Fixed allowing action & HAProxy logging
zc-devs committed Jul 12, 2023
1 parent dd5eb86 commit b8fb9b5
Showing 2 changed files with 16 additions and 29 deletions.
2 changes: 1 addition & 1 deletion docker/haproxy/haproxy.cfg
Expand Up @@ -26,7 +26,7 @@ frontend test_frontend
bind *:443 ssl crt /usr/local/etc/haproxy/example.com.pem alpn h2,http/1.1
unique-id-format %[uuid()]
unique-id-header X-Unique-ID
log-format "%ci:%cp\ [%t]\ %ft\ %b/%s\ %Th/%Ti/%TR/%Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ %ID\ spoa-error:\ %[var(txn.coraza.error)]\ waf-hit:\ %[var(txn.coraza.fail)]"
log-format "%ci:%cp\ [%t]\ %ft\ %b/%s\ %Th/%Ti/%TR/%Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}r\ %ID\ spoa-error:\ %[var(txn.coraza.error)]\ waf-action:\ %[var(txn.coraza.action)]"

filter spoe engine coraza config /usr/local/etc/haproxy/coraza.cfg

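Review bot: The new log-format reads `%[var(txn.coraza.action)]` and drops `txn.coraza.fail`, but this is the only haproxy.cfg line the commit touches, so any other directive that still keys on `var(txn.coraza.fail)` (an `http-request deny` rule or the SPOE engine config, neither visible here) would silently stop matching once the agent no longer sets that variable, and for a deny rule that means traffic passes. Worth searching the HAProxy configs for `coraza.fail` and, wherever blocking is decided, matching `var(txn.coraza.action)` as a string against the literal the agent now emits. The agent's error returns (`return nil, err` in spoa.go) carry no actions, so on that path the variable stays unset and this field logs as `-`; presumably the engine config's failure mode covers that case, but it is worth confirming.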
43 changes: 15 additions & 28 deletions internal/spoa.go
Expand Up @@ -19,13 +19,6 @@ import (
"go.uber.org/zap/zapcore"
)

const (
// miss sets the detection result to safe.
miss = iota
// hit opposite to Miss.
hit
)

// TODO - in coraza v3 ErrorLogCallback is currently in the internal package
type ErrorLogCallback = func(rule types.MatchedRule)

Expand Down Expand Up @@ -67,14 +60,7 @@ func (s *SPOA) Start(bind string) error {
return nil
}

func (s *SPOA) processInterruption(it *types.Interruption, code int) []spoe.Action {
//if it.Status == 0 {
// tx.variables.responseStatus.Set("", []string{"403"})
//} else {
// status := strconv.Itoa(int(it.Status))
// tx.variables.responseStatus.Set("", []string{status})
//}

func (s *SPOA) processInterruption(it *types.Interruption) []spoe.Action {
return []spoe.Action{
spoe.ActionSetVar{
Name: "status",
Expand All @@ -99,14 +85,15 @@ func (s *SPOA) processInterruption(it *types.Interruption, code int) []spoe.Acti
}
}

func (s *SPOA) message(code int) []spoe.Action {
return []spoe.Action{
func (s *SPOA) allowAction() []spoe.Action {
act := []spoe.Action{
spoe.ActionSetVar{
Name: "fail",
Name: "action",
Scope: spoe.VarScopeTransaction,
Value: code,
Value: "allow",
},
}
return act
}

func (s *SPOA) readHeaders(headers string) (http.Header, error) {
Expand Down Expand Up @@ -292,7 +279,7 @@ func (s *SPOA) processRequest(spoeMsg *spoe.Message) ([]spoe.Action, error) {
tx = app.waf.NewTransactionWithID(req.id)
if tx.IsRuleEngineOff() {
app.logger.Warn("Rule engine is Off, Coraza is not going to process any rule")
return s.message(miss), nil
return s.allowAction(), nil
}

err = req.init()
Expand All @@ -315,26 +302,26 @@ func (s *SPOA) processRequest(spoeMsg *spoe.Message) ([]spoe.Action, error) {
return nil, err
}
if it != nil {
return s.processInterruption(it, hit), nil
return s.processInterruption(it), nil
}

tx.ProcessConnection(string(req.srcIp), req.srcPort, string(req.dstIp), req.dstPort)
tx.ProcessURI(req.path+"?"+req.query, req.method, "HTTP/"+req.version)

it = tx.ProcessRequestHeaders()
if it != nil {
return s.processInterruption(it, hit), nil
return s.processInterruption(it), nil
}

it, err = tx.ProcessRequestBody()
if err != nil {
return nil, err
}
if it != nil {
return s.processInterruption(it, hit), nil
return s.processInterruption(it), nil
}

return s.message(miss), nil
return s.allowAction(), nil
}

func (s *SPOA) processResponse(spoeMsg *spoe.Message) ([]spoe.Action, error) {
Expand Down Expand Up @@ -387,21 +374,21 @@ func (s *SPOA) processResponse(spoeMsg *spoe.Message) ([]spoe.Action, error) {
return nil, err
}
if it != nil {
return s.processInterruption(it, hit), nil
return s.processInterruption(it), nil
}

it = tx.ProcessResponseHeaders(resp.status, "HTTP/"+resp.version)
if it != nil {
return s.processInterruption(it, hit), nil
return s.processInterruption(it), nil
}

it, err = tx.ProcessResponseBody()
if err != nil {
return nil, err
}
if it != nil {
return s.processInterruption(it, hit), nil
return s.processInterruption(it), nil
}

return s.message(miss), nil
return s.allowAction(), nil
}
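Review bot: `allowAction` is added without a doc comment, and its body assigns the literal to `act` only to return it on the next line; returning `[]spoe.Action{ ... }` directly would match the shape of `processInterruption` just above, and a comment such as `// allowAction builds the SPOE action that sets the transaction variable "action" to "allow", i.e. no interruption was raised.` would tell readers what HAProxy observes. The variable also changes from the removed int `code` in `message` to the string `"allow"`, so any HAProxy-side comparison written for the old numeric `fail` variable needs a string match now. The remainder of `processInterruption`'s action list lies outside the hunk, so I cannot confirm it sets the same `"action"` variable on the deny path; if it does not, `txn.coraza.action` is only ever `"allow"` or unset, which makes it a weak signal for the log line in haproxy.cfg.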
