haproxy-manager-base/coraza-spoa/config.yaml
Josh Knapp 6d43308073
coraza: pre-CRS Include for runtime per-host exemptions (load-order fix)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-14 07:55:51 -07:00


# Coraza-SPOA configuration for WHP haproxy-manager integration.
#
# One named application "haproxy" — the haproxy-manager spoe template
# references this same name in its spoe-agent block, so the SPOA knows
# which rules to apply when HAProxy dispatches a request.
#
# Mode: SecRuleEngine DetectionOnly globally; overrides.conf promotes
# specific high-confidence rule ID ranges to enforcement individually.
# This is the safest posture for v1: every rule logs, but only the
# unambiguous ones (scanner UAs, RCE, LFI, webshells, Log4Shell) block.
bind: 0.0.0.0:9000

# Process-level logging (separate from the per-request audit log below).
log_level: info
log_file: /dev/stdout
log_format: json

# Fallback when the request doesn't match a named application. We only
# have one, so it is also the default.
default_application: haproxy

applications:
  - name: haproxy
    directives: |
      # CRS-bundled defaults: recommended Coraza settings + CRS setup +
      # the rule pack itself (~16 MB of rules embedded in the binary).
      Include @coraza.conf-recommended
      Include @crs-setup.conf.example

      # Runtime-managed PRE-CRS exclusions written by the WHP UI. Empty by
      # default. Loaded BEFORE the CRS rules so per-host ctl:ruleRemoveById
      # exemptions fire in phase:1, before the CRS rule they exempt would
      # otherwise match. Server-wide overrides live in local-overrides.conf
      # (loaded after CRS) instead.
      Include /etc/coraza/pre-overrides.conf

      Include @owasp_crs/*.conf

      # WHP-specific overrides — day-one enforce list, plus tuning for
      # the customer mix (WordPress, WooCommerce, Divi). Read this file
      # to see exactly what blocks vs what's detect-only.
      Include /etc/coraza/overrides.conf

      # Runtime-managed POST-CRS overrides written by the WHP UI. Empty by
      # default.
      Include /etc/coraza/local-overrides.conf

      # Global mode: log all alerts, block only what overrides.conf
      # explicitly promotes via ctl:ruleEngine=On.
      SecRuleEngine DetectionOnly

      # Audit log: JSON to a bind-mounted file so AI Monitor + log
      # rotation can pick it up. RelevantOnly means we don't write an
      # entry for every request, only for transactions that triggered at
      # least one rule (or whose status matches SecAuditLogRelevantStatus).
      SecAuditEngine RelevantOnly
      SecAuditLog /var/log/coraza/audit.log
      SecAuditLogFormat JSON
      SecAuditLogParts ABIJDEFHKZ

    # HAProxy sends request-only events for v1. Response inspection adds
    # latency on every page render with marginal additional protection
    # for our customer mix; it can be turned on later if we want it.
    response_check: false

    # Transaction context is kept for 60s before it is evicted. This is the
    # window a later SPOE event (e.g. a response) has to find its request
    # transaction; it is not a per-request latency budget.
    transaction_ttl_ms: 60000

    # Per-application logging, separate from the process log above.
    log_level: info
    log_file: /var/log/coraza/spoa.log
    log_format: json
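The config above reserves three include slots (pre-CRS exemptions, the WHP enforce list, post-CRS overrides) but does not show what goes in them. The fragment below is an added illustration, not a file from this repository, of how the pattern the comments describe fits together: a per-host `ctl:ruleRemoveTargetById` exemption in `pre-overrides.conf`, and a promotion of one high-confidence CRS rule to enforcement in `overrides.conf` while the engine stays in DetectionOnly. The hostnames, local rule IDs 1000 and 1001, the parameter name `post_content`, and the choice of CRS rules to exempt or promote are assumptions for the example; 942100 (libinjection SQLi) and 913100 (scanner User-Agent) are real CRS rule IDs used only to make it concrete. Whether the project's own `overrides.conf` uses `SecRuleUpdateActionById` for promotion is also an assumption; it is one way that matches the "promotes via ctl:ruleEngine=On" comment.

```apache
# ---- /etc/coraza/pre-overrides.conf (included BEFORE @owasp_crs/*.conf) ----
# Example per-host exemption (illustrative; host, rule IDs and the parameter
# name are assumptions). It runs in phase:1 so the ctl action has already
# removed the target for this transaction before the phase:2 CRS rule it
# names evaluates ARGS. Scope as narrowly as possible: one host, one rule,
# one argument.
SecRule REQUEST_HEADERS:Host "@streq shop.example.com" \
    "id:1000,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:post_content"

# Broader form: drop a rule entirely for one host (e.g. a legacy app with a
# known false positive). Prefer the target-scoped form above where you can.
SecRule REQUEST_HEADERS:Host "@streq legacy.example.com" \
    "id:1001,\
    phase:1,\
    pass,\
    nolog,\
    ctl:ruleRemoveById=942100"

# ---- /etc/coraza/overrides.conf (included AFTER @owasp_crs/*.conf) ----
# With SecRuleEngine DetectionOnly, nothing blocks unless something flips
# the engine to On for the current transaction. Appending ctl:ruleEngine=On
# to a high-confidence CRS rule does exactly that the moment it matches, so
# the CRS anomaly-evaluation rule later in phase 2 is allowed to deny.
# SecRuleUpdateActionById must come after the rule it modifies is loaded,
# which is why this file is included after the CRS rule pack.
# 913100 = "Found User-Agent associated with security scanner".
SecRuleUpdateActionById 913100 "ctl:ruleEngine=On"
```

Two checks a practitioner would run on this: confirm the exemption rules are phase:1 (a phase:2 exemption placed after the CRS include is too late for the rule it names), and confirm that a promoted rule firing on a request actually yields a 403 from HAProxy rather than only an audit-log entry, which verifies that `ctl:ruleEngine=On` is taking effect for that transaction and not just being logged.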