Comments (12)
@jcchavezs I have one question regarding the directives
configuration, is there a reason you have decided to have a []string
?
I'm asking because if I'm a docker user and I want to use coraza traefik plugin I can't due to []string
.
In Traefik for what we call label
providers (docker, ecs, consulcatalog, etc...) having a []string
for directives can be a blocker due to the size limit and the parsing.
The following example with yaml can't be converted to labels due to ,
in the following SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
:
http:
middlewares:
waf:
plugin:
coraza-http-wasm-traefik:
directives:
- SecRuleEngine On
- SecDebugLog /dev/stdout
- SecDebugLogLevel 9
- SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
Do you have an idea how we can handle that? What I have in mind is using traefik type FileOrContent instead of []string
from traefik.
http:
# ...
middlewares:
waf:
plugin:
coraza:
directives:
- Include /path/coreruleset/rules/*.conf
I think this is OK. So talking about labels it will be
http.middlewares.waf.plugin.coraza-http-wasm-traefik.directives="Include ./rules.txt"
isn't?
from traefik.
I don't think we have identified any issue on this, but maybe @jcchavezs has some clue?
from traefik.
in general it would be nice to have FS access (even if limited to a special path) and (outgoing) network access. This currently limits the usefulness of the WASM integration to some really specific use cases.
from traefik.
from traefik.
Hi @mmatur the reason for accepting []string
is readability purposes. It is fine in YAML but if config could be defined in JSON then having everything in one line would be hard to read:
{
"directives": "SecRuleEngine On\nSecDebugLog /dev/stdout\nSecDebugLogLevel 9\nSecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,log,deny,status:403\""
}
Still you can define the config in a single line adding the next lines or put everything in a file and read that file but we need access to FS. Let me check if I can get that soon.
from traefik.
I just opened this PR showing it is possible to mount a host file system and load the files from the coraza-http-wasm config jcchavezs/coraza-http-wasm#19.
What is missing to enable this in traefik is a way to pass the location of the mounting dir into traefik. For example
http:
# ...
middlewares:
waf:
plugin:
coraza:
fsRootDir: /etc/traefik
directives:
- SecRuleEngine On
- SecDebugLog /dev/stdout
- SecDebugLogLevel 9
- SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
where fsRootDir
could be accepted for every wasm plugin. What do you think @emilevauge ?
Another option could be:
http:
# ...
middlewares:
waf:
plugin:
coraza:
runtime:
rootFS: /etc/traefik
env:
a: b
directives:
- SecRuleEngine On
- SecDebugLog /dev/stdout
- SecDebugLogLevel 9
- SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
I guess it is too late to do:
http:
# ...
middlewares:
waf:
plugin:
coraza:
runtime:
rootFS: /etc/traefik
env:
a: b
config:
directives:
- SecRuleEngine On
- SecDebugLog /dev/stdout
- SecDebugLogLevel 9
- SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
from traefik.
Hi @mmatur the reason for accepting
[]string
is readability purposes. It is fine in YAML but if config could be defined in JSON then having everything in one line would be hard to read:{ "directives": "SecRuleEngine On\nSecDebugLog /dev/stdout\nSecDebugLogLevel 9\nSecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,log,deny,status:403\"" }Still you can define the config in a single line adding the next lines or put everything in a file and read that file but we need access to FS. Let me check if I can get that soon.
@jcchavezs with FileOrContent you can have yaml like that (readability is totally correct for yaml and toml):
http:
middlewares:
waf:
plugin:
coraza-http-wasm-traefik:
directives: |
SecRuleEngine On
SecDebugLog /dev/stdout
SecDebugLogLevel 9
SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
or
http:
middlewares:
waf:
plugin:
coraza-http-wasm-traefik:
directives: rules.txt
## rules.txt content
## SecRuleEngine On
## SecDebugLog /dev/stdout
## SecDebugLogLevel 9
## SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
For labels configuration it will also simplify (one config option for string or filepath)
http.middlewares.waf.plugin.coraza-http-wasm-traefik.directives=./rules.txt
The following directives cannot be defined has labels (due to ,
in SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
:
SecRuleEngine On
SecDebugLog /dev/stdout
SecDebugLogLevel 9
SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,log,deny,status:403"
I saw your PR regarding files support for WASM plugin, will have a look next week.
Keeping directives
as []string
the best way to use a file to define my directives is to do something like that?
http:
# ...
middlewares:
waf:
plugin:
coraza:
directives:
- Include /path/coreruleset/rules/*.conf
from traefik.
Dear @jcchavezs
Thank you for reply. I've tried again after plugin update, but if the file is specified by name, ie.
http:
# ...
middlewares:
waf:
plugin:
coraza:
directives:
- Include /etc/traefik/crs4/coraza.conf
problem persists,
when using wildcard path
middlewares:
waf:
plugin:
coraza:
directives:
- Include /etc/traefik/crs4/*.conf
there's no error, but rules from file are not applied
I've checked the file under container using
$ podman exec -it traefik /bin/sh
container# cat /etc/traefik/crs4/coraza.conf
and the file can be read without problem
from traefik.
Hi @y4rr0,
The following PR should fix the issue. For now files are not mounted on the wasm plugin and this is why you have you issue.
The next Traefik version should fix that.
from traefik.
Hi,
I have the same problem as OP, trying to include the ruleset file, but it behaves like the file was not there, but the file is in the correct path.
http:
middlewares:
waf:
plugin:
coraza:
directives:
- Include /etc/coraza/rules/coraza.conf
Is there any way how to include crs4 files?
Thanks in advance
from traefik.
Hello @DanielKohl1991,
The issue should be fixed in Traefik v3.1, as it brings the required mechanism to the WASM plugins to load files.
Please find more information in the related PR.
I close this issue, but do not hesitate to left a comment if you are still facing the issue, we'll re-open it if needed.
from traefik.
Related Issues (20)
- Add RateLimit per URL path feature HOT 1
- K8s `IngressRoute` error when selecting a named port from a headless & selectorless `ClusterIP` Service HOT 1
- Kubernetes provider incorrectly warns about failing to list ingress classes HOT 4
- Azure DNS LE challenge using _FILE env. values HOT 5
- Shouldn't it be `if !hasValidPort` ? HOT 4
- There is an issue with the description of `safeQueryParams` in the v3.1 documentation HOT 1
- Compression Breaks BasicAuth on iOS Safari HOT 2
- Add docker tags for major versions HOT 1
- Traefik 2.11 file provider fails with ReadDirectoryChanges error HOT 2
- Run a modified plugin in local mode but failed HOT 1
- Ability to choose compression algorithms in k8s Middleware HOT 5
- Can not get Service Metrics HOT 4
- kernel TLS (kTLS) support HOT 2
- Documentation has mismatch between Encoded Certificate and Human Readable presentation HOT 2
- ability to disable http/3 on certain hosts HOT 3
- [K8s] Allow empty Services in Errors Middleware HOT 8
- Traefik not respecting file middleware
- Intermittent issues with URL redirection HOT 4
- Multiple IP Domain Name handling HOT 1
- IP format checking on `ingressendpoint.ip` HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from traefik.