-
Notifications
You must be signed in to change notification settings - Fork 470
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
74 changed files
with
22,639 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
FROM scratch | ||
|
||
COPY local/main.wasm /plugin.wasm |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
# 功能说明 | ||
waf插件实现了基于ModSecurity的规则防护引擎,可以根据用户配置的规则屏蔽可疑请求,并支持OWASP CRS,为站点提供基础的防护功能。 | ||
|
||
# 配置字段 | ||
| 名称 | 数据类型 | 填写要求 | 默认值 | 描述 | | ||
| -------- | -------- | -------- | -------- | -------- | | ||
| useCRS | bool | 选填 | false | 是否开启OWASP CRS,详情可参考[coreruleset](https://github.com/coreruleset/coreruleset/tree/v3.3.2) | | ||
| secRules | array of string | 选填 | - | 用户自定义的waf防护规则,语法规则可参考[ModSecurity中文手册](http://www.modsecurity.cn/chm/) | | ||
|
||
# 配置示例 | ||
```yaml | ||
useCRS: true | ||
secRules: | ||
- "SecDebugLogLevel 3" | ||
- "SecRuleEngine On" | ||
- "SecAction \"id:100,phase:1,pass\"" | ||
- "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\"" | ||
- "SecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\"" | ||
``` | ||
根据该配置,以下请求将被禁止访问: | ||
```bash | ||
curl http://example.com/admin | ||
curl http://example.com -d "maliciouspayload" | ||
``` | ||
|
||
# 对特定路由或域名开启 | ||
```yaml | ||
useCRS: true | ||
secRules: | ||
- "SecDebugLogLevel 3" | ||
- "SecRuleEngine On" | ||
- "SecAction \"id:100,phase:1,pass\"" | ||
- "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\"" | ||
- "SecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\"" | ||
_rules_: | ||
- _match_route_: | ||
- "route-1" | ||
secRules: | ||
- "SecDebugLogLevel 3" | ||
- "SecRuleEngine On" | ||
- "SecAction \"id:102,phase:1,deny\"" | ||
- _match_domain_: | ||
- "*.example.com" | ||
- test.com | ||
secRules: | ||
- "SecDebugLogLevel 3" | ||
- "SecRuleEngine On" | ||
- "SecAction \"id:102,phase:1,pass\"" | ||
``` | ||
此例 `_match_route_` 中指定的 `route-1` 即在创建网关路由时填写的路由名称,当匹配到这两个路由时,将使用此段配置; 此例 `_match_domain_` 中指定的 `*.example.com` 和 `test.com` 用于匹配请求的域名,当发现域名匹配时,将使用此段配置; 配置的匹配生效顺序,将按照 `_rules_` 下规则的排列顺序,匹配第一个规则后生效对应配置,后续规则将被忽略。 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
module github.com/corazawaf/coraza-proxy-wasm | ||
|
||
go 1.19 | ||
|
||
require ( | ||
github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230504075705-7e358eb1db7c | ||
github.com/corazawaf/coraza-wasilibs v0.0.0-20230408002644-e2e3af21f503 | ||
github.com/corazawaf/coraza/v3 v3.0.0-rc.1.0.20230407165813-a18681b1ec28 | ||
github.com/stretchr/testify v1.8.0 | ||
github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0 | ||
github.com/tidwall/gjson v1.14.4 | ||
github.com/wasilibs/nottinygc v0.2.0 | ||
) | ||
|
||
require ( | ||
github.com/corazawaf/libinjection-go v0.1.2 // indirect | ||
github.com/davecgh/go-spew v1.1.1 // indirect | ||
github.com/google/uuid v1.3.0 // indirect | ||
github.com/kr/pretty v0.1.0 // indirect | ||
github.com/magefile/mage v1.14.0 // indirect | ||
github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 // indirect | ||
github.com/pmezard/go-difflib v1.0.0 // indirect | ||
github.com/tetratelabs/wazero v1.0.1 // indirect | ||
github.com/tidwall/match v1.1.1 // indirect | ||
github.com/tidwall/pretty v1.2.1 // indirect | ||
github.com/wasilibs/go-aho-corasick v0.3.0 // indirect | ||
github.com/wasilibs/go-libinjection v0.2.1 // indirect | ||
github.com/wasilibs/go-re2 v1.0.0 // indirect | ||
golang.org/x/net v0.9.0 // indirect | ||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect | ||
gopkg.in/yaml.v3 v3.0.1 // indirect | ||
rsc.io/binaryregexp v0.2.0 // indirect | ||
) | ||
|
||
replace ( | ||
github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230504075705-7e358eb1db7c => github.com/rinfx/higress/plugins/wasm-go v0.0.0-20230508112120-f2d89b0606ee | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,65 @@ | ||
github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230504075705-7e358eb1db7c h1:RKZJGYAkczZVqvJ/CuNJSY6YI5oyJjzm12MVzf3Z7/U= | ||
github.com/alibaba/higress/plugins/wasm-go v0.0.0-20230504075705-7e358eb1db7c/go.mod h1:AzSnkuon5c26nIePTiJQIAFsKdhkNdncLcTuahpGtQs= | ||
github.com/corazawaf/coraza-wasilibs v0.0.0-20230408002644-e2e3af21f503 h1:hGXspDwUBHQUne1NT2D6PmkR9wFCXsibjaJpz7xhf+g= | ||
github.com/corazawaf/coraza-wasilibs v0.0.0-20230408002644-e2e3af21f503/go.mod h1:bTc+NV7T2wQevFQHDDWhD/+IAA5bvKbbK4CxzfvJx/o= | ||
github.com/corazawaf/coraza/v3 v3.0.0-rc.1.0.20230407165813-a18681b1ec28 h1:Jrlvhe4YCR/PMCazDEBeun/XTYhlzczBN0WN4/ejORo= | ||
github.com/corazawaf/coraza/v3 v3.0.0-rc.1.0.20230407165813-a18681b1ec28/go.mod h1:TKREBLh55w3SiBbLsQpH9EFzjBAmEUH4KRaZ/kFYz20= | ||
github.com/corazawaf/libinjection-go v0.1.2 h1:oeiV9pc5rvJ+2oqOqXEAMJousPpGiup6f7Y3nZj5GoM= | ||
github.com/corazawaf/libinjection-go v0.1.2/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw= | ||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= | ||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | ||
github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= | ||
github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= | ||
github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= | ||
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= | ||
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= | ||
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= | ||
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= | ||
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= | ||
github.com/magefile/mage v1.14.0 h1:6QDX3g6z1YvJ4olPhT1wksUcSa/V0a1B+pJb73fBjyo= | ||
github.com/magefile/mage v1.14.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= | ||
github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA= | ||
github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 h1:lL+y4Xv20pVlCGyLzNHRC0I0rIHhIL1lTvHizoS/dU8= | ||
github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9/go.mod h1:EHPiTAKtiFmrMldLUNswFwfZ2eJIYBHktdaUTZxYWRw= | ||
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= | ||
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | ||
github.com/rinfx/higress/plugins/wasm-go v0.0.0-20230508112120-f2d89b0606ee h1:5qHbEcei04hDcUTzvoFNtYtZiewnTgVv6wR9co8Ih6c= | ||
github.com/rinfx/higress/plugins/wasm-go v0.0.0-20230508112120-f2d89b0606ee/go.mod h1:AzSnkuon5c26nIePTiJQIAFsKdhkNdncLcTuahpGtQs= | ||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= | ||
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= | ||
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= | ||
github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= | ||
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= | ||
github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0 h1:kS7BvMKN+FiptV4pfwiNX8e3q14evxAWkhYbxt8EI1M= | ||
github.com/tetratelabs/proxy-wasm-go-sdk v0.22.0/go.mod h1:qkW5MBz2jch2u8bS59wws65WC+Gtx3x0aPUX5JL7CXI= | ||
github.com/tetratelabs/wazero v1.0.1 h1:xyWBoGyMjYekG3mEQ/W7xm9E05S89kJ/at696d/9yuc= | ||
github.com/tetratelabs/wazero v1.0.1/go.mod h1:wYx2gNRg8/WihJfSDxA1TIL8H+GkfLYm+bIfbblu9VQ= | ||
github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM= | ||
github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk= | ||
github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA= | ||
github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM= | ||
github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= | ||
github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4= | ||
github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU= | ||
github.com/wasilibs/go-aho-corasick v0.3.0 h1:ScfPQhAwop/ELIkwY0dfMTFb/bwOdYI/MB3mkX2WOZI= | ||
github.com/wasilibs/go-aho-corasick v0.3.0/go.mod h1:LKW6EW9NWuWYE8PII+sFpRbbY3UcrMUgfUTkGaoWyMY= | ||
github.com/wasilibs/go-libinjection v0.2.1 h1:1aSwyE4oNpPGpFw3i3hoM15sF3qn1s4P0jC2jgFM2Qk= | ||
github.com/wasilibs/go-libinjection v0.2.1/go.mod h1:ZUoVe+HLQYq+QPBNTSgg3fxGvZsvXiDbi0UomBlsGzo= | ||
github.com/wasilibs/go-re2 v1.0.0 h1:pvrqtMzZgTMHVPfXJrk4YZwiqIXOKdfo5aed6CzUAW4= | ||
github.com/wasilibs/go-re2 v1.0.0/go.mod h1:8g69JapfgjSCx49dKOQij1dqA3sOvoH5NteaUy1X0SA= | ||
github.com/wasilibs/nottinygc v0.2.0 h1:cXz2Ac9bVMLkpuOlUlPQMWowjw0K2cOErXZOFdAj7yE= | ||
github.com/wasilibs/nottinygc v0.2.0/go.mod h1:oDcIotskuYNMpqMF23l7Z8uzD4TC0WXHK8jetlB3HIo= | ||
golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= | ||
golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM= | ||
golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= | ||
golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU= | ||
golang.org/x/tools v0.6.0 h1:BOw41kyTf3PuCW1pVQf8+Cyg8pMlkYB1oo9iJ6D/lKM= | ||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= | ||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= | ||
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= | ||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= | ||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= | ||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= | ||
rsc.io/binaryregexp v0.2.0 h1:HfqmD5MEmC0zvwBuF187nq9mdnXjXsSivRiXN7SmRkE= | ||
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
//go:build tinygo | ||
|
||
package main | ||
|
||
import _ "github.com/wasilibs/nottinygc" | ||
|
||
// Compiled by nottinygc for delayed free but Envoy doesn't stub it yet, | ||
// luckily nottinygc doesn't actually call the function, so it's fine to | ||
// stub it out. | ||
|
||
//export sched_yield | ||
func sched_yield() int32 { | ||
return 0 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
FROM liuxr25/flask-helloworld:latest | ||
|
||
COPY app.py /work/app.py |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
from flask import Flask, request | ||
|
||
app = Flask(__name__) | ||
|
||
@app.route("/flask/test1", methods=["GET", "POST"]) | ||
def test1(): | ||
return "body normal", 200, [("test-header", "hahaha")] | ||
|
||
@app.route("/flask/test2", methods=["GET", "POST"]) | ||
def test2(): | ||
return "body attack", 200, [] | ||
|
||
if __name__ == "__main__": | ||
app.run("0.0.0.0", 5000) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
services: | ||
httpbin: | ||
image: kennethreitz/httpbin | ||
environment: | ||
- MAX_BODY_SIZE=15728640 # 15 MiB | ||
ports: | ||
- 8083:8080 | ||
command: | ||
- "gunicorn" | ||
- "-b" | ||
- "0.0.0.0:8080" | ||
- "httpbin:app" | ||
- "-k" | ||
- "gevent" | ||
- --log-file | ||
- /home/envoy/logs/httpbin.log | ||
volumes: | ||
- logs:/home/envoy/logs:rw | ||
|
||
flask: | ||
# image: liuxr25/flask-helloworld:latest | ||
build: . | ||
environment: | ||
- MAX_BODY_SIZE=15728640 # 15 MiB | ||
ports: | ||
- 8084:5000 | ||
|
||
chown: | ||
image: alpine:3.16 | ||
command: | ||
- /bin/sh | ||
- -c | ||
- chown -R 101:101 /home/envoy/logs | ||
volumes: | ||
- logs:/home/envoy/logs:rw | ||
|
||
envoy: | ||
depends_on: | ||
- chown | ||
- httpbin | ||
- flask | ||
image: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/envoy:1.20 | ||
command: | ||
- -c | ||
- /conf/envoy-config.yaml | ||
- --log-level | ||
- info | ||
- --component-log-level | ||
- wasm:debug | ||
- --log-format [%Y-%m-%d %T.%f][%t][%l][%n] [%g:%#] %v | ||
- --log-path | ||
- /home/envoy/logs/envoy.log | ||
volumes: | ||
- .:/build | ||
- .:/conf | ||
- logs:/home/envoy/logs:rw | ||
ports: | ||
- 8080:8080 | ||
- 8082:8082 | ||
|
||
# envoy-logs: | ||
# depends_on: | ||
# - envoy | ||
# - wasm-logs | ||
# image: debian:11-slim | ||
# entrypoint: bash | ||
# command: | ||
# - -c | ||
# - tail -c +0 -f /home/envoy/logs/envoy.log | ||
# volumes: | ||
# - logs:/home/envoy/logs:ro | ||
|
||
wasm-logs: | ||
depends_on: | ||
- envoy | ||
image: debian:11-slim | ||
entrypoint: bash | ||
command: | ||
- -c | ||
- tail -c +0 -f /home/envoy/logs/envoy.log | grep --line-buffered "[critical][wasm]" | ||
volumes: | ||
- logs:/home/envoy/logs:ro | ||
|
||
# debug-logs: | ||
# depends_on: | ||
# - envoy | ||
# image: debian:11-slim | ||
# entrypoint: bash | ||
# command: | ||
# - -c | ||
# - tail -c +0 -f /home/envoy/logs/envoy.log | grep --line-buffered "unreachable" | ||
# volumes: | ||
# - logs:/home/envoy/logs:ro | ||
|
||
volumes: | ||
logs: |
Oops, something went wrong.