Enabling App and API Protection for HAProxy
App and API Protection for HAProxy is in Preview
To try the preview of App and API Protection for HAProxy, use the following setup instructions.
You can enable App and API Protection for your HAProxy instances. The Datadog HAProxy integration leverages HAProxy’s Stream Processing Offload Engine (SPOE) to inspect and protect traffic for threat detection at the edge of your infrastructure.
Enabling threat detection
Get started
The App and API Protection HAProxy integration uses HAProxy’s Stream Processing Offload Engine (SPOE) to call a Datadog Stream Processing Offload Agent (SPOA). The SPOA analyzes requests and responses.
To enable App and API Protection for HAProxy, do the following:
- Deploy the Datadog HAProxy SPOA container.
- Update your HAProxy configuration files to integrate with the SPOA.
SPOA container
Deploy the Datadog HAProxy SPOA image available in the Datadog GitHub Container Registry. The SPOA listens for SPOE connections from HAProxy and sends security events to your Datadog Agent.
See Configuration for available configuration options about the SPOA container.
HAProxy configuration files
All required HAProxy configuration files are available in the repository folder. For information about updates and changes about the configuration, refer to the configuration changelog.
The following files are needed for your setup:
- spoe.cfg: Core SPOE engine configuration file.
- global-config.cfg: Configuration lines to include in your global section.
- frontend-config.cfg: Configuration lines to add at the top of each frontend you want to protect.
- backend.cfg: Defines the SPOA backend used by the SPOE engine.
- datadog_aap_blocking_response.lua: Lua script for blocking responses.
Guidance for setting up each file is provided below.
spoe.cfg
The spoe.cfg file is responsible for declaring the SPOE agent and its configuration. This file should be saved to disk, for example at /usr/local/etc/haproxy/spoe.cfg. The location of this file is referenced via the DD_SPOA_SPOA_CONF_FILE environment variable, which is configured within the global section.
It is important that no custom modifications are made to this file.
global-config.cfg
The global-config.cfg file loads the required Lua script and configures the necessary variables for the integration. Its contents should be incorporated into the global section of your haproxy.cfg configuration file.
You can adjust the values as needed for your environment. Review the comments within the file for further guidance on each setting.
frontend-config.cfg
The frontend-config.cfg file attaches the SPOE filter to your frontend. This section should be placed at the very top of each frontend section you want to protect, before other filters and the router.
This section ensures that:
- Request and response events are sent to the SPOA
- Datadog tracing headers are injected when applicable
- The Lua helper is conditionally invoked for blocking
It is important that no custom modifications are made to this part of the configuration.
backend.cfg
The backend.cfg file defines the spoa-backend used by the SPOE engine and for health checks. This configuration should be appended near the end of your haproxy.cfg file.
Be sure to modify the server spoa1 <host>:<port> line so that it references your deployed SPOA container instance.
Note: For high availability and redundancy, you can configure multiple SPOA agent servers by adding additional server lines (for example, server spoa1 ..., server spoa2 ...). HAProxy automatically load-balances and fails over between these SPOA agents, so protection continues even if one agent becomes unavailable.
datadog_aap_blocking_response.lua
The datadog_aap_blocking_response.lua script is responsible for sending a custom blocking response when the SPOA instructs HAProxy to block a request. This script could be stored in a location such as /etc/haproxy/lua/datadog_aap_blocking_response.lua, and the lua-load directive in the global section should reference this path.
It is important that no custom modifications are made to this file.
Note: This Lua script is not invoked on every request processed by HAProxy. It is only invoked when a request is blocked by App and API Protection. This design ensures optimal performance by avoiding the overhead of running Lua code for all requests.
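As an added example (not Datadog's code and not part of the reference configuration), a small Python lint that checks a haproxy.cfg for the layout described above: DD_SPOA_SPOA_CONF_FILE set in the global section, the blocking-response Lua script loaded, the SPOE filter placed before any other filter in each frontend, and the spoa-backend server line no longer carrying the `<host>:<port>` placeholder. The sample config is constructed; the engine name `datadog` and the use of `setenv` to export the variable are assumptions, not taken from the page.

```python
import re

# Constructed haproxy.cfg fragment (not the project's reference config). The engine
# name "datadog" and the setenv line are assumptions; only file names are from the docs.
SAMPLE_CFG = """
global
    setenv DD_SPOA_SPOA_CONF_FILE /usr/local/etc/haproxy/spoe.cfg
    lua-load /etc/haproxy/lua/datadog_aap_blocking_response.lua
frontend web
    filter spoe engine datadog config /usr/local/etc/haproxy/spoe.cfg
    bind :80
    default_backend app
backend app
    server app1 127.0.0.1:8080
backend spoa-backend
    server spoa1 <host>:<port> check
"""

def parse_sections(cfg: str) -> dict[str, list[str]]:
    """Group directive lines under their 'global' / 'frontend X' / 'backend X' header."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^(global|defaults|frontend|backend|listen)\b", line):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def lint(cfg: str) -> list[str]:
    """Report each documented requirement the config fails to meet (empty list = OK)."""
    s, findings = parse_sections(cfg), []
    g = s.get("global", [])
    if not any(l.startswith("setenv DD_SPOA_SPOA_CONF_FILE ") for l in g):
        findings.append("global: DD_SPOA_SPOA_CONF_FILE is not set")
    if not any(l.startswith("lua-load ") and l.endswith("datadog_aap_blocking_response.lua") for l in g):
        findings.append("global: blocking-response Lua script is not loaded")
    for name, lines in s.items():
        filters = [l for l in lines if l.startswith("filter ")]
        if name.startswith("frontend ") and (not filters or not filters[0].startswith("filter spoe ")):
            findings.append(f"{name}: SPOE filter missing or not the first filter")
    spoa = s.get("backend spoa-backend")
    if spoa is None:
        findings.append("backend spoa-backend is not defined")
    elif not [l for l in spoa if l.startswith("server ")] or any("<host>" in l for l in spoa):
        findings.append("spoa-backend: server line still uses the <host>:<port> placeholder")
    return findings
```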
Validation
After this configuration is complete, the integration collects security data from your application and sends it to the Agent. The Agent sends the data to Datadog, where out-of-the-box detection rules flag attacker techniques and potential misconfigurations so you can take steps to remediate.
To see App and API Protection threat detection in action, send known attack patterns to your application. For example, trigger the Security Scanner Detected rule by running a shell script that contains the following curl loop:
```bash
#!/usr/bin/env bash
# Send 250 pairs of requests carrying the test scanner User-Agent so the
# "Security Scanner Detected" rule fires. Replace your-application-url first.
for ((i=1;i<=250;i++)); do
  # Target existing service's routes
  curl https://your-application-url/existing-route -A dd-test-scanner-log
  # Target non existing service's routes
  curl https://your-application-url/non-existing-route -A dd-test-scanner-log
done
```
Note: The dd-test-scanner-log value is supported in the most recent releases.
A few minutes after you enable your application and send known attack patterns to it, threat information appears in the Application Signals Explorer and vulnerability information appears in the Vulnerabilities explorer.
Configuration
The Datadog HAProxy SPOA container supports the following configuration settings:
| Environment variable | Default value | Description |
|---|---|---|
| DD_HAPROXY_SPOA_HOST | 0.0.0.0 | Host on which the SPOA and HTTP health server listen. |
| DD_HAPROXY_SPOA_PORT | 3000 | Port used by the SPOA that accepts communication with HAProxy. |
| DD_HAPROXY_SPOA_HEALTHCHECK_PORT | 3080 | Port used for the HTTP server for health checks. |
| DD_APPSEC_BODY_PARSING_SIZE_LIMIT | 0 | Maximum size of bodies to process, in bytes. If 0, bodies are not processed. Recommended: 10000000 (10 MB). |
| DD_SERVICE | spoa | Service name shown in the Datadog UI. |
Configure the SPOA to send traces to your Datadog Agent using the following environment variables:
| Environment variable | Default value | Description |
|---|---|---|
| DD_AGENT_HOST | localhost | Host of a running Datadog Agent. |
| DD_TRACE_AGENT_PORT | 8126 | Port of a running Datadog Agent. |
Datadog Go Tracer and HAProxy integration
The HAProxy integration is built on top of the Datadog Go Tracer and inherits all of its environment variables. See Configuring the Go Tracing Library and App and API Protection Library Configuration.
Note: As the Datadog SPOA is built on top of the Datadog Go Tracer, it generally follows the same release process as the tracer, and its Docker images are tagged with the corresponding tracer version (for example, v2.4.0). In some cases, early release versions might be published between official tracer releases, and these images are tagged with a suffix such as -docker.1.
Keeping your configuration up to date
Because HAProxy’s SPOE integration involves both a runtime component (the SPOA container image) and HAProxy configuration, upgrades can require changes in both places.
The reference HAProxy configuration and an associated changelog are available to help you monitor and track updates.
Recommended upgrade practices
- Pin your SPOA image to a specific version and upgrade intentionally after reviewing the configuration changelog.
- Centralize the Datadog configuration so it is easily updatable.
- Track the reference configuration and changelog and compare your configuration to it when upgrading.
Limitations
The HAProxy integration has the following limitations:
- Asynchronous (observability) mode is not currently supported.
For additional details on the HAProxy integration compatibilities, refer to the HAProxy integration compatibility page.
Further Reading
Additional helpful links, articles, and documentation: