test-example-projects/c_projects/19wnuster/contrib/modsecurity/README

ModSecurity for HAProxy
-----------------------

This is a third party daemon which speaks SPOE. It gives requests send by HAProxy
to ModSecurity and returns the verdict.

  Compilation
---------------

You must compile ModSecurity in standalone mode. Below an example for
ModSecurity-2.9.1. Note that ModSecurity depends the Apache APR. I assume that
the Apache dependencies are installed on the system.

   ./configure \
      --prefix=$PWD/INSTALL \
		--disable-apache2-module \
      --enable-standalone-module \
      --enable-pcre-study \
      --without-lua \
      --enable-pcre-jit
   make
	make -C standalone install
	mkdir -p $PWD/INSTALL/include
	cp standalone/*.h $PWD/INSTALL/include
	cp apache2/*.h $PWD/INSTALL/include

Note that this compilation method works, but is a little bit rustic. I can't
deal with Lua, I supposed that is a dependencies problem on my computer.

  Start the service
---------------------

After you have compiled it, to start the service, you just need to use "spoa"
binary:

    $> ./modsecurity  -h
    Usage: ./spoa [-h] [-d] [-p <port>] [-n <num-workers>] [-f <config-file>]
        -h                  Print this message
        -d                  Enable the debug mode
        -f <config-file>    Modsecurity configuration file
        -m <max-frame-size> Specify the maximum frame size (default : 16384)
        -p <port>           Specify the port to listen on (default: 12345)
        -n <num-workers>    Specify the number of workers (default: 5)
        -c <capability>     Enable the support of the specified capability
        -t <time>           Set a delay to process a message (default: 0)
                            The value is specified in milliseconds by default,
                            but can be in any other unit if the number is suffixed
                            by a unit (us, ms, s)

Note: A worker is a thread.


  Configure a SPOE to use the service
---------------------------------------

All information about SPOE configuration can be found in "doc/SPOE.txt". Here is
the configuration template to use for your SPOE with ModSecurity module:

   [modsecurity]

   spoe-agent modsecurity-agent
      messages check-request
      option var-prefix modsec
      timeout hello      100ms
      timeout idle       30s
      timeout processing 15ms
      use-backend spoe-modsecurity

   spoe-message check-request
      args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
      event on-frontend-http-request

The engine is in the scope "modsecurity". So to enable it, you must set the
following line in a frontend/listener section:

   frontend my-front
      ...
      filter spoe engine modsecurity config spoe-modsecurity.conf
      ...


Because, in SPOE configuration file, we declare to use the backend
"spoe-modsecurity" to communicate with the service, you must define it in
HAProxy configuration. For example:

   backend spoe-modsecurity
      mode tcp
      balance roundrobin
      timeout connect 5s
      timeout server  3m
      server modsec1 127.0.0.1:12345

The modsecurity action is returned in a variable called txn.modsec.code. It
contains the HTTP returned code. If the variable contains 0, the request is
clean.

   http-request deny if { var(txn.modsec.code) -m int gt 0 }

With this rule, all the request not clean are rejected.


  Known bugs, limitations and TODO list
-----------------------------------------

Modsecurity bugs:
-----------------

* When the audit_log is used with the directive "SecAuditLogType Serial", in
  some systems, the APR mutex initialisation silently fails, this causes a
  segmentation fault. For my own usage, I have a patched version of modsec where
  I use another mutex than "APR_LOCK_DEFAULT" like "APR_LOCK_PROC_PTHREAD"

   -    rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_DEFAULT, mp);
   +    rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_PROC_PTHREAD, mp);

* Configuration file loaded with wildcard (eg. Include rules/*.conf), are loaded
  in reverse alphabetical order. You can found a patch below. The ModSecurity
  team ignored this patch.

  https://github.com/SpiderLabs/ModSecurity/issues/1285
  http://www.arpalert.org/0001-Fix-bug-when-load-files.patch

  Or insert includes without wildcards.

Todo:
-----

* Clarify the partial body analysis.
* The response body is not yet analyzed.
* ModSecurity can't modify the response body.
* Implements real log management. Actually, the log are sent on stderr.
* Implements daemon things (forks, write a pid, etc.).
first commit 5 months ago			`ModSecurity for HAProxy`
			`-----------------------`

			`This is a third party daemon which speaks SPOE. It gives requests send by HAProxy`
			`to ModSecurity and returns the verdict.`

			`Compilation`
			`---------------`

			`You must compile ModSecurity in standalone mode. Below an example for`
			`ModSecurity-2.9.1. Note that ModSecurity depends the Apache APR. I assume that`
			`the Apache dependencies are installed on the system.`

			`./configure \`
			`--prefix=$PWD/INSTALL \`
			`--disable-apache2-module \`
			`--enable-standalone-module \`
			`--enable-pcre-study \`
			`--without-lua \`
			`--enable-pcre-jit`
			`make`
			`make -C standalone install`
			`mkdir -p $PWD/INSTALL/include`
			`cp standalone/*.h $PWD/INSTALL/include`
			`cp apache2/*.h $PWD/INSTALL/include`

			`Note that this compilation method works, but is a little bit rustic. I can't`
			`deal with Lua, I supposed that is a dependencies problem on my computer.`

			`Start the service`
			`---------------------`

			`After you have compiled it, to start the service, you just need to use "spoa"`
			`binary:`

			`$> ./modsecurity -h`
			`Usage: ./spoa [-h] [-d] [-p <port>] [-n <num-workers>] [-f <config-file>]`
			`-h Print this message`
			`-d Enable the debug mode`
			`-f <config-file> Modsecurity configuration file`
			`-m <max-frame-size> Specify the maximum frame size (default : 16384)`
			`-p <port> Specify the port to listen on (default: 12345)`
			`-n <num-workers> Specify the number of workers (default: 5)`
			`-c <capability> Enable the support of the specified capability`
			`-t <time> Set a delay to process a message (default: 0)`
			`The value is specified in milliseconds by default,`
			`but can be in any other unit if the number is suffixed`
			`by a unit (us, ms, s)`

			`Note: A worker is a thread.`


			`Configure a SPOE to use the service`
			`---------------------------------------`

			`All information about SPOE configuration can be found in "doc/SPOE.txt". Here is`
			`the configuration template to use for your SPOE with ModSecurity module:`

			`[modsecurity]`

			`spoe-agent modsecurity-agent`
			`messages check-request`
			`option var-prefix modsec`
			`timeout hello 100ms`
			`timeout idle 30s`
			`timeout processing 15ms`
			`use-backend spoe-modsecurity`

			`spoe-message check-request`
			`args unique-id method path query req.ver req.hdrs_bin req.body_size req.body`
			`event on-frontend-http-request`

			`The engine is in the scope "modsecurity". So to enable it, you must set the`
			`following line in a frontend/listener section:`

			`frontend my-front`
			`...`
			`filter spoe engine modsecurity config spoe-modsecurity.conf`
			`...`


			`Because, in SPOE configuration file, we declare to use the backend`
			`"spoe-modsecurity" to communicate with the service, you must define it in`
			`HAProxy configuration. For example:`

			`backend spoe-modsecurity`
			`mode tcp`
			`balance roundrobin`
			`timeout connect 5s`
			`timeout server 3m`
			`server modsec1 127.0.0.1:12345`

			`The modsecurity action is returned in a variable called txn.modsec.code. It`
			`contains the HTTP returned code. If the variable contains 0, the request is`
			`clean.`

			`http-request deny if { var(txn.modsec.code) -m int gt 0 }`

			`With this rule, all the request not clean are rejected.`


			`Known bugs, limitations and TODO list`
			`-----------------------------------------`

			`Modsecurity bugs:`
			`-----------------`

			`* When the audit_log is used with the directive "SecAuditLogType Serial", in`
			`some systems, the APR mutex initialisation silently fails, this causes a`
			`segmentation fault. For my own usage, I have a patched version of modsec where`
			`I use another mutex than "APR_LOCK_DEFAULT" like "APR_LOCK_PROC_PTHREAD"`

			`- rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_DEFAULT, mp);`
			`+ rc = apr_global_mutex_create(&msce->auditlog_lock, NULL, APR_LOCK_PROC_PTHREAD, mp);`

			`* Configuration file loaded with wildcard (eg. Include rules/*.conf), are loaded`
			`in reverse alphabetical order. You can found a patch below. The ModSecurity`
			`team ignored this patch.`

			`https://github.com/SpiderLabs/ModSecurity/issues/1285`
			`http://www.arpalert.org/0001-Fix-bug-when-load-files.patch`

			`Or insert includes without wildcards.`

			`Todo:`
			`-----`

			`* Clarify the partial body analysis.`
			`* The response body is not yet analyzed.`
			`* ModSecurity can't modify the response body.`
			`* Implements real log management. Actually, the log are sent on stderr.`
			`* Implements daemon things (forks, write a pid, etc.).`