Cannot load rules / directives from config files about traefik HOT 12 CLOSED

@jcchavezs I have one question regarding the directives configuration, is there a reason you have decided to have a []string?

I'm asking because if I'm a docker user and I want to use coraza traefik plugin I can't due to []string.

In Traefik for what we call label providers (docker, ecs, consulcatalog, etc...) having a []string for directives can be a blocker due to the size limit and the parsing.

The following example with yaml can't be converted to labels due to , in the following SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403":

http:
  middlewares:
     waf:
        plugin:
          coraza-http-wasm-traefik:
             directives:
               - SecRuleEngine On
	       - SecDebugLog /dev/stdout
	       - SecDebugLogLevel 9
	       - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

Do you have an idea how we can handle that? What I have in mind is using traefik type FileOrContent instead of []string

from traefik.

http:
# ...
  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - Include /path/coreruleset/rules/*.conf

I think this is OK. So talking about labels it will be

http.middlewares.waf.plugin.coraza-http-wasm-traefik.directives="Include ./rules.txt"

isn't?

from traefik.

I don't think we have identified any issue on this, but maybe @jcchavezs has some clue?

from traefik.

in general it would be nice to have FS access (even if limited to a special path) and (outgoing) network access. This currently limits the usefulness of the WASM integration to some really specific use cases.

from traefik.

from traefik.

Hi @mmatur the reason for accepting []string is readability purposes. It is fine in YAML but if config could be defined in JSON then having everything in one line would be hard to read:

{
    "directives": "SecRuleEngine On\nSecDebugLog /dev/stdout\nSecDebugLogLevel 9\nSecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,log,deny,status:403\""
}

Still you can define the config in a single line adding the next lines or put everything in a file and read that file but we need access to FS. Let me check if I can get that soon.

from traefik.

I just opened this PR showing it is possible to mount a host file system and load the files from the coraza-http-wasm config jcchavezs/coraza-http-wasm#19.

What is missing to enable this in traefik is a way to pass the location of the mounting dir into traefik. For example

http:
# ...
  middlewares:
    waf:
      plugin:
        coraza:
          fsRootDir: /etc/traefik 
          directives:
            - SecRuleEngine On
            - SecDebugLog /dev/stdout
            - SecDebugLogLevel 9
            - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

where fsRootDir could be accepted for every wasm plugin. What do you think @emilevauge ?

Another option could be:

http:
# ...
  middlewares:
    waf:
      plugin:
        coraza:
          runtime: 
            rootFS: /etc/traefik 
            env:
              a: b
          directives:
            - SecRuleEngine On
            - SecDebugLog /dev/stdout
            - SecDebugLogLevel 9
            - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

I guess it is too late to do:

http:
# ...
  middlewares:
    waf:
      plugin:
        coraza:
          runtime: 
            rootFS: /etc/traefik 
            env:
              a: b
          config:
            directives:
              - SecRuleEngine On
              - SecDebugLog /dev/stdout
              - SecDebugLogLevel 9
              - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

from traefik.

Hi @mmatur the reason for accepting []string is readability purposes. It is fine in YAML but if config could be defined in JSON then having everything in one line would be hard to read:

{
    "directives": "SecRuleEngine On\nSecDebugLog /dev/stdout\nSecDebugLogLevel 9\nSecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,log,deny,status:403\""
}

Still you can define the config in a single line adding the next lines or put everything in a file and read that file but we need access to FS. Let me check if I can get that soon.

@jcchavezs with FileOrContent you can have yaml like that (readability is totally correct for yaml and toml):

http:
  middlewares:
     waf:
        plugin:
          coraza-http-wasm-traefik:
             directives: |
               SecRuleEngine On
	       SecDebugLog /dev/stdout
	       SecDebugLogLevel 9
	       SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

or

http:
  middlewares:
     waf:
        plugin:
          coraza-http-wasm-traefik:
             directives: rules.txt 
             
## rules.txt content
##           SecRuleEngine On
##	       SecDebugLog /dev/stdout
##	       SecDebugLogLevel 9
##	       SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

For labels configuration it will also simplify (one config option for string or filepath)

http.middlewares.waf.plugin.coraza-http-wasm-traefik.directives=./rules.txt

The following directives cannot be defined has labels (due to , in SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403":

SecRuleEngine On
SecDebugLog /dev/stdout
SecDebugLogLevel 9
SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"

I saw your PR regarding files support for WASM plugin, will have a look next week.

Keeping directives as []string the best way to use a file to define my directives is to do something like that?

http:
# ...
  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - Include /path/coreruleset/rules/*.conf

from traefik.

Dear @jcchavezs

Thank you for reply. I've tried again after plugin update, but if the file is specified by name, ie.

http:
# ...
  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - Include /etc/traefik/crs4/coraza.conf

problem persists,

when using wildcard path

  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - Include /etc/traefik/crs4/*.conf

there's no error, but rules from file are not applied

I've checked the file under container using

$ podman exec -it traefik /bin/sh
container# cat /etc/traefik/crs4/coraza.conf

and the file can be read without problem

from traefik.

Hi @y4rr0,

The following PR should fix the issue. For now files are not mounted on the wasm plugin and this is why you have you issue.

The next Traefik version should fix that.

from traefik.

Hi, 

I have the same problem as OP, trying to include the ruleset file, but it behaves like the file was not there, but the file is in the correct path.

http:
  middlewares:
    waf:
      plugin:
        coraza:
          directives:
            - Include /etc/coraza/rules/coraza.conf

Is there any way how to include crs4 files?

Thanks in advance

from traefik.

Hello @DanielKohl1991,

The issue should be fixed in Traefik v3.1, as it brings the required mechanism to the WASM plugins to load files.
Please find more information in the related PR.

I close this issue, but do not hesitate to left a comment if you are still facing the issue, we'll re-open it if needed.

from traefik.