description: Block or rate limit untrusted requests to a web application
last change: Fri, 14 Mar 2025 18:03:22 +0000
URL: http://mivirldevekbr6wvubebfbxbzhxnqdv2z6ehnojgv63qsgnukfiix4yd.onion/git/web-application-firewall.git
URL: https://mivirl.dev/git/web-application-firewall.git
Firewall implemented with HaProxy, Haproxy-JA4, and ModSecurity.
Proxies incoming requests and allows or blocks connections to the protected service using the following information:
When a request is blocked, a custom page will be displayed. The default will return a page with a random GIF from a small set downloaded during the build process (see video_scripts/get_videos.sh).
All services used are sandboxed using systemd to limit access to just the files, binaries, and libraries needed to run them.
Should be run on a Linux machine; currently only works with Debian-based distributions:
sh build.sh
Copy the produced dist.tar to the machine you want to run it on, extract it, make any config changes, then run dist/install.sh.
The default configuration assumes the protected service is listening on port 2222. This can be changed by editing dist/haproxy/haproxy.cfg and changing the IP in the backend backend_normal section.
tar -xf dist.tar
cd dist
sudo sh ./install.sh
After install, the firewall can be started and stopped using waf.service:
systemctl start waf.service
systemctl status waf*.service
systemctl stop waf.service
Enabling or disabling requires specifying all services:
systemctl enable waf.service waf_haproxy.service waf_modsecurity.service waf_darkhttpd.service
systemctl disable waf.service waf_haproxy.service waf_modsecurity.service waf_darkhttpd.service
Relevant files for configuration:
dist/haproxy/haproxy.cfg - Configuration for haproxy, including what ports it binds to.
dist/waf_haproxy.service - Systemd service for haproxy; must be edited to add any new files to the sandbox or change what ports it's allowed to bind to.
dist/darkhttpd/srv - Directory of static files that will be served when the client is blocked. Default is a page with a random GIF (see video_scripts/get_videos.sh).
dist/modsecurity/modsecurity.conf, dist/modsecurity/rules - Rules used for ModSecurity detections. Can be configured to reduce false positives.
Map files are key-value pairs separated by a space. These are used to match against for allow and block rules. Currently allow rules override block rules, but this can be configured in dist/haproxy/haproxy.cfg. Documentation for map files can be found in the Haproxy documentation.
dist/haproxy/ja4_accept.map - JA4 hashes to always allow access for
dist/haproxy/ja4_block.map - JA4 hashes to always deny access for
dist/haproxy/ip_block.map - IP addresses to always allow access for
dist/haproxy/ip_accept.map - IP addresses to always deny access for
Once installed to /opt/waf_configs, it's still possible to edit files, including while the services are running. If configuration files or allow/blocklists are edited while the service is running, the inode of the files must not change. This can be handled by setting :set backupcopy=yes in vim, for example, or by overwriting with cat tempfile > config. Once the files have been changed, they need to be added to the systemd sandbox with systemctl bind and the service should be reloaded.
Adding a JA4 hash to the blocklist without stopping services:
echo 't13d1516h2_8daaf6152771_02713d6af862 block_rule_name' \
| sudo tee -a /opt/waf_configs/haproxy/ja4_block.map
sudo systemctl bind waf_haproxy.service /opt/waf_configs/haproxy/ja4_block.map /etc/haproxy/ja4_block.map
sudo systemctl reload waf_haproxy.service
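Because a malformed line in a map file only shows up when haproxy reloads, it is worth checking an entry before appending it as above. The following is an added example, not code from this repository: it parses map text in the "key value" form described above, flags keys that are not a plausible JA4 string or IP/CIDR, and evaluates the stated default precedence (allow overrides block). The JA4 regex is an approximation I assume here, and the sample map contents are constructed.

```python
import ipaddress
import re

# Approximate JA4 layout (an assumption, not taken from the page):
# <proto><tlsver><sni><ncipher><next><alpn>_<12 hex>_<12 hex>
JA4_RE = re.compile(r"^[tqd][0-9a-z]{2}[di]\d{4}[0-9a-z]{2}_[0-9a-f]{12}_[0-9a-f]{12}$")

def parse_map(text):
    """Parse HAProxy map text: one 'key value' pair per line; '#' comments and blank lines ignored."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'key value', got {raw!r}")
        entries[parts[0]] = parts[1]
    return entries

def bad_keys(entries, kind):
    """Return keys that are not a well-formed JA4 string (kind='ja4') or IP/CIDR (kind='ip')."""
    bad = []
    for key in entries:
        if kind == "ja4":
            ok = JA4_RE.match(key) is not None
        else:
            try:
                ipaddress.ip_network(key, strict=False)
                ok = True
            except ValueError:
                ok = False
        if not ok:
            bad.append(key)
    return bad

def lookup(entries, key, kind):
    """Exact match for JA4 keys; containment match for IP keys so CIDR entries work."""
    if kind == "ja4":
        return entries.get(key)
    addr = ipaddress.ip_address(key)
    for k, v in entries.items():
        if addr in ipaddress.ip_network(k, strict=False):
            return v
    return None

def decide(key, kind, accept_map, block_map):
    """Default precedence from the README: an accept entry wins over a block entry."""
    hit = lookup(accept_map, key, kind)
    if hit:
        return ("allow", hit)
    hit = lookup(block_map, key, kind)
    return ("block", hit) if hit else ("pass", None)

# Constructed sample map contents (not from the repository).
JA4_BLOCK = "t13d1516h2_8daaf6152771_02713d6af862 block_rule_name\n"
JA4_ACCEPT = "t13d1516h2_8daaf6152771_02713d6af862 partner_scanner  # allow wins\n"
```

Run bad_keys() on the new map text before tee'ing it into /opt/waf_configs, and decide() to confirm an entry has the effect you expect given existing accept entries.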
systemctl stop waf.service
systemctl disable waf.service waf_haproxy.service waf_modsecurity.service waf_darkhttpd.service
rm -r /opt/waf_configs
userdel waf_user
2025-03-14 mivirl: Add example allowed host (master)
2025-03-14 mivirl: Remove conflicting NoExecPaths and ExecPaths settings
2025-03-14 mivirl: Fix comparison in generated install.sh
2025-03-14 mivirl: Add link to Haproxy-JA4 in README.md
2025-01-20 mivirl: Initial commit