OZON innovates by integrating ModSecurity with HAProxy

OZON, the startup specialized in eCommerce cybersecurity, has integrated the ModSecurity® web application firewall into HAProxy® and has decided to contribute its R&D work to the open source community.

More than 15 years after they were released as open source projects, both HAProxy and ModSecurity have improved tremendously and have become de facto standards in their respective fields: HAProxy as a web load balancer and ModSecurity as a Web Application Firewall (WAF). They are now widely used by major companies, operators and service providers around the world.

Seeking a web reverse proxy able to withstand the huge traffic variations of eCommerce sites, OZON carried out a comparative evaluation of NGINX®, Apache® and HAProxy technologies. The verdict?

HAProxy emerged as the winner and plays a key role in OZON’s cloud platform. Unlike NGINX and Apache, HAProxy was designed from the beginning to be a reverse proxy and not a web server.

The reliability and performance of HAProxy no longer need to be demonstrated.

Thierry Fournier, a founding partner of OZON, is one of the main contributors to HAProxy. Among many other things, Thierry implemented support for the Lua programming language.

Thierry leads OZON’s R&D team, which has brought functional improvements to HAProxy such as:

  • SSL / TLS fingerprinting,
  • Adding and improving performance metrics,
  • Integration of ModSecurity Web Application Firewall.

As a web load balancer, HAProxy is a central component in Internet infrastructures and is therefore well positioned to perform security analysis on the flows. Until now, nobody had made the effort to port a web application firewall to HAProxy. It’s now done!

OZON has built an integration of ModSecurity, a major web application firewall on the market, into HAProxy.

Since the latest HAProxy version (v1.7), released last November, the Stream Processing Offloading Protocol (SPOP) makes it possible to communicate with external agents that are not compatible with HAProxy’s internal architecture, such as a web application firewall, and more generally any component that requires frequent updates, file system access, long processing or large memory allocations.

OZON has developed the SPOA agent that lets ModSecurity analyze the flows processed by HAProxy.

The main advantage of using SPOP is that the heavy security processing is delegated to ModSecurity without impacting HAProxy performance, while providing very appreciable horizontal scalability. On this technological foundation, the performance measured at OZON far exceeds that obtained with other technologies on the market, especially in terms of latency, regardless of the traffic volume of protected eCommerce sites.
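
A minimal sketch of the wiring described above, added here as an example and not OZON's or the HAProxy project's own configuration: an SPOE filter on the frontend sends each request over SPOP to a pool of ModSecurity agents. The section and backend names, addresses, ports and file path are assumptions, as is the contract that the agent returns its verdict in a variable named `code`.

```haproxy
# ---- haproxy.cfg (HAProxy 1.7+) ----
# All names, addresses and ports below are assumptions for illustration.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www
    bind :80
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    option http-buffer-request        # needed so req.body is available
    # Hand each request to the external agent through the SPOE filter.
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
    # Assumed contract: the agent sets "code" > 0 when a rule blocks.
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
    # If the agent times out, the variable stays unset and the request
    # passes (fail open). To fail closed instead, also deny when unset:
    # http-request deny unless { var(txn.modsec.code) -m found }
    default_backend app

backend app
    server app1 192.0.2.10:8080

# Pool of ModSecurity agents; add servers here to scale horizontally.
backend spoe-modsecurity
    mode tcp
    balance roundrobin
    timeout connect 5s
    timeout server  3m
    server modsec1 127.0.0.1:12345
    server modsec2 127.0.0.1:12346

# ---- /etc/haproxy/spoe-modsecurity.conf ----
[modsecurity]
spoe-agent modsecurity-agent
    messages check-request
    option var-prefix modsec          # results land in txn.modsec.*
    timeout hello      100ms
    timeout idle       30s
    timeout processing 15ms           # latency budget per request
    use-backend spoe-modsecurity

spoe-message check-request
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event on-frontend-http-request
```

The `timeout processing` value is the trade-off to review: a short budget protects latency, but every request that exceeds it is forwarded unanalyzed unless the fail-closed rule is enabled.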

At OZON, we believe in the power of relying on solid open source foundations on top of which anyone is free to implement their own ideas. A strong community maintaining a solid core allows OZON’s R&D to focus exclusively on cybersecurity innovations.

After more than 6 months of successful testing, OZON has decided to contribute its R&D work to the open source community. In today’s cyber threat landscape, where automation and sophistication are the key words, a Web Application Firewall (WAF) must, at the very least, protect every eCommerce site. It’s vital.

____________________

«  HAProxy is a registered trademark of HAProxy Technologies »

«  NGINX is a registered trademark of Nginx, Inc. »

«  ModSecurity is a registered trademark of Trustwave Holdings, Inc. »

«  Apache is a registered trademark of the Apache Software Foundation »

Régis Rocroy

Engaged in IT security since the beginning of the Internet revolution, I act as a security consultant and security architect for accounts in banking and eCommerce.