Hi.

On 14.12.21 10:18, Olivier D wrote:
Hi,

On Mon, 13 Dec 2021 at 19:38, John Lauro <johnala...@gmail.com> wrote:

    http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
    was not catching the bad traffic.  I think the escapes were causing issues in the matching.

    The following did work:
                     http-request deny deny_status 405 if { url_sub -i -f /etc/haproxy/bad_header.lst }
                     http-request deny deny_status 405 if { hdr_sub(user-agent) -i -f /etc/haproxy/bad_header.lst }
    and in bad_header.lst
    ${jndi:


  I tried
http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
and
http-request deny deny_status 405 if { url_sub -i ${jndi: or hdr_sub(user-agent) -i ${jndi: }

without success. Can anyone tell what's wrong with both syntaxes? And how to escape special chars correctly?

There is now a blog post on haproxy.com on how to configure haproxy to protect the backend applications against the log4j attack.

https://www.haproxy.com/blog/december-2021-log4shell-mitigation/

Olivier

Regards
Alex
