corazawaf / coraza

OWASP Coraza WAF is a golang modsecurity compatible web application firewall library
https://www.coraza.io
Apache License 2.0

Coraza - Web Application Firewall


Coraza is an open source, enterprise-grade, high performance Web Application Firewall (WAF) ready to protect your beloved applications. It is written in Go, supports ModSecurity SecLang rulesets and is 100% compatible with the OWASP Core Rule Set v4.


Key Features:


Integrations

The Coraza Project maintains implementations and plugins for the following servers:

Prerequisites

Coraza Core Usage

Coraza can be used as a library for your Go program to implement a security middleware or integrate it with existing application & webservers.

package main

import (
    "fmt"

    "github.com/corazawaf/coraza/v3"
)

func main() {
    // First we initialize our WAF; NewWAF also parses the SecLang directives
    waf, err := coraza.NewWAF(coraza.NewWAFConfig().
        WithDirectives(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`))
    // A parse error leaves waf nil, so we must not continue
    if err != nil {
        fmt.Println(err)
        return
    }

    // Then we create a transaction and assign some variables
    tx := waf.NewTransaction()
    defer func() {
        tx.ProcessLogging()
        tx.Close()
    }()
    tx.ProcessConnection("127.0.0.1", 8080, "127.0.0.1", 12345)

    // Finally we process the request headers phase, which may return an interruption
    if it := tx.ProcessRequestHeaders(); it != nil {
        fmt.Printf("Transaction was interrupted with status %d\n", it.Status)
    }
}

Examples/http-server provides an example to practice with Coraza.

Build tags

Go build tags can tweak certain functionality at compile-time. These are for advanced use cases only and do not have compatibility guarantees across minor versions - use with care.

E2E Testing

http/e2e/ provides a utility to run e2e tests. It can be used standalone against your own WAF deployment:

go run github.com/corazawaf/coraza/v3/http/e2e/cmd/httpe2e@main --proxy-hostport localhost:8080 --httpbin-hostport localhost:8081

or as a library by importing:

"github.com/corazawaf/coraza/v3/http/e2e"

As a reference for library usage, see testing/e2e/e2e_test.go. Expected directives that have to be loaded and available flags can be found in http/e2e/cmd/httpe2e/main.go.

Tools

Development

Coraza only requires Go for development. You can run mage.go to issue development commands.

See the list of commands

$ go run mage.go -l
Targets:
  check        runs lint and tests.
  coverage     runs tests with coverage and race detector enabled.
  doc          runs godoc, access at http://localhost:6060
  format       formats code in this repository.
  fuzz         runs fuzz tests
  lint         verifies code quality.
  precommit    installs a git hook to run check when committing
  test         runs all tests.

For example, to format your code before submission, run

go run mage.go format

Contribute

Contributions are welcome! Please refer to CONTRIBUTING.md for guidance.

Security

To report a security issue, please follow this link and add a description of the issue, the steps you took to create the issue, affected versions, and, if known, mitigations for the issue.

Our vulnerability management team will respond within 3 working days of your report. If the issue is confirmed as a vulnerability, we will open a Security Advisory. This project follows a 90 day disclosure timeline.

Thanks

Coraza on X/Twitter

Donations

For donations, see the Donations site.

Thanks to all the people who have contributed

First and foremost, huge thanks to Juan Pablo Tosso for starting this project, and building an amazing community around Coraza!

Today we have lots of amazing contributors, we could not have done this without you!

Made with contrib.rocks.