waf-fail-closed=true rejects all requests #962

Closed
mac-chaffee opened this issue Nov 16, 2022 · 1 comment · Fixed by #963

@mac-chaffee
Contributor

Description of the problem

See haproxy/spoa-modsecurity#3 (comment)

While testing, I discovered that this comment is not entirely true:
https://github.com/haproxy/spoa-modsecurity/blob/3c895f3e7dd291dba19d57ba054b277e6fb80ca4/spoa.c#L93

When spoa-modsecurity approves a request, it actually sets txn.modsec.code to -1, meaning my changes in #954 aren't correct.

But there's a bigger problem: you can't actually tell the difference between spoa-modsecurity throwing certain errors and approving a request since the response is -1 either way.

Expected behavior

waf-fail-closed=true still lets in valid requests.

This might end up being hard to fix since we might need the upstream spoa-modsecurity to change the behavior of the return code. Maybe just a revert of #954 is the best bet for now. Thoughts?

Environment information

HAProxy Ingress version: master branch

@jcmoraisjr
Owner

Hi, that makes sense, good catch. I share the opinion that the best option is to fix that upstream and reintroduce the feature as soon as we can say it works. The job isn't lost since we're using version control =) Merging the revert and looking forward to any news on this subject. Thanks!
