This guide explains how to configure HAProxy and the OneFirewall Fluent Bit adapter to collect HTTP traffic logs, forward them to OneFirewall, and enable pattern detection aligned with MITRE ATT&CK techniques.
Overview
The integration uses HAProxy as the ingress point and Fluent Bit as the log collection and forwarding layer.
- HAProxy emits structured access logs with the HAPROXY_LOG prefix.
- Fluent Bit receives HAProxy syslog events over UDP.
- The OneFirewall Fluent Bit adapter parses the records using catchall_parser.
- OneFirewall analyzes the traffic for malicious behavior and pattern detection mapped to MITRE ATT&CK.
- Optional IPS reporting can send suspicious IP intelligence back to the OneFirewall cloud.
1. HAProxy Logging Configuration
Update the global section of your haproxy.cfg to send logs both to stdout and to the Fluent Bit adapter over UDP.
```
global
    log stdout format raw local0
    log 172.17.0.1:31514 local0
```
The UDP destination must match the host and port exposed by the Fluent Bit adapter. In the Docker Compose example below, Fluent Bit listens on 172.17.0.1:31514 and forwards UDP traffic to container port 514.
2. HAProxy Frontend Configuration
In the HAProxy frontend, capture the relevant request headers and define a log format that the OneFirewall Fluent Bit adapter can parse.
```
frontend balancer
    bind :80
    bind *:443 ssl crt /certs/ingress-ofa.pem
    timeout http-keep-alive 10s
    capture request header x-forwarded-for len 200
    capture request header Host len 64
    capture request header Cf-Pseudo-IPv4 len 64
    http-request deny if { hdr_ip(X-Forwarded-For) -f /ofa/ofa.csv }
    http-request set-var(txn.xff) req.hdr_ip(X-Forwarded-For,1)
    acl xff_private var(txn.xff) -m ip 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 127.0.0.0/8
    http-request set-log-level silent if xff_private || !{ var(txn.xff) -m found }
    log-format "HAPROXY_LOG %[var(txn.xff)] %ci %cp %fp %H \"%r\" %ST"
```
Two directives in this frontend are required for OneFirewall pattern detection:
- http-request set-var(txn.xff) req.hdr_ip(X-Forwarded-For,1) stores the original client IP, taken from the X-Forwarded-For header, in the transaction variable txn.xff.
- log-format "HAPROXY_LOG ..." emits a predictable log structure containing the original IP, connection metadata, HTTP protocol, raw request line, and status code.
The resulting log fields are:
| Field | Description |
|---|---|
| HAPROXY_LOG | Static prefix used by the parser |
| %[var(txn.xff)] | Original client IP from X-Forwarded-For |
| %ci | HAProxy client IP |
| %cp | Client source port |
| %fp | Frontend destination port |
| %H | HTTP protocol version |
| %r | Full HTTP request line |
| %ST | HTTP response status code |
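As an added example (not part of this guide or the OneFirewall adapter's own code), the following Python parser reads syslog lines carrying the HAPROXY_LOG format defined above into the fields of this table, and mirrors the xff_private acl so that a record HAProxy should have silenced can be flagged if it ever reaches the collector. The sample lines and all function names are constructed for illustration.

```python
import ipaddress
import re
from typing import Optional

# Matches the frontend's log-format:
#   "HAPROXY_LOG %[var(txn.xff)] %ci %cp %fp %H \"%r\" %ST"
# Anything before the prefix is the syslog envelope added on the UDP path.
HAPROXY_LOG_RE = re.compile(
    r'HAPROXY_LOG (?P<xff>\S+) (?P<client_ip>\S+) (?P<client_port>\d+) '
    r'(?P<frontend_port>\d+) (?P<h_field>\S+) "(?P<request>[^"]*)" '
    r'(?P<status>-?\d+)\s*$'
)

# Same ranges as the xff_private acl in the frontend
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8")]

def parse_haproxy_log(line: str) -> Optional[dict]:
    """Return the HAPROXY_LOG fields of one syslog line, or None if the line
    carries no such record (e.g. an HAProxy startup message)."""
    m = HAPROXY_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Split the raw request line (%r) into method and path
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    for key in ("client_port", "frontend_port", "status"):
        rec[key] = int(rec[key])
    # HAProxy renders an unset txn.xff as "-"; normalize it to None
    rec["xff"] = None if rec["xff"] == "-" else rec["xff"]
    return rec

def xff_is_private(xff: Optional[str]) -> bool:
    """Mirror of 'xff_private || !{ var(txn.xff) -m found }': such records
    are silenced by HAProxy and are not expected at the adapter."""
    if xff is None:
        return True
    try:
        addr = ipaddress.ip_address(xff)
    except ValueError:
        return True  # unparsable value: treat like a missing header
    return any(addr in net for net in PRIVATE_NETS)

# Constructed sample lines (not captured from a real deployment)
SAMPLE_LINES = [
    '<134>Jan  2 10:15:01 haproxy[27]: HAPROXY_LOG 203.0.113.7 172.17.0.5 51432 443 HTTP/1.1 "GET /login HTTP/1.1" 404',
    '<134>Jan  2 10:15:02 haproxy[27]: HAPROXY_LOG 10.0.0.9 172.17.0.5 51433 80 HTTP/1.1 "GET /health HTTP/1.1" 200',
    '<134>Jan  2 10:15:03 haproxy[27]: Proxy balancer started.',
]
```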
3. OneFirewall Fluent Bit Adapter
Add the OneFirewall Fluent Bit adapter to your Docker Compose stack.
```yaml
onefirewall-fluentbit-adapter:
  image: registry.onefirewall.com/onefirewall-fluentbit-adapter:v2
  environment:
    FIREWALL_PARSER: "catchall_parser"
    LOG_LEVEL: "info" # debug, info, warn, error
    ENABLE_STDOUT: "*_ofa_logs"
    DEBUG_LUA: "false"
    FLUSH_INTERVAL_SECONDS: "5" # 5 seconds
    OFA_EVENTS_FLUSH_INTERVAL: "5"
    OFA_POLL_INTERVAL_HOURS: "1"
    OFA_JWT_TOKEN: "TOKEN_OFA"
    OFA_API_URL: "https://app.onefirewall.com or http[s]://localhost:PORT"
    OFA_MIN_SCORE_TO_LOG: "2"
    OFA_LAST_EVENTS: "2000000"
    OFA_MEMBER_ID: "OFA-GID-"
    OFA_API_URL_CLOUD: "https://app.onefirewall.com"
    OFA_JWT_TOKEN_CLOUD: "OFA_TOKEN_FOR_IPS_REPORT"
    OFA_AGENT: "haproxy_waf"
    OFA_AGENT_LID: "report_xxxxx"
    OFA_AGENT_TAGS: "report_xxxxx"
    OFA_CONTRIBUTE: "0"
    OFA_IPS_FLUSH_INTERVAL: "300" # 5 minutes
    OFA_IPS_LIMIT: "1000"
    OFA_IPS_WORDS: "ofa_warning" # lowercase, comma-separated values
    OFA_IPS_PORTS: "443"
    SEND_TRAFFIC: "yes"
    ENABLE_ELASTIC_OUTPUT: "*_ofa_logs_OFF"
    ELASTIC_IP: "192.168.2.100"
    ELASTIC_PORT: "39220"
    ELASTIC_INDEX: "poc_traffic"
  ports:
    - "172.17.0.1:31514:514/udp"
```
For OFA_API_URL, provide only the protocol, host, and optional port, for example https://app.onefirewall.com or http://localhost:8080. Do not include the API path; the adapter resolves the required endpoint automatically.
4. Environment Variables
| Variable | Purpose |
|---|---|
| FIREWALL_PARSER | Selects the parser used by the adapter. Use catchall_parser for this HAProxy log format. |
| OFA_JWT_TOKEN | Token used to authenticate with the target OneFirewall API. |
| OFA_API_URL | Base URL of the OneFirewall API (the cloud service, or a local installation for clients). Use only protocol, host, and optional port. |
| OFA_MIN_SCORE_TO_LOG | Minimum score required before events are logged by the adapter. |
| OFA_MEMBER_ID | OneFirewall member identifier, used when sending data directly to Elasticsearch. |
| OFA_API_URL_CLOUD | OneFirewall cloud URL used for IPS partner reporting, or the local client installation, depending on whether the partner contributes to the OneFirewall Alliance. |
| OFA_JWT_TOKEN_CLOUD | Token used for IPS report submission to the OneFirewall cloud. |
| OFA_AGENT | Agent type reported to OneFirewall. For HAProxy WAF deployments, use haproxy_waf. |
| OFA_AGENT_LID | Local identifier for this reporting agent. |
| OFA_AGENT_TAGS | Tags associated with the generated reports. |
| OFA_CONTRIBUTE | Enables or disables contribution mode. Use 0 to disable contribution. |
| OFA_IPS_FLUSH_INTERVAL | Interval, in seconds, used to flush IPS reports. |
| OFA_IPS_LIMIT | Maximum number of IPS items sent per flush. |
| OFA_IPS_WORDS | Keywords used to select IPS events. Values must be lowercase and comma-separated. |
| OFA_IPS_PORTS | Ports associated with IPS reporting. |
| SEND_TRAFFIC | Enables traffic forwarding to OneFirewall when set to yes. |
| ENABLE_ELASTIC_OUTPUT | Enables or disables Elasticsearch output routing. |
| ELASTIC_IP, ELASTIC_PORT, ELASTIC_INDEX | Elasticsearch destination settings when direct Elasticsearch output is enabled. |
5. MITRE ATT&CK Pattern Detection Flow
With this configuration, HAProxy provides enough context for OneFirewall to analyze web traffic and detect suspicious patterns.
The HAPROXY_LOG records allow OneFirewall to evaluate request behavior such as suspicious paths, attack tooling, anomalous source IPs, abusive request patterns, and other indicators associated with MITRE ATT&CK techniques.
6. Validation Checklist
After deploying the configuration, verify the following:
- HAProxy starts successfully with the updated global and frontend configuration.
- UDP port 31514 is bound on 172.17.0.1 by the Fluent Bit adapter.
- HAProxy logs contain the HAPROXY_LOG prefix.
- The Fluent Bit adapter logs show parsed records matching *_ofa_logs.
- OneFirewall receives traffic events from the haproxy_waf agent.
- IPS reporting is enabled only when OFA_API_URL_CLOUD and OFA_JWT_TOKEN_CLOUD are configured with valid cloud credentials.
Result
Once enabled, HAProxy continues to serve traffic while producing structured logs for OneFirewall. The Fluent Bit adapter forwards those events for MITRE ATT&CK pattern detection, optional IPS reporting, and optional Elasticsearch output depending on the configured environment variables.