PR 2/3: opt-in SPOE integration for Coraza WAF

Adds the plumbing that lets haproxy-manager talk to the coraza-spoa sidecar added in PR 1, while keeping the default behavior bit-identical for any deployment that doesn't set the new env var (the home network / standalone use cases). Single gate: HAPROXY_CORAZA_SPOE_BACKEND env var on the haproxy-manager container. Unset (default) = generate_config() renders zero SPOE-related output. Set (e.g. "coraza-spoa:9000") = three things happen at config generation time: 1. hap_listener.tpl injects 5 lines at the end of the frontend block: filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg http-request send-spoe-group coraza coraza-check ...placed AFTER rate-limit and IP-block guards so we don't waste WAF calls on requests we were going to drop anyway. 2. A new TCP backend (hap_coraza_spoa_backend.tpl) is appended: backend coraza-spoa-backend mode tcp server coraza-spoa <env-var-target> check ... 3. The SPOE engine config (hap_coraza_spoe_engine.tpl) is rendered and written to /etc/haproxy/coraza-spoe.cfg, defining the spoe-agent "coraza" + spoe-message "coraza-check". This sets: - option set-on-error continue (FAIL-OPEN if SPOA is unreachable) - timeout processing 100ms (per-request inspection budget) - app=str(haproxy) (matches sidecar's application name) Verification (template render only, before staging deploy): - hap_listener.tpl with no env var: 55 lines, zero SPOE references - hap_listener.tpl with env var: 62 lines, filter + send-spoe-group present - Engine cfg + backend block render with correct agent_target substitution Next: PR 3 wires this into WHP (sidecar deploy via container-manager.sh extension, server-settings UI for on/off, AI Monitor source for the audit log). Staging verification of PR 1 + PR 2 together happens after PR 3. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 16:49:29 -07:00
parent 4e0c22e9c9
commit 73b9104565
4 changed files with 102 additions and 2 deletions
--- a/templates/hap_coraza_spoe_engine.tpl
+++ b/templates/hap_coraza_spoe_engine.tpl
@@ -0,0 +1,50 @@
+# Coraza SPOE engine configuration.
+#
+# Written to /etc/haproxy/coraza-spoe.cfg by haproxy_manager.generate_config()
+# when HAPROXY_CORAZA_SPOE_BACKEND env var is set. Referenced from haproxy.cfg
+# via `filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg`.
+#
+# Engine name "coraza" must match the engine name in the filter line in the
+# main config and the application name "haproxy" must match the application
+# block name in coraza-spoa's config.yaml.
+
+[coraza]
+
+spoe-agent coraza
+    # The single message we send (defined below) — per-request inspection.
+    messages    coraza-check
+
+    # Prefix for any variables the agent sets back on the request.
+    option      var-prefix coraza
+
+    # FAIL-OPEN. If the SPOA is unreachable or times out, requests flow
+    # through uninspected rather than failing. For a hosting platform,
+    # availability beats unconditional inspection coverage.
+    option      set-on-error continue
+
+    # Aggressive timeouts: we don't want the WAF to materially slow page
+    # loads. processing 100ms is the per-request inspection budget.
+    timeout     hello       2s
+    timeout     idle        2m
+    timeout     processing  100ms
+
+    use-backend coraza-spoa-backend
+    log         global
+
+spoe-message coraza-check
+    # Send the request shape to Coraza for inspection.
+    # `app=str(haproxy)` matches the application named "haproxy" in
+    # coraza-spoa's config.yaml — that's how Coraza picks which ruleset
+    # to apply.
+    args        app=str(haproxy) \
+                src-ip=src \
+                src-port=src_port \
+                dest-ip=dst \
+                dest-port=dst_port \
+                method=method \
+                path=path \
+                query=query \
+                version=req.ver \
+                headers=req.hdrs \
+                body=req.body
+    event       on-frontend-http-request