digitaldemocratic/dd-sso/docker/haproxy/haproxy.cnf.parts/tail-waf.cnf

#
# BEGIN: waf-tail.cnf
#
  # Internal traffic
  use_backend bk_web if { src 172.16.0.0/12 }

  default_backend bk_waf

# WAF farm where users' traffic is routed first
backend bk_waf
  mode http
  server modsecurity dd-waf-apache:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none

# Internal traffic passes through this backend
backend bk_web
  mode http
  server bk_web dd-sso-haproxy:81 resolvers mydns init-addr 127.0.0.1

# Traffic secured by the WAF arrives here
frontend ft_web
  bind :81 name http
  log global
  option httplog
  timeout client 25s
  maxconn 1000
#
# END: waf-tail.cnf
#
[WAF] Consolidate proxies and documentation The environment / dd.conf variables: PROXY_PROTOCOL and DISABLE_WAF determine how DD and HAProxy will behave. - PROXY_PROTOCOL: whether or not the PROXY protocol will be accepted - DISABLE_WAF: whether or not WAF will be enabled This simplifies maintenance, as well as the overall architecture and operation. While at it, we now publish images for DD's HAProxy as well. 2022-11-23 20:10:13 +01:00			`#`
			`# BEGIN: waf-tail.cnf`
			`#`
			`# Internal traffic`
			`use_backend bk_web if { src 172.16.0.0/12 }`

			`default_backend bk_waf`

			`# WAF farm where users' traffic is routed first`
			`backend bk_waf`
			`mode http`
			`server modsecurity dd-waf-apache:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none`

			`# Internal traffic passes through this backend`
			`backend bk_web`
			`mode http`
			`server bk_web dd-sso-haproxy:81 resolvers mydns init-addr 127.0.0.1`

			`# Traffic secured by the WAF arrives here`
			`frontend ft_web`
			`bind :81 name http`
			`log global`
			`option httplog`
			`timeout client 25s`
			`maxconn 1000`
			`#`
			`# END: waf-tail.cnf`
			`#`