jcchavezs / coraza-http-wasm-traefik

Apache License 2.0

Unable to configure WAF for all paths #10

Open rk9qn3j opened 6 months ago

rk9qn3j commented 6 months ago

Hi,

I'm currently trying to configure the WAF to apply to all paths (/*) for an app, but always seems to end up in faulty configuration, only protecting a specific path (SecRule) or the below error message.

Configuration:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-mw-waf
  namespace: traefik
spec:
  plugin:
    coraza:
      directives:
      - SecRuleEngine On
      - SecDebugLog /dev/stdout
      - SecDebugLogLevel 9
      - Include @owasp_crs/**.conf
      - Include @crs-setup.conf.example

Results in:

traefik-87ff6ff56-cfh7k traefik 2024-06-04T19:38:09Z ERR [client "xxx.xx.xx.xxx"] Coraza: Access denied (phase 1). ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before includi [file "@owasp_crs/REQUEST-901-INITIALIZATION.conf"] [line "24"] [id "901001"] [rev ""] [msg "ModSecurity CRS is deployed without configuration! Please copy the crs-setup.conf.example template to crs-setup.conf, and include the crs-setup.conf file in your webserver configuration before includi"] [data ""] [severity "critical"] [ver "OWASP_CRS/4.0.0"] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/"] [unique_id "DgmnusgEbZkJtnAjpKl"] entryPointName=websecure middlewareName=traefik-traefik-mw-waf@kubernetescrd middlewareType=wasm routerName=websecure-xxxxxx-xxxx-ingress-xxxx-xxxx-xxxxxxxx-xxx@kubernetes

I would be grateful for some guidance with this! 🙏

jcchavezs commented 6 months ago

Try - Include @crs-setup.conf.example before the - Include @owasp_crs/**.conf

José Carlos Chávez


rk9qn3j commented 5 months ago

Changing places on - Include @owasp_crs/**.conf and - Include @crs-setup.conf.example removes the error message but doesn't seem to process any of the incoming requests at all (no logs generated by the plugin), but if I add - SecRule REQUEST_URI "@streq /test" "id:101,phase:1,log,deny,status:403" and try to access that path, I can clearly see that it's being denied by the plugin:

traefik-87ff6ff56-cfh7k traefik 2024-06-05T18:52:44Z ERR [client "xxx.xx.xx.xxx"] Coraza: Access denied (phase 1). [file ""] [line "8075"] [id "101"] [rev ""] [msg ""] [data ""] [severity "emergency"] [ver ""] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/test"] [unique_id "JRxEVOUVWMVlEpEGjGs"] entryPointName=websecure middlewareName=traefik-traefik-mw-waf@kubernetescrd middlewareType=wasm routerName=websecure-xxxxxx-xxxx-ingress-xxxx-xxxx-xxxxxxxx-xxx@kubernetes

jcchavezs commented 5 months ago

@rk9qn3j try this:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-mw-waf
  namespace: traefik
spec:
  plugin:
    coraza:
      directives:
      - SecRuleEngine On
      - SecDebugLog /dev/stdout
      - SecDebugLogLevel 9
      - Include @crs-setup.conf.example
      - Include @owasp_crs/**.conf

When you load - Include @crs-setup.conf.example after - SecRuleEngine On you are overriding the value to DetectionOnly.

rk9qn3j commented 5 months ago

I have tried that, tried to place - SecRuleEngine On after - Include @crs-setup.conf.example and as the last entry, but unfortunately, it doesn't make any difference.. 😐
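An order check for the `directives` list discussed in this thread, added here as an example; it is not part of the thread or of the project's code. The function names and finding codes are hypothetical, the manifest is the one from the first post, and the engine-mode warning follows the comment above that a later Include may override `SecRuleEngine`.

```python
import re

# Manifest fragment copied from the first post in the thread (the failing order).
MANIFEST = """\
spec:
  plugin:
    coraza:
      directives:
      - SecRuleEngine On
      - SecDebugLog /dev/stdout
      - SecDebugLogLevel 9
      - Include @owasp_crs/**.conf
      - Include @crs-setup.conf.example
"""

def directives(manifest):
    """Return the items of the `directives:` list in order (no YAML library needed)."""
    out, inside = [], False
    for line in manifest.splitlines():
        stripped = line.strip()
        if stripped == "directives:":
            inside = True
        elif inside and stripped.startswith("- "):
            out.append(stripped[2:].strip())
        elif inside and stripped:
            break  # first non-list, non-blank line ends the block
    return out

def lint(items):
    """Return (code, message) findings about the order of the directives."""
    def pos(pattern):
        return [i for i, d in enumerate(items) if re.match(pattern, d, re.I)]
    setup = pos(r"Include\s+@crs-setup\.conf")
    rules = pos(r"Include\s+@owasp_crs/")
    engine = pos(r"SecRuleEngine\s")
    includes = pos(r"Include\s")
    findings = []
    if rules and (not setup or min(rules) < min(setup)):
        findings.append(("CRS_BEFORE_SETUP",
                         "CRS rules load before crs-setup; rule 901001 fires as in the first post"))
    if engine and includes and max(includes) > max(engine):
        # Assumption taken from the thread: an included file may reset the engine mode.
        findings.append(("ENGINE_BEFORE_INCLUDE",
                         "an Include follows the last SecRuleEngine and may reset the mode"))
    if not engine:
        findings.append(("NO_ENGINE", "SecRuleEngine is never set explicitly"))
    return findings
```

Run `lint(directives(manifest_text))` against a manifest before applying it; an empty list means the setup file precedes the rules and `SecRuleEngine` is the last word on the engine mode.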