1 | | -# Coraza WASM filter |
| 1 | +# Coraza Proxy WASM |
| 2 | + |
| 3 | +Web Application Firewall WASM filter built on top of [Coraza](https://github.com/corazawaf/coraza) and implementing on proxy-wasm ABI. It can be loaded directly from Envoy or also used as an Istio plugin. |
| 4 | + |
| 5 | +## Getting started |
| 6 | +`go run mage.go -l` lists all the available commands: |
| 7 | +``` |
| 8 | +▶ go run mage.go -l |
| 9 | +Targets: |
| 10 | + build* builds the Coraza Wasm plugin. |
| 11 | + check runs lint and tests. |
| 12 | + checkBuildTools |
| 13 | + coverage runs tests with coverage and race detector enabled. |
| 14 | + doc runs godoc, access at http://localhost:6060 |
| 15 | + e2e runs e2e tests with a built plugin. |
| 16 | + format formats code in this repository. |
| 17 | + ftw runs ftw tests with a built plugin and Envoy. |
| 18 | + lint verifies code quality. |
| 19 | + precommit installs a git hook to run check when committing |
| 20 | + setup spins up the test environment. |
| 21 | + teardown tears down the test environment. |
| 22 | + test runs all tests. |
| 23 | + updateLibs |
| 24 | +
|
| 25 | +* default target |
| 26 | +``` |
| 27 | +### Building the filter |
| 28 | +>Note: The build of the Wasm filter currently relies on Go `1.18.*` |
| 29 | +``` |
| 30 | +PATH=/opt/homebrew/Cellar/go@1.18/1.18.6/bin:$PATH GOROOT=/opt/homebrew/Cellar/go@1.18/1.18.6/libexec go run mage.go build |
| 31 | +``` |
| 32 | +You will find the WASM plugin under `./build/main.wasm`. |
| 33 | + |
| 34 | +For performance purposes, some libs are built from they C++ implementation. The compiled polyglot wasm libs are already checked in under [./lib/](./lib/). It is possible to rely on the Dockerfiles under [./buildtools/](./buildtools/) if you wish to rebuild them from scratch. |
| 35 | + |
| 36 | +### Running the filter in an Envoy process |
| 37 | + |
| 38 | +In order to run the coraza-wasm-filter we need to spin up an envoy configuration including this as the filter config: |
| 39 | + |
| 40 | +```yaml |
| 41 | + ... |
| 42 | + |
| 43 | + filter_chains: |
| 44 | + - filters: |
| 45 | + - name: envoy.filters.network.http_connection_manager |
| 46 | + typed_config: |
| 47 | + "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager |
| 48 | + stat_prefix: ingress_http |
| 49 | + codec_type: auto |
| 50 | + route_config: |
| 51 | + ... |
| 52 | + http_filters: |
| 53 | + - name: envoy.filters.http.wasm |
| 54 | + typed_config: |
| 55 | + "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm |
| 56 | + config: |
| 57 | + name: "coraza-filter" |
| 58 | + root_id: "" |
| 59 | + configuration: |
| 60 | + "@type": "type.googleapis.com/google.protobuf.StringValue" |
| 61 | + value: | |
| 62 | + { |
| 63 | + "rules": "SecDebugLogLevel 5 \nSecRuleEngine On \nSecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\"" |
| 64 | + } |
| 65 | + vm_config: |
| 66 | + runtime: "envoy.wasm.runtime.v8" |
| 67 | + vm_id: "coraza-filter_vm_id" |
| 68 | + code: |
| 69 | + local: |
| 70 | + filename: "build/main.wasm" |
| 71 | +``` |
| 72 | +
|
| 73 | +### Using CRS |
| 74 | +
|
| 75 | +Coreruleset comes embeded in the extension, in order to use it in the config, you just need to include it directly in the rules: |
| 76 | +
|
| 77 | +Loading entire coreruleset: |
| 78 | +
|
| 79 | +```yaml |
| 80 | +configuration: |
| 81 | + "@type": "type.googleapis.com/google.protobuf.StringValue" |
| 82 | + value: | |
| 83 | + { |
| 84 | + "rules": "SecDebugLogLevel 5 \nSecRuleEngine On \n Include crs/*.conf" |
| 85 | + } |
| 86 | +``` |
| 87 | + |
| 88 | +Loading some pieces: |
| 89 | + |
| 90 | +```yaml |
| 91 | +configuration: |
| 92 | + "@type": "type.googleapis.com/google.protobuf.StringValue" |
| 93 | + value: | |
| 94 | + { |
| 95 | + "rules": "SecDebugLogLevel 5 \nSecRuleEngine On \n Include crs/REQUEST-901-INITIALIZATION.conf" |
| 96 | + } |
| 97 | +``` |
| 98 | + |
| 99 | +### Running go-ftw (CRS Regression tests) |
| 100 | + |
| 101 | +The following command runs the [go-ftw](https://github.com/fzipi/go-ftw) test suite against the filter with the CRS fully loaded. |
| 102 | +``` |
| 103 | +go run mage.go build |
| 104 | +``` |
| 105 | +Take a look at its config file [ftw.yml](./ftw/ftw.yml) for details about tests currently excluded. |
| 106 | + |
| 107 | +### Spinning up the coraza-wasm-filter for manual tests |
| 108 | +Via the commands `setup` and `teardown` you can spin up and tear down the test environment. Envoy with the coraza-wasm filter will be reachable at `localhost:8080`. |
| 109 | +In order to monitor envoy logs while performing requests run: |
| 110 | +``` |
| 111 | +docker-compose -f ./ftw/docker-compose.yml logs -f envoy-logs |
| 112 | +``` |
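Review bot: The "Running go-ftw" section tells the reader to run `go run mage.go build`, but by the target list at the top of the same file `build` only "builds the Coraza Wasm plugin" while `ftw` "runs ftw tests with a built plugin and Envoy", so the fenced command under "The following command runs the go-ftw test suite" should be `go run mage.go ftw`. The build instruction hardcodes one machine's Homebrew layout (`PATH=/opt/homebrew/Cellar/go@1.18/1.18.6/bin:$PATH GOROOT=/opt/homebrew/Cellar/go@1.18/1.18.6/libexec go run mage.go build`); since the note already states the Go `1.18.*` requirement, show the plain `go run mage.go build` and leave toolchain selection to the reader. Every rule snippet in the Envoy and CRS examples sets `SecDebugLogLevel 5`, the most verbose level; a short caveat that this is for local debugging and should be lowered in a deployed Envoy config would prevent copy-paste of a setting that floods the proxy log with per-request detail. Wording fixes: "implementing on proxy-wasm ABI" should be "implementing the proxy-wasm ABI", "built from they C++ implementation" should be "built from their C++ implementation", and "embeded" should be "embedded".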