├── test
    ├── Dockerfile
    ├── curl.sh
    ├── spoe-modsecurity.conf
    ├── haproxy.cfg
    ├── docker-compose.yml
    └── run.sh
├── .github
    ├── workflows
    │   ├── test.yml
    │   └── image.yaml
    └── dependabot.yml
├── rootfs
    ├── spoa.patch
    ├── start.sh
    └── Dockerfile
├── README.md
└── LICENSE


/test/Dockerfile:
--------------------------------------------------------------------------------
1 | FROM alpine:latest
2 | 
3 | RUN apk add --no-cache bash tini curl
4 | 
5 | COPY ./curl.sh /
6 | 
7 | ENTRYPOINT ["tini", "--", "/curl.sh"]
8 | 


--------------------------------------------------------------------------------
/test/curl.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -e
 3 | 
 4 | # Split by comma
 5 | IFS=',' read -r -a lines <<< "$@"
 6 | 
 7 | for x in "${lines[@]}"; do
 8 |     # Split by space
 9 |     IFS=' ' read -r -a param <<< "${x[@]}"
10 |     echo "<========  ${param[*]}  ========>"
11 |     curl "${param[@]}"
12 |     echo -e '\n'
13 | done
14 | 


--------------------------------------------------------------------------------
/.github/workflows/test.yml:
--------------------------------------------------------------------------------
 1 | name: Test
 2 | on:
 3 |   push:
 4 |     branches:
 5 |     - master
 6 |   pull_request:
 7 | jobs:
 8 |   test:
 9 |     name: Test
10 |     runs-on: ubuntu-latest
11 |     steps:
12 |     - name: Checkout
13 |       uses: actions/checkout@v6
14 |     - name: Run
15 |       run: |
16 |         cd test
17 |         ./run.sh
18 | 


--------------------------------------------------------------------------------
/test/spoe-modsecurity.conf:
--------------------------------------------------------------------------------
 1 |  [modsecurity]
 2 |     spoe-agent modsecurity-agent
 3 |         messages     check-request
 4 |         option       var-prefix  modsec
 5 |         timeout      hello       100ms
 6 |         timeout      idle        30s
 7 |         timeout      processing  1s
 8 |         use-backend  spoe-modsecurity
 9 |     spoe-message check-request
10 |         args   unique-id method path query req.ver req.hdrs_bin req.body_size req.body
11 |         event  on-frontend-http-request
12 | 


--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
 1 | # https://dependabot.com/docs/config-file-beta/validator/
 2 | ---
 3 | version: 2
 4 | updates:
 5 | 
 6 |   - package-ecosystem: "github-actions"
 7 |     directory: "/"
 8 |     schedule:
 9 |       interval: "monthly"
10 | 
11 |   # find * -iname dockerfile* -exec dirname {} \; | sort -u | uniq
12 | 
13 |   - package-ecosystem: "docker"
14 |     directory: "rootfs"
15 |     schedule:
16 |       interval: "monthly"
17 | 
18 |   - package-ecosystem: "docker"
19 |     directory: "test"
20 |     schedule:
21 |       interval: "monthly"
22 | 


--------------------------------------------------------------------------------
/test/haproxy.cfg:
--------------------------------------------------------------------------------
 1 | defaults
 2 |     # log global
 3 |     maxconn 100
 4 |     option redispatch
 5 |     option dontlognull
 6 |     option http-server-close
 7 |     option http-keep-alive
 8 |     timeout client          50s
 9 |     timeout client-fin      50s
10 |     timeout connect         5s
11 |     timeout http-keep-alive 1m
12 |     timeout http-request    5s
13 |     timeout queue           5s
14 |     timeout server          50s
15 |     timeout server-fin      50s
16 |     timeout tunnel          1h
17 | 
18 | frontend httpfront
19 |     mode http
20 |     bind *:8080
21 |     filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
22 |     http-request deny if { var(txn.modsec.code) -m int gt 0 }
23 |     default_backend echoserver
24 | 
25 | backend spoe-modsecurity
26 |     mode tcp
27 |     timeout connect 5s
28 |     timeout server  5s
29 |     server modsec-spoa1 modsecurity-spoa:12345
30 | 
31 | backend echoserver
32 |     mode http
33 |     server echoserver echoserver:8000 check weight 1 check inter 2s
34 | 


--------------------------------------------------------------------------------
/rootfs/spoa.patch:
--------------------------------------------------------------------------------
 1 | --- Makefile.orig
 2 | +++ Makefile
 3 | @@ -35,7 +35,7 @@
 4 | 
 5 |  CFLAGS  += -g -Wall -pthread
 6 |  INCS += -Iinclude -I$(MODSEC_INC) -I$(APACHE2_INC) -I$(APR_INC) -I$(LIBXML_INC) -I$(EVENT_INC)
 7 | -LIBS += -lpthread  $(EVENT_LIB) -levent_pthreads -lcurl -lapr-1 -laprutil-1 -lxml2 -lpcre -lyajl
 8 | +LIBS += -lpthread  $(EVENT_LIB) -levent_pthreads -lcurl -lapr-1 -laprutil-1 -lxml2 -lpcre -lpcre2-8 -lyajl
 9 | 
10 |  OBJS = spoa.o modsec_wrapper.o
11 | 
12 | --- spoa.c.orig
13 | +++ spoa.c
14 | @@ -1244,7 +1244,7 @@
15 |  {
16 |  	struct worker *worker = arg;
17 |  
18 | -	LOG(worker, "%u clients connected", worker->nbclients);
19 | +	DEBUG(worker, "%u clients connected", worker->nbclients);
20 |  }
21 |  
22 |  static void
23 | @@ -1478,7 +1478,7 @@
24 |  				goto disconnect;
25 |  			}
26 |  			if (client->status_code != SPOE_FRM_ERR_NONE)
27 | -				LOG(client->worker, "<%lu> Peer closed connection: %s",
28 | +				DEBUG(client->worker, "<%lu> Peer closed connection: %s",
29 |  				    client->id, spoe_frm_err_reasons[client->status_code]);
30 |  			goto disconnect;
31 |  	}
32 | 


--------------------------------------------------------------------------------
/rootfs/start.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | set -e
 3 | 
 4 | if [ $# -gt 0 ] && [ "$1" = "${1#-}" ]; then
 5 |     # First char isn't `-`, probably a `docker run -ti <cmd>`
 6 |     # Just exec and exit
 7 |     exec "$@"
 8 |     exit
 9 | fi
10 | 
11 | unset options configFiles
12 | while [ $# -gt 0 ]; do
13 |     case "$1" in
14 |         -f)
15 |             shift
16 |             configFiles="$configFiles $1"
17 |             ;;
18 |         --)
19 |             shift
20 |             configFiles="$configFiles $@"
21 |             break
22 |             ;;
23 |         *)
24 |             options="$options $1"
25 |             ;;
26 |     esac
27 |     shift
28 | done
29 | 
30 | configFiles="${configFiles:-/etc/modsecurity/modsecurity.conf /etc/modsecurity/owasp-modsecurity-crs.conf}"
31 | 
32 | conf=$(mktemp)
33 | for f in $configFiles; do
34 |     if [ ! -f "$f" ]; then
35 |         echo "File not found: $f" >&2
36 |         exit 1
37 |     fi
38 |     echo "Include $f"
39 | done > $conf
40 | 
41 | echo "Using options:${options:- <default>}"
42 | echo "Using config files:"
43 | sed -n 's/Include /  - /p' $conf
44 | 
45 | exec modsecurity $options -f $conf
46 | 


--------------------------------------------------------------------------------
/test/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | version: '3.6'
 3 | services:
 4 | 
 5 |   modsecurity-spoa:
 6 |     hostname: modsec
 7 |     build:
 8 |       context: ../rootfs
 9 |       dockerfile: Dockerfile
10 |     image: modsecurity-spoa-test
11 |     networks:
12 |       - modsec
13 | 
14 |   haproxy:
15 |     hostname: haproxy
16 |     image: haproxy:3.0-alpine
17 |     volumes:
18 |       - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
19 |       - ./spoe-modsecurity.conf:/etc/haproxy/spoe-modsecurity.conf:ro
20 |     networks:
21 |       - modsec
22 |       - echoserver
23 |       - client
24 |     depends_on:
25 |       - modsecurity-spoa
26 |       - echoserver
27 | 
28 |   echoserver:
29 |     hostname: echoserver
30 |     image: jcmoraisjr/dory
31 |     networks:
32 |       - echoserver
33 | 
34 |   client:
35 |     hostname: echoserver
36 |     build:
37 |       context: .
38 |       dockerfile: Dockerfile
39 |     image: curl-test
40 |     # Split parameters with ','
41 |     command: >
42 |       haproxy:8080,
43 |       haproxy:8080?p=/etc/passwd,
44 |       -X POST haproxy:8080
45 |     networks:
46 |       - client
47 |     depends_on:
48 |       - haproxy
49 | 
50 | networks:
51 |   modsec:
52 |   echoserver:
53 |   client:
54 | 


--------------------------------------------------------------------------------
/.github/workflows/image.yaml:
--------------------------------------------------------------------------------
 1 | name: image
 2 | on:
 3 |   push:
 4 |     tags:
 5 |     - '*'
 6 | jobs:
 7 |   build-image:
 8 |     runs-on: ubuntu-latest
 9 |     env:
10 |       EXTRA_TAGS:
11 |     steps:
12 |     - name: Configure envvars
13 |       run: |
14 |         GIT_TAG="${GITHUB_REF#refs/tags/}"
15 |         TAGS=$(
16 |           for repository in quay.io/jcmoraisjr; do
17 |             for project in modsecurity-spoa; do
18 |               for tag in "$GIT_TAG" ${{ env.EXTRA_TAGS }}; do
19 |                 echo -n "${repository}/${project}:${tag},"
20 |               done
21 |             done
22 |           done
23 |         )
24 |         echo "GIT_TAG=$GIT_TAG" >> $GITHUB_ENV
25 |         echo "TAGS=$TAGS" >> $GITHUB_ENV
26 |     - uses: actions/checkout@v6
27 |     - uses: docker/login-action@v3 
28 |       with:
29 |         registry: docker.io
30 |         username: ${{ secrets.DOCKERHUB_USERNAME }}
31 |         password: ${{ secrets.DOCKERHUB_TOKEN }}
32 |     - uses: docker/login-action@v3 
33 |       with:
34 |         registry: quay.io
35 |         username: ${{ secrets.QUAY_USERNAME }}
36 |         password: ${{ secrets.QUAY_TOKEN }}
37 |     - uses: docker/setup-qemu-action@v3
38 |     - uses: docker/setup-buildx-action@v3
39 |     - uses: docker/build-push-action@v6
40 |       with:
41 |         context: rootfs
42 |         platforms: linux/amd64,linux/arm64/v8,linux/arm/v7
43 |         push: true
44 |         tags: ${{ env.TAGS }}
45 | 


--------------------------------------------------------------------------------
/test/run.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -e
 3 | 
 4 | PROJECT_NAME="modsec"
 5 | COMPOSE="docker-compose"
 6 | if ! which $COMPOSE; then
 7 |     COMPOSE="docker compose"
 8 | fi
 9 | 
10 | # Functions
11 | 
12 | function ci_log_entry() {
13 | 
14 |     local LOG_TYPE="${1:?Needs log type}"
15 |     local LOG_MSG="${2:?Needs log message}"
16 |     local COLOR='\033[93m'
17 |     local ENDCOLOR='\033[0m'
18 | 
19 |     echo -e "${COLOR}$(date "+%Y-%m-%d %H:%M:%S") [$LOG_TYPE] ${LOG_MSG}${ENDCOLOR}"
20 | 
21 | }
22 | 
23 | # ci_log_group_* functions are used to make Github Actions output cleaner
24 | function ci_log_group_start(){
25 |     local LOG_TYPE="${1:?Needs log type}"
26 |     local LOG_MSG="${2:?Needs log message}"
27 | 
28 |     if [ -n "${CI:-}" ]; then
29 |         echo "::group::${LOG_MSG}"
30 |     else
31 |         ci_log_entry "${LOG_TYPE}" "${LOG_MSG}"
32 |     fi
33 | }
34 | 
35 | function ci_log_group_end {
36 |     if [ -n "${CI:-}" ]; then
37 |         echo "::endgroup::"
38 |     fi
39 | }
40 | 
41 | function containers_down {
42 | 
43 |     ci_log_entry "INFO" "Terminating containers"
44 |     $COMPOSE -p "$PROJECT_NAME" down
45 | 
46 | }
47 | 
48 | # Always terminate containers
49 | 
50 | trap containers_down EXIT
51 | 
52 | # Run
53 | 
54 | ci_log_group_start "INFO" "Build containers"
55 | $COMPOSE -p "$PROJECT_NAME" build
56 | ci_log_group_end
57 | 
58 | ci_log_group_start "INFO" "Starting containers"
59 | $COMPOSE -p "$PROJECT_NAME" up --force-recreate --detach haproxy
60 | ci_log_group_end
61 | 
62 | ci_log_group_start "INFO" "Running tests"
63 | $COMPOSE -p "$PROJECT_NAME" run client
64 | ci_log_group_end
65 | 
66 | ci_log_group_start "INFO" "Showing logs"
67 | $COMPOSE -p "$PROJECT_NAME" logs modsecurity-spoa
68 | ci_log_group_end
69 | 


--------------------------------------------------------------------------------
/rootfs/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine:3.22.2
 2 | 
 3 | ARG HAPROXY_MODSEC_REF=3c895f3e7dd291dba19d57ba054b277e6fb80ca4
 4 | ARG HAPROXY_MODSEC_SHA256=645ff6fd6fe1394462bd6b82ee5430606c631b83021f8b5cd7eca2b62b427970
 5 | ARG MODSEC_VERSION=2.9.11
 6 | ARG MODSEC_SHA256=1fe16eb96b6093f062cef73ec8b7ae481a59813766d49a7f5e4d1b85900e239e
 7 | 
 8 | ADD spoa.patch /
 9 | 
10 | RUN apk upgrade --no-cache \
11 |  && apk add --no-cache --virtual .build-modsecurity \
12 |         curl \
13 |         openssl \
14 |         patch \
15 |         tar \
16 |         make \
17 |         gcc \
18 |         libc-dev \
19 |         linux-headers \
20 |         apache2-dev \
21 |         pcre-dev \
22 |         pcre2-dev \
23 |         libxml2-dev \
24 |         libevent-dev \
25 |         curl-dev \
26 |         yajl-dev \
27 |     && curl -fsSLo /tmp/modsecurity.tar.gz https://github.com/owasp-modsecurity/ModSecurity/releases/download/v${MODSEC_VERSION}/modsecurity-v${MODSEC_VERSION}.tar.gz \
28 |     && curl -fsSLo /tmp/haproxy-modsecurity.zip https://github.com/haproxy/spoa-modsecurity/archive/${HAPROXY_MODSEC_REF}.zip \
29 |     && echo "$MODSEC_SHA256  /tmp/modsecurity.tar.gz" | sha256sum -c \
30 |     && mkdir -p /usr/src/modsecurity \
31 |     && tar xzf /tmp/modsecurity.tar.gz --strip-components=1 -C /usr/src/modsecurity \
32 |     && rm /tmp/modsecurity.tar.gz \
33 |     && echo "$HAPROXY_MODSEC_SHA256  /tmp/haproxy-modsecurity.zip" | sha256sum -c \
34 |     && unzip -d /usr/src /tmp/haproxy-modsecurity.zip \
35 |     && mv /usr/src/spoa-modsecurity-${HAPROXY_MODSEC_REF} /usr/src/haproxy-modsecurity \
36 |     && cd /usr/src/haproxy-modsecurity \
37 |     && patch -p0 </spoa.patch \
38 |     && rm /tmp/haproxy-modsecurity.zip \
39 |     && cd /usr/src/modsecurity \
40 |     && ./configure \
41 |         --prefix=/usr/src/modsecurity/INSTALL \
42 |         --disable-apache2-module \
43 |         --enable-standalone-module \
44 |         --enable-pcre-study \
45 |         --without-lua \
46 |         --enable-pcre-jit \
47 |     && make -C standalone install \
48 |     && mkdir -p INSTALL/include \
49 |     && cp standalone/*.h apache2/*.h INSTALL/include \
50 |     && cd / \
51 |     && make -C /usr/src/haproxy-modsecurity \
52 |         MODSEC_INC=/usr/src/modsecurity/INSTALL/include \
53 |         MODSEC_LIB=/usr/src/modsecurity/INSTALL/lib \
54 |         APACHE2_INC=/usr/include/apache2 \
55 |         APR_INC=/usr/include/apr-1 \
56 |     && mv /usr/src/haproxy-modsecurity/modsecurity /usr/local/bin/ \
57 |     && rm -rf /usr/src/haproxy-modsecurity /usr/src/modsecurity \
58 |     && deps=$( \
59 |         scanelf --needed --nobanner --format '%n#p' /usr/local/bin/modsecurity \
60 |             | tr ',' '\n' | sed 's/^/so:/' \
61 |     ) \
62 |     && apk add --no-cache $deps tini \
63 |     && apk del --no-cache .build-modsecurity
64 | 
65 | ARG OWASP_MODSEC_VERSION=v4.16.0
66 | ARG OWASP_MODSEC_SHA256=923e16dceea02a6afb06176cecefe29f305fc2cbd613eec60655e274d3b5dce2
67 | 
68 | RUN mkdir -p /etc/modsecurity/owasp-modsecurity-crs \
69 |     && wget -qO/etc/modsecurity/modsecurity.conf https://github.com/owasp-modsecurity/ModSecurity/raw/v2/master/modsecurity.conf-recommended \
70 |     && wget -qO/etc/modsecurity/unicode.mapping https://github.com/owasp-modsecurity/ModSecurity/raw/v2/master/unicode.mapping \
71 |     && wget -qO/tmp/owasp.tar.gz https://github.com/coreruleset/coreruleset/archive/${OWASP_MODSEC_VERSION}.tar.gz \
72 |     && echo "$OWASP_MODSEC_SHA256  /tmp/owasp.tar.gz" | sha256sum -c \
73 |     && tar xzf /tmp/owasp.tar.gz --strip-components=1 -C /etc/modsecurity/owasp-modsecurity-crs \
74 |     && rm /tmp/owasp.tar.gz \
75 |     && find \
76 |             /etc/modsecurity/owasp-modsecurity-crs \
77 |             -type f -name '*.example' \
78 |         | while read -r f; do cp -p "$f" "${f%.example}"; done \
79 |     && sed -i.example \
80 |         's/^SecRuleEngine .*/SecRuleEngine On/' \
81 |         /etc/modsecurity/modsecurity.conf \
82 |     && sed -i.example \
83 |         's/^\(SecDefaultAction "phase:[12]\),log,auditlog,pass"/\1,log,noauditlog,deny,status:403"/' \
84 |         /etc/modsecurity/owasp-modsecurity-crs/crs-setup.conf \
85 |     && find \
86 |             /etc/modsecurity/owasp-modsecurity-crs \
87 |             -type f -maxdepth 1 -name '*.conf' \
88 |         | sort | sed 's/^/Include /' > /etc/modsecurity/owasp-modsecurity-crs.conf \
89 |     && find \
90 |             /etc/modsecurity/owasp-modsecurity-crs/rules \
91 |             -type f -maxdepth 1 -name '*.conf' \
92 |         | sort | sed 's/^/Include /' >> /etc/modsecurity/owasp-modsecurity-crs.conf
93 | 
94 | COPY . /
95 | 
96 | ENTRYPOINT ["tini", "--", "/start.sh"]
97 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # HAProxy agent for ModSecurity
  2 | 
  3 | HAProxy [agent](http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#9.3) (SPOA)
  4 | for [ModSecurity](http://www.modsecurity.org) web application firewall
  5 | ([WAF](https://en.wikipedia.org/wiki/Web_application_firewall)).
  6 | 
  7 | [![Docker Repository on Quay](https://quay.io/repository/jcmoraisjr/modsecurity-spoa/status "Docker Repository on Quay")](https://quay.io/repository/jcmoraisjr/modsecurity-spoa)
  8 | 
  9 | ## SPOP and HAProxy Version
 10 | 
 11 | The current [SPOP](https://www.haproxy.org/download/2.2/doc/SPOE.txt) version is v2, used since modsecurity-spoa v0.4. This agent version works on HAProxy 1.8.10 and newer.
 12 | 
 13 | SPOP v1 is used on modsecurity-spoa v0.1 to v0.3. This agent version works on HAProxy up to 1.8.9.
 14 | 
 15 | ## Agent Configuration
 16 | 
 17 | Command line syntax:
 18 | 
 19 | ```
 20 | $ docker run -p 12345:12345 quay.io/jcmoraisjr/modsecurity-spoa [options] [-- <config-file1> [<config-file2> ...] ]
 21 | ```
 22 | 
 23 | `config-files` can be used either after `--` (see above) or from `-f` option (see below).
 24 | The only difference is that the later supports only one filename. All config-files found
 25 | will be used, included in the same order as they have been declared.
 26 | 
 27 | ### Customize the Configuration Files
 28 | 
 29 | In order to use the default configuration in your customization, you should copy the following files from the image:
 30 | ```
 31 | docker create --name modsec quay.io/jcmoraisjr/modsecurity-spoa
 32 | docker cp modsec:/etc/modsecurity .
 33 | docker rm modsec
 34 | ```
 35 | 
 36 | Download and customize the configuration files for either the [ModSecurity repository](https://github.com/SpiderLabs/ModSecurity/blob/v2/master/modsecurity.conf-recommended) or from [OWASP repository](https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.3/dev/crs-setup.conf.example).
 37 | Use the copied files from the previous code section in your run command:
 38 | ```
 39 | docker run -p 12345:12345 -v $PWD/modsecurity:/etc/modsecurity quay.io/jcmoraisjr/modsecurity-spoa -n 1
 40 | ```
 41 | 
 42 | If you do not want to include the default configuration files and only use the configuration files (ex./ custom-config.conf) that you design, leave out the copied default configuration files from before in your run command:
 43 | ```
 44 | docker run -p 12345:12345 -v $PWD/modsecurity:/etc/modsecurity quay.io/jcmoraisjr/modsecurity-spoa -n 1 -- /etc/modsecurity/custom-config.conf
 45 | ```
 46 | 
 47 | ### Running without Config Files
 48 | 
 49 | If no config-file is declared, the following will be used:
 50 | 
 51 | * `/etc/modsecurity/modsecurity.conf`: ModSecurity recommended config, from ModSecurity [repository](https://github.com/SpiderLabs/ModSecurity/tree/v2/master)
 52 |     * Changes: `SecRuleEngine`, changed from `DetectionOnly` to `On`
 53 | * `/etc/modsecurity/owasp-modsecurity-crs.conf`: Generic attack detection rules for ModSecurity, from OWASP ModSecurity CRS [repository](https://github.com/SpiderLabs/owasp-modsecurity-crs)
 54 |     * Changes: `SecDefaultAction`, `phase:1` and `phase:2`, changed from `log,auditlog,pass` to `log,noauditlog,deny,status:403`
 55 | 
 56 | Options are: (from modsecurity agent -h)
 57 | 
 58 | ```
 59 |     -h                   Print this message
 60 |     -d                   Enable the debug mode
 61 |     -f <config-file>     ModSecurity configuration file
 62 |     -m <max-frame-size>  Specify the maximum frame size (default : 16384)
 63 |     -p <port>            Specify the port to listen on (default : 12345)
 64 |     -n <num-workers>     Specify the number of workers (default : 10)
 65 |     -c <capability>      Enable the support of the specified capability
 66 |     -t <time>            Set a delay to process a message (default: 0)
 67 |                            The value is specified in milliseconds by default,
 68 |                            but can be in any other unit if the number is suffixed
 69 |                            by a unit (us, ms, s)
 70 | 
 71 |     Supported capabilities: fragmentation, pipelining, async
 72 | ```
 73 | 
 74 | ## HAProxy configuration
 75 | 
 76 | Configure modsecurity-spoa as a HAProxy SPOE agent. See also SPOE filter
 77 | [doc](http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#9.3)
 78 | and SPOE [spec](https://www.haproxy.org/download/1.8/doc/SPOE.txt).
 79 | 
 80 | Changes to `haproxy.cfg` - change `127.0.0.1:12345` below to the
 81 | modsecurity-spoa endpoint:
 82 | 
 83 | ```
 84 |     frontend httpfront
 85 |         mode http
 86 |         ...
 87 |         filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
 88 |         http-request deny if { var(txn.modsec.code) -m int gt 0 }
 89 |         ...
 90 |     backend spoe-modsecurity
 91 |         mode tcp
 92 |         server modsec-spoa1 127.0.0.1:12345
 93 | ```
 94 | 
 95 | Create a `/etc/haproxy/spoe-modsecurity.conf`:
 96 | 
 97 | ```
 98 |     [modsecurity]
 99 |     spoe-agent modsecurity-agent
100 |         messages     check-request
101 |         option       var-prefix  modsec
102 |         timeout      hello       100ms
103 |         timeout      idle        30s
104 |         timeout      processing  1s
105 |         use-backend  spoe-modsecurity
106 |     spoe-message check-request
107 |         args   unique-id method path query req.ver req.hdrs_bin req.body_size req.body
108 |         event  on-frontend-http-request
109 | ```
110 | 
111 | ## Test with docker
112 | 
113 | ```
114 | (cd ./test && ./run.sh)
115 | ```
116 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "{}"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright {yyyy} {name of copyright owner}
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------