Hi.
On 14.12.21 10:18, Olivier D wrote:
Hi,
On Mon, 13 Dec 2021 at 19:38, John Lauro <johnala...@gmail.com> wrote:
http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
was not catching the bad traffic. I think the escapes were causing issues in the matching.
The following did work:
http-request deny deny_status 405 if { url_sub -i -f /etc/haproxy/bad_header.lst }
http-request deny deny_status 405 if { hdr_sub(user-agent) -i -f /etc/haproxy/bad_header.lst }
and in bad_header.lst
${jndi:
I tried
http-request deny deny_status 405 if { url_sub -i "\$\{jndi:" or hdr_sub(user-agent) -i "\$\{jndi:" }
and
http-request deny deny_status 405 if { url_sub -i ${jndi: or hdr_sub(user-agent) -i ${jndi: }
without success. Can anyone tell what's wrong with both syntaxes? And how to escape special chars correctly?
There is now a blog post on haproxy.com on how to configure haproxy to protect the backend applications against the log4j attack.
https://www.haproxy.com/blog/december-2021-log4shell-mitigation/
Olivier
Regards
Alex