coraza waf fixes

ansibleguy · Dec 28, 2024 · cf04418 · cf04418
1 parent 604f8e7
commit cf04418
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -79,6 +79,7 @@ http-request set-var(txn.waf_app) str(app1) if { req.hdr(host) -i -m str ansible
 http-request set-var(txn.waf_app) str(default) if !{ var(txn.waf_app) -m found }
 
 filter spoe engine coraza config /etc/haproxy/waf-coraza-spoe.cfg
+http-request send-spoe-group coraza coraza-req
 ```
 
 ### Result

diff --git a/tasks/debian/app.yml b/tasks/debian/app.yml
@@ -25,8 +25,9 @@
     mode: 0750
 
 - name: "HAProxy WAF | Apps | {{ waf_app_name }} | Add rules {{ waf_app.ruleset_version }}"
-  ansible.builtin.command: |
-    cp -r {{ waf_app_rules_default_dir }}/rules/@owasp_crs {{ crs_dir }}
+  ansible.builtin.shell: |
+    cp -r {{ waf_app_rules_default_dir }}/rules/@owasp_crs {{ crs_dir }} &&
+    chown -R root:{{ WAF_HC.user }} {{ crs_dir }}
   args:
     creates: "{{ crs_dir }}"
   vars:

diff --git a/templates/etc/haproxy/waf-coraza-spoe.cfg.j2 b/templates/etc/haproxy/waf-coraza-spoe.cfg.j2
@@ -8,6 +8,7 @@ spoe-agent coraza-agent
 {% else %}
     messages    coraza-req
 {% endif %}
+    groups      coraza-req
     option      var-prefix      {{ WAF_CONFIG.spoa.var_prefix }}
     option      set-on-error    error
     timeout     hello           {{ WAF_CONFIG.spoa.timeout.hello }}
@@ -18,7 +19,9 @@ spoe-agent coraza-agent
 
 spoe-message coraza-req
     args app=var({{ WAF_HC.app_var }}) src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
-    event on-backend-http-request
+
+spoe-group coraza-req
+    messages coraza-req
 
 {% if WAF_CONFIG.response_check | bool %}
 spoe-message coraza-res