Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make WAF errors fail closed by default. Add waf-fail-closed=false to override #954

Merged
merged 2 commits into from
Oct 29, 2022
Merged

Make WAF errors fail closed by default. Add waf-fail-closed=false to override #954

merged 2 commits into from
Oct 29, 2022

Conversation

mac-chaffee
Copy link
Contributor

@mac-chaffee mac-chaffee commented Oct 26, 2022
edited
Loading

Full issue is described here: haproxy/spoa-modsecurity#3

Note: This is a breaking change from 0.14 to 0.15

This PR changes the default behavior (that we copied from the upstream spoa-modsecurity docs) of allowing requests through if modsecurity errors out or times out. Now, only a valid response from modsecurity (txn.modsec.code=0) will allow requests through.

Users can go back to the old behavior by setting waf-fail-closed: false which would mean that e.g. a flood of requests could overload modsecurity-spoa and trigger timeouts, which would allow requests through without being scanned by modsecurity.

jcmoraisjr
jcmoraisjr reviewed Oct 27, 2022
View reviewed changes
Copy link
Owner

@jcmoraisjr jcmoraisjr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this PR! See a few updates below.

docs/content/en/docs/configuration/keys.md Outdated Show resolved Hide resolved
docs/content/en/docs/configuration/keys.md Outdated Show resolved Hide resolved
rootfs/etc/templates/haproxy/haproxy.tmpl Outdated Show resolved Hide resolved
@jcmoraisjr jcmoraisjr merged commit ff2953b into jcmoraisjr:master Oct 29, 2022
@mac-chaffee mac-chaffee mentioned this pull request Nov 16, 2022
Closed
jcmoraisjr added a commit that referenced this pull request Nov 21, 2022
@jcmoraisjr
Merge pull request #963 from mac-chaffee/revert-waf-fail-closed
635669c 
Revert "Merge pull request #954 from mac-chaffee/fail-closed"
jcmoraisjr added a commit that referenced this pull request Nov 29, 2022
@jcmoraisjr
Revert "Merge pull request #954 from mac-chaffee/fail-closed"
108550c 
This reverts commit ff2953b, reversing
changes made to 316b7ed.
jcmoraisjr pushed a commit that referenced this pull request Nov 29, 2022
@mac-chaffee @jcmoraisjr
Revert "Merge pull request #954 from mac-chaffee/fail-closed"
722049d 
This reverts commit ff2953b, reversing
changes made to 316b7ed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jcmoraisjr jcmoraisjr jcmoraisjr left review comments

Assignees
No one assigned
Labels
v0.14 v0.15
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mac-chaffee @jcmoraisjr