Cannot load rules / directives from config files about traefik HOT 9 OPEN

@jcchavezs I have one question regarding the directives configuration, is there a reason you have decided to have a []string?

I'm asking because if I'm a docker user and I want to use coraza traefik plugin I can't due to []string.

In Traefik for what we call label providers (docker, ecs, consulcatalog, etc...) having a []string for directives can be a blocker due to the size limit and the parsing.

The following example with yaml can't be converted to labels due to , in the following SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403":

http:
  middlewares:
     waf:
        plugin:
          coraza-http-wasm-traefik:
             directives:
               - SecRuleEngine On
	       - SecDebugLog /dev/stdout
	       - SecDebugLogLevel 9
	       - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

Do you have an idea how we can handle that? What I have in mind is using traefik type FileOrContent instead of []string

from traefik.

http:
# ...
  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - Include /path/coreruleset/rules/*.conf

I think this is OK. So talking about labels it will be

http.middlewares.waf.plugin.coraza-http-wasm-traefik.directives="Include ./rules.txt"

isn't?

from traefik.

I don't think we have identified any issue on this, but maybe @jcchavezs has some clue?

from traefik.

in general it would be nice to have FS access (even if limited to a special path) and (outgoing) network access. This currently limits the usefulness of the WASM integration to some really specific use cases.

from traefik.

from traefik.

Hi @mmatur the reason for accepting []string is readability purposes. It is fine in YAML but if config could be defined in JSON then having everything in one line would be hard to read:

{
    "directives": "SecRuleEngine On\nSecDebugLog /dev/stdout\nSecDebugLogLevel 9\nSecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,log,deny,status:403\""
}

Still you can define the config in a single line adding the next lines or put everything in a file and read that file but we need access to FS. Let me check if I can get that soon.

from traefik.

I just opened this PR showing it is possible to mount a host file system and load the files from the coraza-http-wasm config jcchavezs/coraza-http-wasm#19.

What is missing to enable this in traefik is a way to pass the location of the mounting dir into traefik. For example

http:
# ...
  middlewares:
    waf:
      plugin:
        coraza:
          fsRootDir: /etc/traefik 
          directives:
            - SecRuleEngine On
            - SecDebugLog /dev/stdout
            - SecDebugLogLevel 9
            - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

where fsRootDir could be accepted for every wasm plugin. What do you think @emilevauge ?

Another option could be:

http:
# ...
  middlewares:
    waf:
      plugin:
        coraza:
          runtime: 
            rootFS: /etc/traefik 
            env:
              a: b
          directives:
            - SecRuleEngine On
            - SecDebugLog /dev/stdout
            - SecDebugLogLevel 9
            - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

I guess it is too late to do:

http:
# ...
  middlewares:
    waf:
      plugin:
        coraza:
          runtime: 
            rootFS: /etc/traefik 
            env:
              a: b
          config:
            directives:
              - SecRuleEngine On
              - SecDebugLog /dev/stdout
              - SecDebugLogLevel 9
              - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

from traefik.

Hi @mmatur the reason for accepting []string is readability purposes. It is fine in YAML but if config could be defined in JSON then having everything in one line would be hard to read:

{
    "directives": "SecRuleEngine On\nSecDebugLog /dev/stdout\nSecDebugLogLevel 9\nSecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,log,deny,status:403\""
}

Still you can define the config in a single line adding the next lines or put everything in a file and read that file but we need access to FS. Let me check if I can get that soon.

@jcchavezs with FileOrContent you can have yaml like that (readability is totally correct for yaml and toml):

http:
  middlewares:
     waf:
        plugin:
          coraza-http-wasm-traefik:
             directives: |
               SecRuleEngine On
	       SecDebugLog /dev/stdout
	       SecDebugLogLevel 9
	       SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

or

http:
  middlewares:
     waf:
        plugin:
          coraza-http-wasm-traefik:
             directives: rules.txt 
             
## rules.txt content
##           SecRuleEngine On
##	       SecDebugLog /dev/stdout
##	       SecDebugLogLevel 9
##	       SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

For labels configuration it will also simplify (one config option for string or filepath)

http.middlewares.waf.plugin.coraza-http-wasm-traefik.directives=./rules.txt

The following directives cannot be defined has labels (due to , in SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403":

SecRuleEngine On
SecDebugLog /dev/stdout
SecDebugLogLevel 9
SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

I saw your PR regarding files support for WASM plugin, will have a look next week.

Keeping directives as []string the best way to use a file to define my directives is to do something like that?

http:
# ...
  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - Include /path/coreruleset/rules/*.conf

from traefik.

Dear jcchavezs

Thank you for reply. I've tried again after plugin update, but if the file is specified by name, ie.

http:
# ...
  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - Include /etc/traefik/crs4/coraza.conf

problem persists,

when using wildcard path

  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - Include /etc/traefik/crs4/*.conf

there's no error, but rules from file are not applied

I've checked the file under container using

$ podman exec -it traefik /bin/sh
container# cat /etc/traefik/crs4/coraza.conf

and the file can be read without problem

from traefik.