nginx / unit

NGINX Unit - universal web app server - a lightweight and versatile open source server that simplifies the application stack by natively executing application code across eight different programming language runtimes.
https://unit.nginx.org
Apache License 2.0

Support for a Web Application Firewall (WAF) #972

Open RafaelKr opened 8 months ago

RafaelKr commented 8 months ago

Is there any support for a web application firewall like an integration with https://github.com/SpiderLabs/ModSecurity planned?

This also could be developed "externally" if there is something like extension/middleware support. Maybe related issues:

#276

#764 (the Roadmap classifies this as "Planned")

tippexs commented 8 months ago

Hi @RafaelKr Thanks for reaching out!

Currently there is no plan to add a WAF but, as you pointed out correctly, as soon as "action chaining" is a THING this will be a cool implementation! Currently - we are busy with our WebAssembly integration. Wasm + Action-Chaining... almost ENDLESS possibilities!

RafaelKr commented 8 months ago

Awesome, thanks for that promising answer! We'll definitely have a look into this as soon as it's available.

Edit: Just found a WASM implementation of ModSecurity for Istio/Envoy: https://github.com/intel/modsecurity-wasm-filter Maybe this could be adapted in a more or less quick way.

tippexs commented 8 months ago

The current issue with this is that we are unable to chain requests / responses together in Unit natively. BUT we are able to proxy with something like Node or Unit itself. This will not be as performant as sharing req / res via shared memory BUT it will work.

Say the listener on port 80 will execute the wrapper application (Node or Python. I would use Python). In Python we can use a Wasm runtime implementation or libmodsecurity directly. There are some interesting approaches like: https://github.com/pymodsecurity/django-pymodsecurity

Like: https://github.com/pymodsecurity/pymodsecurity/blob/master/examples/simple.py

Unfortunately, all of them are quite outdated (looking at the last-updated date).

That being said, it will be possible to write a Proxy-Chain application, host it on Unit and do some checks before proxying the request to another application hosted on the same Unit instance. So, the main difference is that this is L7 HTTP Proxy-Chaining and not Action-Chaining based on shared memory BUT I think we can start with Proxy-Chains and make it better over time. Thoughts?
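The proxy-chain wrapper sketched in the comment above, written out as an added example (this is not code from the Unit project, nor from pymodsecurity or ModSecurity). It is a plain WSGI module that Unit could run as a Python application behind the port 80 listener: it inspects each request, answers 403 when a check fails, and otherwise replays the request over HTTP to the protected application and relays the reply. Assumptions: the protected application sits behind a second Unit listener at `UPSTREAM_HOST:UPSTREAM_PORT` (constructed values), and the rules in `inspect_request()` are hand-written sanity checks (method allow-list, body size cap, path and header well-formedness) standing in for a real rule engine such as libmodsecurity. `make_environ()` only builds constructed sample requests so the inspection step can be exercised offline.

```python
"""Proxy-chain wrapper for NGINX Unit: inspect a request, then forward it to
the real application running behind a second Unit listener.

Added example, not code from the Unit project or from pymodsecurity.
Assumptions: the protected application listens on UPSTREAM_HOST:UPSTREAM_PORT,
and the checks in inspect_request() are hand-written sanity rules standing in
for a real rule engine such as libmodsecurity.
"""
import http.client
import io
from urllib.parse import quote

UPSTREAM_HOST = "127.0.0.1"  # assumed address of the second Unit listener
UPSTREAM_PORT = 8081         # assumed port of the second Unit listener

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_BODY_BYTES = 1_000_000
MAX_HEADER_VALUE = 4096

# Hop-by-hop headers are not passed along by an HTTP/1.1 intermediary (RFC 7230, 6.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}


def inspect_request(environ):
    """Return None when the WSGI request passes, otherwise a short reason string."""
    if environ.get("REQUEST_METHOD") not in ALLOWED_METHODS:
        return "method not allowed"
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        return "bad Content-Length"
    if length < 0 or length > MAX_BODY_BYTES:
        return "body too large"
    path = environ.get("PATH_INFO", "/")  # WSGI hands PATH_INFO over already percent-decoded
    # A ".." segment or a control character never belongs in a legitimate path.
    if ".." in path.split("/") or any(ord(c) < 0x20 for c in path):
        return "malformed path"
    for key, value in environ.items():
        if key.startswith("HTTP_") and (len(value) > MAX_HEADER_VALUE or "\r" in value or "\n" in value):
            return "malformed header"
    return None


def forward(environ):
    """Replay an already-inspected request against the upstream; returns (status, headers, body)."""
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            name = key[5:].replace("_", "-").title()   # HTTP_USER_AGENT -> User-Agent
            if name.lower() not in HOP_BY_HOP:
                headers[name] = value
    if environ.get("CONTENT_TYPE"):
        headers["Content-Type"] = environ["CONTENT_TYPE"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length) if length else b""
    if body:
        headers["Content-Length"] = str(len(body))
    url = quote(environ.get("PATH_INFO", "/"), safe="/")  # re-encode the decoded path
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    conn = http.client.HTTPConnection(UPSTREAM_HOST, UPSTREAM_PORT, timeout=10)
    try:
        conn.request(environ["REQUEST_METHOD"], url, body=body, headers=headers)
        resp = conn.getresponse()
        resp_headers = [(k, v) for k, v in resp.getheaders() if k.lower() not in HOP_BY_HOP]
        return f"{resp.status} {resp.reason}", resp_headers, resp.read()
    finally:
        conn.close()


def application(environ, start_response):
    """WSGI entry point Unit calls: answer 403 on a failed check, otherwise forward and relay."""
    reason = inspect_request(environ)
    if reason is not None:
        body = f"blocked: {reason}\n".encode()
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]
    status, headers, data = forward(environ)
    start_response(status, headers)
    return [data]


def make_environ(method="GET", path="/", headers=None, body=b"", content_length=None):
    """Build a minimal WSGI environ from constructed values (local testing only)."""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": "",
        "CONTENT_LENGTH": str(len(body) if content_length is None else content_length),
        "wsgi.input": io.BytesIO(body),
    }
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


if __name__ == "__main__":
    # Constructed sample requests; only the inspection step runs here, no upstream is contacted.
    for env in (make_environ("GET", "/index.html"),
                make_environ("DELETE", "/item/1"),
                make_environ("GET", "/static/../app.conf"),
                make_environ("GET", "/", headers={"X-Test": "a\r\nb"})):
        print(env["REQUEST_METHOD"], env["PATH_INFO"], "->", inspect_request(env) or "pass")
```

To wire this up (an assumed layout, not from the thread): the module would be declared in Unit's config as a `python` application with `"module"` pointing at this file and the `*:80` listener passing to it, while the protected application is declared as a second application behind a `*:8081` listener. Because the chain is L7 HTTP rather than shared memory, every request body is read once here and sent again to the upstream, which is exactly the overhead the comment expects a later Action-Chaining implementation to remove.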

RafaelKr commented 8 months ago

Do I understand correctly that Action Chaining won't make it possible to directly intercept a request (for now)?

Of course it would be awesome if it would be possible to chain it through native WASM code which has access to the req/res via shared memory, then you really have like endless filtering possibilities. Something similar to the current Scripting capabilities: https://unit.nginx.org/scripting/ (I never used them, actually I didn't even use Unit yet. But it looks like this could make something like that possible, which would make Unit very interesting to us)

tippexs commented 8 months ago

Action-Chaining will make it possible to directly intercept requests and responses. This is the idea. But this is not implemented yet. I will create a small example application making use of a Proxy-Chain. This will be a great getting-started point for a performance analysis once the real action chaining is in place.