Create import_haproxy_waf.py

2025-12-17 17:55:48 +00:00 · 2024-12-21 09:08:22 +01:00 · 2024-12-21 09:08:22 +01:00 · 4f238e10a2
commit 4f238e10a2
parent a76150763a
1 changed files with 63 additions and 0 deletions
--- a/import_haproxy_waf.py
+++ b/import_haproxy_waf.py
@ -0,0 +1,63 @@
+import os
+import subprocess
+import logging
+
+logging.basicConfig(level=logging.INFO, format="%(asctime)s - %(levelname)s - %(message)s")
+
+# Paths
+WAF_DIR = "waf_patterns/haproxy"
+HAPROXY_WAF_DIR = "/etc/haproxy/waf/"
+HAPROXY_CONF = "/etc/haproxy/haproxy.cfg"
+
+INCLUDE_STATEMENT = "    acl bad_bot hdr_sub(User-Agent) -i waf/bots.acl"
+
+def copy_waf_files():
+    logging.info("Copying HAProxy WAF patterns...")
+
+    # Ensure the target directory exists
+    os.makedirs(HAPROXY_WAF_DIR, exist_ok=True)
+
+    # Copy acl files
+    for file in ["bots.acl", "waf.acl"]:
+        src_path = os.path.join(WAF_DIR, file)
+        dst_path = os.path.join(HAPROXY_WAF_DIR, file)
+        
+        if os.path.exists(src_path):
+            subprocess.run(["cp", src_path, dst_path], check=True)
+            logging.info(f"[+] {file} copied to {HAPROXY_WAF_DIR}")
+        else:
+            logging.warning(f"[!] {file} not found in {WAF_DIR}")
+
+def update_haproxy_conf():
+    logging.info("Ensuring WAF patterns are included in haproxy.cfg...")
+
+    with open(HAPROXY_CONF, "r") as f:
+        config = f.read()
+
+    if INCLUDE_STATEMENT not in config:
+        logging.info("Adding WAF rules to haproxy.cfg...")
+        with open(HAPROXY_CONF, "a") as f:
+            f.write(
+                f"\n# WAF and Bot Protection\n"
+                f"frontend http-in\n"
+                f"    bind *:80\n"
+                f"    default_backend web_backend\n"
+                f"    acl bad_bot hdr_sub(User-Agent) -i waf/bots.acl\n"
+                f"    acl waf_attack path_reg waf/waf.acl\n"
+                f"    http-request deny if bad_bot\n"
+                f"    http-request deny if waf_attack\n"
+            )
+    else:
+        logging.info("WAF patterns already included in haproxy.cfg.")
+
+def reload_haproxy():
+    logging.info("Testing HAProxy configuration...")
+    subprocess.run(["haproxy", "-c", "-f", HAPROXY_CONF], check=True)
+    logging.info("Reloading HAProxy to apply new WAF rules...")
+    subprocess.run(["systemctl", "reload", "haproxy"], check=True)
+
+if __name__ == "__main__":
+    copy_waf_files()
+    update_haproxy_conf()
+    reload_haproxy()
+    logging.info("[✔] HAProxy configured with latest WAF rules.")