Git - web-application-firewall.git/summary
 
description: Block or rate limit untrusted requests to a web application
last change: Fri, 14 Mar 2025 18:03:22 +0000 (18:03 +0000)
readme

Web Application Firewall

A reverse-proxy firewall built from HAProxy, Haproxy-JA4, and ModSecurity.

Proxies incoming requests and allows or blocks connections to the protected service using the following information:

When a request is blocked, a custom page will be displayed. The default will return a page with a random GIF from a small set downloaded during the build process (see video_scripts/get_videos.sh).

All services used are sandboxed using systemd to limit access to just the files, binaries, and libraries needed to run them.

Building and installing

Build on a Linux machine; currently only Debian-based distributions are supported:

sh build.sh

Copy the produced dist.tar to the machine you want to run it on, extract, make any config changes, then run dist/install.sh.

The default configuration assumes the protected service is listening on port 2222. To change this, edit dist/haproxy/haproxy.cfg and adjust the server address (and port if needed) in the backend backend_normal section.

tar -xf dist.tar
cd dist
sudo sh ./install.sh

Usage

After install, the firewall can be started and stopped using waf.service:

systemctl start waf.service
systemctl status waf*.service
systemctl stop waf.service

Enabling or disabling requires specifying all services:

systemctl enable waf.service waf_haproxy.service waf_modsecurity.service waf_darkhttpd.service
systemctl disable waf.service waf_haproxy.service waf_modsecurity.service waf_darkhttpd.service

Configuration

Relevant files for configuration:

Map files contain one key-value pair per line, key and value separated by a single space. They are the lookup tables the allow and block rules match against. Currently allow rules take precedence over block rules (an entry in an allow map wins even if the same key is in a block map); this ordering can be changed in dist/haproxy/haproxy.cfg. Documentation for map files can be found in the HAProxy documentation.

Configuring after installation

Once installed to /opt/waf_configs, the files can still be edited, including while the services are running. If configuration files or allow/blocklists are edited while a service is running, the inode of each file must not change: the systemd sandbox bind-mounts the file into the service, and a bind mount follows the inode, so an editor that writes a new file and renames it over the old one leaves the running service reading the stale copy. Edit in place instead, for example by setting :set backupcopy=yes in vim, or by overwriting with cat tempfile > config. Files added after installation must also be bound into the systemd sandbox with systemctl bind (available since systemd 248), and the service then has to be reloaded to pick up the change.

Adding a JA4 hash to the blocklist without stopping services:

echo 't13d1516h2_8daaf6152771_02713d6af862 block_rule_name' \
    | sudo tee -a /opt/waf_configs/haproxy/ja4_block.map
sudo systemctl bind waf_haproxy.service /opt/waf_configs/haproxy/ja4_block.map /etc/haproxy/ja4_block.map
sudo systemctl reload waf_haproxy.service
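The following is an added example, not part of this project: a small set of POSIX shell helpers that edit a map file under the constraints described above (one "key value" pair per line, inode preserved) and verify them. Path names and the second JA4 value are constructed for the demo; the script never touches /opt/waf_configs itself. Run it, then follow with the systemctl bind and reload steps shown for the real files.

```shell
#!/bin/sh
# Added example (not the project's own code): in-place editing of an
# HAProxy map file so the inode is preserved. The sandbox bind mount
# follows the inode, so a write-new-file-then-rename edit would leave
# the running service reading the old contents.
set -eu

# Inode of a file (POSIX ls -i; first field).
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Validate format: every non-blank, non-comment line must be exactly
# "key value". Prints the first bad line and returns 1 on failure.
map_check() {
    awk '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }
        NF != 2 { print "bad map line " NR ": " $0; exit 1 }
    ' "$1"
}

# Append "key value" with >> (the file is not replaced, so the inode is
# kept). Refuses duplicate keys so a second entry cannot shadow the first.
map_add() {
    map=$1; key=$2; val=$3
    if awk -v k="$key" '$1 == k { found = 1 } END { exit found ? 0 : 1 }' "$map"; then
        echo "key already present: $key" >&2
        return 1
    fi
    printf '%s %s\n' "$key" "$val" >> "$map"
}

# Replace the whole map from a temp file while keeping the inode:
# validate the new content, then overwrite with cat (truncate + rewrite
# of the same inode) and confirm the inode did not change.
map_replace() {
    map=$1; newfile=$2
    map_check "$newfile"
    before=$(inode_of "$map")
    cat "$newfile" > "$map"
    [ "$(inode_of "$map")" = "$before" ]
}

# Remove a key: filter into a temp file, then map_replace it back.
map_del() {
    map=$1; key=$2
    tmp=$(mktemp)
    awk -v k="$key" '$1 != k' "$map" > "$tmp"
    map_replace "$map" "$tmp"
    rm -f "$tmp"
}

# Demo on a constructed map in a temp dir. The all-zero JA4 string is a
# placeholder, not a real fingerprint.
demo_dir=$(mktemp -d)
demo_map=$demo_dir/ja4_block.map
printf '%s\n' '# constructed sample map' \
    't13d1516h2_8daaf6152771_02713d6af862 scanner_a' > "$demo_map"
map_add "$demo_map" 't13d0000h2_000000000000_000000000000' scanner_b
map_del "$demo_map" 't13d1516h2_8daaf6152771_02713d6af862'
map_check "$demo_map" && echo "map ok: $demo_map"
```

After editing the real file with these helpers, the existing bind-mount and reload steps (systemctl bind followed by systemctl reload waf_haproxy.service) still apply; the helpers only guarantee that the file HAProxy reads after the reload is the one you changed.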

Uninstalling

systemctl stop waf.service
systemctl disable waf.service waf_haproxy.service waf_modsecurity.service waf_darkhttpd.service
rm -r /opt/waf_configs
userdel waf_user
shortlog
2025-03-14  mivirl  Add example allowed host  master
2025-03-14  mivirl  Remove conflicting NoExecPaths and ExecPaths settings
2025-03-14  mivirl  Fix comparison in generated install.sh
2025-03-14  mivirl  Add link to Haproxy-JA4 in README.md
2025-01-20  mivirl  Initial commit
heads
3 months ago  master