
I want to have one server with HAProxy and a standalone mod_security installed which routes every packet to mod_security first and checks it against its rules.

Then, if there wasn't anything suspicious in the packets (SQL injection, DoS attacks, …), pass them back from mod_security to HAProxy, and HAProxy routes them to multiple servers with different webservers.

Therefore I don't need to install and configure mod_security on all my webservers.

2 Answers


  1. This is technically possible, possibly with running 2 instances of HAProxy. However, you will need a webserver to run underneath ModSec, typically Apache or nginx, and this kind of negates the advantage of not having to install ModSec on all your webservers.

    The standard setup is: haproxy -> reverse-proxies with ModSec -> application-servers

  2. Just to answer this old, but still valid, question:

    The solution should be to use HAProxy's Stream Processing Offload Engine (SPOE) through the Stream Processing Offload Protocol (SPOP) to talk to a Stream Processing Offload Agent (SPOA), which is a standalone modsecurity daemon.

    HAProxy example config from their github repo:

       frontend my-front
          ...
          # Send each request to the "modsecurity" SPOE engine defined in spoe-modsecurity.conf
          filter spoe engine modsecurity config spoe-modsecurity.conf
          ...

       # TCP backend pointing at the standalone modsecurity agent (SPOA)
       backend spoe-modsecurity
          mode tcp
          balance roundrobin
          timeout connect 5s
          timeout server  3m
          server modsec1 127.0.0.1:12345

       # The agent stores its verdict in txn.modsec.code; a value > 0 is the
       # HTTP status modsecurity wants to enforce, so block those requests
       http-request deny if { var(txn.modsec.code) -m int gt 0 }

    There's also a Github project where the daemon has been made available as a Docker container.

    Official HAProxy blog post

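The answer above shows the HAProxy side but not the `spoe-modsecurity.conf` it references, nor the backend that finally receives the cleared requests (which is what the question asks for). The following is an added example, not code from the answer or from the HAProxy repository. It assumes the ModSecurity SPOA from HAProxy's contrib tree is listening on 127.0.0.1:12345, that the message arguments are passed in the order that agent expects, and that `app1`/`app2` are hypothetical application servers; the `set-on-error` handling is an assumption added here so that an agent failure or timeout denies the request instead of silently letting it through.

```haproxy
# ---- spoe-modsecurity.conf (assumed to sit next to haproxy.cfg) ----
[modsecurity]

spoe-agent modsecurity-agent
    # One message per HTTP request; the agent answers by setting txn.modsec.code
    messages check-request
    # Variables written by the agent are named txn.modsec.<name>
    option var-prefix modsec
    # Assumption: on agent error/timeout set txn.modsec.error so the frontend can fail closed
    option set-on-error error
    timeout hello      100ms
    timeout idle       30s
    timeout processing 15ms
    use-backend spoe-modsecurity

spoe-message check-request
    # Argument order is what the contrib ModSecurity agent expects
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event on-frontend-http-request

# ---- haproxy.cfg ----
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend my-front
    bind *:80
    # unique-id is one of the SPOE message arguments, so HAProxy must generate one
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    filter spoe engine modsecurity config spoe-modsecurity.conf
    # Keep the agent verdict in the access log for rule tuning and detection
    http-request capture var(txn.modsec.code) len 4
    # ModSecurity returns the HTTP status it wants enforced (e.g. 403) as a positive integer
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
    # Assumption: fail closed when the agent errored or timed out (variable from set-on-error)
    http-request deny if { var(txn.modsec.error) -m int gt 0 }
    # Everything that passed the WAF is load-balanced to the real web servers
    default_backend webservers

backend spoe-modsecurity
    mode tcp
    balance roundrobin
    timeout connect 5s
    timeout server  3m
    server modsec1 127.0.0.1:12345

backend webservers
    balance roundrobin
    # hypothetical application servers; these never need ModSecurity themselves
    server app1 10.0.0.11:80 check
    server app2 10.0.0.12:80 check
```

Two points worth checking before relying on this: `timeout processing 15ms` is the value from the contrib example and is tight for a full OWASP Core Rule Set evaluation, and without the `set-on-error` variable a timed-out or crashed agent leaves `txn.modsec.code` unset, so the request is forwarded unchecked (fail-open). Watching the captured code in the logs, and the rate of `txn.modsec.error` denies, tells you quickly whether the agent is keeping up.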