HAProxy SPOE module install

IMPORTANT

This guide only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, you can only deploy the Next-Gen WAF with the Edge WAF deployment method.

Stream Processing Offload Engine (SPOE) enables HAProxy to send traffic to external programs for out-of-band processing. The HAProxy SPOE Module communicates with the Next-Gen WAF agent via SPOE, enabling the module to block requests using HAProxy Access Control Lists (ACLs) based on the agent response.

Requirements

Installation

Follow these steps to install the HAProxy SPOE module.

Download via package manager

The HAProxy SPOE module can be installed via the package manager of most major operating system versions:

  • Alpine: sudo apk add sigsci-module-haproxy
  • CentOS: sudo yum install sigsci-module-haproxy
  • Debian: sudo apt-get install sigsci-module-haproxy
  • Ubuntu: sudo apt-get install sigsci-module-haproxy

Configure the agent

Add the following line to your agent configuration file (located by default at /etc/sigsci/agent.conf) to enable HAProxy SPOE support:

haproxy-spoa-enabled=true

Chroot directory configuration

NOTE

This section may not be required for your installation. If you have set HAProxy's chroot directory, you will need to modify the commands below to reflect your custom chroot directory by following the instructions in this section.

If your HAProxy configuration has been modified to set a chroot directory for HAProxy, you will need to update your Next-Gen WAF agent configuration to reflect this. The default location of the agent socket file (/var/run/sigsci.sock) will be inaccessible to the HAProxy module outside of your specified chroot directory.

  1. Create the directory structure for the Unix domain socket by running the following command, replacing HAPROXY-CHROOT-DIRECTORY with your HAProxy chroot directory:

    $ sudo mkdir -p /HAPROXY-CHROOT-DIRECTORY/var/run/

  2. Add the following line to your agent configuration file (located by default at /etc/sigsci/agent.conf) to specify the new socket file location under chroot, again replacing HAPROXY-CHROOT-DIRECTORY with your HAProxy chroot directory:

    rpc-address="unix:/HAPROXY-CHROOT-DIRECTORY/var/run/sigsci.sock"

Configure HAProxy

Follow these steps to configure HAProxy.

Add SPOA backend

Append the content of /opt/signalsciences/haproxy-spoe/backend.txt to your HAProxy configuration file:

$ sed "-i.`date +%F`" -e '$r/opt/signalsciences/haproxy-spoe/backend.txt' /etc/haproxy/haproxy.cfg

Update frontend section

For HAProxy v2.2 and above, copy the content of /opt/signalsciences/haproxy-spoe/frontend-2.2.txt to each HTTP frontend section of your HAProxy configuration file:

$ sed -i -e '/^\s*frontend/r/opt/signalsciences/haproxy-spoe/frontend-2.2.txt' /etc/haproxy/haproxy.cfg

For HAProxy v1.8 and v2.0, copy the content of /opt/signalsciences/haproxy-spoe/frontend-1.8.txt to each HTTP frontend section of your HAProxy configuration file:

$ sed -i -e '/^\s*frontend/r/opt/signalsciences/haproxy-spoe/frontend-1.8.txt' /etc/haproxy/haproxy.cfg
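
The frontend commands above edit the file in place, match every frontend line (TCP frontends included), and insert the snippet again if re-run. The following is an added example, not part of the vendor guide: it applies the same sed edit to a copy, skips the insert when the snippet is already present, and lists frontends that declare mode tcp. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the vendor guide.

# apply_frontend_snippet CFG SNIPPET OUT
# Writes CFG plus SNIPPET (inserted after each "frontend" line) to OUT.
# CFG is never modified. If SNIPPET's first non-blank line is already in CFG,
# OUT is an unchanged copy, so a second run does not duplicate the directives.
apply_frontend_snippet() {
    cfg=$1; snippet=$2; out=$3
    marker=$(grep -m1 -v '^[[:space:]]*$' "$snippet") || return 1
    if grep -qF -- "$marker" "$cfg"; then
        cp "$cfg" "$out"
        return 0
    fi
    # Same address and r command as the guide, without -i.
    sed -e "/^[[:space:]]*frontend/r $snippet" "$cfg" > "$out"
}

# tcp_frontends CFG
# Prints frontends that declare "mode tcp" themselves. The sed address matches
# them too, although the guide targets HTTP frontends only. A mode inherited
# from a defaults section is not detected.
tcp_frontends() {
    awk '
        $1 == "frontend" { name = $2; next }
        $1 == "backend" || $1 == "listen" || $1 == "defaults" || $1 == "global" { name = "" }
        name != "" && $1 == "mode" && $2 == "tcp" { print name; name = "" }
    ' "$1"
}

# Demo on constructed files (neither is real module or site content).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'defaults' '    mode http' 'frontend web' '    bind :80' \
        'frontend mq' '    mode tcp' '    bind :5672' > "$d/haproxy.cfg"
    printf '%s\n' '    # constructed snippet line 1' \
        '    # constructed snippet line 2' > "$d/frontend.txt"
    apply_frontend_snippet "$d/haproxy.cfg" "$d/frontend.txt" "$d/candidate.cfg"
    echo "explicit tcp frontends: $(tcp_frontends "$d/haproxy.cfg")"
    cat "$d/candidate.cfg"
    # Next step on a real host: haproxy -c -f "$d/candidate.cfg"
    rm -rf "$d"
}
demo
```

Check the candidate file with haproxy -c -f before copying it over /etc/haproxy/haproxy.cfg, and remove the inserted lines by hand from any frontend that tcp_frontends reports.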

Upgrading

To upgrade the HAProxy SPOE module:

  1. Download and install the latest version of the module.
  2. Configure the HAProxy module.
  3. Restart HAProxy for the new module version to be detected.