Draft: WAF

[ennetech]

Closes !911

• i have not updated the vendor to keep the PR light (go mod tidy && go mod vendor)
• there is a setup.sh script in waf folder to download the CRS (one rule is disabled) (cd waf && bash setup.sh)
• to enable the WAF edit coraza.conf line 7 from SecRuleEngine DetectionOnly to SecRuleEngine On

at the moment v2 version of coraza is being used as v3 is still in alpha

curl http://localhost:9999/?a=<script>alert(1)</script> will trigger the waf

[CLAassistant]

All committers have signed the CLA.

[nathanejohnson]

I'm halfway tempted to remove the vendor directory and just rely on go modules anyway. It will probably be later in the week before I'm able to look at this in earnest, but thanks again for this!