Hi All
Well, this is not a bug, just a new requirement: I want to connect libmodsecurity to the haproxy community.
As we know, HAProxy has SPOE to offload the stream out of haproxy, and there is an SPOE for V2 ModSecurity.
Now, since ModSecurity has split its core out into libmodsecurity, which has much more functionality and is just static function calls with no network/protocols engaged, the performance should be much better than the SPOE.
So I'm requesting this connector; is anyone doing this?
And if I want to implement it, is there any guidance? I'm still new to this.
Thanks in advance.
Bali
@leibaogit,
That is a very welcome addition. We have a group of developers who are working on something similar. Instead of creating the connector in C, they use the golang ModSecurity library bindings to extend their haproxy.
In their case, they are building this ingress-security-agent.
They already have a working prototype that is showing exciting performance perspectives.
@rikatz can talk more about what they are doing.
We have this WhatsApp chat (soon to migrate to Slack) where we are actively discussing how to consume libModSecurity in good shape in such an environment.
They also pointed me to the issue haproxy/haproxy#1021.
No doubt the go-lang binding adds a little overhead in terms of processing, but it made the implementation quicker.
I am wondering if you guys can work together.
Hello @leibaogit
We've been discussing a way to provide modsecurity to be consumed by the Kubernetes Ingresses (mainly haproxy and nginx) in an independent way: instead of compiling nginx with all the modsecurity things, having a separate, scalable modsecurity container that can be the effective "judge" for those ingresses.
With this introduction, ISA (the project referenced by @zimmerle) is a Go program that now has two connectors: one SPOE (for HAProxy) and one OpenResty (for NGINX), and they can, for sure, be used independently of whether you're using HAProxy or NGINX as a Kubernetes ingress or not.
As @zimmerle said, there are some performance caveats because of Go/CGO, but we're working to make this as fast as possible and let the admin scale it as necessary :)
Let me know any other information I can provide so we can work together to make this possible. Also, I'm not against also having a pure C SPOE for Modsec v3; I'm just not doing it because I can't program in C :P
Thanks @rikatz @zimmerle for replying.
As discussed in this issue, it seems connecting directly to haproxy is not a good option, and as suggested, we still need the SPOE support, which can offload the analysis to a bigger cluster to unblock the highly efficient lb/gw.
And glad to know there's already discussion on this; I want to know whether the solution can work independently of haproxy. If so, that would help us a lot.
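For readers who want to see what the SPOE offload discussed above looks like on the haproxy side, here is an added configuration example; it is not from this thread, from the ISA project or from the HAProxy contrib code. It assumes the external ModSecurity agent (SPOA) listens on 127.0.0.1:12345, that it returns its verdict in a transaction variable named `code` under the `modsec` prefix, and that the app backend is on 127.0.0.1:9000; all addresses and paths are placeholders.

```haproxy
# haproxy.cfg (assumed layout; addresses and paths are example values)
frontend www
    bind *:8080
    mode http
    # The SPOA expects a unique id per request; any unique-id-format works
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    # Hand each request to the external ModSecurity agent over SPOE
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
    # Block when the agent set a status code (assumed variable: txn.modsec.code)
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
    # Fail closed when the agent was unreachable or exceeded its processing timeout
    http-request deny if { var(txn.modsec.error) -m int gt 0 }
    default_backend app

backend app
    mode http
    server app1 127.0.0.1:9000

backend spoe-modsecurity
    mode tcp
    # The SPOA (for example the Go agent described in the thread) listens here;
    # add more servers to scale the analysis out to a cluster
    server modsec1 127.0.0.1:12345

# /etc/haproxy/spoe-modsecurity.conf
[modsecurity]
spoe-agent modsecurity-agent
    messages check-request
    option var-prefix modsec
    # set txn.modsec.error to a non-zero value if the agent fails or times out
    option set-on-error error
    timeout hello      100ms
    timeout idle       30s
    timeout processing 15ms
    use-backend spoe-modsecurity

spoe-message check-request
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event on-frontend-http-request
```

The second deny rule is the part that is easy to forget: without `option set-on-error` and a rule on the resulting variable, an agent outage or a hit on `timeout processing` silently lets every request through. Whether to fail open or closed is a deployment decision; the example fails closed so that a scaled-down or crashed analysis cluster is visible as denied traffic rather than as a gap in inspection.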
@leibaogit @rikatz, since you guys are introduced, can I close this issue?
@leibaogit, you may want to share the project where we can find the progress on the implementation.
@zimmerle, very glad you introduced us. With this information we will try to leverage it, and if we have more questions on this we will open a new one, so now we can close this issue, thanks.
My pleasure :) :rocket: :rocket: