corazawaf / coraza-proxy-wasm

proxy-wasm filter based on Coraza WAF
Apache License 2.0

istio configures coraza wasm but does not see wasm log output #208

Closed ericinfra closed 1 year ago

ericinfra commented 1 year ago

I set the Wasm EnvoyFilter as follows, and the config_dump is also effective, but I used sqlmap and zaproxy to simulate the attack, and I did not see the log output of wasm denial of the attack, even if SecDebugLogLevel is set to 9.

I checked http_filters and confirmed that the inbound configuration on port 15006 has loaded the type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm rule

Why can't I see the wasm denial attack log? Is it because envoy.filters.http.wasm has not taken effect? Because the system also has a default istio.metadata_exchange wasm configuration? But my customized envoy.filters.http.wasm is INSERT_BEFORE priority

istio version 1.17.2

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.wasm
        typed_config:
            '@type': type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
            config:
              configuration:
                '@type': type.googleapis.com/google.protobuf.StringValue
                value: |
                  {
                            "directives_map": {
                                "default": [
                                    "SecDebugLogLevel 9",
                                    "SecRuleEngine On",
                                    "SecAuditEngine RelevantOnly",
                                    "SecAuditLogParts ABIJDEFHZ",
                                    "SecAuditLogType Concurrent", 
                                    "SecAuditLogRelevantStatus ^(1[0-9]{2}|2[0-9]{2}|3[0-8][0-9]|39[0-9]|40[0-3]|405|5[0-9]{2})$",
                                    "Include @crs-setup-demo-conf",
                                    "Include @owasp_crs/*.conf"
                                ]
                            },
                            "default_directives": "default"
                          }
              root_id: my-wasm-root-id
              vm_config:
                code:
                  local:
                    filename: /data/coraza/main.wasm
                runtime: envoy.wasm.runtime.v8
                vm_id: my-wasm-vm-id
         {
           "name": "envoy.filters.network.http_connection_manager",
           "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
            "stat_prefix": "InboundPassthroughClusterIpv4",
            "route_config": {
             "name": "InboundPassthroughClusterIpv4",
             "virtual_hosts": [
              {
               "name": "inbound|http|0",
               "domains": [
                "*"
               ],
               "routes": [
                {
                 "match": {
                  "prefix": "/"
                 },
                 "route": {
                  "cluster": "InboundPassthroughClusterIpv4",
                  "timeout": "0s",
                  "max_stream_duration": {
                   "max_stream_duration": "0s",
                   "grpc_timeout_header_max": "0s"
                  }
                 },
                 "decorator": {
                  "operation": ":0/*"
                 },
                 "name": "default"
                }
               ]
              }
             ],
             "validate_clusters": false
            },
            "http_filters": [
             {
              "name": "envoy.filters.http.wasm",
              "typed_config": {
               "@type": "type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm",
               "config": {
                "root_id": "my-wasm-root-id",
                "vm_config": {
                 "vm_id": "my-wasm-vm-id",
                 "runtime": "envoy.wasm.runtime.v8",
                 "code": {
                  "local": {
                   "filename": "/data/coraza/main.wasm"
                  }
                 }
                },
                "configuration": {
                 "@type": "type.googleapis.com/google.protobuf.StringValue",
                 "value": "{\n          \"directives_map\": {\n              \"default\": [\n                  \"SecDebugLogLevel 9\",\n                  \"SecRuleEngine On\",\n                  \"SecAuditEngine RelevantOnly\",\n                  \"SecAuditLogParts ABIJDEFHZ\",\n                  \"SecAuditLogType Concurrent\", \n                  \"SecAuditLogRelevantStatus ^(1[0-9]{2}|2[0-9]{2}|3[0-8][0-9]|39[0-9]|40[0-3]|405|5[0-9]{2})$\",\n                  \"Include @crs-setup-demo-conf\",\n                  \"Include @owasp_crs/*.conf\"\n              ]\n          },\n          \"default_directives\": \"default\"\n        }\n"
                }
               }
              }
             },
             {
              "name": "istio.metadata_exchange",
              "typed_config": {
               "@type": "type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm",
               "config": {
                "vm_config": {
                 "runtime": "envoy.wasm.runtime.null",
                 "code": {
                  "local": {
                   "inline_string": "envoy.wasm.metadata_exchange"
                  }
                 }
                },
                "configuration": {
                 "@type": "type.googleapis.com/envoy.tcp.metadataexchange.config.MetadataExchange"
                }
               }
              }
             },
jcchavezs commented 1 year ago

What is the log you configured in envoy?


ericinfra commented 1 year ago

istio configmap log configuration

# kubectl -n istio-system get cm istio -o yaml | more
apiVersion: v1
data:
  mesh: |-
    accessLogFile: /dev/stdout
    accessLogFormat: '{"start_time": "%START_TIME%","req_method": "%REQ(:METHOD)%","x_envoy_original_path": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%","protocol": "%PROTOCOL%","response_code": "%RESPONSE_CODE%","response_flags": "%RESPONSE_FLAGS%","bytes_received": "%BYTES_RECEIVED%","bytes_send": "%BYTES_SENT%","duration": "%DURATION%","resp_x_envoy_upstream_service_time": "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%","x_forwarded_for": "%REQ(X-FORWARDED-FOR)%","user_agent": "%REQ(USER-AGENT)%","x_request_id": "%REQ(X-REQUEST-ID)%","authority": "%REQ(:AUTHORITY)%","upstream_host": "%UPSTREAM_HOST%","upstream_cluster": "%UPSTREAM_CLUSTER%","upstream_local_address": "%UPSTREAM_LOCAL_ADDRESS%","downstream_local_address": "%DOWNSTREAM_LOCAL_ADDRESS%","downstream_remote_address": "%DOWNSTREAM_REMOTE_ADDRESS%","resp_x_foo_fault_flag": "%RESP(X-FOO-FAULT-FLAG)%"}'
    defaultConfig:
      discoveryAddress: istiod.istio-system.svc:15012
      proxyMetadata: {}
      tracing:
        zipkin:
          address: zipkin.istio-system:9411
    enablePrometheusMerge: true

HttpConnectionManager MERGE policy configuration, but viewing envoy config_dump does not take effect

# cat http-merge.yaml 
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  configPatches:
  - applyTo: NETWORK_FILTER
    match:
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
    patch:
      operation: MERGE
      value:
        name: envoy.filters.network.http_connection_manager,
        typed_config: {
           '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager,
            "access_log": [
             {
              "name": "envoy.access_loggers.file",
              "typed_config": {
               "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog",
               "path": "/dev/stdout",
               "log_format": {
                "text_format_source": {
                 "inline_string": "{\"start_time\": \"%START_TIME%\",\"req_method\": \"%REQ(:METHOD)%\",\"x_envoy_original_path\": \"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"protocol\": \"%PROTOCOL%\",\"response_code\": \"%RESPONSE_CODE%\",\"response_flags\": \"%RESPONSE_FLAGS%\",\"bytes_received\": \"%BYTES_RECEIVED%\",\"bytes_send\": \"%BYTES_SENT%\",\"duration\": \"%DURATION%\",\"resp_x_envoy_upstream_service_time\": \"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"x_forwarded_for\": \"%REQ(X-FORWARDED-FOR)%\",\"user_agent\": \"%REQ(USER-AGENT)%\",\"x_request_id\": \"%REQ(X-REQUEST-ID)%\",\"authority\": \"%REQ(:AUTHORITY)%\",\"upstream_host\": \"%UPSTREAM_HOST%\",\"upstream_cluster\": \"%UPSTREAM_CLUSTER%\",\"upstream_local_address\": \"%UPSTREAM_LOCAL_ADDRESS%\",\"downstream_local_address\": \"%DOWNSTREAM_LOCAL_ADDRESS%\",\"downstream_remote_address\": \"%DOWNSTREAM_REMOTE_ADDRESS%\",\"resp_x_foo_fault_flag\": \"%RESP(X-FOO-FAULT-FLAG)%\"}\n"
                }
               }
              }
             }
            ]
           }

envoy config_dump did not see HttpConnectionManager FileAccessLog related configuration

            "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
            "stat_prefix": "inbound_0.0.0.0_9080",
            "route_config": {
             "name": "inbound|9080||",
             "virtual_hosts": [
              {
               "name": "inbound|http|9080",
               "domains": [
                "*"
               ],
               "routes": [
                {
                 "match": {
                  "prefix": "/"
                 },
                 "route": {
                  "cluster": "inbound|9080||",
                  "timeout": "0s",
                  "max_stream_duration": {
                   "max_stream_duration": "0s",
                   "grpc_timeout_header_max": "0s"
                  }
                 },
                 "decorator": {
                  "operation": "productpage.default.svc.cluster.local:9080/*"
                 },
                 "name": "default"
                }
               ]
              }
             ],
             "validate_clusters": false
            },
ericinfra commented 1 year ago

The log configuration seen by envoy config_dump is in the following two areas, the type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager paragraph cannot see the FileAccessLog configuration

         {
           "name": "envoy.filters.network.tcp_proxy",
           "typed_config": {
            "@type": "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy",
            "stat_prefix": "InboundPassthroughClusterIpv4",
            "cluster": "InboundPassthroughClusterIpv4",
            "access_log": [
             {
              "name": "envoy.access_loggers.file",
              "typed_config": {
               "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog",
               "path": "/dev/stdout",
               "log_format": {
                "text_format_source": {
                 "inline_string": "{\"start_time\": \"%START_TIME%\",\"req_method\": \"%REQ(:METHOD)%\",\"x_envoy_original_path\": \"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"protocol\": \"%PROTOCOL%\",\"response_code\": \"%RESPONSE_CODE%\",\"response_flags\": \"%RESPONSE_FLAGS%\",\"bytes_received\": \"%BYTES_RECEIVED%\",\"bytes_send\": \"%BYTES_SENT%\",\"duration\": \"%DURATION%\",\"resp_x_envoy_upstream_service_time\": \"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"x_forwarded_for\": \"%REQ(X-FORWARDED-FOR)%\",\"user_agent\": \"%REQ(USER-AGENT)%\",\"x_request_id\": \"%REQ(X-REQUEST-ID)%\",\"authority\": \"%REQ(:AUTHORITY)%\",\"upstream_host\": \"%UPSTREAM_HOST%\",\"upstream_cluster\": \"%UPSTREAM_CLUSTER%\",\"upstream_local_address\": \"%UPSTREAM_LOCAL_ADDRESS%\",\"downstream_local_address\": \"%DOWNSTREAM_LOCAL_ADDRESS%\",\"downstream_remote_address\": \"%DOWNSTREAM_REMOTE_ADDRESS%\",\"resp_x_foo_fault_flag\": \"%RESP(X-FOO-FAULT-FLAG)%\"}\n"
                }
               }
              }
             }
            ]
           }
          }
         ],
         "name": "virtualInbound"
        },
            "server_name": "istio-envoy",
            "access_log": [
             {
              "name": "envoy.access_loggers.file",
              "typed_config": {
               "@type": "type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog",
               "path": "/dev/stdout",
               "log_format": {
                "text_format_source": {
                 "inline_string": "{\"start_time\": \"%START_TIME%\",\"req_method\": \"%REQ(:METHOD)%\",\"x_envoy_original_path\": \"%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%\",\"protocol\": \"%PROTOCOL%\",\"response_code\": \"%RESPONSE_CODE%\",\"response_flags\": \"%RESPONSE_FLAGS%\",\"bytes_received\": \"%BYTES_RECEIVED%\",\"bytes_send\": \"%BYTES_SENT%\",\"duration\": \"%DURATION%\",\"resp_x_envoy_upstream_service_time\": \"%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%\",\"x_forwarded_for\": \"%REQ(X-FORWARDED-FOR)%\",\"user_agent\": \"%REQ(USER-AGENT)%\",\"x_request_id\": \"%REQ(X-REQUEST-ID)%\",\"authority\": \"%REQ(:AUTHORITY)%\",\"upstream_host\": \"%UPSTREAM_HOST%\",\"upstream_cluster\": \"%UPSTREAM_CLUSTER%\",\"upstream_local_address\": \"%UPSTREAM_LOCAL_ADDRESS%\",\"downstream_local_address\": \"%DOWNSTREAM_LOCAL_ADDRESS%\",\"downstream_remote_address\": \"%DOWNSTREAM_REMOTE_ADDRESS%\",\"resp_x_foo_fault_flag\": \"%RESP(X-FOO-FAULT-FLAG)%\"}\n"
                }
               }
              }
             },
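
Added example, not part of the original thread and not the project's code: the comments above check by eye which HttpConnectionManager in the config_dump carries the Coraza wasm filter and which carries an access_log. This sketch does the same walk over a parsed dump and tells the Coraza filter apart from `istio.metadata_exchange` (also a `Wasm` filter) by `root_id`. `SAMPLE_DUMP` is constructed for illustration and is not the poster's dump.

```python
HCM = ("type.googleapis.com/envoy.extensions.filters.network."
       "http_connection_manager.v3.HttpConnectionManager")
WASM = "type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm"


def iter_hcms(node):
    """Yield every HttpConnectionManager typed_config anywhere in the dump."""
    if isinstance(node, dict):
        if node.get("@type") == HCM:
            yield node
        for value in node.values():
            yield from iter_hcms(value)
    elif isinstance(node, list):
        for value in node:
            yield from iter_hcms(value)


def audit(dump, root_id):
    """Per HCM: filter order, position of the WAF filter, access_log presence."""
    report = []
    for hcm in iter_hcms(dump):
        filters = hcm.get("http_filters", [])
        waf_index = next(
            (i for i, f in enumerate(filters)
             if f.get("typed_config", {}).get("@type") == WASM
             and f["typed_config"].get("config", {}).get("root_id") == root_id),
            None,
        )
        report.append({
            "stat_prefix": hcm.get("stat_prefix"),
            "http_filters": [f.get("name") for f in filters],
            "waf_index": waf_index,
            "has_access_log": bool(hcm.get("access_log")),
        })
    return report


def unprotected(report):
    """stat_prefix of every HCM whose HTTP filter chain lacks the WAF filter."""
    return [r["stat_prefix"] for r in report if r["waf_index"] is None]


# Constructed sample shaped like a config_dump (two inbound filter chains).
WAF_FILTER = {"name": "envoy.filters.http.wasm",
              "typed_config": {"@type": WASM, "config": {"root_id": "my-wasm-root-id"}}}
MX_FILTER = {"name": "istio.metadata_exchange",
             "typed_config": {"@type": WASM,
                              "config": {"vm_config": {"runtime": "envoy.wasm.runtime.null"}}}}
ROUTER = {"name": "envoy.filters.http.router"}
SAMPLE_DUMP = {"configs": [{"dynamic_listeners": [{"active_state": {"listener": {
    "name": "virtualInbound",
    "filter_chains": [
        {"filters": [{"name": "envoy.filters.network.http_connection_manager",
                      "typed_config": {"@type": HCM,
                                       "stat_prefix": "InboundPassthroughClusterIpv4",
                                       "http_filters": [WAF_FILTER, MX_FILTER, ROUTER]}}]},
        {"filters": [{"name": "envoy.filters.network.http_connection_manager",
                      "typed_config": {"@type": HCM,
                                       "stat_prefix": "inbound_0.0.0.0_9080",
                                       "http_filters": [MX_FILTER, ROUTER],
                                       "access_log": [{"name": "envoy.access_loggers.file"}]}}]},
    ]}}}]}]}

if __name__ == "__main__":
    for row in audit(SAMPLE_DUMP, "my-wasm-root-id"):
        print(row)
```

For a real sidecar, pass the config_dump JSON loaded with `json.load` instead of `SAMPLE_DUMP`.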
ericinfra commented 1 year ago

@jcchavezs After upgrading to the latest coraza-proxy-wasm 3.0, the following wasm logs appeared. Are these logs related to SecDebugLogLevel? Is it normal for these logs to show up?

2023-06-21T10:01:48.560350Z warning envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1151 wasm log my-wasm-root-id my-wasm-vm-id: [client "10.110.32.80"] Coraza: Access denied (phase 1). Host header is a numeric IP address [file "@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "2243"] [id "920350"] [rev ""] [msg "Host header is a numeric IP address"] [data "10.110.32.70:80"] [severity "warning"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/210/272"] [tag "PCI/6.5.10"] [hostname "10.110.32.70"] [uri "/metrics"] [unique_id "htZAHnJIMYAWIlwqbeu"]
    thread=26
2023-06-21T10:01:48.574701Z critical    envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1157 wasm log my-wasm-root-id my-wasm-vm-id: [client "10.110.32.80"] Coraza: Access denied (phase 5). Anomaly Scores: (Inbound Scores: blocking=3, detection=3, per_pl=3-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=0,  [file "@owasp_crs/RESPONSE-980-CORRELATION.conf"] [line "12628"] [id "980170"] [rev ""] [msg "Anomaly Scores: (Inbound Scores: blocking=3, detection=3, per_pl=3-0-0-0, threshold=5) - (Outbound Scores: blocking=0, detection=0, per_pl=0-0-0-0, threshold=4) - (SQLI=0, XSS=0, RFI=0, LFI=0, RCE=0, "] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "reporting"] [hostname "10.110.32.70"] [uri "/metrics"] [unique_id "htZAHnJIMYAWIlwqbeu"]
    thread=26
2023-06-21T10:01:48.574794Z info    envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1148 wasm log my-wasm-root-id my-wasm-vm-id: Finished tx_id="htZAHnJIMYAWIlwqbeu" context_id=15  thread=26
{"start_time": "2023-06-21T10:01:48.557Z","req_method": "GET","x_envoy_original_path": "/metrics","protocol": "HTTP/1.1","response_code": "503","response_flags": "UF","bytes_received": "0","bytes_send": "145","duration": "16","resp_x_envoy_upstream_service_time": "-","x_forwarded_for": "-","user_agent": "Prometheus/2.38.0","x_request_id": "cc68b39b-17b0-97d0-ac24-582829f25ab3","authority": "10.110.32.70:80","upstream_host": "10.110.32.70:80","upstream_cluster": "InboundPassthroughClusterIpv4","upstream_local_address": "-","downstream_local_address": "10.110.32.70:80","downstream_remote_address": "10.110.32.80:51658","resp_x_foo_fault_flag": "-"}

envoy.yaml EnvoyFilter configuration file is as follows:


apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: httpconnectionmanager
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.wasm
        typed_config:
            '@type': type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
            config:
              configuration:
                '@type': type.googleapis.com/google.protobuf.StringValue
                value: |
                  {
                            "directives_map": {
                                "default": [
                                    "SecDebugLogLevel 9",
                                    "SecRuleEngine On",
                                    "SecAuditEngine RelevantOnly",
                                    "SecAuditLogParts ABIJDEFHZ",
                                    "SecAuditLogType Concurrent", 
                                    "SecDefaultAction \"phase:3,log,auditlog,pass\"",
                                    "SecDefaultAction \"phase:4,log,auditlog,pass\"",
                                    "SecDefaultAction \"phase:5,log,auditlog,pass\"",
                                    "SecAuditLog \"/dev/stdout\"",
                                    "SecAuditLogRelevantStatus ^(1[0-9]{2}|2[0-9]{2}|3[0-8][0-9]|39[0-9]|40[0-3]|405|5[0-9]{2})$",
                                    "Include @crs-setup-demo-conf",
                                    "Include @owasp_crs/*.conf"
                                ]
                            },
                            "default_directives": "default"
                          }
              root_id: my-wasm-root-id
              vm_config:
                code:
                  local:
                    filename: /data/coraza/main.wasm
                runtime: envoy.wasm.runtime.v8
                vm_id: my-wasm-vm-id
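
Added example, not part of the original thread and not the project's code: a parser for the Envoy `wasm log` lines quoted in the comment above. It pulls the rule id, severity, phase and `unique_id` out of each Coraza rule-match line and groups matches per transaction. `SAMPLE` holds abridged copies of those lines plus a shortened access-log line; the function names are illustrative.

```python
import re
from collections import defaultdict

# Envoy prefix: "<ts> <level> envoy wasm <source:line> wasm log <root_id> <vm_id>: <message>"
ENVOY_WASM = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+envoy wasm\s+\S+\s+wasm log "
    r"(?P<root_id>\S+) (?P<vm_id>\S+): (?P<msg>.*)$"
)
# Rule metadata is written as [key "value"]; keys such as tag may repeat.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
PHASE = re.compile(r"Coraza: (?P<action>[\w ]+?) \(phase (?P<phase>\d)\)")


def parse_line(line):
    """Return a dict for a Coraza rule-match line, or None for any other line."""
    m = ENVOY_WASM.match(line.strip())
    if not m:
        return None  # e.g. an Envoy access-log JSON line
    fields = defaultdict(list)
    for key, value in FIELD.findall(m["msg"]):
        fields[key].append(value)
    if not fields["id"]:
        return None  # e.g. the "Finished tx_id=..." info line
    p = PHASE.search(m["msg"])
    first = lambda k: fields[k][0] if fields[k] else None
    return {
        "ts": m["ts"],
        "envoy_level": m["level"],
        "root_id": m["root_id"],
        "rule_id": first("id"),
        "severity": first("severity"),
        "msg": first("msg"),
        "uri": first("uri"),
        "unique_id": first("unique_id"),
        "tags": fields["tag"],
        "action": p["action"] if p else None,
        "phase": int(p["phase"]) if p else None,
    }


def by_transaction(lines):
    """Group rule matches by Coraza unique_id so one request reads as one record."""
    txs = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            txs[rec["unique_id"]].append(rec)
    return dict(txs)


# Sample input: abridged copies of the log lines quoted in the comment above.
SRC = "external/envoy/source/extensions/common/wasm/context.cc"
SAMPLE = [
    '2023-06-21T10:01:48.560350Z warning envoy wasm ' + SRC + ':1151 wasm log my-wasm-root-id my-wasm-vm-id: '
    '[client "10.110.32.80"] Coraza: Access denied (phase 1). Host header is a numeric IP address '
    '[file "@owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920350"] '
    '[msg "Host header is a numeric IP address"] [severity "warning"] [tag "attack-protocol"] '
    '[tag "paranoia-level/1"] [uri "/metrics"] [unique_id "htZAHnJIMYAWIlwqbeu"]\tthread=26',
    '2023-06-21T10:01:48.574701Z critical\tenvoy wasm ' + SRC + ':1157 wasm log my-wasm-root-id my-wasm-vm-id: '
    '[client "10.110.32.80"] Coraza: Access denied (phase 5). Anomaly Scores: (Inbound Scores: blocking=3) '
    '[file "@owasp_crs/RESPONSE-980-CORRELATION.conf"] [id "980170"] [msg "Anomaly Scores"] '
    '[severity "emergency"] [tag "reporting"] [uri "/metrics"] [unique_id "htZAHnJIMYAWIlwqbeu"]',
    '2023-06-21T10:01:48.574794Z info envoy wasm ' + SRC + ':1148 wasm log my-wasm-root-id my-wasm-vm-id: '
    'Finished tx_id="htZAHnJIMYAWIlwqbeu" context_id=15',
    '{"start_time": "2023-06-21T10:01:48.557Z","response_code": "503","response_flags": "UF"}',
]

if __name__ == "__main__":
    for tx, recs in by_transaction(SAMPLE).items():
        print(tx, [(r["rule_id"], r["phase"], r["severity"]) for r in recs])
```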