Merge pull request #1070 from crowdsecurity/simplify_waf_setup

simplify waf setup for nginx/openresty

Author: buixor

crowdsec-docs/docs/appsec/quickstart/haproxy_spoa.mdx

@@ -3,77 +3,52 @@ id: haproxy_spoa
 title: QuickStart - HAProxy (SPOA)
 ---
 
-import UnderlineTooltip from '@site/src/components/underline-tooltip';
-
 # CrowdSec WAF QuickStart for HAProxy (SPOA)
 
-## Objectives
-
-Set up the [AppSec Component](/appsec/intro.md#introduction) to protect web applications running behind [HAProxy](https://www.haproxy.org/) using the **HAProxy SPOA remediation component**.
-
-You will:
-- Enable CrowdSec AppSec (WAF) in the Security Engine.
-- Install and configure `crowdsec-haproxy-spoa-bouncer` so HAProxy can forward HTTP requests to AppSec.
-- Validate everything by triggering a test detection.
+Protect web applications running behind [HAProxy](https://www.haproxy.org/) with CrowdSec's [AppSec (WAF) Component](/appsec/intro.md#introduction), using the HAProxy SPOA remediation component to forward HTTP requests.
 
 ## Prerequisites
 
-1. If you're new to the [AppSec Component](/appsec/intro.md#introduction) or **W**eb **A**pplication **F**irewalls, start with the [Introduction](/appsec/intro.md#introduction).
-2. It's assumed that you have already installed:
-   - **CrowdSec [Security Engine](/intro.mdx)**: for installation, refer to the [QuickStart guide](/u/getting_started/installation/linux).
-   - **HAProxy**: already running and proxying your application(s).
-   - **HAProxy SPOA [Remediation Component](/u/bouncers/intro)**: `crowdsec-haproxy-spoa-bouncer`.
-
-:::tip Already did the base setup?
-If you already completed the [General Setup](general.mdx) (collections + acquisition), skip to [Remediation Component Setup](#remediation-component-setup).
-:::
-
-## AppSec Component Setup
+Make sure the following are already done on the machine running HAProxy (each is a single-page install guide):
 
-### Collection installation
+1. **CrowdSec Security Engine** installed and running — see the [Linux quickstart](/u/getting_started/installation/linux).
+2. **HAProxy** already running and proxying your application(s).
+3. **HAProxy SPOA bouncer** (`crowdsec-haproxy-spoa-bouncer`) installed and registered against the CrowdSec LAPI — see the [SPOA bouncer guide](/u/bouncers/haproxy_spoa).
 
-Install the main AppSec rule collections:
+## 1. Install the AppSec rule collections
 
 ```bash
-sudo cscli collections install crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
+sudo cscli collections install \
+    crowdsecurity/appsec-virtual-patching \
+    crowdsecurity/appsec-generic-rules
 ```
 
-These <UnderlineTooltip tooltip="Collections are bundles of parsers, scenarios, and AppSec rules/configuration items.">collections</UnderlineTooltip> provide virtual patching (CVE rules), generic WAF detections, and the default AppSec configuration.
+This pulls the [`appsec-virtual-patching`](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching) collection (rules for known CVEs, auto-updated daily) and the [`appsec-generic-rules`](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-generic-rules) collection (common attack patterns), plus the default AppSec configuration.
 
-### Setup the acquisition
+## 2. Turn on the AppSec Component
 
-Create `/etc/crowdsec/acquis.d/appsec.yaml` (see the [AppSec datasource](/log_processor/data_sources/appsec.md) for the full reference):
+Create the acquisition file, then restart CrowdSec:
 
-```yaml title="/etc/crowdsec/acquis.d/appsec.yaml"
+```bash
+sudo mkdir -p /etc/crowdsec/acquis.d
+sudo tee /etc/crowdsec/acquis.d/appsec.yaml > /dev/null <<'EOF'
 appsec_configs:
   - crowdsecurity/appsec-default
 labels:
   type: appsec
 listen_addr: 127.0.0.1:7422
 source: appsec
-```
-
-Restart CrowdSec:
-
-```bash
+EOF
 sudo systemctl restart crowdsec
 ```
 
 :::warning
-Do not expose the AppSec Component to the internet. It should only be reachable from your reverse proxy.
+Keep `listen_addr` on `127.0.0.1` — the AppSec Component must only be reachable from your reverse proxy.
 :::
 
-## Remediation Component Setup
-
-### Install and configure the HAProxy SPOA bouncer
-
-Read here how to install the SPOA remediation component: [HAProxy SPOA remediation component docs](/u/bouncers/haproxy_spoa).
-
-Once the bouncer is installed and able to talk to CrowdSec LAPI, you only need to enable **AppSec forwarding**.
-
-### Enable AppSec forwarding in the bouncer (YAML)
+## 3. Enable AppSec forwarding in the SPOA bouncer
 
-In `/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml`, configure the AppSec endpoint the bouncer should query for WAF evaluation:
+Edit `/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml` and add the `appsec_url` plus the `appsec` block under your host(s):
 
 ```yaml title="/etc/crowdsec/bouncers/crowdsec-spoa-bouncer.yaml"
 # AppSec (WAF forwarding)
@@ -96,58 +71,51 @@ sudo systemctl restart crowdsec-spoa-bouncer
 If AppSec runs on a different host (or in containers), update `appsec_url` to the correct reachable address.
 :::
 
-:::warning AppSec limitations with HAProxy SPOA (important)
-HAProxy SPOA forwarding is constrained by HAProxy/SPOE/SPOA mechanics:
-- Request bodies are only available if you enable buffering (`option http-buffer-request`) and they must fit within tight size limits (commonly capped at ~50KB in examples).
-- When the body is too large (uploads, large JSON, etc.), you typically fall back to a “no-body” SPOE group, which means **body-dependent WAF rules cannot match**.
-- You are not doing full “streaming” inspection: SPOA works with what HAProxy can capture and send to the agent within buffer/frame limits.
+## 4. Verify
 
-CrowdSec AppSec is still a single “source of truth” for rules/config: you can point multiple WAF-capable integrations to the same AppSec endpoint so rule updates stay in sync across your infrastructure.
-
-Recommended layered approach:
-- Use HAProxy SPOA for **edge enforcement** (IP/range/country decisions, ban/captcha) and lightweight WAF evaluation when the request fits within the configured limits.
-- Put a full-featured L7 proxy/WAF-capable integration **downstream** (or protect the app directly) when you need deeper inspection of large bodies, file uploads, or application-specific request parsing. Examples of WAF-capable integrations include:
-  - [Nginx/OpenResty](nginxopenresty.mdx)
-  - [Traefik](traefik.mdx)
-  - [WordPress](wordpress.mdx)
-:::
-
-## Testing the AppSec Component + Remediation Component
-
-:::note
-Adjust the URL below to match your HAProxy frontend (HTTP/HTTPS, port, hostname).
-:::
-
-If you try to access `http(s)://<your-haproxy-url>/.env`, your request should be blocked:
+Hit an endpoint that should trip an AppSec rule (adjust the URL to match your HAProxy frontend):
 
 ```bash
-curl -i http://<your-haproxy-url>/.env
+curl -I http://<your-haproxy-url>/.env
 ```
 
-![appsec-denied](/img/appsec_denied.png)
+You should get an `HTTP/1.1 403 Forbidden` response.
 
-You can also check AppSec metrics:
+Check that CrowdSec recorded the block:
 
 ```bash
 sudo cscli metrics show appsec
 ```
 
-### Explanation
+<details>
+<summary>What just happened?</summary>
 
-What happened in the test above is:
+1. `curl` hit HAProxy at `/.env`.
+2. HAProxy forwarded the request to the SPOA remediation component.
+3. The bouncer queried the AppSec Component at `appsec_url`.
+4. The request matched the [`vpatch-env-access`](https://app.crowdsec.net/hub/author/crowdsecurity/appsec-rules/vpatch-env-access) rule.
+5. AppSec answered `403`; HAProxy blocked the request.
 
-1. You requested `/.env` through HAProxy.
-2. HAProxy forwarded the request to the SPOA remediation component (SPOE/SPOA).
-3. The remediation component queried the AppSec Component at `appsec_url`.
-4. The request matched the [AppSec rule to detect `.env` access](https://app.crowdsec.net/hub/author/crowdsecurity/appsec-rules/vpatch-env-access).
-5. AppSec returned a blocking action (HTTP 403) to the remediation component.
-6. HAProxy blocked the request.
+</details>
 
-## Next steps
+## AppSec limitations with HAProxy SPOA
 
-You are now running the AppSec Component on your CrowdSec Security Engine with HAProxy SPOA.
+HAProxy SPOA forwarding is constrained by HAProxy/SPOE/SPOA mechanics:
+- Request bodies are only available if you enable buffering (`option http-buffer-request`) and must fit within tight size limits (commonly capped at ~50 KB).
+- When the body is too large (uploads, large JSON, etc.), you typically fall back to a "no-body" SPOE group, which means **body-dependent WAF rules cannot match**.
+- This is not full streaming inspection: SPOA works with what HAProxy can capture within buffer/frame limits.
+
+CrowdSec AppSec is a single source of truth for rules — you can point multiple WAF-capable integrations at the same AppSec endpoint so rule updates stay in sync.
+
+Recommended layered approach:
+- Use HAProxy SPOA for **edge enforcement** (IP/range/country decisions, ban/captcha) and lightweight WAF evaluation when the request fits within the configured limits.
+- Put a full-featured L7 proxy/WAF-capable integration **downstream** (or protect the app directly) when you need deeper inspection of large bodies, file uploads, or application-specific request parsing. Examples:
+  - [Nginx/OpenResty](nginxopenresty.mdx)
+  - [Traefik](traefik.mdx)
+  - [WordPress](wordpress.mdx)
+
+## Next steps
 
-As the next steps, you can:
-- Monitor WAF alerts with `sudo cscli alerts list` and in the [CrowdSec Console](https://app.crowdsec.net).
-- Review the [AppSec troubleshooting guide](/appsec/troubleshooting.md) and the [HAProxy SPOA remediation component docs](/u/bouncers/haproxy_spoa) if you need to investigate or refine the deployment.
+- Monitor WAF alerts with `sudo cscli alerts list` or in the [CrowdSec Console](https://app.crowdsec.net).
+- Review the [AppSec troubleshooting guide](/appsec/troubleshooting.md) and the [HAProxy SPOA bouncer docs](/u/bouncers/haproxy_spoa) if you need to investigate or refine the deployment.
 - Explore [WAF deployment strategies](/appsec/advanced_deployments.mdx) if you want to expand beyond this initial setup.