
How do I help mitigate log4j via haproxy on Enterprise Linux

Based on this post, haproxy has provided mitigation ACL rules that can be used to help fight against log4j attack requests getting proxied to the affected log4j apps.

In reading some of the users' comments, it came to my attention that many Enterprise Linux Haproxy systems out there might be running an older haproxy version 1.5, which doesn't have the option http-buffer-request directive. This directive is critical to any CVE you are trying to mitigate, even more so if this is your only option until you can upgrade the affected applications.

What is the easiest way to upgrade, and to what version?

Answering my own question...

Haproxy 1.6 is needed; however, RH provides haproxy 1.8 from the RHSCL repo.

Make sure these repos are active on the system and install haproxy 1.8:

subscription-manager repos --enable=rhel-7-server-optional-rpms --enable=rhel-7-server-rpms --enable=rhel-server-rhscl-7-rpms
yum install -y rh-haproxy18.x86_64

cat the current config into the 1.8 cfg file and run a quick test config:

cat /etc/haproxy/haproxy.cfg > /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg
/opt/rh/rh-haproxy18/root/usr/sbin/haproxy -c -V -f /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg

^ Correct any warns or alert errors. In my experience, it's mainly directive order or check port strings on your backend services. This is relatively simple to search the net for and correct.

nano /etc/opt/rh/rh-haproxy18/haproxy/haproxy.cfg

Add the ACL rules; use unique names if using more than one listener/frontend in the cfg so they don't overlap.

systemctl disable --now haproxy && systemctl enable --now rh-haproxy18-haproxy
yum remove -y haproxy && yum install -y rh-haproxy18-haproxy-syspaths.x86_64

^ The rh-haproxy18-haproxy-syspaths.x86_64 package replaced the haproxy service name, so you do not have to update the systemctl scripts, or even keepalived if you are using it to monitor the haproxy service.

I use this within keepalived, which works before and after:

killall -0 haproxy
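The "add the ACL rules" step above, written out as an added example (this is not the answer's own config nor the rules from the linked haproxy post): the frontend name, ports and backend are assumptions, and the ACL names carry the frontend name so they stay unique when more frontends are added, as the answer advises.

```haproxy
# Added example config for rh-haproxy18 (HAProxy 1.8); fe_web, be_app and the
# addresses are placeholders, not values from the question or answer.
frontend fe_web
    bind *:80
    mode http
    # Buffer the request body so req.body is available to the ACLs below.
    # On 1.5 this directive does not exist, so body inspection is impossible.
    option http-buffer-request

    # Look for the JNDI lookup marker in the URL, any request header, or the body.
    # url_dec also catches percent-encoded forms; -i makes the match case-insensitive.
    # Single quotes stop HAProxy from expanding ${...} as an environment variable.
    acl fe_web_jndi_url  url,url_dec      -m sub -i '${jndi:'
    acl fe_web_jndi_hdr  req.hdrs,url_dec -m sub -i '${jndi:'
    acl fe_web_jndi_body req.body,url_dec -m sub -i '${jndi:'

    # Reject the request before it is proxied to the affected application.
    http-request deny if fe_web_jndi_url or fe_web_jndi_hdr or fe_web_jndi_body

    default_backend be_app

backend be_app
    mode http
    server app1 127.0.0.1:8080 check
```

Run the same `haproxy -c -V -f` check from the answer after adding these lines. A plain substring match does not catch obfuscated variants of the lookup string, so this only reduces exposure until the affected applications are upgraded.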
