			`# NOTE: args must be on ONE line. HAProxy does not support backslash`
			`# line continuations in spoe configs (verified the hard way 2026-05-12).`
			`args app=str(haproxy) src-ip=src src-port=src_port dest-ip=dst dest-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body`
			`event on-frontend-http-request`