diff --git a/ExampleWAF.md b/ExampleWAF.md
index 26dd282..425d588 100644
--- a/ExampleWAF.md
+++ b/ExampleWAF.md
@@ -12,7 +12,9 @@ NOTE: The feature-set this role provides does not come lose to the one [availabl
 haproxy:
 waf:
 script_kiddy:
- excludes: ['.zip'] # exclude specific entries from the script-kiddy filters
+ disable: ['.zip'] # disable specific entries from the script-kiddy filters
+ exclude: # exclude by path sub-string (at runtime)
+ - '.well_known/'
 frontends:
 fe_web:
diff --git a/defaults/main/0_hardcoded.yml b/defaults/main/0_hardcoded.yml
index d8c213d..e167856 100644
--- a/defaults/main/0_hardcoded.yml
+++ b/defaults/main/0_hardcoded.yml
@@ -33,6 +33,7 @@ HAPROXY_HC:
 script_kiddy_beg: 'waf-script-kiddy-path-beg.lst'
 script_kiddy_end: 'waf-script-kiddy-path-end.lst'
 script_kiddy_sub: 'waf-script-kiddy-path-sub.lst'
+ script_kiddy_exc: 'waf-script-kiddy-excludes.lst'
 crawler_full: 'waf-crawler-ua-full.lst'
 crawler_sub: 'waf-crawler-ua-sub.lst'
 bot_sub: 'waf-bot-ua-sub.lst'
diff --git a/defaults/main/2_waf.yml b/defaults/main/2_waf.yml
index 756fa64..6e7fe21 100644
--- a/defaults/main/2_waf.yml
+++ b/defaults/main/2_waf.yml
@@ -3,7 +3,7 @@ defaults_waf:
 # NOTE: the block-code is very limited if you want to use an errorfile!
 # see: https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#http-request%20return
- block_code: 425
+ block_code: 400
 block_errorfile: true
 # todo: search parameters and body of http requests for SQLi/Path-Traversal/XSS/...
@@ -138,7 +138,10 @@ defaults_waf:
 - 'github-camo'
 script_kiddy:
- excludes: [] # user-defined excludes
+ disable: [] # matches that should not be blocked (user-defined); checked at templating stage
+
+ exclude: # sub-string safelist to be excluded (user-defined); checked at runtime
+ - '.well-known/acme-challenge'
 path_beg:
 - '/cgi-bin/'
diff --git a/tasks/debian/config.yml b/tasks/debian/config.yml
index 7121519..90243ca 100644
--- a/tasks/debian/config.yml
+++ b/tasks/debian/config.yml
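Review bot: The comment on the new `exclude` key does not say what a match does, and a reader of defaults/main/2_waf.yml cannot tell that this list feeds the `script_kiddy_excluded` ACL in security.j2, which skips all three script-kiddy deny rules for the matching request. Suggested wording: `# path fragments that exempt a request from ALL script-kiddy checks (user-defined); matched case-insensitively at runtime`. ExampleWAF.md in this same commit spells the entry `.well_known/` (underscore), which does not match the ACME challenge path `/.well-known/acme-challenge/` defined by RFC 8555 and so would exempt nothing; the example should use the hyphenated form shown in this default.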
@@ -12,6 +12,7 @@
 - '{{ HAPROXY_HC.file.lst.script_kiddy_beg }}'
 - '{{ HAPROXY_HC.file.lst.script_kiddy_end }}'
 - "{{ HAPROXY_HC.file.lst.script_kiddy_sub }}"
+ - "{{ HAPROXY_HC.file.lst.script_kiddy_exc }}"
 - "{{ HAPROXY_HC.file.lst.crawler_full }}"
 - "{{ HAPROXY_HC.file.lst.crawler_sub }}"
 - "{{ HAPROXY_HC.file.lst.bot_sub }}"
diff --git a/templates/etc/haproxy/conf.d/inc/security.j2 b/templates/etc/haproxy/conf.d/inc/security.j2
index cfa859f..3fc3af2 100644
--- a/templates/etc/haproxy/conf.d/inc/security.j2
+++ b/templates/etc/haproxy/conf.d/inc/security.j2
@@ -62,7 +62,8 @@
 {% endif %}
 {% if cnf.security.block_script_kiddies | bool %}
 # block script-kiddy requests
- http-request deny status {{ HAPROXY_WAF.block_code }} {{ BLOCK_ERRORFILE }} if { path -m beg -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_beg }} }
- http-request deny status {{ HAPROXY_WAF.block_code }} {{ BLOCK_ERRORFILE }} if { path -m end -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_end }} }
- http-request deny status {{ HAPROXY_WAF.block_code }} {{ BLOCK_ERRORFILE }} if { path -m sub -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_sub }} }
+ acl script_kiddy_excluded path -m sub -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_exc }}
+ http-request deny status {{ HAPROXY_WAF.block_code }} {{ BLOCK_ERRORFILE }} if !script_kiddy_excluded { path -m beg -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_beg }} }
+ http-request deny status {{ HAPROXY_WAF.block_code }} {{ BLOCK_ERRORFILE }} if !script_kiddy_excluded { path -m end -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_end }} }
+ http-request deny status {{ HAPROXY_WAF.block_code }} {{ BLOCK_ERRORFILE }} if !script_kiddy_excluded { path -m sub -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_sub }} }
 {% endif %}
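Review bot: `acl script_kiddy_excluded path -m sub -i -f …` makes the safelist a substring match at any position in the path, and all three deny rules below are gated on `!script_kiddy_excluded`, so any request whose path merely contains a safelisted fragment (with the shipped default, `.well-known/acme-challenge`) is exempt from every script-kiddy check rather than only the ACME endpoint being exempt. Anchor the safelist at the start of the path instead — `acl script_kiddy_excluded path -m beg -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_exc }}` — and write the default in defaults/main/2_waf.yml as `/.well-known/acme-challenge/`; if a substring mode is genuinely wanted, give it a separate, explicitly named list so the weaker semantics are visible in the config. Since `path` is compared as sent by the client, an `http-request normalize-uri` step (HAProxy 2.4+) ahead of these rules would additionally make the safelist and the block lists see the same canonical path.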
diff --git a/templates/etc/haproxy/lst/waf-script-kiddy-excludes.lst.j2 b/templates/etc/haproxy/lst/waf-script-kiddy-excludes.lst.j2
new file mode 100644
index 0000000..a6f93b7
--- /dev/null
+++ b/templates/etc/haproxy/lst/waf-script-kiddy-excludes.lst.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+{% for path in HAPROXY_WAF.script_kiddy.exclude %}
+{{ path | lower }}
+{% endfor %}
+
diff --git a/templates/etc/haproxy/lst/waf-script-kiddy-path-beg.lst.j2 b/templates/etc/haproxy/lst/waf-script-kiddy-path-beg.lst.j2
index 51c6075..c4680b6 100644
--- a/templates/etc/haproxy/lst/waf-script-kiddy-path-beg.lst.j2
+++ b/templates/etc/haproxy/lst/waf-script-kiddy-path-beg.lst.j2
@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
 {% for path in HAPROXY_WAF.script_kiddy.path_beg %}
-{% if path not in HAPROXY_WAF.script_kiddy.excludes %}
+{% if path not in HAPROXY_WAF.script_kiddy.disable %}
 {{ path | lower }}
 {% endif %}
 {% endfor %}
diff --git a/templates/etc/haproxy/lst/waf-script-kiddy-path-end.lst.j2 b/templates/etc/haproxy/lst/waf-script-kiddy-path-end.lst.j2
index 7abd9da..f766269 100644
--- a/templates/etc/haproxy/lst/waf-script-kiddy-path-end.lst.j2
+++ b/templates/etc/haproxy/lst/waf-script-kiddy-path-end.lst.j2
@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
 {% for path in HAPROXY_WAF.script_kiddy.path_end %}
-{% if path not in HAPROXY_WAF.script_kiddy.excludes %}
+{% if path not in HAPROXY_WAF.script_kiddy.disable %}
 {{ path | lower }}
 {% endif %}
 {% endfor %}
diff --git a/templates/etc/haproxy/lst/waf-script-kiddy-path-sub.lst.j2 b/templates/etc/haproxy/lst/waf-script-kiddy-path-sub.lst.j2
index dfe2b19..c06963b 100644
--- a/templates/etc/haproxy/lst/waf-script-kiddy-path-sub.lst.j2
+++ b/templates/etc/haproxy/lst/waf-script-kiddy-path-sub.lst.j2
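Review bot: The new template copies every `exclude` entry into the pattern file unchanged, so a very short fragment such as `/` (an easy slip in a safelist) yields a `path -m sub` pattern that matches every request and switches off all three script-kiddy rules in security.j2 without any error at deploy time. Skip such entries when templating — `{% if path | trim not in ['', '/'] %}` around the `{{ path | lower }}` line with a matching `{% endif %}` — or, better, reject them with an `ansible.builtin.assert` task so a bad safelist fails the play instead of being applied silently. Whether HAProxy ignores an empty line in a pattern file I could not confirm from the diff, so the guard should cover the empty entry as well.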
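Review bot: Renaming the key from `excludes` to `disable` in the `{% if path not in … %}` line is a silent breaking change for existing inventories: a host that still sets `script_kiddy.excludes` gets the default `disable: []`, and the entries it had switched off are enforced again on the next run with no warning; the path-end and path-sub hunks have the same problem. Keep the old key as a fallback for at least one release, e.g. `{% set disabled = HAPROXY_WAF.script_kiddy.disable + (HAPROXY_WAF.script_kiddy.excludes | default([])) %}` before the loop and `{% if path not in disabled %}` in place of the changed line, or add a task that fails when `excludes` is still defined and note the rename in the changelog. Whether the user's old key survives into `HAPROXY_WAF` depends on how the role merges its defaults, which is not visible in this diff.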
@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
 {% for path in HAPROXY_WAF.script_kiddy.path_sub %}
-{% if path not in HAPROXY_WAF.script_kiddy.excludes %}
+{% if path not in HAPROXY_WAF.script_kiddy.disable %}
 {{ path | lower }}
 {% endif %}
 {% endfor %}