search close

HAProxy SPOE Module Install

access_time Updated Oct 5, 2022

Stream Processing Offload Engine (SPOE) enables HAProxy to send traffic to external programs for out-of-band processing. The HAProxy SPOE Module communicates with the Signal Sciences agent via SPOE, enabling the module to block requests using HAProxy Access Control Lists (ACLs) based on the agent response.

Requirements

Installation

Download via package manager

The HAProxy SPOE module can be installed via the package manager of most major OS versions:

OS Command
Alpine
sudo apk add sigsci-module-haproxy
CentOS
sudo yum install sigsci-module-haproxy
Debian
sudo apt-get install sigsci-module-haproxy
Ubuntu
sudo apt-get install sigsci-module-haproxy

Configure the agent

Add the following line to your agent configuration file (located by default at /etc/sigsci/agent.conf) to enable HAProxy SPOE support:

haproxy-spoa-enabled=true

Chroot directory configuration

Note: This section may not be required for your installation. If you have set HAProxy’s chroot directory, you will need to modify the commands below to reflect your custom chroot directory by following the instructions in this section.

If your HAProxy configuration has been modified to set a chroot directory for HAProxy, you will need to update your Signal Sciences agent configuration to reflect this. The default location of the agent socket file (/var/run/sigsci.sock) will be inaccessible to the HAProxy module outside of your specified chroot directory.

  1. Create the directory structure for the Unix domain socket by running the following command, replacing HAPROXY-CHROOT-DIRECTORY with your HAProxy chroot directory:

    sudo mkdir -p /HAPROXY-CHROOT-DIRECTORY/var/run/
  2. Add the following line to your agent configuration file (located by default at /etc/sigsci/agent.conf) to specify the new socket file location under chroot:

    rpc-address="unix:/haproxy-chroot-directory/var/run/sigsci.sock"

Configure HAProxy

Add SPOA backend

Append the content of /opt/signalsciences/haproxy-spoe/backend.txt to your HAProxy configuration file:

sed "-i.`date +%F`" -e '$/opt/signalsciences/haproxy-spoe/backend.txt' /etc/haproxy/haproxy.cfg

Update frontend section

Copy the content of /opt/signalsciences/haproxy-spoe/frontend-2.2.txt to each HTTP frontend section of your HAProxy configuration file:

sed -i -e '/frontend/r/opt/signalsciences/haproxy-spoe/frontend-2.2.txt' /etc/haproxy/haproxy.cfg

Copy the content of /opt/signalsciences/haproxy-spoe/frontend-1.8.txt to each HTTP frontend section of your HAProxy configuration file:

sed -i -e '/frontend/r/opt/signalsciences/haproxy-spoe/frontend-1.8.txt' /etc/haproxy/haproxy.cfg

Upgrading

To upgrade the HAProxy SPOE module:

  1. Download and install the latest version of the module.

  2. Configure the HAProxy module.

  3. Restart HAProxy for the new module version to be detected.