refactored script-kiddy excludes

ansibleguy · May 28, 2024 · b48c241 · b48c241
1 parent 8fd0634
commit b48c241
Show file tree

Hide file tree

Showing 9 changed files with 23 additions and 9 deletions.
diff --git a/ExampleWAF.md b/ExampleWAF.md
@@ -12,7 +12,9 @@ NOTE: The feature-set this role provides does not come lose to the one [availabl
 haproxy:
   waf:
     script_kiddy:
-      excludes: ['.zip']  # exclude specific entries from the script-kiddy filters
+      disable: ['.zip']  # disable specific entries from the script-kiddy filters
+      exclude:  # exclude by path sub-string (at runtime)
+        - '.well_known/'
 
   frontends:
     fe_web:

diff --git a/defaults/main/0_hardcoded.yml b/defaults/main/0_hardcoded.yml
@@ -33,6 +33,7 @@ HAPROXY_HC:
       script_kiddy_beg: 'waf-script-kiddy-path-beg.lst'
       script_kiddy_end: 'waf-script-kiddy-path-end.lst'
       script_kiddy_sub: 'waf-script-kiddy-path-sub.lst'
+      script_kiddy_exc: 'waf-script-kiddy-excludes.lst'
       crawler_full: 'waf-crawler-ua-full.lst'
       crawler_sub: 'waf-crawler-ua-sub.lst'
       bot_sub: 'waf-bot-ua-sub.lst'

diff --git a/defaults/main/2_waf.yml b/defaults/main/2_waf.yml
@@ -3,7 +3,7 @@
 defaults_waf:
   # NOTE: the block-code is very limited if you want to use an errorfile!
   #   see: https://www.haproxy.com/documentation/haproxy-configuration-manual/latest/#http-request%20return
-  block_code: 425
+  block_code: 400
   block_errorfile: true
 
   # todo: search parameters and body of http requests for SQLi/Path-Traversal/XSS/...
@@ -138,7 +138,10 @@ defaults_waf:
       - 'github-camo'
 
   script_kiddy:
-    excludes: []  # user-defined excludes
+    disable: []  # matches that should not be blocked (user-defined); checked at templating stage
+
+    exclude:  # sub-string safelist to be excluded (user-defined); checked at runtime
+      - '.well-known/acme-challenge'
 
     path_beg:
       - '/cgi-bin/'

diff --git a/tasks/debian/config.yml b/tasks/debian/config.yml
@@ -12,6 +12,7 @@
     - '{{ HAPROXY_HC.file.lst.script_kiddy_beg }}'
     - '{{ HAPROXY_HC.file.lst.script_kiddy_end }}'
     - "{{ HAPROXY_HC.file.lst.script_kiddy_sub }}"
+    - "{{ HAPROXY_HC.file.lst.script_kiddy_exc }}"
     - "{{ HAPROXY_HC.file.lst.crawler_full }}"
     - "{{ HAPROXY_HC.file.lst.crawler_sub }}"
     - "{{ HAPROXY_HC.file.lst.bot_sub }}"

diff --git a/templates/etc/haproxy/conf.d/inc/security.j2 b/templates/etc/haproxy/conf.d/inc/security.j2
@@ -62,7 +62,8 @@
 {% endif %}
 {% if cnf.security.block_script_kiddies | bool %}
     # block script-kiddy requests
-    http-request deny status {{ HAPROXY_WAF.block_code }} {{ BLOCK_ERRORFILE }} if { path -m beg -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_beg }} }
-    http-request deny status {{ HAPROXY_WAF.block_code }} {{ BLOCK_ERRORFILE }} if { path -m end -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_end }} }
-    http-request deny status {{ HAPROXY_WAF.block_code }} {{ BLOCK_ERRORFILE }} if { path -m sub -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_sub }} }
+    acl script_kiddy_excluded path -m sub -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_exc }}
+    http-request deny status {{ HAPROXY_WAF.block_code }} {{ BLOCK_ERRORFILE }} if !script_kiddy_excluded { path -m beg -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_beg }} }
+    http-request deny status {{ HAPROXY_WAF.block_code }} {{ BLOCK_ERRORFILE }} if !script_kiddy_excluded { path -m end -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_end }} }
+    http-request deny status {{ HAPROXY_WAF.block_code }} {{ BLOCK_ERRORFILE }} if !script_kiddy_excluded { path -m sub -i -f {{ HAPROXY_HC.path.lst }}/{{ HAPROXY_HC.file.lst.script_kiddy_sub }} }
 {% endif %}
diff --git a/templates/etc/haproxy/lst/waf-script-kiddy-excludes.lst.j2 b/templates/etc/haproxy/lst/waf-script-kiddy-excludes.lst.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+{% for path in HAPROXY_WAF.script_kiddy.exclude %}
+{{ path | lower }}
+{% endfor %}
+
diff --git a/templates/etc/haproxy/lst/waf-script-kiddy-path-beg.lst.j2 b/templates/etc/haproxy/lst/waf-script-kiddy-path-beg.lst.j2
@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
 
 {% for path in HAPROXY_WAF.script_kiddy.path_beg %}
-{%   if path not in HAPROXY_WAF.script_kiddy.excludes %}
+{%   if path not in HAPROXY_WAF.script_kiddy.disable %}
 {{ path | lower }}
 {%   endif %}
 {% endfor %}

diff --git a/templates/etc/haproxy/lst/waf-script-kiddy-path-end.lst.j2 b/templates/etc/haproxy/lst/waf-script-kiddy-path-end.lst.j2
@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
 
 {% for path in HAPROXY_WAF.script_kiddy.path_end %}
-{%   if path not in HAPROXY_WAF.script_kiddy.excludes %}
+{%   if path not in HAPROXY_WAF.script_kiddy.disable %}
 {{ path | lower }}
 {%   endif %}
 {% endfor %}

diff --git a/templates/etc/haproxy/lst/waf-script-kiddy-path-sub.lst.j2 b/templates/etc/haproxy/lst/waf-script-kiddy-path-sub.lst.j2
@@ -1,7 +1,7 @@
 # {{ ansible_managed }}
 
 {% for path in HAPROXY_WAF.script_kiddy.path_sub %}
-{%   if path not in HAPROXY_WAF.script_kiddy.excludes %}
+{%   if path not in HAPROXY_WAF.script_kiddy.disable %}
 {{ path | lower }}
 {%   endif %}
 {% endfor %}