SPOE engine filter ACL rules

Hello, just trying to wrap my head around why I can't set up ACL rules on the filter like the lines below.
I really don't want to send any message to coraza if it is the local network.

If I use `if !is_local_network` on the requests everything is okay, I bypass the checks, but the messages still arrive at coraza for no reason; I know it is the local network and I don't care.

    acl is_local_network src 192.168.1.0/24 192.168.40.0/24 10.10.10.0/24

    filter spoe engine coraza config /etc/haproxy-coraza/coraza.cfg if !is_local_network
    http-request send-spoe-group coraza coraza-req
    http-request redirect code 302 location %[var(txn.coraza.data)] if { var(txn.coraza.action) -m str redirect }
    http-request deny deny_status 403 hdr waf-block "request" if { var(txn.coraza.action) -m str deny }
    http-request silent-drop if { var(txn.coraza.action) -m str drop }
    http-request deny deny_status 500 if { var(txn.coraza.error) -m int gt 0 }

HAProxy version 3.3-dev3-d4d72e2 2025/07/11 - https://haproxy.org/
Status: development branch - not safe for use in production.
Known bugs: https://github.com/haproxy/haproxy/issues?q=is:issue+is:open
Running on: Linux 6.8.12-13-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-13 (2025-07-22T10:00Z) x86_64
Build options :
  TARGET  = linux-musl
  CC      = cc
  CFLAGS  = -O2 -g -fwrapv
  OPTIONS = USE_THREAD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_OPENSSL_AWSLC=1 USE_LUA=1 USE_ACCEPT4=1 USE_SLZ=1 USE_TFO=1 USE_QUIC=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1
  DEBUG   =

Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL +OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC -QUIC_OPENSSL_COMPAT +RT +SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL -ZLIB

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=32, MAX_THREADS=1024, default=40).
Built with SSL library version : OpenSSL 1.1.1 (compatible; AWS-LC 1.56.0)
Running on SSL library version : AWS-LC 1.56.0
SSL library supports TLS extensions : yes
SSL library supports SNI : yes
SSL library FIPS mode : no
SSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
QUIC: connection socket-owner mode support : yes
QUIC: GSO emission support : yes
Built with Lua version : Lua 5.4.8
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.43 2024-02-16
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 15.1.1 20250719

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE|BE  mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
       spop : mode=SPOP  side=BE     mux=SPOP  flags=HOL_RISK|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : prometheus-exporter
Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace

Even adding the local-ips.txt to coraza doesn’t help.

{"level":"error","time":"2025-08-01T22:10:20+03:00","message":"[client \"192.168.1.50\"] Coraza: Warning. Request content type is not allowed by policy [file \"/etc/haproxy-coraza/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"2815\"] [id \"920420\"] [rev \"\"] [msg \"Request content type is not allowed by policy\"] [data \"|application/dns-message|\"] [severity \"critical\"] [ver \"OWASP_CRS/4.18.0-dev\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"paranoia-level/1\"] [tag \"OWASP_CRS\"] [tag \"OWASP_CRS/PROTOCOL-ENFORCEMENT\"] [tag \"capec/1000/255/153\"] [hostname \"192.168.40.3\"] [uri \"/dns-query\"] [unique_id \"JLVKBCUKTPWSODWK\"]"}

# bind: 127.0.0.1:9000
bind: unix:/var/run/coraza.sock
log_level: info
log_file: /var/log/coraza.log
log_format: json
applications:
  - name: haproxy_waf
    directives: |
      Include /etc/haproxy-coraza/coraza.conf
      Include /etc/haproxy-coraza/crs-setup.conf
      Include /etc/haproxy-coraza/plugins/*-config.conf
      Include /etc/haproxy-coraza/plugins/*-before.conf
      SecRuleEngine On
      
      #Bypass for private ranges
      SecRule REMOTE_ADDR "@ipMatchFromFile /etc/haproxy/local-ips.txt" \
      "id:1000,\
      phase:1,\
      pass,\
      nolog,\
      ctl:ruleEngine=Off"
      
      Include /etc/haproxy-coraza/rules/*.conf
      Include /etc/haproxy-coraza/plugins/*-after.conf
    response_check: false
    transaction_ttl_ms: 60000
    log_level: info
    log_file: /var/log/coraza.log
    log_format: json
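An added example, not taken from the original post or from the Coraza project, showing where an ACL can live in HAProxy's own SPOE configuration: the `event` line of a `spoe-message` section accepts an `if`/`unless` condition that is evaluated by the SPOE engine itself, independently of any `http-request send-spoe-group` rule in haproxy.cfg. The agent options and the `args` list are assumptions and must match what the deployed SPOA actually expects.

```haproxy
# /etc/haproxy-coraza/coraza.cfg (example layout, not the poster's file)
[coraza]

spoe-agent coraza-agent
    # Messages this agent sends; the name must match the spoe-message below
    # and the group name used by "http-request send-spoe-group coraza coraza-req".
    messages coraza-req
    # Variables set by the agent appear as txn.coraza.<name>, which is what
    # the http-request rules in haproxy.cfg read (txn.coraza.action, .data, .error).
    option var-prefix coraza
    timeout processing 500ms
    # Backend that points at the SPOA socket (unix:/var/run/coraza.sock in config.yaml).
    use-backend coraza-spoa
    log global

spoe-message coraza-req
    # ACLs are permitted inside a spoe-message section; these are the same
    # ranges the original post defines in the frontend.
    acl is_local_network src 192.168.1.0/24 192.168.40.0/24 10.10.10.0/24
    # Assumed argument list (placeholder, taken from typical SPOA examples);
    # "app" should equal the application name from config.yaml (haproxy_waf).
    # "unique-id" requires a unique-id-format in the frontend.
    args app=str(haproxy_waf) id=unique-id src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
    # The event fires automatically for every request; gating it here means
    # local sources never generate a message, even without a condition on
    # the send-spoe-group rule.
    event on-frontend-http-request unless is_local_network
```

Logging on the SPOA side (the 920420 warning in the post) can then be checked against a request from 192.168.1.50: with the condition on the event, no entry should appear for it.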