HAProxy module install
Last updated 2023-03-29
Requirements
- HAProxy 1.7 or higher
- Lua module enabled on host
- Next-Gen WAF agent
NOTE
The HAProxy module can be used with any operating system because it is Lua code.
Installation
Follow these steps to install the HAProxy module.
Configure the agent
NOTE
This section may not be required for your installation. If you have set HAProxy's chroot directory, you will need to modify the commands below to reflect your custom chroot directory by following the instructions in this section.
If your HAProxy configuration has been modified to set a chroot directory for HAProxy, you will need to update your Next-Gen WAF agent configuration to reflect this. The default location of the agent socket file (/var/run/sigsci.sock) will be inaccessible to the HAProxy module outside of your specified chroot directory.
Create the directory structure for the Unix domain socket by running the following command, replacing
HAPROXY-CHROOT-DIRECTORYwith your HAProxy chroot directory:$ sudo mkdir -p /HAPROXY-CHROOT-DIRECTORY/var/run/Add the following line to your agent configuration file (located by default at
/etc/sigsci/agent.conf) to specify the new socket file location under chroot:rpc-address="unix:/haproxy-chroot-directory/var/run/sigsci.sock"
Module installation
Install the HAProxy module using a package manager or manually.
Install with Package Manager
The HAProxy module can be installed via the package manager of most major operating system versions:
- Alpine:
sudo apk add sigsci-module-haproxy - CentOS:
sudo yum install sigsci-module-haproxy - Debian:
sudo apt-get install sigsci-module-haproxy - Ubuntu:
sudo apt-get install sigsci-module-haproxy
Install manually
Alternatively, the HAProxy module can be manually installed.
Download the latest version of the HAProxy module.
$ wget https://dl.signalsciences.net/sigsci-module-haproxy/sigsci-module-haproxy_latest.tar.gzCreate the directory the HAProxy module will be moved to.
$ sudo mkdir -p /usr/local/lib/lua/5.3/sigsci/Extract the HAProxy archive to the new directory.
$ tar xvzf sigsci-module-haproxy_latest.tar.gz -C /usr/local/lib/lua/5.3/sigsci/
HAProxy configuration changes
After installing the HAProxy module, edit your HAProxy configuration file (located by default at /etc/haproxy/haproxy.cfg) to add the following lines:
1global2 ...3 #Signal Sciences4 lua-load /usr/local/lib/lua/5.3/sigsci/SignalSciences.lua5 pidfile /var/run/haproxy.pid6 ...7
8frontend http-in9 ...10 #Signal Sciences11 #Required for buffering request body to ensure inspection is performed12 #Can also be set in the defaults section13 option http-buffer-request14
15 #Signal Sciences16 http-request lua.sigsci_prerequest17 http-response lua.sigsci_postrequest18 ...HAProxy 1.9+
If you are running HAProxy 1.9 or higher, in addition to the HAProxy configuration file edits above, you will also need to add the following line to the frontend http-in context:
1...2 # for haproxy-1.9 and above add the following:3 http-request use-service lua.sigsci_send_block if { var(txn.sigsci_block) -m bool }4 ...Configuration
Configuration changes are typically not required for the HAProxy module to work. However, it is possible to override the default settings if needed. To do so, you must create an override.lua file in which to add these configuration directives. Then, update the global section of your HAProxy config file (/usr/local/etc/haproxy/haproxy.cfg) to load this over-ride config file.
Example of configuration
1global2 ...3 lua-load /path/to/override.lua4 ...Over-ride Directives
These directives may be used in your override config file.
| Name | Description |
|---|---|
sigsci.agenthost | The IP address or path to unix domain socket the SignalSciences Agent is listening on, default: /var/run/sigsci.sock (unix domain socket). |
sigsci.agentport | The local port (when using TCP) that the agent listens on, default: nil |
sigsci.timeout | Agent socket timeout (in seconds), default: 1 (0 means off). |
sigsci.maxpost | Maximum POST body size in bytes, default: 100000 |
sigsci.extra\_blocking\_resp\_hdr | User may supply a response header to be added upon 406 responses, default: "" |
Example of over-ride configuration
1sigsci.agenthost = "192.0.2.243"2sigsci.agentport = 90903sigsci.extra_blocking_resp_hdr = "Access-Control-Allow-Origin: https://example.com"Upgrading
To upgrade the HAProxy module, download and install the latest version of the module.
After installing, restart HAProxy for the new module version to be detected.
Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
