Comments (9)
@jcchavezs I have one question regarding the directives configuration: is there a reason you have decided to have a `[]string`?

I'm asking because if I'm a docker user and I want to use the coraza traefik plugin I can't, due to `[]string`.

In Traefik, for what we call label providers (docker, ecs, consulcatalog, etc...), having a `[]string` for directives can be a blocker due to the size limit and the parsing.

The following example with yaml can't be converted to labels due to the `,` in `SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"`:
```yaml
http:
  middlewares:
    waf:
      plugin:
        coraza-http-wasm-traefik:
          directives:
            - SecRuleEngine On
            - SecDebugLog /dev/stdout
            - SecDebugLogLevel 9
            - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
```
Do you have an idea how we can handle that? What I have in mind is using the traefik type `FileOrContent` instead of `[]string`.
```yaml
http:
  # ...
  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - Include /path/coreruleset/rules/*.conf
```
I think this is OK. So talking about labels it will be

```
http.middlewares.waf.plugin.coraza-http-wasm-traefik.directives="Include ./rules.txt"
```

isn't it?
I don't think we have identified any issue on this, but maybe @jcchavezs has some clue?
In general it would be nice to have FS access (even if limited to a special path) and (outgoing) network access. This currently limits the usefulness of the WASM integration to some really specific use cases.
Hi @mmatur, the reason for accepting `[]string` is readability purposes. It is fine in YAML, but if config could be defined in JSON then having everything in one line would be hard to read:
```json
{
  "directives": "SecRuleEngine On\nSecDebugLog /dev/stdout\nSecDebugLogLevel 9\nSecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,log,deny,status:403\""
}
```
Still you can define the config in a single line adding the next lines or put everything in a file and read that file but we need access to FS. Let me check if I can get that soon.
I just opened this PR showing it is possible to mount a host file system and load the files from the coraza-http-wasm config jcchavezs/coraza-http-wasm#19.
What is missing to enable this in traefik is a way to pass the location of the mounting dir into traefik. For example
```yaml
http:
  # ...
  middlewares:
    waf:
      plugin:
        coraza:
          fsRootDir: /etc/traefik
          directives:
            - SecRuleEngine On
            - SecDebugLog /dev/stdout
            - SecDebugLogLevel 9
            - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
```
where `fsRootDir` could be accepted for every wasm plugin. What do you think @emilevauge?
Another option could be:
```yaml
http:
  # ...
  middlewares:
    waf:
      plugin:
        coraza:
          runtime:
            rootFS: /etc/traefik
            env:
              a: b
          directives:
            - SecRuleEngine On
            - SecDebugLog /dev/stdout
            - SecDebugLogLevel 9
            - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
```
I guess it is too late to do:
```yaml
http:
  # ...
  middlewares:
    waf:
      plugin:
        coraza:
          runtime:
            rootFS: /etc/traefik
            env:
              a: b
          config:
            directives:
              - SecRuleEngine On
              - SecDebugLog /dev/stdout
              - SecDebugLogLevel 9
              - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
```
@jcchavezs with `FileOrContent` you can have yaml like that (readability is totally correct for yaml and toml):
```yaml
http:
  middlewares:
    waf:
      plugin:
        coraza-http-wasm-traefik:
          directives: |
            SecRuleEngine On
            SecDebugLog /dev/stdout
            SecDebugLogLevel 9
            SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
```
or
```yaml
http:
  middlewares:
    waf:
      plugin:
        coraza-http-wasm-traefik:
          directives: rules.txt
          ## rules.txt content
          ## SecRuleEngine On
          ## SecDebugLog /dev/stdout
          ## SecDebugLogLevel 9
          ## SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
```
For labels configuration it will also simplify (one config option for string or filepath):

```
http.middlewares.waf.plugin.coraza-http-wasm-traefik.directives=./rules.txt
```
The following directives cannot be defined as labels (due to the `,` in `SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"`):

```
SecRuleEngine On
SecDebugLog /dev/stdout
SecDebugLogLevel 9
SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
```
I saw your PR regarding files support for WASM plugin, will have a look next week.
Keeping `directives` as `[]string`, is the best way to use a file to define my directives to do something like that?
```yaml
http:
  # ...
  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - Include /path/coreruleset/rules/*.conf
```
Dear jcchavezs,

Thank you for the reply. I've tried again after the plugin update, but if the file is specified by name, i.e.
```yaml
http:
  # ...
  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - Include /etc/traefik/crs4/coraza.conf
```
the problem persists. When using a wildcard path
```yaml
middlewares:
  waf:
    plugin:
      coraza:
        directives:
          - Include /etc/traefik/crs4/*.conf
```
there's no error, but the rules from the file are not applied.

I've checked the file inside the container using

```
$ podman exec -it traefik /bin/sh
container# cat /etc/traefik/crs4/coraza.conf
```
and the file can be read without problem
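The thread proposes restricting the plugin's file access to an `fsRootDir`/`rootFS` mount and then loading rules through `Include`; the last report shows the failure mode to avoid, a wildcard `Include` that matches nothing and silently leaves no rules applied. The following is an added illustration of how such a loader can be written to fail closed (example code, not Traefik's or the coraza plugin's own implementation). It assumes chroot-style semantics: every `Include` path is interpreted beneath the root directory, and a `rootDir` parameter standing in for `fsRootDir`.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ExpandIncludes flattens a directives string, resolving "Include <glob>" lines
// only beneath rootDir (the assumed fsRootDir/rootFS mount): include paths are
// guest paths under that root. It fails closed: a path escaping rootDir is
// rejected, and an Include matching no file is an error, not an empty rule set.
func ExpandIncludes(content, rootDir string) ([]string, error) {
	root, _ := filepath.Abs(rootDir) // Abs only fails when the cwd is unavailable
	var out []string
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank lines and comments carry no directive
		}
		if !strings.HasPrefix(line, "Include ") {
			out = append(out, line)
			continue
		}
		// Join cleans ".." segments, so an escape shows up as a path outside root.
		// Symlinks are not resolved here; a real loader should also check them.
		p := filepath.Join(root, strings.TrimSpace(strings.TrimPrefix(line, "Include ")))
		if !strings.HasPrefix(p, root+string(os.PathSeparator)) {
			return nil, fmt.Errorf("%q escapes %s", line, root)
		}
		matches, err := filepath.Glob(p)
		if err != nil || len(matches) == 0 {
			return nil, fmt.Errorf("%q matched no file under %s", line, root)
		}
		for _, m := range matches {
			data, err := os.ReadFile(m)
			if err != nil {
				return nil, err
			}
			nested, err := ExpandIncludes(string(data), rootDir) // included files may Include too
			if err != nil {
				return nil, err
			}
			out = append(out, nested...)
		}
	}
	return out, nil
}
```

With a root of `/etc/traefik`, `Include crs4/*.conf` loads `/etc/traefik/crs4/*.conf`, while a host-absolute `Include /etc/traefik/crs4/coraza.conf` is looked up beneath the root and reported as unmatched instead of being ignored.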