Hello misc users, 

I'm trying to have my HTTP SSL protocol terminated by relayd, and then have 
the resulting plain HTTP protocol filtered by some WAF before it is passed 
to httpd.
I'm currently trying with suricata since it's in packages, but I'm open to 
suggestions.

What would be the correct way to use an IDS between relayd and httpd?
If anyone has some tips on how to do it correctly, it would be really helpful.

The goal design is:
[web client WEB TCP443] => [Relayd (public ip)] => [TCP8180 Suricata] => 
[TCP8080 Httpd] 

I've currently managed to make relayd "relay to" httpd and it's working great!
However, I'm not too sure how to do filtering with an IPS in the middle of 
relayd and httpd...

It seems that suricata can read from either a unix-socket file OR a network 
interface.

I could be running it as:
suricata -i vmx0 -d 8080  
=> but I would inspect all the traffic, not just the HTTP traffic I get out of 
relayd, so I think it would be messy?
=> not sure if it is possible to tell suricata to read from 8180, filter 
dangerous packets, and write its output to 8180, for example?

Maybe I could use socat to take relayd's output (port TCP 8180) and bind it to 
a socket file?
socat -d -d TCP4-LISTEN:8180,fork UNIX-CONNECT:/var/suricata/suricata.sock

And then read from this socket and give the output to httpd:
suricata -c /etc/suricata/suricata.yaml --unix-socket 
/var/suricata/suricata.sock  -d 8080  

But I get an error: <Error> - [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(126)] - more 
than one run mode has been specified

I pasted the important parts of my working config (without suricata in the 
middle), in case it helps...

Using OpenBSD 7.8-stable

========================================
vi /etc/pf.conf

pass in on egress proto tcp from any to any port 80
pass in on egress proto tcp from any to any port 443
========================================
vi /etc/relayd.conf

relay "wwwsecure4" {
  listen on $external_ipv4 port 443 tls
  protocol wwwsecure
  forward to 127.0.0.1 port 8080
}
========================================
vi /etc/httpd.conf

server "preprod.alienconsulting.net" {
    listen on 127.0.0.1 port 8080
    root "/htdocs/notSoMuchTrustedWebsite"
    directory index "index.php"
    location "/*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
}

Regards,
Romain
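Editor's added example (not part of the original post, and not code from relayd, httpd or Suricata) showing what the "[TCP8180]" hop in the diagram above actually has to do: a small inline relay that listens where relayd forwards to, reads the first HTTP request head, and either answers 403 or hands the connection over to httpd. The listen address 127.0.0.1:8180, the upstream 127.0.0.1:8080 (taken from the httpd.conf in the post), the three detection rules and the method allow-list are all assumptions chosen for illustration; the sample requests in the comments are constructed. With this in place, relayd's "forward to 127.0.0.1 port 8080" would point at port 8180 instead. For the error quoted in the post: the -d flag Suricata accepts selects its ipfw divert run mode, so combining it with --unix-socket is two run modes at once, which is exactly what SC_ERR_MULTIPLE_RUN_MODE complains about.

```python
"""Inline HTTP request filter between relayd (TCP 8180) and httpd (TCP 8080).

Added illustration for the thread above; NOT an IDS or a WAF, just the shape
of the hop. Addresses and rules below are assumptions.
"""
import re
import socket
import threading
from urllib.parse import unquote_to_bytes

LISTEN_ADDR = ("127.0.0.1", 8180)    # assumed: where relayd "forward to" points
UPSTREAM_ADDR = ("127.0.0.1", 8080)  # httpd "listen on 127.0.0.1 port 8080"
MAX_HEAD = 16 * 1024                 # assumed cap on the request head
ALLOWED_METHODS = (b"GET", b"HEAD", b"POST")

# Deliberately tiny rule set, applied to the percent-decoded request target.
RULES = [
    ("path traversal", re.compile(rb"(?:^|/)\.\.(?:/|$)")),
    ("null byte in target", re.compile(rb"\x00")),
    ("php/remote wrapper", re.compile(rb"(?i)\b(?:php|data|expect|file)://")),
]


def parse_request_line(head: bytes):
    """Return (method, target, version) from the first line, or None if malformed."""
    first, _, _ = head.partition(b"\r\n")
    parts = first.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def inspect_request(head: bytes):
    """Decide whether a request head may reach httpd. Returns (allowed, reason)."""
    if len(head) > MAX_HEAD:
        return False, "request head too large"
    req = parse_request_line(head)
    if req is None:
        return False, "malformed request line"
    method, target, _version = req
    if method not in ALLOWED_METHODS:
        return False, "method not allowed"
    decoded = unquote_to_bytes(target)   # so %2e%2e/ is seen as ../
    for name, pattern in RULES:
        if pattern.search(decoded):
            return False, name
    return True, "ok"


def read_head(conn: socket.socket) -> bytes:
    """Read until the end of the request headers (or until MAX_HEAD is exceeded)."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) <= MAX_HEAD:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client: socket.socket) -> None:
    """Inspect the first request head; 403 on a hit, otherwise splice to httpd.
    Caveat: later requests on the same keep-alive connection are NOT inspected."""
    with client:
        head = read_head(client)
        allowed, reason = inspect_request(head)
        if not allowed:
            client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n"
                           b"Connection: close\r\n\r\n")
            print(f"blocked ({reason}): {head[:80]!r}")
            return
        with socket.create_connection(UPSTREAM_ADDR) as upstream:
            upstream.sendall(head)          # replay what we already consumed
            t = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            t.start()
            pump(client, upstream)
            t.join()


def serve() -> None:
    """Accept loop on LISTEN_ADDR, one thread per connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(LISTEN_ADDR)
        srv.listen(128)
        while True:
            conn, _peer = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Two practical notes. Because relayd terminates TLS and forwards over loopback, the plaintext also passes lo0, so a passive sensor can sniff there with a BPF filter on port 8080 without any relay in the middle; only an inline design needs the extra hop. And this script looks at one request per connection and understands nothing about streams, which is the whole reason a stream-aware IDS, or relayd's own match/block request rules for the simple cases, is the better tool than a hand-rolled relay.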
