Skip to content
This repository has been archived by the owner on Jan 14, 2024. It is now read-only.

Latest commit

 

History

History
183 lines (133 loc) · 6 KB

README.md

File metadata and controls

183 lines (133 loc) · 6 KB

WAF Proxy

Test and release

Notice: This container is still a WORK IN PROGRESS

Simple WAF reverse-proxy using Caddy and CORAZA WAF, contains few predefined but customizable rulesets

Features:

  • Configurable mapping of backends to domains
  • Contains embedded rulesets e.g. OWASP Core Ruleset, Wordpress-specific
  • Kubernetes and cloud native
  • Perfectly integrates with Wordpress and not only
  • Non-root container (running as uid=65161)
  • Real distroless image based on scratch with only 2 binaries and few config files inside
  • Image is scanned for vulnerabilities on each release using Trivy Scanner
  • Developed purely in Golang, even entrypoint script was written in Golang instead of Bash
  • Autonomous image, actively maintained by Dependabot ;-)
  • Limiting requests rate to protect against DoS
  • (todo) Helm Chart for Kubernetes
  • (todo) Strict Pod Security Policy that should run on OpenShift

Check our WordPress deployment which uses this waf-proxy on Kubernetes.

Configuration reference

Picking a version

We recommend you to pick a versioned release, snapshot version is only for testing for contributors.

List of versions you can find always there: https://github.com/riotkit-org/waf-proxy/pkgs/container/waf-proxy

docker pull ghcr.io/riotkit-org/waf-proxy:{select-your-version}

Exposed ports

  • 8081: Health check at / endpoint
  • 8090: Proxied upstreams through WAF, HTTP port
  • 2019: Metrics

Directory structure

  • /etc/caddy/rules/coraza-recommended
  • /etc/caddy/rules/riotit-org-basic
  • /etc/caddy/rules/wordpress
  • /etc/caddy/rules/owasp-crs
  • /etc/caddy/rules/custom.conf (extra configuration inside coraza_waf block)
  • /etc/caddy/custom-upstream.conf (extra configuration outside coraza_waf block, but inside host block, before reverse_proxy, requires ENABLE_CUSTOM_UPSTREAM_CONF=true)

To add specific rules mount a docker volume or Kubernetes ConfigMap at /etc/caddy/rules/custom/rules.conf

Environment variables

#
# Upstreams
#
UPSTREAM_1: '{"pass_to": "http://my-service.default.svc.cluster.local", "hostname": "wordpress.org"}'
UPSTREAM_2: '...'
UPSTREAM_...: '...'

# to disable generation of Caddyfile you can set this variable to 'true' and mount Caddyfile under "/etc/caddy/Caddyfile"
# you can also still use it with 'false' with a custom template mounted under "/etc/caddy/Caddyfile.j2"
OWN_CADDYFILE: false
DEBUG: false  # enable extra verbosity, configuration printing to stdout
ENABLE_CUSTOM_UPSTREAM_CONF: false

# rate limiting - how many events are allowed in given time window?
# docs: https://github.com/mholt/caddy-ratelimit
ENABLE_RATE_LIMITER: false
RATE_LIMIT_EVENTS: 30
RATE_LIMIT_WINDOW: 5s

# allows to disable CORAZA WAF at all together with all rules
# helpful if wanting to use only other Caddy plugins
ENABLE_CORAZA_WAF: true

#
# Wordpress specific rules
#
# Sources:
#   - https://raw.githubusercontent.com/Rev3rseSecurity/wordpress-modsecurity-ruleset/master/02-INITIALIZATION.conf
#   - https://raw.githubusercontent.com/Rev3rseSecurity/wordpress-modsecurity-ruleset/master/03-BRUTEFORCE.conf
#   - https://raw.githubusercontent.com/Rev3rseSecurity/wordpress-modsecurity-ruleset/master/04-EVENTS.conf
#   - https://raw.githubusercontent.com/SEC642/modsec/master/rules/slr_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf
#

ENABLE_RULE_WORDPRESS: false
WP_CLIENT_IP: "remote-addr"  # x-forwarded-for, remote-addr or cf-connecting-ip
WP_ENABLE_BRUTEFORCE_MITIGATION: true
WP_BRUTEFORCE_TIMESPAN: 600
WP_BRUTEFORCE_THRESHOLD: 5
WP_BRUTEFORCE_BAN_PERIOD: 300
WP_ENABLE_XMLRPC: false
WP_ENABLE_USER_ENUMERATION: false
WP_ENABLE_DOS_PROTECTION: true
WP_HARDENED: true # enables a extra ruleset: https://raw.githubusercontent.com/Rev3rseSecurity/wordpress-modsecurity-ruleset/master/05-HARDENING.conf

#
# CORAZA-recommended preset
#
ENABLE_RULE_CORAZA_RECOMMENDED: false

#
# RiotKit Basic preset
#
ENABLE_RULE_RIOTKIT_ORG_BASIC: false


#
# OWASP Core Ruleset (CRS)
#
ENABLE_CRS: false

Rulesets

ENABLE_RULE_WORDPRESS

Enables Wordpress-specific rules to protect against:

  • Brute force
  • Access to files that should not be published
  • Known vulnerabilities

Sources:

ENABLE_RULE_CORAZA_RECOMMENDED

Basic rules provided by CORAZA WAF in dry-run only mode.

https://github.com/corazawaf/coraza/blob/v2/master/coraza.conf-recommended

ENABLE_RULE_RIOTKIT_ORG_BASIC

The same rules as provided by CORAZA WAF, but not in dry-run mode and with increased upload filesize to 1GB.

ENABLE_CRS

OWASP Core Ruleset - https://github.com/coreruleset/coreruleset/

The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use 
with ModSecurity or compatible web application firewalls. The CRS aims to protect web 
applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.

Versioning

Docker image tag contains a chained version information.

Example:

waf-proxy:2.5.1-coraza-v1.2.0-bv1.0.0

Explanation of this example:

  • 2.5.1: Caddy server version
  • v1.2.0: CORAZA Caddy plugin version
  • v1.0.0: This repositry tag

Autonomous image

This image is rebuilt automatically, when new version of Caddy, Coraza WAF or Golang version is released.

Dependabot is bumping:

  • Caddy version in Dockerfile
  • XCaddy version in Dockerfile
  • Coraza WAF in container-files/opt/build/caddy/go.sum - created a dummy entry for Dependabot
  • Golang builder in Dockerfile

Each Dependabot PR is automatically merged, when tests are passing.