HAProxy+SSL+WAF+Apache
Ref:http://blog.exceliance.fr/2012/10/12/scalable-waf-protection-with-haproxy-and-apache-with-modsecurity/
http://blog.exceliance.fr/page/2/
http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Installation_for_Apache
----------------------------------------------------------------------------------------------------
1) Install Dependencies for Apache+ModSecurity
----------------------------------------------------------------------------------------------------
gcc
zlib-devel
openssl-devel
pcre-devel
apr-devel
libxml2-devel
libcurl-devel
expat-devel
ModSecurity 2.x works only with Apache 2.0.x or higher
mod_uniqueid
libapr and libapr-util
libpcre
libxml2
liblua v5.1.x
libcurl v7.15.1 or higher
----------------------------------------------------------------------------------------------------
2) Install HAProxy (frontend_http)
----------------------------------------------------------------------------------------------------
#cd /softwares/
#wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev17.tar.gz
#tar -zxvf haproxy-1.5-dev17.tar.gz
#cd haproxy-1.5-dev17
#make TARGET=linux2628 CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
#make PREFIX=/opt/haproxy-ssl install
#rm -rf /softwares/haproxy-1.5-dev17
-------------------------------------------------------------------------------------------------
3) Generate SSL certificates using openssl (self-signed, suitable for testing only; use a CA-issued certificate in production, and keep haproxy.pem, which contains the private key, readable only by the HAProxy user)
-------------------------------------------------------------------------------------------------
#cd /opt/haproxy-ssl/certs/
#openssl genrsa -out haproxy.key 1024
#openssl req -new -key haproxy.key -out haproxy.csr
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MAHARASHTRA
Locality Name (eg, city) [Default City]:NAVI MUMBAI
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:secure.example.com
Email Address []: root@secure.example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#openssl x509 -req -days 365 -in haproxy.csr -signkey haproxy.key -out haproxy.crt
#cat haproxy.key haproxy.crt > haproxy.pem
-------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------
4) Configure HAProxy with built-in SSL support
-------------------------------------------------------------------------------------------------
Note: the following file is a sample configuration. Two points to check before using it in production: the no_waf ACL sends traffic directly to bk_http whenever no bk_waf server is up (the WAF fails open), and frontend_waf on *:8000 plus the Apache listeners on ports 81-83 accept connections on all interfaces, so they should be firewalled or bound to 127.0.0.1 so that requests cannot bypass the WAF.
#vi /opt/haproxy-ssl/haproxy.cfg
# this config needs haproxy-1.5-dev17
global
daemon
maxconn 25000
defaults
mode http
timeout connect 15000ms
timeout client 50000ms
timeout server 50000ms
timeout queue 60s
listen frontend_http *:80
mode http
acl no_waf nbsrv(bk_waf) eq 0
use_backend bk_http if no_waf
default_backend bk_waf
backend bk_waf
mode http
option forwardfor
server s1 127.0.0.1:83 maxconn 1024 check
listen frontend_waf *:8000
mode http
acl https_uri url_beg /https/
redirect prefix https://secure.example.com if https_uri
default_backend bk_http
frontend ft_https
mode http
bind 0.0.0.0:443 ssl crt /opt/haproxy-ssl/certs/haproxy.pem
option forceclose
option forwardfor
acl http_uri url_beg /
acl https_uri url_beg /https/
redirect prefix http://secure.example.com if !https_uri http_uri
default_backend bk_http
backend bk_http
mode http
# cookie JSESSIONID prefix
cookie SRV insert indirect nocache
balance leastconn
option forceclose
option persist
option redispatch
option forwardfor
server server1 127.0.0.1:81 cookie server1_cookie maxconn 1024 check
server server2 127.0.0.1:82 cookie server2_cookie maxconn 1024 check
acl force_sticky_server1 hdr_sub(server1_cookie) TEST=true
force-persist if force_sticky_server1
acl force_sticky_server2 hdr_sub(server2_cookie) TEST=true
force-persist if force_sticky_server2
#/opt/haproxy-ssl/sbin/haproxy -f /opt/haproxy-ssl/haproxy.cfg
----------------------------------------------------------------------------------------------------
Note: Apache must be compiled with --enable-unique-id --with-included-apr
----------------------------------------------------------------------------------------------------
5) Install Apache+Modsecurity (bk_waf)
----------------------------------------------------------------------------------------------------
#wget http://archive.apache.org/dist/httpd/httpd-2.2.21.tar.gz
#tar -zxvf httpd-2.2.21.tar.gz
#cd httpd-2.2.21
#./configure --prefix=/opt/apache83_waf1 --enable-mods-shared=all --enable-so --enable-cgi --enable-proxy --enable-headers --enable-expires --enable-vhost-alias --enable-info --enable-rewrite --enable-speling --enable-usertrack --enable-deflate --enable-ssl --enable-mime-magic --enable-unique-id --with-included-apr
#make
#make install
#vi /opt/apache83_waf1/conf/httpd.conf
Listen 83
User apache
Group apache
#/opt/apache83_waf1/bin/apachectl -k restart
#rm -rf /softwares/httpd-2.2.21
----------------------------------------------------------------------------------------------------
6) Install modsecurity
----------------------------------------------------------------------------------------------------
#wget http://www.modsecurity.org/tarball/2.7.2/modsecurity-apache_2.7.2.tar.gz
#tar -zxvf modsecurity-apache_2.7.2.tar.gz
#cd modsecurity-apache_2.7.2
#./configure --with-apxs=/opt/apache83_waf1/bin/apxs --with-apr=/opt/apache83_waf1/bin/apr-1-config --with-apu=/opt/apache83_waf1/bin/apu-1-config
#make
#make CFLAGS=-DMSC_TEST test
Note: if all tests pass, run the command below.
#make install
----------------------------------------------------------------------------------------------------
7) Download and Install ModSecurity Rules
----------------------------------------------------------------------------------------------------
#cd /softwares
#wget http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.5.tar.gz/download
#tar -zxvf modsecurity-crs_2.2.5.tar.gz
#mv modsecurity-crs_2.2.5 /opt/modsecurity-crs
#mkdir -p /opt/apache83_waf1/modsecurity.d
#cd /opt/modsecurity-crs
#cp -r base_rules /opt/apache83_waf1/modsecurity.d/rules
#cp modsecurity_crs_10_setup.conf.example /opt/apache83_waf1/modsecurity.d/modsecurity_crs_10_setup.conf
----------------------------------------------------------------------------------------------------
#vi /opt/apache83_waf1/conf/httpd.conf
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so
SecPcreMatchLimit 1000000
SecPcreMatchLimitRecursion 1000000
SecDataDir logs/
ServerName *
AddDefaultCharset UTF-8
Include modsecurity.d/modsecurity_crs_10_setup.conf
Include modsecurity.d/rules/*.conf
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
ProxyPreserveHost On
ProxyRequests off
ProxyVia Off
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
#/opt/apache83_waf1/bin/apachectl -k restart
#rm -rf /softwares/modsecurity-apache_2.7.2
> Verify that security2_module is loaded using the following command
#/opt/apache83_waf1/bin/httpd -M | grep security2_module
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
8) Install Apache (bk_http i.e. server1)
----------------------------------------------------------------------------------------------------
#wget http://archive.apache.org/dist/httpd/httpd-2.2.21.tar.gz
#tar -zxvf httpd-2.2.21.tar.gz
#cd httpd-2.2.21
#./configure --prefix=/opt/apache81_bk1 --enable-mods-shared=all --enable-so --enable-cgi --enable-proxy --enable-headers --enable-expires --enable-vhost-alias --enable-info --enable-rewrite --enable-speling --enable-usertrack --enable-deflate --enable-ssl --enable-mime-magic --enable-unique-id --with-included-apr
#make
#make install
#vi /opt/apache81_bk1/conf/httpd.conf
Listen 81
User apache
Group apache
#/opt/apache81_bk1/bin/apachectl -k restart
#rm -rf /softwares/httpd-2.2.21
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
9) Install Apache (bk_http i.e. server2)
----------------------------------------------------------------------------------------------------
#wget http://archive.apache.org/dist/httpd/httpd-2.2.21.tar.gz
#tar -zxvf httpd-2.2.21.tar.gz
#cd httpd-2.2.21
#./configure --prefix=/opt/apache82_bk2 --enable-mods-shared=all --enable-so --enable-cgi --enable-proxy --enable-headers --enable-expires --enable-vhost-alias --enable-info --enable-rewrite --enable-speling --enable-usertrack --enable-deflate --enable-ssl --enable-mime-magic --enable-unique-id --with-included-apr
#make
#make install
#vi /opt/apache82_bk2/conf/httpd.conf
Listen 82
User apache
Group apache
#/opt/apache82_bk2/bin/apachectl -k restart
#rm -rf /softwares/httpd-2.2.21
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
10) Install mod_rpaf so that bk_waf and bk_web see the real client IP for both tracking and logging. mod_rpaf trusts X-Forwarded-For only from the addresses listed in RPAFproxy_ips, so keep that list limited to the proxy hosts that actually front each server.
----------------------------------------------------------------------------------------------------
#cd /softwares
#wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
#tar -zxvf mod_rpaf-0.6.tar.gz
#cd mod_rpaf-0.6
#/opt/apache83_waf1/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
#vi /opt/apache83_waf1/conf/httpd.conf
LoadModule rpaf_module modules/mod_rpaf-2.0.so
# mod_rpaf Configuration
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1
RPAFheader X-Forwarded-For
#/opt/apache83_waf1/bin/apachectl -k restart
#/opt/apache81_bk1/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
#vi /opt/apache81_bk1/conf/httpd.conf
LoadModule rpaf_module modules/mod_rpaf-2.0.so
# mod_rpaf Configuration
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1
RPAFheader X-Forwarded-For
#/opt/apache81_bk1/bin/apachectl -k restart
#/opt/apache82_bk2/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
#vi /opt/apache82_bk2/conf/httpd.conf
LoadModule rpaf_module modules/mod_rpaf-2.0.so
# mod_rpaf Configuration
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1
RPAFheader X-Forwarded-For
#/opt/apache82_bk2/bin/apachectl -k restart
#rm -rf /softwares/mod_rpaf-0.6
----------------------------------------------------------------------------------------------------
Ref:http://blog.exceliance.fr/2012/10/12/scalable-waf-protection-with-haproxy-and-apache-with-modsecurity/
http://blog.exceliance.fr/page/2/
http://blog.exceliance.fr/2012/09/10/how-to-get-ssl-with-haproxy-getting-rid-of-stunnel-stud-nginx-or-pound/
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-Installation_for_Apache
----------------------------------------------------------------------------------------------------
1) Install Dependencies for Apache+ModSecurity
----------------------------------------------------------------------------------------------------
gcc
zlib-devel
openssl-devel
pcre-devel
apr-devel
libxml2-devel
libcurl-devel
expat-devel
ModSecurity 2.x works only with Apache 2.0.x or higher
mod_uniqueid
libapr and libapr-util
libpcre
libxml2
liblua v5.1.x
libcurl v7.15.1 or higher
----------------------------------------------------------------------------------------------------
2) Install HAProxy (frontend_http)
----------------------------------------------------------------------------------------------------
#cd /softwares/
#wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev17.tar.gz
#tar -zxvf haproxy-1.5-dev17.tar.gz
#cd haproxy-1.5-dev17
#make TARGET=linux2628 CPU=native USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
#make PREFIX=/opt/haproxy-ssl install
#rm -rf /softwares/haproxy-1.5-dev17
-------------------------------------------------------------------------------------------------
3) Generate SSL certificates using openssl (self-signed, suitable for testing only; use a CA-issued certificate in production, and keep haproxy.pem, which contains the private key, readable only by the HAProxy user)
-------------------------------------------------------------------------------------------------
#cd /opt/haproxy-ssl/certs/
#openssl genrsa -out haproxy.key 1024
#openssl req -new -key haproxy.key -out haproxy.csr
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:MAHARASHTRA
Locality Name (eg, city) [Default City]:NAVI MUMBAI
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:secure.example.com
Email Address []: root@secure.example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#openssl x509 -req -days 365 -in haproxy.csr -signkey haproxy.key -out haproxy.crt
#cat haproxy.key haproxy.crt > haproxy.pem
-------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------
4) Configure HAProxy with built-in SSL support
-------------------------------------------------------------------------------------------------
Note: the following file is a sample configuration. Two points to check before using it in production: the no_waf ACL sends traffic directly to bk_http whenever no bk_waf server is up (the WAF fails open), and frontend_waf on *:8000 plus the Apache listeners on ports 81-83 accept connections on all interfaces, so they should be firewalled or bound to 127.0.0.1 so that requests cannot bypass the WAF.
#vi /opt/haproxy-ssl/haproxy.cfg
# this config needs haproxy-1.5-dev17
global
daemon
maxconn 25000
defaults
mode http
timeout connect 15000ms
timeout client 50000ms
timeout server 50000ms
timeout queue 60s
listen frontend_http *:80
mode http
acl no_waf nbsrv(bk_waf) eq 0
use_backend bk_http if no_waf
default_backend bk_waf
backend bk_waf
mode http
option forwardfor
server s1 127.0.0.1:83 maxconn 1024 check
listen frontend_waf *:8000
mode http
acl https_uri url_beg /https/
redirect prefix https://secure.example.com if https_uri
default_backend bk_http
frontend ft_https
mode http
bind 0.0.0.0:443 ssl crt /opt/haproxy-ssl/certs/haproxy.pem
option forceclose
option forwardfor
acl http_uri url_beg /
acl https_uri url_beg /https/
redirect prefix http://secure.example.com if !https_uri http_uri
default_backend bk_http
backend bk_http
mode http
# cookie JSESSIONID prefix
cookie SRV insert indirect nocache
balance leastconn
option forceclose
option persist
option redispatch
option forwardfor
server server1 127.0.0.1:81 cookie server1_cookie maxconn 1024 check
server server2 127.0.0.1:82 cookie server2_cookie maxconn 1024 check
acl force_sticky_server1 hdr_sub(server1_cookie) TEST=true
force-persist if force_sticky_server1
acl force_sticky_server2 hdr_sub(server2_cookie) TEST=true
force-persist if force_sticky_server2
#/opt/haproxy-ssl/sbin/haproxy -f /opt/haproxy-ssl/haproxy.cfg
----------------------------------------------------------------------------------------------------
Note: Apache must be compiled with --enable-unique-id --with-included-apr
----------------------------------------------------------------------------------------------------
5) Install Apache+Modsecurity (bk_waf)
----------------------------------------------------------------------------------------------------
#wget http://archive.apache.org/dist/httpd/httpd-2.2.21.tar.gz
#tar -zxvf httpd-2.2.21.tar.gz
#cd httpd-2.2.21
#./configure --prefix=/opt/apache83_waf1 --enable-mods-shared=all --enable-so --enable-cgi --enable-proxy --enable-headers --enable-expires --enable-vhost-alias --enable-info --enable-rewrite --enable-speling --enable-usertrack --enable-deflate --enable-ssl --enable-mime-magic --enable-unique-id --with-included-apr
#make
#make install
#vi /opt/apache83_waf1/conf/httpd.conf
Listen 83
User apache
Group apache
#/opt/apache83_waf1/bin/apachectl -k restart
#rm -rf /softwares/httpd-2.2.21
----------------------------------------------------------------------------------------------------
6) Install modsecurity
----------------------------------------------------------------------------------------------------
#wget http://www.modsecurity.org/tarball/2.7.2/modsecurity-apache_2.7.2.tar.gz
#tar -zxvf modsecurity-apache_2.7.2.tar.gz
#cd modsecurity-apache_2.7.2
#./configure --with-apxs=/opt/apache83_waf1/bin/apxs --with-apr=/opt/apache83_waf1/bin/apr-1-config --with-apu=/opt/apache83_waf1/bin/apu-1-config
#make
#make CFLAGS=-DMSC_TEST test
Note: if all tests pass, run the command below.
#make install
----------------------------------------------------------------------------------------------------
7) Download and Install ModSecurity Rules
----------------------------------------------------------------------------------------------------
#cd /softwares
#wget http://sourceforge.net/projects/mod-security/files/modsecurity-crs/0-CURRENT/modsecurity-crs_2.2.5.tar.gz/download
#tar -zxvf modsecurity-crs_2.2.5.tar.gz
#mv modsecurity-crs_2.2.5 /opt/modsecurity-crs
#mkdir -p /opt/apache83_waf1/modsecurity.d
#cd /opt/modsecurity-crs
#cp -r base_rules /opt/apache83_waf1/modsecurity.d/rules
#cp modsecurity_crs_10_setup.conf.example /opt/apache83_waf1/modsecurity.d/modsecurity_crs_10_setup.conf
----------------------------------------------------------------------------------------------------
#vi /opt/apache83_waf1/conf/httpd.conf
LoadFile /usr/lib64/libxml2.so
LoadFile /usr/lib64/liblua-5.1.so
LoadModule security2_module modules/mod_security2.so
SecPcreMatchLimit 1000000
SecPcreMatchLimitRecursion 1000000
SecDataDir logs/
ServerName *
AddDefaultCharset UTF-8
Include modsecurity.d/modsecurity_crs_10_setup.conf
Include modsecurity.d/rules/*.conf
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess On
ProxyPreserveHost On
ProxyRequests off
ProxyVia Off
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
#/opt/apache83_waf1/bin/apachectl -k restart
#rm -rf /softwares/modsecurity-apache_2.7.2
> Verify that security2_module is loaded using the following command
#/opt/apache83_waf1/bin/httpd -M | grep security2_module
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
8) Install Apache (bk_http i.e. server1)
----------------------------------------------------------------------------------------------------
#wget http://archive.apache.org/dist/httpd/httpd-2.2.21.tar.gz
#tar -zxvf httpd-2.2.21.tar.gz
#cd httpd-2.2.21
#./configure --prefix=/opt/apache81_bk1 --enable-mods-shared=all --enable-so --enable-cgi --enable-proxy --enable-headers --enable-expires --enable-vhost-alias --enable-info --enable-rewrite --enable-speling --enable-usertrack --enable-deflate --enable-ssl --enable-mime-magic --enable-unique-id --with-included-apr
#make
#make install
#vi /opt/apache81_bk1/conf/httpd.conf
Listen 81
User apache
Group apache
#/opt/apache81_bk1/bin/apachectl -k restart
#rm -rf /softwares/httpd-2.2.21
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
9) Install Apache (bk_http i.e. server2)
----------------------------------------------------------------------------------------------------
#wget http://archive.apache.org/dist/httpd/httpd-2.2.21.tar.gz
#tar -zxvf httpd-2.2.21.tar.gz
#cd httpd-2.2.21
#./configure --prefix=/opt/apache82_bk2 --enable-mods-shared=all --enable-so --enable-cgi --enable-proxy --enable-headers --enable-expires --enable-vhost-alias --enable-info --enable-rewrite --enable-speling --enable-usertrack --enable-deflate --enable-ssl --enable-mime-magic --enable-unique-id --with-included-apr
#make
#make install
#vi /opt/apache82_bk2/conf/httpd.conf
Listen 82
User apache
Group apache
#/opt/apache82_bk2/bin/apachectl -k restart
#rm -rf /softwares/httpd-2.2.21
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
10) Install mod_rpaf so that bk_waf and bk_web see the real client IP for both tracking and logging. mod_rpaf trusts X-Forwarded-For only from the addresses listed in RPAFproxy_ips, so keep that list limited to the proxy hosts that actually front each server.
----------------------------------------------------------------------------------------------------
#cd /softwares
#wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
#tar -zxvf mod_rpaf-0.6.tar.gz
#cd mod_rpaf-0.6
#/opt/apache83_waf1/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
#vi /opt/apache83_waf1/conf/httpd.conf
LoadModule rpaf_module modules/mod_rpaf-2.0.so
# mod_rpaf Configuration
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1
RPAFheader X-Forwarded-For
#/opt/apache83_waf1/bin/apachectl -k restart
#/opt/apache81_bk1/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
#vi /opt/apache81_bk1/conf/httpd.conf
LoadModule rpaf_module modules/mod_rpaf-2.0.so
# mod_rpaf Configuration
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1
RPAFheader X-Forwarded-For
#/opt/apache81_bk1/bin/apachectl -k restart
#/opt/apache82_bk2/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
#vi /opt/apache82_bk2/conf/httpd.conf
LoadModule rpaf_module modules/mod_rpaf-2.0.so
# mod_rpaf Configuration
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1
RPAFheader X-Forwarded-For
#/opt/apache82_bk2/bin/apachectl -k restart
#rm -rf /softwares/mod_rpaf-0.6
----------------------------------------------------------------------------------------------------