Josh Knapp
061309675b
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 2m11s
Two HAProxy parse errors caught in staging functional test: 1. coraza-spoe.cfg:39 'args': missing fetch method The args directive had backslash line continuations. HAProxy doesn't support those in SPOE configs — args must be one physical line. Collapsed to a single line. 2. coraza-spoe.cfg:50 Missing LF on last line Same trailing-LF issue we hit on haproxy.cfg one commit ago. The Jinja2 template ends with content rather than a newline, and write() doesn't add one. Belt-and-suspenders: explicitly append '\n' before writing if not already there. After this commit HAProxy validates the generated config cleanly. Will verify on staging now (combined SPOE injection + fail-open + active attack-detection tests). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
43 lines
1.8 KiB
Smarty
43 lines
1.8 KiB
Smarty
# Coraza SPOE engine configuration.
|
|
#
|
|
# Written to /etc/haproxy/coraza-spoe.cfg by haproxy_manager.generate_config()
|
|
# when HAPROXY_CORAZA_SPOE_BACKEND env var is set. Referenced from haproxy.cfg
|
|
# via `filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg`.
|
|
#
|
|
# Engine name "coraza" must match the engine name in the filter line in the
|
|
# main config and the application name "haproxy" must match the application
|
|
# block name in coraza-spoa's config.yaml.
|
|
|
|
[coraza]
|
|
|
|
spoe-agent coraza
|
|
# The single message we send (defined below) — per-request inspection.
|
|
messages coraza-check
|
|
|
|
# Prefix for any variables the agent sets back on the request.
|
|
option var-prefix coraza
|
|
|
|
# FAIL-OPEN. If the SPOA is unreachable or times out, requests flow
|
|
# through uninspected rather than failing. For a hosting platform,
|
|
# availability beats unconditional inspection coverage.
|
|
option set-on-error continue
|
|
|
|
# Aggressive timeouts: we don't want the WAF to materially slow page
|
|
# loads. processing 100ms is the per-request inspection budget.
|
|
timeout hello 2s
|
|
timeout idle 2m
|
|
timeout processing 100ms
|
|
|
|
use-backend coraza-spoa-backend
|
|
log global
|
|
|
|
spoe-message coraza-check
|
|
# Send the request shape to Coraza for inspection.
|
|
# `app=str(haproxy)` matches the application named "haproxy" in
|
|
# coraza-spoa's config.yaml — that's how Coraza picks which ruleset
|
|
# to apply.
|
|
# NOTE: args must be on ONE line. HAProxy does not support backslash
|
|
# line continuations in spoe configs (verified the hard way 2026-05-12).
|
|
args app=str(haproxy) src-ip=src src-port=src_port dest-ip=dst dest-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
|
|
event on-frontend-http-request
|