Amin Vakil

Reputation: 21

HAproxy with standalone mod_security routed to multiple web servers

I want to have one server with HAProxy and a standalone mod_security installed which routes every packet to mod_security first and checks it against its rules.

Then, if there isn't anything suspicious in the packets (SQL injection, DoS attacks, ...), pass them back from mod_security to HAProxy, and HAProxy routes them to multiple servers with different web servers.

Therefore I don't need to install and configure mod_security on all my web servers.

Upvotes: 1

Views: 3997

Answers (2)

mat1010

Reputation: 847

Just to answer this old, but still valid, question:

The solution should be to use HAProxy's Stream Processing Offload Engine (SPOE) through the Stream Processing Offload Protocol (SPOP) to talk to a Stream Processing Offload Agent (SPOA), which is a standalone ModSecurity daemon.

HAProxy example config from their GitHub repo:

    frontend my-front
        ...
        filter spoe engine modsecurity config spoe-modsecurity.conf
        ...

    backend spoe-modsecurity
        mode tcp
        balance roundrobin
        timeout connect 5s
        timeout server  3m
        server modsec1 127.0.0.1:12345

    # Block potential malicious requests: the agent sets txn.modsec.code > 0 when a rule matches
    http-request deny if { var(txn.modsec.code) -m int gt 0 }

There's also a GitHub project where the daemon has been made available as a Docker container.

Official HAProxy blog post

Upvotes: 3
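The answer above references a `spoe-modsecurity.conf` file without showing it. The following is an added example, not code from the answer or from the HAProxy project, of how the two files fit together: the SPOE engine file that the `filter spoe` line loads, and the frontend that consumes the `txn.modsec.code` variable. The agent, message and argument names follow the haproxy/spoa-modsecurity README as I recall it and should be checked against the version you deploy; the bind address, backend name `webservers` and the `unique-id-format` string are assumptions.

```haproxy
# ---- spoe-modsecurity.conf (added example; names as assumed above) ----
[modsecurity]
spoe-agent modsecurity-agent
    messages check-request
    option var-prefix modsec          # the agent's "code" becomes txn.modsec.code
    timeout hello      100ms
    timeout idle       30s
    timeout processing 15ms           # agent must answer within this or the request passes unchecked
    use-backend spoe-modsecurity      # the tcp backend from the answer above

spoe-message check-request
    # everything the ModSecurity agent needs to evaluate the request
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event on-frontend-http-request

# ---- haproxy.cfg fragment (added example) ----
frontend my-front
    bind :80                                                      # assumed listener
    mode http
    # the unique-id argument above is empty unless a format is defined
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    filter spoe engine modsecurity config spoe-modsecurity.conf
    # deny only when the agent reported a positive code (a matched rule)
    http-request deny deny_status 403 if { var(txn.modsec.code) -m int gt 0 }
    default_backend webservers                                    # assumed application backend

backend spoe-modsecurity
    mode tcp
    balance roundrobin
    timeout connect 5s
    timeout server  3m
    server modsec1 127.0.0.1:12345
```

One caveat worth noting for a defender: the deny rule only fires when the variable exists and is positive, so an agent that is down or exceeds `timeout processing` leaves `txn.modsec.code` unset and the request is forwarded unfiltered (fail-open). If you prefer fail-closed, a second rule such as `http-request deny if !{ var(txn.modsec.code) -m found }` blocks anything the agent did not score, at the cost of an outage whenever the agent is unavailable; either way, monitor the SPOE backend's health so that silent bypass is visible.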

dune73

Reputation: 299

This is technically possible, possibly by running two instances of HAProxy. However, you will need a webserver to run underneath ModSec, typically Apache or nginx, and this kind of negates the advantage of not having to install ModSec on all your webservers.

The standard setup is: haproxy -> reverse-proxies with ModSec -> application-servers

Upvotes: 1
