
Transfer of real client IP #55

Open
sstsarel opened this issue Oct 13, 2023 · 7 comments

Comments

@sstsarel

Hello, I'm testing modsec and haproxy. In the logs of my container, the client IP is always 127.0.0.1.
Example:

```
1697202928.470503 [00] [client 127.0.0.1] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
```

I can't find how to make it work with the real client IP.
Please tell me what needs to be done?

@JsdBEnZ7Rt9orgOfa1Ep1e4n

Same for me; for the moment I use this trick.

@sstsarel (Author) commented Oct 13, 2023

I already tried this but it doesn't work for me(((
I start a container on another node:

```shell
docker run -p 12345:12345 -v $PWD/modsecurity:/etc/modsecurity -d quay.io/jcmoraisjr/modsecurity-spoa -n 1
```

On haproxy I have it like this:

```
global
    daemon
    user haproxy
    group haproxy
    chroot /var/lib/haproxy
    maxconn 4096
    log localhost local0
    log-send-hostname
    stats socket /run/haproxy-master.sock mode 660 level admin
    stats timeout 60s

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch 1
    retries 3
    retry-on all-retryable-errors
    timeout http-request 180s
    timeout client 300s
    timeout queue 60s
    timeout connect 300s
    timeout server 300s
    timeout check 10s
    timeout http-keep-alive 10s

backend my_backend
    balance roundrobin
    server server1 10.0.0.1:80 check
    server server2 10.0.0.2:80 check

backend spoe-modsecurity
    mode tcp
    timeout connect 5s
    timeout server 3m
    server modsec-spoa1 10.0.0.3:12345

frontend fe_main
    bind :80
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    unique-id-header X-Unique-ID
    log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %[unique-id]"
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
    default_backend my_backend
```

but in the logs:

```
1697228856.345744 [00] [client 127.0.0.1] ModSecurity: Warning. Matched phrase "etc/passwd"
```

I still don't understand why logs are not written to

```
SecAuditLogType Serial
SecAuditLog /var/log/moaudit.log
SecAuditLogFormat JSON
```

The moaudit.log file is empty.

@sstsarel (Author)

Tell me, why are not all parameters accepted?

Maybe that is why the normal IP is not transmitted?

```
spoe-message check-request
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
```

```
spoe-message check-request
    args unique-id src src_port dst dst_port method path query req.ver req.hdrs_bin req.body_size req.body
```

@JsdBEnZ7Rt9orgOfa1Ep1e4n

This solution works.

Use this fork: https://github.com/infra-octave/spoa-modsecurity

spoe-modsecurity.conf:

```
[modsecurity]
    spoe-agent modsecurity-agent
        messages     check-request
        option       var-prefix  modsec
        timeout      hello       100ms
        timeout      idle        30s
        timeout      processing  1s
        use-backend  spoe-modsecurity
    spoe-message check-request
        args   unique-id method path query req.ver req.hdrs_bin req.body_size req.body src src_port dst_port
        event  on-frontend-http-request
```
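The difference between the config that logs 127.0.0.1 and the fork's config is the `src` and `src_port` entries on the `args` line of the `check-request` message. The script below is an added example, not code from this thread or from either spoa-modsecurity repository: it reads the `spoe-agent` and `spoe-message` blocks of an SPOE config and reports when a message referenced by an agent does not carry those two arguments, so the check can run before deploying. The two constructed configs are the upstream-style message quoted earlier in this issue and the fork's version. Passing this check is necessary but not sufficient: as noted later in the thread, the agent binary itself must also consume the extra arguments, which a config check cannot verify.

```python
# Constructed from the two variants quoted in this issue: the message without
# src/src_port (what sstsarel first had) and the fork's message that adds them.
CONF_WITHOUT_SRC = """\
[modsecurity]
    spoe-agent modsecurity-agent
        messages     check-request
        option       var-prefix  modsec
        timeout      hello       100ms
        timeout      idle        30s
        timeout      processing  1s
        use-backend  spoe-modsecurity
    spoe-message check-request
        args   unique-id method path query req.ver req.hdrs_bin req.body_size req.body
        event  on-frontend-http-request
"""
CONF_WITH_SRC = CONF_WITHOUT_SRC.replace(
    'req.body_size req.body\n', 'req.body_size req.body src src_port dst_port\n')

# Arguments the agent needs to learn the real client; taken from the fork's config.
CLIENT_ADDR_ARGS = ('src', 'src_port')


def parse_spoe_conf(text):
    """Minimal reader for the spoe-agent / spoe-message blocks of an SPOE config.
    Returns (agents, messages); nesting is tracked by the last block keyword seen."""
    agents, messages = {}, {}
    block, kind = None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and indentation
        if not line or line.startswith('['):     # skip blanks and [section] headers
            continue
        tokens = line.split()
        kw, rest = tokens[0], tokens[1:]
        if kw == 'spoe-agent' and rest:
            block = agents.setdefault(rest[0], {'messages': [], 'options': {},
                                                'timeouts': {}, 'backend': None})
            kind = 'agent'
        elif kw == 'spoe-message' and rest:
            block = messages.setdefault(rest[0], {'args': [], 'event': None})
            kind = 'message'
        elif kind == 'agent':
            if kw == 'messages':
                block['messages'].extend(rest)
            elif kw == 'option' and len(rest) >= 2:
                block['options'][rest[0]] = rest[1]
            elif kw == 'timeout' and len(rest) >= 2:
                block['timeouts'][rest[0]] = rest[1]
            elif kw == 'use-backend' and rest:
                block['backend'] = rest[0]
        elif kind == 'message':
            if kw == 'args':
                block['args'].extend(rest)
            elif kw == 'event' and rest:
                block['event'] = rest[0]
    return agents, messages


def check_spoe_conf(text):
    """Return a list of findings; empty means every agent's messages carry src and src_port."""
    agents, messages = parse_spoe_conf(text)
    findings = []
    if not agents:
        findings.append('no spoe-agent block found')
    for name, agent in agents.items():
        if agent['backend'] is None:
            findings.append(f'agent {name}: no use-backend, HAProxy has nowhere to send the messages')
        if not agent['messages']:
            findings.append(f'agent {name}: no messages line, nothing will be sent')
        for msg_name in agent['messages']:
            msg = messages.get(msg_name)
            if msg is None:
                findings.append(f'agent {name}: message {msg_name} is referenced but not defined')
                continue
            missing = [a for a in CLIENT_ADDR_ARGS if a not in msg['args']]
            if missing:
                findings.append(f'message {msg_name}: args do not include {", ".join(missing)}; '
                                'the client address is never sent to the agent')
            if msg['event'] != 'on-frontend-http-request':
                findings.append(f'message {msg_name}: event is {msg["event"]}, '
                                'expected on-frontend-http-request')
    return findings


if __name__ == '__main__':
    for label, conf in (('without src', CONF_WITHOUT_SRC), ('with src', CONF_WITH_SRC)):
        print(label, check_spoe_conf(conf) or ['ok'])
```

Point it at the file referenced by `filter spoe engine modsecurity config ...` in the HAProxy frontend; a finding about `src` explains the loopback client address without having to read the agent's source.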

@sstsarel (Author)

> This solution works.
>
> Use this fork: https://github.com/infra-octave/spoa-modsecurity
>
> spoe-modsecurity.conf:
>
> ```
> [modsecurity]
>     spoe-agent modsecurity-agent
>         messages     check-request
>         option       var-prefix  modsec
>         timeout      hello       100ms
>         timeout      idle        30s
>         timeout      processing  1s
>         use-backend  spoe-modsecurity
>     spoe-message check-request
>         args   unique-id method path query req.ver req.hdrs_bin req.body_size req.body src src_port dst_port
>         event  on-frontend-http-request
> ```

Well, I wanted to figure out why the Docker image from this repo does not work as expected.
Compiling from source I got the desired result, but using this image I get the wrong client IP.

@mat1010 (Contributor) commented Oct 19, 2023

> This solution works.
>
> Use this fork: https://github.com/infra-octave/spoa-modsecurity
>
> spoe-modsecurity.conf:
>
> ```
> [modsecurity]
>     spoe-agent modsecurity-agent
>         messages     check-request
>         option       var-prefix  modsec
>         timeout      hello       100ms
>         timeout      idle        30s
>         timeout      processing  1s
>         use-backend  spoe-modsecurity
>     spoe-message check-request
>         args   unique-id method path query req.ver req.hdrs_bin req.body_size req.body src src_port dst_port
>         event  on-frontend-http-request
> ```

haproxy/spoa-modsecurity@master...infra-octave:spoa-modsecurity:master#diff-8c7cd210990f9430651c54ed753427ec1bb59cc3f4ae2003daed70f490e3a6d0R251
This only works for IPv4, right?

@JsdBEnZ7Rt9orgOfa1Ep1e4n

> This solution works.
> Use this fork: https://github.com/infra-octave/spoa-modsecurity
> spoe-modsecurity.conf:
>
> ```
> [modsecurity]
>     spoe-agent modsecurity-agent
>         messages     check-request
>         option       var-prefix  modsec
>         timeout      hello       100ms
>         timeout      idle        30s
>         timeout      processing  1s
>         use-backend  spoe-modsecurity
>     spoe-message check-request
>         args   unique-id method path query req.ver req.hdrs_bin req.body_size req.body src src_port dst_port
>         event  on-frontend-http-request
> ```
>
> haproxy/spoa-modsecurity@master...infra-octave:spoa-modsecurity:master#diff-8c7cd210990f9430651c54ed753427ec1bb59cc3f4ae2003daed70f490e3a6d0R251 This only works for IPv4, right?

I don't test with IPv6.
