corazawaf / coraza-proxy-wasm

proxy-wasm filter based on Coraza WAF
Apache License 2.0

Support APISIX #217

Open monkeyDluffy6017 opened 11 months ago

monkeyDluffy6017 commented 11 months ago

Hi, folks! Do you have any plans to support APISIX? It's an API gateway built on OpenResty, and it also follows the proxy-wasm ABI.

jcchavezs commented 11 months ago

Is it in-process? It would be worth trying, but the setup seems laborious. Are you up for a PR like the Kong example?

Also worth checking the good work from @potats0 on coraza openresty.

potats0 commented 11 months ago

I've done

monkeyDluffy6017 commented 11 months ago

@jcchavezs Where is the Kong example?

monkeyDluffy6017 commented 11 months ago

@potats0 Do these libraries have the same function?

  1. https://github.com/potats0/lua-resty-coraza
  2. https://github.com/corazawaf/coraza-proxy-wasm

jcchavezs commented 11 months ago

https://github.com/corazawaf/coraza-proxy-wasm/pull/144

jcchavezs commented 11 months ago

They aim for the same functionality but with different implementations. The first one is a bridge using the Lua bindings, whereas coraza-proxy-wasm is an implementation using the proxy-wasm hooks. Underneath, they both use the coraza library.

On Thu, 27 Jul 2023, 09:48 Liu Wei wrote:

> @potats0 Do these libraries have the same function?
>
> 1. https://github.com/potats0/lua-resty-coraza
> 2. https://github.com/corazawaf/coraza-proxy-wasm


potats0 commented 11 months ago

> @potats0 Do these libraries have the same function?
>
> 1. https://github.com/potats0/lua-resty-coraza
> 2. https://github.com/corazawaf/coraza-proxy-wasm

lua-resty-coraza is a library that is a connector to the coraza shared library; it can be used with OpenResty and also with APISIX. Indeed, I've developed an APISIX plugin based on lua-resty-coraza. Here is some sample code from the APISIX plugin:

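```lua
-- Excerpt: `coraza`, `core`, `waf` and `_M` are defined elsewhere in the plugin.

-- access phase: open a transaction and run the request-side checks
function _M.access(conf, ctx)
    coraza.do_create_transaction(waf)
    coraza.do_access_filter()
    -- whatever do_handle() returns becomes the result of this phase
    return coraza.do_handle()
end

-- header_filter phase: run the response-header checks
function _M.header_filter(conf, ctx)
    core.log.info("plugin header_filter phase, conf: ", core.json.delay_encode(conf))
    coraza.do_header_filter()
    local status_code, _ = coraza.do_handle()
    -- when do_handle() yields a status code, it replaces the response status
    if status_code then
        ngx.status = status_code
        core.response.clear_header_as_body_modified()
    end
end
```

monkeyDluffy6017 commented 11 months ago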

Good job! @potats0 @jcchavezs

potats0 commented 11 months ago

> Good job! @potats0 @jcchavezs

Should I send the code to you for testing?

monkeyDluffy6017 commented 11 months ago

I've found the APISIX plugin repository: https://github.com/potats0/apisix-coraza. We'll test it later.

potats0 commented 11 months ago

> I've found the APISIX plugin repository: https://github.com/potats0/apisix-coraza, we'll test it later

Wait for me to update the code.

Sn0rt commented 11 months ago

Do you have a company email address? I would like to communicate with you further. The content of the communication is mainly the following topics:

  1. I am an employee of API7, and I want to integrate APISIX with your company's WAF products at the enterprise level.

@jcchavezs

jcchavezs commented 11 months ago

Sure, you can find me at jc[at]tetrate.io (replace [at] with @).

jcchavezs commented 11 months ago

Also pinged on apisix slack

Sn0rt commented 10 months ago

/assign Sn0rt

Sn0rt commented 9 months ago

https://apisix.apache.org/blog/2023/09/08/APISIX-integrates-with-Coraza/

jcchavezs commented 9 months ago

Thanks a lot. How about adding it in the e2e here? You can follow this https://github.com/corazawaf/coraza-proxy-wasm/tree/main/e2e and also https://github.com/corazawaf/coraza-proxy-wasm/pull/144. Are you up to that?

Sn0rt commented 9 months ago

> Thanks a lot. How about adding it in the e2e here? You can follow this https://github.com/corazawaf/coraza-proxy-wasm/tree/main/e2e and also #144. Are you up to that?

Can you assign this issue to me? I will move this issue to my backlog and wait to progress.

jcchavezs commented 9 months ago

Sure!

meiko commented 3 months ago

The analysis of request and response bodies is not carried out because special APISIX properties are not set. The callbacks OnHttpRequestBody and OnHttpResponseBody are not called. Corresponding properties must be set in the previously called callbacks.

This is also mentioned in the APISIX documentation: "To run this callback, we need to set property wasm_process_req_body to non-empty value in" https://apisix.apache.org/docs/apisix/wasm/

I tried this in my branch of the plugin and it seems to work:

`proxywasm.SetProperty([]string{"wasm_process_req_body"}, []byte("true"))`
https://github.com/meiko/coraza-proxy-wasm/blob/2f7bcf1db525926a78a7b05b85ed6a2ddb23d238/wasmplugin/plugin.go#L285

and

`proxywasm.SetProperty([]string{"wasm_process_resp_body"}, []byte("true"))`
https://github.com/meiko/coraza-proxy-wasm/blob/2f7bcf1db525926a78a7b05b85ed6a2ddb23d238/wasmplugin/plugin.go#L526

What do you think? Can this be included in the code base of the plugin like this or something similar?
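The gating described in the comment above, modelled as an added example (not code from coraza-proxy-wasm or APISIX): a toy host runs the body callback only when `wasm_process_req_body` is non-empty, so a filter that never sets it leaves its body rules unevaluated. `toyHost`, `filter`, `runRequest` and the marker string are constructed for illustration; only the property name and the `SetProperty` call shape come from the thread.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// toyHost is a constructed stand-in for the gateway, not APISIX code.
type toyHost struct{ props map[string][]byte }

// SetProperty has the same shape as the proxywasm.SetProperty call quoted above.
func (h *toyHost) SetProperty(path []string, value []byte) error {
	h.props[strings.Join(path, ".")] = value
	return nil
}

// filter is a hypothetical WAF filter; optIn decides whether it sets the property.
type filter struct{ optIn, inspected, blocked bool }

// onRequestHeaders is the earlier callback where the opt-in has to happen.
func (f *filter) onRequestHeaders(h *toyHost) error {
	if !f.optIn {
		return nil
	}
	return h.SetProperty([]string{"wasm_process_req_body"}, []byte("true"))
}

// onRequestBody applies one constructed body rule.
func (f *filter) onRequestBody(body []byte) {
	f.inspected = true
	f.blocked = bytes.Contains(body, []byte("constructed-bad-marker"))
}

// runRequest reports whether the body callback ran and whether the rule fired.
func runRequest(optIn bool, body string) (inspected, blocked bool) {
	h := &toyHost{props: map[string][]byte{}}
	f := &filter{optIn: optIn}
	if err := f.onRequestHeaders(h); err != nil {
		return false, false
	}
	// The host delivers the body only when the property is non-empty.
	if len(h.props["wasm_process_req_body"]) > 0 {
		f.onRequestBody([]byte(body))
	}
	return f.inspected, f.blocked
}

func main() {
	fmt.Println(runRequest(false, "x=constructed-bad-marker"))
	fmt.Println(runRequest(true, "x=constructed-bad-marker"))
}
```

An e2e check for this integration would want at least one rule that matches only on the request body, since header-only tests pass in both cases.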