net/haproxy : using standard logging #4564

Open
cookiemonsteruk opened this issue Feb 26, 2025 · 1 comment
Labels
support Community support

Comments

@cookiemonsteruk

cookiemonsteruk commented Feb 26, 2025

What is my goal
I want crowdsec to parse the haproxy logs so that it can identify and block intrusion attempts.

Describe the solution you'd like
This might be more of a question, but I'll try using the Feature Request template.
I have haproxy set up following the guide on the OPN forum from user hellsite (link to be added).
I have also set up crowdsec on OPN according to their documentation to monitor haproxy logs. This means some passthroughs are added to haproxy, but none of them modify haproxy logging.

What is the problem?
The crowdsec haproxy parsers aren't identifying the intrusion attempts. They currently state that it could be because they have only tested the httplog type of haproxy logging, and at present they think the logs in OPN are not "standard". I am following this theory in parallel.

Describe alternatives you've considered
I've been reading the haproxy manual for community version 2.8.14-1 and compared with my config, I can only see standard statements i.e. tcplog, httplog. But when I look at the log file contents, I see some fields that I was not expecting.

What is the question then?
Are we using standard logging and how can we explain the entries, for example:
<134>1 2025-02-26T04:29:22+00:00 OPNsense.moomooland haproxy 27719 - [meta sequenceId="1486"] 4.227.36.95:49668 [26/Feb/2025:04:29:22.330] 1_HTTPS_frontend/192.168.5.100:443: SSL handshake failure (error:0A000412:SSL routines::sslv3 alert bad certificate)
I note the <134>1; according to the haproxy manual, the line should begin with the date:time.

Additional context
I am adding my haproxy config:

# Frontend: 0_SNI_frontend (listens on 853, 5000,443)
frontend 0_SNI_frontend
    bind 0.0.0.0:853 name 0.0.0.0:853 
    bind 0.0.0.0:5000 name 0.0.0.0:5000 
    bind 0.0.0.0:443 name 0.0.0.0:443 
    mode tcp
    default_backend SSL_backend

    # logging options
    option tcplog

# Frontend: 1_HTTP_frontend (listening on 192.168.5.100:80 i.e. http only)
frontend 1_HTTP_frontend
    bind 192.168.5.100:80 name 192.168.5.100:80 accept-proxy 
    mode http
    option http-keep-alive
    option forwardfor

    # logging options
    # ACL: NoSSL_Condition
    acl acl_619439805021f2.97978352 ssl_fc

    # ACTION: HTTPtoHTTPS_rule
    http-request redirect scheme https code 301 if !acl_619439805021f2.97978352

# Frontend: 1_TCP_frontend (Listening on 192.168.5.100:853)
frontend 1_TCP_frontend
    bind 192.168.5.100:853 name 192.168.5.100:853 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/61dc51606078d9.11258474.certlist 
    mode tcp
    default_backend nginx_backend-tcp
    timeout client 15m

    # logging options
    option tcplog

    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/619521e7265391.88020289.txt)] 

# Frontend (DISABLED): 2_HTTP_frontend (listening on 192.168.5.100:5000 i.e. http only)

# Frontend: 1_HTTPS_frontend (Listening on 192.168.5.100:5000)
frontend 1_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 192.168.5.100:5000 name 192.168.5.100:5000 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/648b26ac6f5421.99835538.certlist 
    bind 192.168.5.100:443 name 192.168.5.100:443 accept-proxy ssl curves secp384r1  no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384 ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/648b26ac6f5421.99835538.certlist 
    mode http
    option http-keep-alive

    # logging options
    option httplog

    # ACTION: PUBLIC_SUBDOMAINS_map-rule
    # NOTE: actions with no ACLs/conditions will always match
    use_backend %[req.hdr(host),lower,map_dom(/tmp/haproxy/mapfiles/619521e7265391.88020289.txt)] 
    # WARNING: pass through options below this line
    stick-table type ip size 10k expire 30m # declare a stick table to cache captcha verifications
    http-request lua.crowdsec_allow # action to identify crowdsec remediation
    http-request track-sc0 src if { var(req.remediation) -m str "captcha-allow" } # cache captcha allow decision 
    http-request redirect location %[var(req.redirect_uri)] if { var(req.remediation) -m str "captcha-allow" } # redirect to initial url
    http-request use-service lua.reply_captcha if { var(req.remediation) -m str "captcha" } # serve captcha template if remediation is captcha
    http-request use-service lua.reply_ban if { var(req.remediation) -m str "ban" } # serve ban template if remediation is ban
    

# Backend: SSL_backend ()
backend SSL_backend
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    server SSL_server 192.168.5.100 send-proxy-v2 check-send-proxy

# Backend: nginx_backend-tcp ()
backend nginx_backend-tcp
    # health checking is DISABLED
    mode tcp
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    server nginx_2 192.168.5.1:8054 resolve-prefer ipv4 send-proxy check-send-proxy

# Backend: bastion_backend (bastion_backend)
backend bastion_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    option forwardfor
    server bastion-1 192.168.5.157:5000 

# Backend: smokeping_backend (smokeping_backend)
backend smokeping_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    option forwardfor
    server bastion-1-smokeping 192.168.5.157:80 

# Backend: nextcloud_backend (nextcloud_backend)
backend nextcloud_backend
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # WARNING: pass through options below this line
    #acl url_discovery path /.well-known/caldav /.well-known/carddav
    #http-request redirect location /remote.php/dav/ code 301 if url_discovery
    
    acl caldav-endpoint path_beg /.well-known/caldav                                                   
    http-request set-path /remote.php/dav if caldav-endpoint
    
    acl carddav-endpoint path_beg /.well-known/carddav      
    http-request set-path /remote.php/dav if carddav-endpoint
    http-reuse safe
    option forwardfor
    server nextcloud 192.168.5.158:80 

# Backend: crowdsec (crowdsec backend needed for lua)
backend crowdsec
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server crowdsec 192.168.5.1:8081 

# Backend: captcha_verifier (captcha_verifier)
backend captcha_verifier
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    http-reuse safe
    server turnstile_verifier challenges.cloudflare.com:443 



# statistics are DISABLED

Thanks.

@fraenki fraenki added the support Community support label Feb 27, 2025
@fraenki
Member

fraenki commented Feb 27, 2025

how can we explain the entries

The additional log fields are added by syslog-ng, the log system used by OPNsense.
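To make fraenki's point concrete, here is an added example (not code from the OPNsense plugin, HAProxy or CrowdSec): a small Python parser that peels off the RFC 5424 envelope syslog-ng prepends (<PRI>VERSION TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA) and then matches what is left against HAProxy's own httplog, tcplog and error-log formats as documented in the manual. Run over the line quoted in the issue, it shows that "<134>1 ... [meta sequenceId="1486"]" is the syslog envelope (PRI 134 = facility 16, local0, severity 6, info) and that the remainder is a standard HAProxy error-log line, where "192.168.5.100:443" after the slash is the bind name from the config's "bind ... name 192.168.5.100:443" line. The httplog and tcplog lines in the sample are constructed for this example (HAProxy suffixes the frontend name with "~" for connections accepted over SSL), as is the check for a line with no envelope at all.

```python
"""Split syslog-ng's RFC 5424 envelope from HAProxy's own log formats.

Added example; not code from the OPNsense plugin, HAProxy or CrowdSec.
"""
import re

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)

# HAProxy "option httplog" (manual 8.2.3); the {...} header captures only appear
# when "capture request/response header" is configured, so they are optional.
HAPROXY_HTTP = re.compile(
    r"^(?P<client_ip>\S+?):(?P<client_port>\d+) \[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/ ]+)/(?P<server>\S+) "
    r"(?P<timers>-?\d+/-?\d+/-?\d+/-?\d+/-?\d+) (?P<status>-?\d+) (?P<bytes>\d+) "
    r"(?P<req_cookie>\S+) (?P<res_cookie>\S+) (?P<term_state>\S{4}) "
    r"(?P<conns>\d+/\d+/\d+/\d+/\d+) (?P<queues>\d+/\d+) "
    r"(?:\{(?P<req_hdrs>[^}]*)\} )?(?:\{(?P<res_hdrs>[^}]*)\} )?\"(?P<request>.*)\"$"
)

# HAProxy "option tcplog" (manual 8.2.2).
HAPROXY_TCP = re.compile(
    r"^(?P<client_ip>\S+?):(?P<client_port>\d+) \[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/ ]+)/(?P<server>\S+) "
    r"(?P<timers>-?\d+/-?\d+/-?\d+) (?P<bytes>\d+) (?P<term_state>\S{2}) "
    r"(?P<conns>\d+/\d+/\d+/\d+/\d+) (?P<queues>\d+/\d+)$"
)

# HAProxy error log (manual 8.2.5): client_ip:port [accept_date] frontend/bind_name: message
# bind_name is the "name" argument of the bind line, so it may itself contain ':'.
HAPROXY_ERROR = re.compile(
    r"^(?P<client_ip>\S+?):(?P<client_port>\d+) \[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>[^/ ]+)/(?P<bind_name>.+?): (?P<message>.*)$"
)

FORMATS = (("http", HAPROXY_HTTP), ("tcp", HAPROXY_TCP), ("error", HAPROXY_ERROR))


def split_syslog(line):
    """Return (envelope dict or None, payload). Lines without an envelope pass through."""
    m = RFC5424.match(line)
    if not m:
        return None, line
    pri = int(m.group("pri"))
    env = m.groupdict()
    del env["msg"]
    env["facility"] = pri // 8   # 134 -> 16 (local0)
    env["severity"] = pri % 8    # 134 -> 6 (info)
    return env, m.group("msg")


def parse_line(line):
    """Classify one log line as HAProxy http/tcp/error, or unknown."""
    env, payload = split_syslog(line.rstrip("\r\n"))
    rec = {"syslog": env}
    for kind, rx in FORMATS:
        m = rx.match(payload)
        if m:
            rec["kind"] = kind
            rec.update(m.groupdict())
            return rec
    rec["kind"] = "unknown"
    rec["message"] = payload
    return rec


# The first line is the one quoted in the issue; the other two are constructed for this
# example (203.0.113.0/24 is a documentation range) in the httplog and tcplog shapes.
SAMPLE_LINES = [
    '<134>1 2025-02-26T04:29:22+00:00 OPNsense.moomooland haproxy 27719 - [meta sequenceId="1486"] '
    "4.227.36.95:49668 [26/Feb/2025:04:29:22.330] 1_HTTPS_frontend/192.168.5.100:443: "
    "SSL handshake failure (error:0A000412:SSL routines::sslv3 alert bad certificate)",
    '<134>1 2025-02-26T04:31:07+00:00 OPNsense.moomooland haproxy 27719 - [meta sequenceId="1490"] '
    "203.0.113.7:51234 [26/Feb/2025:04:31:07.101] 1_HTTPS_frontend~ nextcloud_backend/nextcloud "
    '0/0/1/23/24 404 512 - - ---- 3/3/0/0/0 0/0 "GET /.env HTTP/1.1"',
    # tcplog line with no syslog envelope, as HAProxy would write it to stdout
    "203.0.113.7:51230 [26/Feb/2025:04:31:07.098] 0_SNI_frontend SSL_backend/SSL_server "
    "1/0/25 2311 -- 3/1/0/0/0 0/0",
]


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LINES):
        env = rec["syslog"]
        where = (f'{env["host"]} facility={env["facility"]} severity={env["severity"]}'
                 if env else "no syslog envelope")
        print(f'{rec["kind"]:7} {rec.get("client_ip", "-"):>15}  {where}')
```

The envelope and the HAProxy payload are matched separately on purpose: a parser written against HAProxy's manual formats only sees the payload, so whether the line arrives via syslog-ng, rsyslog or a plain file changes only the first step. The error-log regex splits on the first ": " after the slash, because the bind name in this config ("192.168.5.100:443") contains a colon itself.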
