mirror of https://github.com/Aidaho12/haproxy-wi
Aidaho12
parent
914d04eede
commit
f272ec4ca2
|
|
@ -33,7 +33,7 @@ Support the project
|
|||
21. Alerting about HAProxy service state
|
||||
22. Metrics incoming connections
|
||||
23. Web acceleration settings
|
||||
24. Some functions WAF
|
||||
24. Web application firewall
|
||||
|
||||
|
||||
|
||||
|
|
@ -107,7 +107,7 @@ Login http://haproxy-wi-server/users.py, and add: users, groups and servers. Def
|
|||
|
||||
|
||||
|
||||
For Runtime API enable state file on HAproxt servers and need install socat on all haproxy servers, and configre HAProxy:
|
||||
For Runtime API, Metrics and Alerting enable state file and stat socket on HAproxt servers and need install socat on all haproxy servers, and configre HAProxy:
|
||||
```
|
||||
global
|
||||
stats socket *:1999 level admin
|
||||
|
|
|
|||
10
app/add.py
10
app/add.py
|
|
@ -36,6 +36,7 @@ print(output_from_parsed_template)
|
|||
|
||||
hap_configs_dir = funct.get_config_var('configs', 'haproxy_save_configs_dir')
|
||||
cert_path = sql.get_setting('cert_path')
|
||||
haproxy_dir = sql.get_setting('haproxy_dir')
|
||||
|
||||
if form.getvalue('mode') is not None:
|
||||
serv = form.getvalue('serv')
|
||||
|
|
@ -111,7 +112,7 @@ if form.getvalue('mode') is not None:
|
|||
options_split += " option http-pretend-keepalive\n"
|
||||
|
||||
if form.getvalue('blacklist') is not None:
|
||||
options_split += " tcp-request connection reject if { src -f /etc/haproxy/black/"+form.getvalue('blacklist')+" }\n"
|
||||
options_split += " tcp-request connection reject if { src -f "+haproxy_dir+"/black/"+form.getvalue('blacklist')+" }\n"
|
||||
|
||||
if form.getvalue('cookie'):
|
||||
cookie = " cookie "+form.getvalue('cookie_name')
|
||||
|
|
@ -165,8 +166,13 @@ if form.getvalue('mode') is not None:
|
|||
if cache == "2":
|
||||
cache_s = " http-request cache-use "+end_name+"\n http-response cache-store "+end_name+"\n"
|
||||
cache_set = "cache "+end_name+"\n total-max-size 4\n max-age 240\n"
|
||||
|
||||
waf = ""
|
||||
if form.getvalue('waf') is not None:
|
||||
waf = " filter spoe engine modsecurity config "+haproxy_dir+"/spoe-modsecurity.conf\n"
|
||||
waf += " http-request deny if { var(txn.modsec.code) -m int gt 0 }\n"
|
||||
|
||||
config_add = name + "\n" + bind + mode + "\n" + balance + options_split + filter + compression_s + cache_s + backend + servers_split + "\n" + cache_set
|
||||
config_add = name + "\n" + bind + mode + "\n" + balance + options_split + filter + compression_s + cache_s + waf + backend + servers_split + "\n" + cache_set
|
||||
cfg = hap_configs_dir + serv + "-" + funct.get_data('config') + ".cfg"
|
||||
|
||||
funct.get_config(serv, cfg)
|
||||
|
|
|
|||
41
app/funct.py
41
app/funct.py
|
|
@ -275,6 +275,9 @@ def install_haproxy(serv, **kwargs):
|
|||
if kwargs.get('syn_flood') == "1":
|
||||
syn_flood_protect(serv)
|
||||
|
||||
if kwargs.get('waf') == "1":
|
||||
waf_install(serv)
|
||||
|
||||
os.system("rm -f %s" % script)
|
||||
|
||||
def syn_flood_protect(serv, **kwargs):
|
||||
|
|
@ -296,6 +299,34 @@ def syn_flood_protect(serv, **kwargs):
|
|||
|
||||
os.system("rm -f %s" % script)
|
||||
|
||||
def waf_install(serv, **kwargs):
|
||||
import sql
|
||||
script = "waf.sh"
|
||||
tmp_config_path = sql.get_setting('tmp_config_path')
|
||||
proxy = sql.get_setting('proxy')
|
||||
haproxy_dir = sql.get_setting('haproxy_dir')
|
||||
ver = check_haproxy_version(serv)
|
||||
|
||||
os.system("cp scripts/%s ." % script)
|
||||
|
||||
commands = [ "chmod +x "+tmp_config_path+script+" && " +tmp_config_path+script +" PROXY=" + proxy+
|
||||
" HAPROXY_PATH="+haproxy_dir +" VERSION="+ver ]
|
||||
|
||||
upload(serv, tmp_config_path, script)
|
||||
ssh_command(serv, commands, print_out="1")
|
||||
|
||||
os.system("rm -f %s" % script)
|
||||
|
||||
def check_haproxy_version(serv):
|
||||
import sql
|
||||
haproxy_sock_port = sql.get_setting('haproxy_sock_port')
|
||||
ver = ""
|
||||
cmd="echo 'show info' |nc %s %s |grep Version |awk '{print $2}'" % (serv, haproxy_sock_port)
|
||||
output, stderr = subprocess_execute(cmd)
|
||||
for line in output:
|
||||
ver = line
|
||||
return ver
|
||||
|
||||
def upload(serv, path, file, **kwargs):
|
||||
full_path = path + file
|
||||
|
||||
|
|
@ -399,7 +430,7 @@ def server_status(stdout):
|
|||
proc_count = ""
|
||||
|
||||
for line in stdout:
|
||||
if "Ncat: Connection refused." not in line:
|
||||
if "Ncat: " not in line:
|
||||
for k in line:
|
||||
proc_count = k.split(":")[1]
|
||||
else:
|
||||
|
|
@ -417,8 +448,6 @@ def ssh_command(serv, commands, **kwargs):
|
|||
|
||||
if kwargs.get("ip") == "1":
|
||||
show_ip(stdout)
|
||||
elif kwargs.get("compare") == "1":
|
||||
compare(stdout)
|
||||
elif kwargs.get("show_log") == "1":
|
||||
show_log(stdout)
|
||||
elif kwargs.get("server_status") == "1":
|
||||
|
|
@ -448,7 +477,9 @@ def subprocess_execute(cmd):
|
|||
|
||||
def show_backends(serv, **kwargs):
|
||||
import json
|
||||
cmd='echo "show backend" |nc %s 1999' % serv
|
||||
import sql
|
||||
haproxy_sock_port = sql.get_setting('haproxy_sock_port')
|
||||
cmd='echo "show backend" |nc %s %s' % (serv, haproxy_sock_port)
|
||||
output, stderr = subprocess_execute(cmd)
|
||||
ret = ""
|
||||
for line in output:
|
||||
|
|
@ -491,6 +522,4 @@ def get_files(**kwargs):
|
|||
return sorted(return_files, reverse=True)
|
||||
else:
|
||||
return files
|
||||
|
||||
|
||||
|
||||
|
|
@ -254,7 +254,7 @@ if form.getvalue('servaction') is not None:
|
|||
command = [ cmd ]
|
||||
|
||||
if enable != "show":
|
||||
print('<center><h3>You %s %s on HAproxy %s. <a href="viewsttats.py?serv=%s" title="View stat" target="_blank">Look it</a> or <a href="edit.py" title="Edit">Edit something else</a></h3><br />' % (enable, backend, serv, serv))
|
||||
print('<center><h3>You %s %s on HAproxy %s. <a href="viewsttats.py?serv=%s" title="View stat" target="_blank">Look it</a> or <a href="edit.py" title="Edit">Edit something else</a></h3><br />' % (enable, backend, serv, serv))
|
||||
|
||||
funct.ssh_command(serv, command, show_log="1")
|
||||
action = 'edit.py ' + enable + ' ' + backend
|
||||
|
|
@ -374,7 +374,7 @@ if form.getvalue('masteradd'):
|
|||
os.system("rm -f %s" % script)
|
||||
|
||||
if form.getvalue('haproxyaddserv'):
|
||||
funct.install_haproxy(form.getvalue('haproxyaddserv'), syn_flood=form.getvalue('syn_flood'))
|
||||
funct.install_haproxy(form.getvalue('haproxyaddserv'), syn_flood=form.getvalue('syn_flood'), waf=form.getvalue('waf'))
|
||||
|
||||
if form.getvalue('table_metrics'):
|
||||
import http.cookies
|
||||
|
|
@ -475,8 +475,7 @@ if form.getvalue('metrics'):
|
|||
show(grid)
|
||||
|
||||
if form.getvalue('get_hap_v'):
|
||||
commands = [ "haproxy -v |grep ver|awk '{print $3}'" ]
|
||||
output = funct.ssh_command(serv, commands)
|
||||
output = funct.check_haproxy_version(serv)
|
||||
print(output)
|
||||
|
||||
if form.getvalue('bwlists'):
|
||||
|
|
|
|||
|
|
@ -17,12 +17,13 @@ def get_overview():
|
|||
|
||||
listhap = sql.get_dick_permit()
|
||||
commands = [ "ls -l %s |awk '{ print $6\" \"$7\" \"$8}'" % haproxy_config_path ]
|
||||
commands1 = [ "ps ax |grep waf/bin/modsecurity |grep -v grep |wc -l" ]
|
||||
servers = []
|
||||
|
||||
for server in listhap:
|
||||
server_status = ()
|
||||
cmd = 'echo "show info" |nc %s %s |grep -e "Process_num"' % (server[2], haproxy_sock_port)
|
||||
server_status = (server[1],server[2], funct.server_status(funct.subprocess_execute(cmd)), funct.ssh_command(server[2], commands))
|
||||
server_status = (server[1],server[2], funct.server_status(funct.subprocess_execute(cmd)), funct.ssh_command(server[2], commands), funct.ssh_command(server[2], commands1))
|
||||
servers.append(server_status)
|
||||
|
||||
template = template.render(service_status = servers, role = sql.get_user_role_by_uuid(user_id.value))
|
||||
|
|
|
|||
|
|
@ -35,14 +35,14 @@ fi
|
|||
if hash apt-get 2>/dev/null; then
|
||||
sudo apt-get install haproxy socat -y
|
||||
else
|
||||
sudo wget http://cbs.centos.org/kojifiles/packages/haproxy/1.8.1/5.el7/x86_64/haproxy18-1.8.1-5.el7.x86_64.rpm
|
||||
wget http://cbs.centos.org/kojifiles/packages/haproxy/1.8.1/5.el7/x86_64/haproxy18-1.8.1-5.el7.x86_64.rpm
|
||||
sudo yum install haproxy18-1.8.1-5.el7.x86_64.rpm -y
|
||||
fi
|
||||
|
||||
if [ $? -eq 1 ]
|
||||
then
|
||||
sudo yum install wget socat -y > /dev/null
|
||||
sudo wget http://cbs.centos.org/kojifiles/packages/haproxy/1.8.1/5.el7/x86_64/haproxy18-1.8.1-5.el7.x86_64.rpm
|
||||
wget http://cbs.centos.org/kojifiles/packages/haproxy/1.8.1/5.el7/x86_64/haproxy18-1.8.1-5.el7.x86_64.rpm
|
||||
sudo yum install haproxy18-1.8.1-5.el7.x86_64.rpm -y
|
||||
fi
|
||||
if [ $? -eq 1 ]
|
||||
|
|
@ -103,7 +103,7 @@ sudo sed -i 's/#$UDPServerRun 514/$UDPServerRun 514/g' /etc/rsyslog.conf
|
|||
sudo sed -i 's/#$ModLoad imudp/$ModLoad imudp/g' /etc/rsyslog.conf
|
||||
|
||||
sudo firewall-cmd --zone=public --add-port=8085/tcp --permanent
|
||||
sudo sudo firewall-cmd --reload
|
||||
sudo firewall-cmd --reload
|
||||
sudo setenforce 0
|
||||
sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
|
||||
sudo systemctl enable haproxy
|
||||
|
|
|
|||
|
|
@ -1,8 +1,9 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [[ $1 == "enable" ]]; then
|
||||
if grep -q "net.ipv4.tcp_syncookie = 1" /etc/sysctl.conf; then
|
||||
if sudo grep -q "net.ipv4.tcp_syncookies = 1" /etc/sysctl.conf; then
|
||||
echo "SYN flood protectd allready enabled"
|
||||
exit 1
|
||||
else
|
||||
sudo bash -c cat <<EOF >> /etc/sysctl.conf
|
||||
# Protection SYN flood
|
||||
|
|
@ -11,16 +12,16 @@ net.ipv4.conf.all.rp_filter = 1
|
|||
net.ipv4.tcp_max_syn_backlog = 1024
|
||||
EOF
|
||||
|
||||
sudo sysctl -w net.ipv4.tcp_syncookies=1
|
||||
sudo sysctl -w net.ipv4.conf.all.rp_filter=1
|
||||
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=1024
|
||||
sudo sysctl -w net.ipv4.tcp_synack_retries=3
|
||||
sudo sysctl -w net.ipv4.tcp_syncookies=1
|
||||
sudo sysctl -w net.ipv4.conf.all.rp_filter=1
|
||||
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=1024
|
||||
sudo sysctl -w net.ipv4.tcp_synack_retries=3
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ $1 == "disable" ]]; then
|
||||
sed -i 's/net.ipv4.tcp_max_syn_backlog = 1024/net.ipv4.tcp_max_syn_backlog = 256/' /etc/sysctl.conf
|
||||
sed -i 's/net.ipv4.tcp_synack_retries = 3/net.ipv4.tcp_synack_retries = 5/' /etc/sysctl.conf
|
||||
sudo sed -i 's/net.ipv4.tcp_max_syn_backlog = 1024/net.ipv4.tcp_max_syn_backlog = 256/' /etc/sysctl.conf
|
||||
sudo sed -i 's/net.ipv4.tcp_synack_retries = 3/net.ipv4.tcp_synack_retries = 5/' /etc/sysctl.conf
|
||||
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=256
|
||||
sudo sysctl -w net.ipv4.tcp_synack_retries=5
|
||||
fi
|
||||
|
|
@ -0,0 +1,188 @@
|
|||
#!/bin/bash
|
||||
|
||||
for ARGUMENT in "$@"
|
||||
do
|
||||
|
||||
KEY=$(echo $ARGUMENT | cut -f1 -d=)
|
||||
VALUE=$(echo $ARGUMENT | cut -f2 -d=)
|
||||
|
||||
case "$KEY" in
|
||||
PROXY) PROXY=${VALUE} ;;
|
||||
VERSION) VERSION=${VALUE} ;;
|
||||
HAPROXY_PATH) HAPROXY_PATH=${VALUE} ;;
|
||||
*)
|
||||
esac
|
||||
|
||||
|
||||
done
|
||||
|
||||
VERSION_MAJ=$(echo $VERSION | awk -F"." '{print $1"."$2}')
|
||||
|
||||
if [[ $PROXY != "" ]]
|
||||
then
|
||||
export http_proxy="$PROXY"
|
||||
export https_proxy="$PROXY"
|
||||
echo "Exporting proxy"
|
||||
fi
|
||||
|
||||
if [ -f $HAPROXY_PATH/waf/modsecurity.conf ];then
|
||||
echo -e 'error: Haproxy WAF already installed. You can edit config<a href="/app/config.py" title="Edit HAProxy config">here</a> <br /><br />'
|
||||
exit 1
|
||||
fi
|
||||
wget -O /tmp/yajl-devel-2.0.4-4.el7.x86_64.rpm http://rpmfind.net/linux/centos/7.5.1804/os/x86_64/Packages/yajl-devel-2.0.4-4.el7.x86_64.rpm
|
||||
wget -O /tmp/libevent-devel-2.0.21-4.el7.x86_64.rpm http://mirror.centos.org/centos/7/os/x86_64/Packages/libevent-devel-2.0.21-4.el7.x86_64.rpm
|
||||
wget -O /tmp/modsecurity-2.9.2.tar.gz https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz
|
||||
sudo yum install /tmp/libevent-devel-2.0.21-4.el7.x86_64.rpm /tmp/yajl-devel-2.0.4-4.el7.x86_64.rpm httpd-devel libxml2-devel gcc curl-devel -y
|
||||
|
||||
if [ $? -eq 1 ]; then
|
||||
echo -e "Can't download waf application. Check Internet connection"
|
||||
exit 1
|
||||
fi
|
||||
cd /tmp
|
||||
sudo tar xf modsecurity-2.9.2.tar.gz
|
||||
cd /tmp/modsecurity-2.9.2
|
||||
sudo ./configure --prefix=/tmp/modsecurity-2.9.2 --enable-standalone-module --disable-mlogc --enable-pcre-study --without-lua --enable-pcre-jit
|
||||
sudo make
|
||||
sudo make -C standalone install
|
||||
if [ $? -eq 1 ]; then
|
||||
echo -e "Can't compile waf application"
|
||||
exit 1
|
||||
fi
|
||||
sudo mkdir -p /tmp/modsecurity-2.9.2/INSTALL/include
|
||||
sudo cp standalone/.libs/* /tmp/modsecurity-2.9.2/INSTALL/include
|
||||
sudo cp standalone/* /tmp/modsecurity-2.9.2/INSTALL/include
|
||||
sudo cp apache2/*.h /tmp/modsecurity-2.9.2/INSTALL/include
|
||||
|
||||
wget -O /tmp/haproxy-$VERSION.tar.gz http://www.haproxy.org/download/$VERSION_MAJ/src/haproxy-$VERSION.tar.gz
|
||||
|
||||
if [ $? -eq 1 ]; then
|
||||
echo -e "Can't download Haproxy application. Check Internet connection"
|
||||
exit 1
|
||||
fi
|
||||
cd /tmp
|
||||
sudo tar xf /tmp/haproxy-$VERSION.tar.gz
|
||||
sudo mkdir $HAPROXY_PATH/waf
|
||||
sudo mkdir $HAPROXY_PATH/waf/bin
|
||||
sudo mkdir $HAPROXY_PATH/waf/rules
|
||||
cd /tmp/haproxy-$VERSION/contrib/modsecurity
|
||||
sudo make MODSEC_INC=/tmp/modsecurity-2.9.2/INSTALL/include MODSEC_LIB=/tmp/modsecurity-2.9.2/INSTALL/include APACHE2_INC=/usr/include/httpd/ APR_INC=/usr/include/apr-1
|
||||
if [ $? -eq 1 ]; then
|
||||
echo -e "Can't compile waf application"
|
||||
exit 1
|
||||
fi
|
||||
sudo mv /tmp/haproxy-$VERSION/contrib/modsecurity/modsecurity $HAPROXY_PATH/waf/bin
|
||||
wget -O $HAPROXY_PATH/waf/modsecurity.conf https://github.com/SpiderLabs/ModSecurity/raw/v2/master/modsecurity.conf-recommended
|
||||
|
||||
sudo bash -c cat << EOF >> $HAPROXY_PATH/waf/modsecurity.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_10_ignore_static.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_10_setup.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_11_avs_traffic.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_11_brute_force.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_11_dos_protection.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_13_xml_enabler.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_16_authentication_tracking.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_16_scanner_integration.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_16_username_tracking.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_16_username_tracking.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_20_protocol_violations.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_21_protocol_anomalies.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_23_request_limits.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_25_cc_known.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_25_cc_track_pan.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_30_http_policy.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_35_bad_robots.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_40_generic_attacks.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_40_http_parameter_pollution.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_41_sql_injection_attacks.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_41_xss_attacks.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_42_comment_spam.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_42_tight_security.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_45_trojans.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_46_av_scanning.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_46_scanner_integration.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_46_slr_et_xss_attacks.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_46_slr_et_lfi_attacks.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_46_slr_et_sqli_attacks.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_47_common_exceptions.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_49_inbound_blocking.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_50_outbound.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_55_marketing.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_56_pvi_checks.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_59_outbound_blocking.conf
|
||||
Include $HAPROXY_PATH/waf/rules/modsecurity_crs_60_correlation.conf
|
||||
EOF
|
||||
|
||||
wget -O $HAPROXY_PATH/waf/unicode.mapping https://github.com/SpiderLabs/ModSecurity/raw/v2/master/unicode.mapping
|
||||
wget -O /tmp/owasp.tar.gz https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/2.2.9.tar.gz
|
||||
cd /tmp/
|
||||
sudo tar xf /tmp/owasp.tar.gz
|
||||
sudo mv /tmp/owasp-modsecurity-crs-2.2.9/modsecurity_crs_10_setup.conf.example $HAPROXY_PATH/waf/rules/modsecurity_crs_10_setup.conf
|
||||
sudo mv /tmp/owasp-modsecurity-crs-2.2.9/*rules/* $HAPROXY_PATH/waf/rules/
|
||||
sudo sed -i 's/#SecAction/SecAction/' $HAPROXY_PATH/waf/rules/modsecurity_crs_10_setup.conf
|
||||
sudo rm -f /tmp/owasp.tar.gz
|
||||
|
||||
sudo bash -c cat << EOF > /etc/systemd/system/multi-user.target.wants/waf.service
|
||||
[Unit]
|
||||
Description=Defender WAF
|
||||
After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=$HAPROXY_PATH/waf/bin/modsecurity -n 4 -f $HAPROXY_PATH/waf/modsecurity.conf
|
||||
ExecReload=/bin/kill -USR2 $MAINPID
|
||||
KillMode=mixed
|
||||
|
||||
StandardOutput=syslog
|
||||
StandardError=syslog
|
||||
SyslogIdentifier=waf
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
EOF
|
||||
|
||||
sudo bash -c cat << EOF > /etc/rsyslog.d/waf.conf
|
||||
if $programname startswith 'waf' then /var/log/waf.log
|
||||
& stop
|
||||
EOF
|
||||
|
||||
sudo bash -c cat << EOF > $HAPROXY_PATH/spoe-modsecurity.conf
|
||||
[modsecurity]
|
||||
spoe-agent modsecurity-agent
|
||||
messages check-request
|
||||
option var-prefix modsec
|
||||
timeout hello 100ms
|
||||
timeout idle 30s
|
||||
timeout processing 15ms
|
||||
use-backend spoe-modsecurity
|
||||
|
||||
spoe-message check-request
|
||||
args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
|
||||
event on-frontend-http-request
|
||||
EOF
|
||||
if sudo grep -q "backend spoe-modsecurity" $HAPROXY_PATH/haproxy.cfg; then
|
||||
echo -e "Backend for WAF exists"
|
||||
else
|
||||
sudo bash -c cat << EOF >> $HAPROXY_PATH/haproxy.cfg
|
||||
|
||||
backend spoe-modsecurity
|
||||
mode tcp
|
||||
timeout connect 5s
|
||||
timeout server 3m
|
||||
server waf 127.0.0.1:12345 check
|
||||
EOF
|
||||
fi
|
||||
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl enable waf
|
||||
sudo systemctl restart waf
|
||||
sudo rm -f /tmp/libevent-devel-2.0.21-4.el7.x86_64.rpm
|
||||
sudo rm -f /tmp/modsecurity-2.9.2.tar.gz
|
||||
sudo rm -f /tmp/yajl-devel-2.0.4-4.el7.x86_64.rpm
|
||||
sudo rm -rf /tmp/haproxy-$VERSION
|
||||
sudo rm -rf /tmp/haproxy-$VERSION.tar.gz
|
||||
sudo rm -rf /tmp/modsecurity-2.9.2
|
||||
|
||||
if [ $? -eq 1 ]; then
|
||||
echo "error: Can't start Haproxy WAF service <br /><br />"
|
||||
exit 1
|
||||
fi
|
||||
echo "success"
|
||||
|
|
@ -89,6 +89,7 @@
|
|||
<label for="slow_atack" title="Slow atack protect">Slow atack</label><input type="checkbox" id="slow_atack">
|
||||
<label for="ddos" title="DDOS atack protect">DDOS</label><input type="checkbox" id="ddos">
|
||||
<label for="blacklist_checkbox" title="Enable SSL Offloading">Blacklist</label><input type="checkbox" id="blacklist_checkbox">
|
||||
<label for="waf" title="Web application firewall">WAF</label><input type="checkbox" id="waf" name="waf" value="1">
|
||||
</span>
|
||||
<div id="blacklist-hide" style="display: none;">
|
||||
<br /><span class="tooltip tooltipTop">Enter the name of the blacklist, or press down:</span><br />
|
||||
|
|
@ -518,6 +519,7 @@
|
|||
</table>
|
||||
<div id="ajax-ssl"></div>
|
||||
</div>
|
||||
|
||||
{% if add %}
|
||||
<div class="alert alert-success">
|
||||
<h3>{{ add }} was success added</h3>
|
||||
|
|
@ -529,6 +531,7 @@
|
|||
<center><pre id="dialog-confirm-body"></pre></center>
|
||||
</div>
|
||||
<input type="hidden" id="group" value="{{ group }}">
|
||||
|
||||
<script>
|
||||
$( ".force_close" ).selectmenu({
|
||||
width: 180
|
||||
|
|
|
|||
|
|
@ -98,7 +98,7 @@
|
|||
</ul>
|
||||
</nav>
|
||||
<div class="copyright-menu">
|
||||
HAproxy-WI v3.0
|
||||
HAproxy-WI v3.1
|
||||
<br>
|
||||
<a href="https://www.patreon.com/haproxy_wi" title="Donate" target="_blank" style="color: #fff; margin-left: 30px; color: red;" class="patreon"> Patreon</a>
|
||||
</div>
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@
|
|||
<td class="padding10 first-collumn" style="width: 350px;">Note</td>
|
||||
<td class="padding10 first-collumn">Server</td>
|
||||
<td style="width: 150px;">SYN flood protect</td>
|
||||
<td style="width: 150px;"><span title="Web application firewall">WAF(?)</span></td>
|
||||
<td></td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
@ -23,6 +24,9 @@
|
|||
<td>
|
||||
<label for="syn_flood" title="Enable SYN flood protect"><input type="checkbox" id="syn_flood" checked>
|
||||
</td>
|
||||
<td>
|
||||
<label for="waf" title="Enable SYN flood protect"><input type="checkbox" id="waf">
|
||||
</td>
|
||||
<td>
|
||||
<a class="ui-button ui-widget ui-corner-all" id="install" title="Install HAProxy">Install</a>
|
||||
</td>
|
||||
|
|
|
|||
|
|
@ -97,7 +97,10 @@
|
|||
<td class="padding10 second-collumn">
|
||||
HAproxy status
|
||||
</td>
|
||||
<td class="padding10 third-collumn">
|
||||
<td class="padding10">
|
||||
WAF status
|
||||
</td>
|
||||
<td class="padding10 second-collumn">
|
||||
Action
|
||||
</td>
|
||||
<td class="padding10">
|
||||
|
|
|
|||
|
|
@ -1006,13 +1006,17 @@ $( function() {
|
|||
cur_url = cur_url[0].split('#');
|
||||
if (cur_url[0] == "/app/add.py") {
|
||||
$("#cache").checkboxradio( "disable" );
|
||||
$("#waf").checkboxradio( "disable" );
|
||||
$( "#serv" ).on('selectmenuchange',function() {
|
||||
change_select_acceleration("");
|
||||
change_select_waf("");
|
||||
});
|
||||
|
||||
$("#cache2").checkboxradio( "disable" );
|
||||
$("#waf2").checkboxradio( "disable" );
|
||||
$( "#serv2" ).on('selectmenuchange',function() {
|
||||
change_select_acceleration(2);
|
||||
change_select_acceleration("2");
|
||||
change_select_waf("2");
|
||||
});
|
||||
|
||||
$("#cache3").checkboxradio( "disable" );
|
||||
|
|
@ -1201,7 +1205,8 @@ function change_select_acceleration(id) {
|
|||
token: $('#token').val()
|
||||
},
|
||||
type: "GET",
|
||||
success: function( data ) {
|
||||
success: function( data ) {
|
||||
console.log(data)
|
||||
if(parseFloat(data) < parseFloat('1.8')) {
|
||||
$("#cache"+id).checkboxradio( "disable" );
|
||||
} else {
|
||||
|
|
@ -1210,7 +1215,25 @@ function change_select_acceleration(id) {
|
|||
}
|
||||
} );
|
||||
}
|
||||
|
||||
function change_select_waf(id) {
|
||||
$.ajax( {
|
||||
url: "options.py",
|
||||
data: {
|
||||
get_hap_v: 1,
|
||||
serv: $('#serv'+id+' option:selected').val(),
|
||||
token: $('#token').val()
|
||||
},
|
||||
type: "GET",
|
||||
success: function( data ) {
|
||||
console.log(data)
|
||||
if(parseFloat(data) < parseFloat('1.7')) {
|
||||
$("#waf"+id).checkboxradio( "disable" );
|
||||
} else {
|
||||
$("#waf"+id).checkboxradio( "enable" );
|
||||
}
|
||||
}
|
||||
} );
|
||||
}
|
||||
function replace_text(id_textarea, text_var) {
|
||||
var str = $(id_textarea).val();
|
||||
var len = str.length;
|
||||
|
|
|
|||
12
inc/users.js
12
inc/users.js
|
|
@ -87,9 +87,9 @@ $( function() {
|
|||
type: "GET",
|
||||
success: function( data ) {
|
||||
data = data.replace(/\s+/g,' ');
|
||||
if (data.indexOf('error') != '-1' || data.indexOf('alert') != '-1' || data.indexOf('Failed') != '-1') {
|
||||
if (data.indexOf('error') != '-1') {
|
||||
$("#ajax").html('<div class="alert alert-danger">'+data+'</data>');
|
||||
} else if (data.indexOf('success') != '-1' ){
|
||||
} else if (data.indexOf('success') != '-1'){
|
||||
$('.alert-danger').remove();
|
||||
$("#ajax").html('<div class="alert alert-success">All is ready!</data>');
|
||||
}
|
||||
|
|
@ -100,24 +100,30 @@ $( function() {
|
|||
$('#install').click(function() {
|
||||
$("#ajax").html('')
|
||||
var syn_flood = 0;
|
||||
var waf = 0;
|
||||
if ($('#syn_flood').is(':checked')) {
|
||||
syn_flood = '1';
|
||||
}
|
||||
if ($('#waf').is(':checked')) {
|
||||
waf = '1';
|
||||
}
|
||||
$("#ajax").html('<div class="alert alert-warning">Please don\'t close and don\'t represh page. Wait until the work is completed. This may take some time </div>');
|
||||
$.ajax( {
|
||||
url: "options.py",
|
||||
data: {
|
||||
haproxyaddserv: $('#haproxyaddserv').val(),
|
||||
syn_flood: syn_flood,
|
||||
waf: waf,
|
||||
token: $('#token').val()
|
||||
},
|
||||
type: "GET",
|
||||
success: function( data ) {
|
||||
data = data.replace(/\s+/g,' ');
|
||||
if (data.indexOf('error') != '-1' || data.indexOf('alert') != '-1' || data.indexOf('Failed') != '-1') {
|
||||
if (data.indexOf('error') != '-1' || data.indexOf('Failed') != '-1') {
|
||||
$("#ajax").html('<div class="alert alert-danger">'+data+'</data>');
|
||||
} else if (data.indexOf('success') != '-1' ){
|
||||
$('.alert-danger').remove();
|
||||
$('.alert-warning').remove();
|
||||
$("#ajax").html('<div class="alert alert-success">'+data+'</data>');
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue