
Will this replace the HAProxy bouncer? #16

@WilliamDEdwards


During a search for an HAProxy WAF, I came across the HAProxy bouncer. From what I understand:

  • The bouncer talks to the Security Engine
  • The Security Engine can optionally be extended with the AppSec component
  • AppSec is short for 'Application Security', which is what CrowdSec calls its WAF
  • When the Security Engine is extended with the AppSec component, the bouncer must support it

As far as I can see, the HAProxy bouncer does not support AppSec, effectively not providing a WAF. This hunch is confirmed by:

  • HAProxy is not mentioned as a supported web server in the AppSec documentation.
  • The HAProxy bouncer documentation talks only about 'checking IPs', not full-fledged WAF functionality. E.g.: "This component leverages haproxy lua's API to check e IP address against the local API."
  • The blog mentions neither 'WAF' nor 'AppSec'

I did however come across this experimental SPOA repository, which says it provides 'WAF protection'.

Is it safe to assume that this project will replace the Lua-based bouncer (as SPOA is native to HAProxy)? If so, is there a timeline? The roadmap does not mention it.
