HAProxy Module Install

Requirements

• HAProxy 1.7 or higher
• Lua module enabled on host
• Signal Sciences agent installed for your OS

Note: The HAProxy module can be used with any OS because it is Lua code.

Installation

Follow these steps to install the HAProxy module.

Configure the agent

Note: This section may not be required for your installation. If you have set HAProxy’s chroot directory, you will need to modify the commands below to reflect your custom chroot directory by following the instructions in this section.

If your HAProxy configuration has been modified to set a chroot directory for HAProxy, you will need to update your Signal Sciences agent configuration to reflect this. The default location of the agent socket file (/var/run/sigsci.sock) will be inaccessible to the HAProxy module outside of your specified chroot directory.

1. Create the directory structure for the Unix domain socket by running the following command, replacing HAPROXY-CHROOT-DIRECTORY with your HAProxy chroot directory:

   sudo mkdir -p /HAPROXY-CHROOT-DIRECTORY/var/run/
   

2. Add the following line to your agent configuration file (located by default at /etc/sigsci/agent.conf) to specify the new socket file location under chroot:

   rpc-address="unix:/haproxy-chroot-directory/var/run/sigsci.sock"
   

Module installation

Install the HAProxy module using a package manager or manually.

Install with Package Manager

The HAProxy module can be installed via the package manager of most major OS versions:

• Alpine: sudo apk add sigsci-module-haproxy
• CentOS: sudo yum install sigsci-module-haproxy
• Debian: sudo apt-get install sigsci-module-haproxy
• Ubuntu: sudo apt-get install sigsci-module-haproxy

Install manually

Alternatively, the HAProxy module can be manually installed.

1. Download the latest version of the HAProxy module.

   wget https://dl.signalsciences.net/sigsci-module-haproxy/sigsci-module-haproxy_latest.tar.gz
   

2. Create the directory the HAProxy module will be moved to.

   sudo mkdir -p /usr/local/lib/lua/5.3/sigsci/
   

3. Extract the HAProxy archive to the new directory.

   tar xvzf sigsci-module-haproxy_latest.tar.gz -C /usr/local/lib/lua/5.3/sigsci/
   

HAProxy configuration changes

After installing the HAProxy module, edit your HAProxy configuration file (located by default at /etc/haproxy/haproxy.cfg) to add the following lines:

global
    ...
    #Signal Sciences
    lua-load /usr/local/lib/lua/5.3/sigsci/SignalSciences.lua
    pidfile /var/run/haproxy.pid
    ...

frontend http-in
    ...
    #Signal Sciences
    #Required for buffering request body to ensure inspection is performed
    #Can also be set in the "defaults" section
    option http-buffer-request

    #Signal Sciences
    http-request lua.sigsci_prerequest
    http-response lua.sigsci_postrequest
    ...

HAProxy 1.9+

If you are running HAProxy 1.9 or higher, in addition to the HAProxy configuration file edits above, you will also need to add the following line to the frontend http-in context:

    ...
    # for haproxy-1.9 and above add the following:
    http-request use-service lua.sigsci_send_block if { var(txn.sigsci_block) -m bool }
    ...

Configuration

Configuration changes are typically not required for the HAProxy module to work. However, it is possible to override the default settings if needed. To do so, you must create an override.lua file in which to add these configuration directives. Then, update the global section of your HAProxy config file (/usr/local/etc/haproxy/haproxy.cfg) to load this over-ride config file.

Example of configuration

global
   ...
   lua-load /path/to/override.lua
   ...

Over-ride Directives

These directives may be used in your over-ride config file.

Example of over-ride configuration

sigsci.agenthost = "192.0.2.243"
sigsci.agentport = 9090
sigsci.extra_blocking_resp_hdr = "Access-Control-Allow-Origin: https://example.com"

Upgrading

To upgrade the HAProxy module, download and install the latest version of the module.

After installing, restart HAProxy for the new module version to be detected.