Josh Knapp
73b9104565
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 1m59s
Adds the plumbing that lets haproxy-manager talk to the coraza-spoa sidecar
added in PR 1, while keeping the default behavior bit-identical for any
deployment that doesn't set the new env var (the home network / standalone
use cases).
Single gate: HAPROXY_CORAZA_SPOE_BACKEND env var on the haproxy-manager
container. Unset (default) = generate_config() renders zero SPOE-related
output. Set (e.g. "coraza-spoa:9000") = three things happen at config
generation time:
1. hap_listener.tpl injects 5 lines at the end of the frontend block:
filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg
http-request send-spoe-group coraza coraza-check
...placed AFTER rate-limit and IP-block guards so we don't waste WAF
calls on requests we were going to drop anyway.
2. A new TCP backend (hap_coraza_spoa_backend.tpl) is appended:
backend coraza-spoa-backend
mode tcp
server coraza-spoa <env-var-target> check ...
3. The SPOE engine config (hap_coraza_spoe_engine.tpl) is rendered and
written to /etc/haproxy/coraza-spoe.cfg, defining the spoe-agent
"coraza" + spoe-message "coraza-check". This sets:
- option set-on-error continue (FAIL-OPEN if SPOA is unreachable)
- timeout processing 100ms (per-request inspection budget)
- app=str(haproxy) (matches sidecar's application name)
Verification (template render only, before staging deploy):
- hap_listener.tpl with no env var: 55 lines, zero SPOE references
- hap_listener.tpl with env var: 62 lines, filter + send-spoe-group present
- Engine cfg + backend block render with correct agent_target substitution
Next: PR 3 wires this into WHP (sidecar deploy via container-manager.sh
extension, server-settings UI for on/off, AI Monitor source for the audit
log). Staging verification of PR 1 + PR 2 together happens after PR 3.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
51 lines
1.8 KiB
Smarty
51 lines
1.8 KiB
Smarty
# Coraza SPOE engine configuration.
|
|
#
|
|
# Written to /etc/haproxy/coraza-spoe.cfg by haproxy_manager.generate_config()
|
|
# when HAPROXY_CORAZA_SPOE_BACKEND env var is set. Referenced from haproxy.cfg
|
|
# via `filter spoe engine coraza config /etc/haproxy/coraza-spoe.cfg`.
|
|
#
|
|
# Engine name "coraza" must match the engine name in the filter line in the
|
|
# main config and the application name "haproxy" must match the application
|
|
# block name in coraza-spoa's config.yaml.
|
|
|
|
[coraza]
|
|
|
|
spoe-agent coraza
|
|
# The single message we send (defined below) — per-request inspection.
|
|
messages coraza-check
|
|
|
|
# Prefix for any variables the agent sets back on the request.
|
|
option var-prefix coraza
|
|
|
|
# FAIL-OPEN. If the SPOA is unreachable or times out, requests flow
|
|
# through uninspected rather than failing. For a hosting platform,
|
|
# availability beats unconditional inspection coverage.
|
|
option set-on-error continue
|
|
|
|
# Aggressive timeouts: we don't want the WAF to materially slow page
|
|
# loads. processing 100ms is the per-request inspection budget.
|
|
timeout hello 2s
|
|
timeout idle 2m
|
|
timeout processing 100ms
|
|
|
|
use-backend coraza-spoa-backend
|
|
log global
|
|
|
|
spoe-message coraza-check
|
|
# Send the request shape to Coraza for inspection.
|
|
# `app=str(haproxy)` matches the application named "haproxy" in
|
|
# coraza-spoa's config.yaml — that's how Coraza picks which ruleset
|
|
# to apply.
|
|
args app=str(haproxy) \
|
|
src-ip=src \
|
|
src-port=src_port \
|
|
dest-ip=dst \
|
|
dest-port=dst_port \
|
|
method=method \
|
|
path=path \
|
|
query=query \
|
|
version=req.ver \
|
|
headers=req.hdrs \
|
|
body=req.body
|
|
event on-frontend-http-request
|