Open RafaelKr opened 8 months ago
Hi @RafaelKr, thanks for reaching out!
Currently there is no plan to add a WAF, but as you pointed out correctly, as soon as "action chaining" is a THING this will be a cool implementation! Currently we are busy with our WebAssembly integration. Wasm + Action-Chaining... almost ENDLESS possibilities!
Awesome, thanks for that promising answer! We'll definitely have a look into this as soon as it's available.
Edit: Just found a WASM implementation of ModSecurity for Istio/Envoy: https://github.com/intel/modsecurity-wasm-filter. Maybe this could be adapted more or less quickly.
The current issue with this is that we are unable to chain requests/responses together in Unit natively. BUT we are able to proxy with something like Node or Unit itself. This will not be as performant as sharing req/res via shared memory, BUT it will work.
Say the listener on port 80 will execute the wrapper application (Node or Python; I would use Python). In Python we can use a Wasm runtime implementation or libmodsecurity directly. There are some interesting approaches like: https://github.com/pymodsecurity/django-pymodsecurity
Like: https://github.com/pymodsecurity/pymodsecurity/blob/master/examples/simple.py
Unfortunately, all of them are quite outdated (looking at the last-updated date).
That being said, it will be possible to write a Proxy-Chain application, host it on Unit and do some checks before proxying the request to another application hosted on the same Unit instance. So, the main difference is that this is L7 HTTP Proxy-Chaining and not Action-Chaining based on shared memory, BUT I think we can start with Proxy-Chains and make it better over time. Thoughts?
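The proxy-chain layout sketched in the comment above, written out as an added example. This is not code from the thread, from NGINX Unit or from pymodsecurity: it is a WSGI wrapper app for the port-80 listener that inspects each request and, if nothing matches, replays it against a backend app on a second Unit listener. The `inspect()` rule set is a constructed stand-in for the place where a real deployment would call libmodsecurity (via pymodsecurity) or a Wasm runtime; the backend address `127.0.0.1:8081`, the `UNIT_CONFIG` paths and module names are assumptions for illustration.

```python
# Added example (not Unit's or pymodsecurity's code): a minimal L7 proxy-chain
# WSGI app. It inspects each request with a small constructed rule set that
# stands in for a WAF engine, then forwards allowed requests to a backend app
# bound to a second listener on the same Unit instance.
import http.client
import re
from urllib.parse import quote, unquote_plus

UPSTREAM = ("127.0.0.1", 8081)   # assumption: backend app on a second Unit listener
MAX_BODY = 1 << 20               # refuse to buffer more than 1 MiB

# Constructed demo rules (not ModSecurity/CRS rules): (pattern, rule id, message).
RULES = [
    (re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+"), 1001, "SQLi probe"),
    (re.compile(r"(?i)<\s*script\b"), 1002, "XSS probe"),
    (re.compile(r"(?:^|/)\.\.(?:/|$)"), 1003, "path traversal"),
]

# Hop-by-hop headers (RFC 7230) that a proxy must not pass through unchanged.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}

# Illustrative Unit config with assumed paths and module names: the public
# listener hands every request to the wrapper, the backend only listens locally.
UNIT_CONFIG = {
    "listeners": {
        "*:80": {"pass": "applications/waf"},
        "127.0.0.1:8081": {"pass": "applications/backend"},
    },
    "applications": {
        "waf": {"type": "python", "path": "/srv/waf", "module": "proxy_chain",
                "callable": "application"},
        "backend": {"type": "python", "path": "/srv/app", "module": "app",
                    "callable": "application"},
    },
}


def inspect(environ, body):
    """Return a list of (rule id, message, location) hits for the request.
    Path, query and body are URL-decoded once more for inspection only (catches
    double-encoded payloads); the original bytes are what gets forwarded."""
    targets = {
        "path": unquote_plus(environ.get("PATH_INFO", "")),
        "query": unquote_plus(environ.get("QUERY_STRING", "")),
        "body": unquote_plus(body.decode("utf-8", "replace")),
    }
    return [(rid, msg, where) for where, text in targets.items()
            for pattern, rid, msg in RULES if pattern.search(text)]


def upstream_headers(environ):
    """Turn WSGI HTTP_* variables back into request headers, dropping hop-by-hop ones."""
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            name = key[5:].replace("_", "-").title()
        elif key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            name = key.replace("_", "-").title()
        else:
            continue
        if name.lower() not in HOP_BY_HOP:
            headers[name] = value
    headers["X-Forwarded-For"] = environ.get("REMOTE_ADDR", "")
    return headers


def forward(environ, body):
    """Replay the request against the backend listener; returns (status, headers, body)."""
    url = quote(environ.get("PATH_INFO") or "/")
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    conn = http.client.HTTPConnection(*UPSTREAM, timeout=10)
    try:
        conn.request(environ["REQUEST_METHOD"], url, body=body or None,
                     headers=upstream_headers(environ))
        resp = conn.getresponse()
        out_headers = [(k, v) for k, v in resp.getheaders() if k.lower() not in HOP_BY_HOP]
        return f"{resp.status} {resp.reason}", out_headers, resp.read()
    finally:
        conn.close()


def application(environ, start_response):
    """WSGI entry point that Unit calls for the port-80 listener."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    if length > MAX_BODY:
        start_response("413 Payload Too Large", [("Content-Type", "text/plain")])
        return [b"request body too large\n"]
    body = environ["wsgi.input"].read(length) if length else b""
    hits = inspect(environ, body)
    if hits:
        rid, msg, where = hits[0]
        environ["wsgi.errors"].write(
            f"blocked {environ.get('REMOTE_ADDR')} rule={rid} {msg} in {where}\n")
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [f"blocked by rule {rid}\n".encode()]
    status, headers, resp_body = forward(environ, body)
    start_response(status, headers)
    return [resp_body]
```

The body is buffered before inspection, which is why `MAX_BODY` exists: a streaming engine would avoid that, but buffering is the price of doing this as an L7 proxy rather than over shared memory. Swapping `inspect()` for a pymodsecurity transaction or a Wasm-hosted ModSecurity call leaves the rest of the chain unchanged.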
Do I understand it correctly that Action Chaining won't make it possible to directly intercept a request (for now)?
Of course it would be awesome if it were possible to chain it through native WASM code which has access to the req/res via shared memory; then you really have endless filtering possibilities. Something similar to the current Scripting capabilities: https://unit.nginx.org/scripting/ (I never used them; actually I haven't even used Unit yet. But it looks like this could make something like that possible, which would make Unit very interesting to us.)
Action-Chaining will make it possible to directly intercept requests and responses. This is the idea. But this is not implemented yet. I will create a small example application making use of a Proxy-Chain. This will be a great getting-started point for a performance analysis once the real action chaining is in place.
Is there any support planned for a web application firewall, like an integration with https://github.com/SpiderLabs/ModSecurity?
This could also be developed "externally" if there is something like extension/middleware support. Maybe related issues:
#276
#764 (the Roadmap classifies this as "Planned")