OWASP Coraza WAF – A Golang Modsecurity Compatible Web Application Firewall Library
Welcome to the OWASP Coraza Web Application Firewall. OWASP Coraza is an enterprise-grade Web Application Firewall framework written in Go that supports ModSecurity's seclang rule language and is 100% compatible with the OWASP Core Rule Set.
Prerequisites
- Linux distribution (Debian and CentOS are recommended; Windows is not supported yet)
- Golang compiler v1.16+
Migrate from v1
- Rollback SecAuditLog to the legacy syntax (serial/concurrent)
- Attach an error log handler using waf.SetErrorLogCb(cb) (optional)
- The function Transaction.Clean() must be used to clear transaction data and files and to return the transaction to the sync pool.
- If you are using @rx with libpcre (CRS) install the plugin github.com/jptosso/coraza-pcre
- If you are using low-level APIs, check the complete changelog, as most of them were removed.
Running the tests
Run the go tests:
go test ./...
go test -race ./...
Using pre-commit
pip install pre-commit
pre-commit run --all-files
You can also install the pre-commit git hook by running
pre-commit install
Coraza v2 differences with v1
- Full internal API refactor; the public API has not changed
- Full audit engine refactor with plugins support
- New enhanced plugins interface for transformations, actions, body processors, and operators
- We are fully compliant with Seclang from modsecurity v2
- Many features were removed and turned into plugins: XML (mostly), GeoIP and PCRE regex
- Better debug logging
- New error logging (like modsecurity)
- Better performance
Your first Coraza WAF project
package main

import (
	"fmt"

	"github.com/corazawaf/coraza/v2"
	"github.com/corazawaf/coraza/v2/seclang"
)

func main() {
	// First we initialize our WAF and our seclang parser
	waf := coraza.NewWaf()
	parser, _ := seclang.NewParser(waf)
	// Now we parse our rules
	if err := parser.FromString(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`); err != nil {
		fmt.Println(err)
	}
	// Then we create a transaction and assign some variables
	tx := waf.NewTransaction()
	// Logging and cleanup run once the transaction is finished
	defer func() {
		tx.ProcessLogging()
		tx.Clean()
	}()
	tx.ProcessConnection("127.0.0.1", 8080, "127.0.0.1", 12345)
	// Finally we process the request headers phase, which may return an interruption
	if it := tx.ProcessRequestHeaders(); it != nil {
		fmt.Printf("Transaction was interrupted with status %d\n", it.Status)
	}
}
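To make the rule in the example above concrete, here is a stand-alone toy evaluator for that one directive form, added here for illustration; it is not Coraza's parser, and Interruption, Rule, ParseSecRule and Evaluate are names of this toy, not of the Coraza API. It parses SecRule VARIABLE "@rx pattern" "actions", then applies the rule in a given phase to constructed transaction variables and returns the status a deny would produce, which is what the interruption returned by ProcessRequestHeaders carries:

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Interruption mirrors what tx.ProcessRequestHeaders() returns above: the deny rule's id and HTTP status.
type Interruption struct{ RuleID, Status int }
// Rule is one parsed SecRule. This toy supports only @rx and one target variable; Coraza's parser covers all of seclang.
type Rule struct {
	Variable string
	Pattern  *regexp.Regexp
	Actions  map[string]int // numeric argument per action name; flag actions such as deny store 0
}
var (
	directiveRe = regexp.MustCompile(`^\s*SecRule\s+(\S+)\s+"@rx (.*?)"\s+"([^"]*)"\s*$`) // SecRule VAR "@rx P" "actions"
	actionRe    = regexp.MustCompile(`([a-z]+)(?::([^,]*))?`)                             // name[:value] items
)

// ParseSecRule parses one directive, rejecting anything the toy cannot handle.
func ParseSecRule(directive string) (*Rule, error) {
	m := directiveRe.FindStringSubmatch(directive)
	if m == nil {
		return nil, fmt.Errorf("unsupported directive: %q", directive)
	}
	re, err := regexp.Compile(m[2])
	if err != nil {
		return nil, err
	}
	r := &Rule{Variable: m[1], Pattern: re, Actions: map[string]int{"status": 403}} // 403 is deny's default status
	for _, kv := range actionRe.FindAllStringSubmatch(m[3], -1) {
		r.Actions[kv[1]], _ = strconv.Atoi(kv[2]) // "deny" -> 0, "status:403" -> 403
	}
	return r, nil
}

// Evaluate runs the rule in the given phase; only a match on a rule carrying deny yields an Interruption.
func (r *Rule) Evaluate(phase int, vars map[string]string) *Interruption {
	val, ok := vars[r.Variable] // an absent variable never matches, even against .*
	if _, deny := r.Actions["deny"]; !deny || !ok || phase != r.Actions["phase"] || !r.Pattern.MatchString(val) {
		return nil
	}
	return &Interruption{RuleID: r.Actions["id"], Status: r.Actions["status"]}
}

func main() {
	rule, err := ParseSecRule(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`)
	fmt.Println(rule.Evaluate(1, map[string]string{"REMOTE_ADDR": "127.0.0.1"}), err) // &{1 403} <nil>
}
```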
Why Coraza WAF?
Philosophy
- Simplicity: Anyone should be able to understand and modify Coraza WAF’s source code
- Extensibility: It should be easy to extend Coraza WAF with new functionalities
- Innovation: Coraza WAF isn't just a ModSecurity port. It must include awesome new functions (in the meantime, it's just a port)
- Community: Coraza WAF is a community project, and all ideas will be considered
Roadmap
- New rule language
- GraphQL body processor
- C exports
- WASM scripts support
Coraza WAF implementations
- Caddy Plugin (Reverse Proxy and Web Server) (Stable)
- Traefik Plugin (Reverse Proxy and Web Server) (preview)
- Gin Middleware (Web Framework) (Preview)
- Buffalo Plugin (Web Framework) (soon)
- Coraza Server (HAProxy, REST and gRPC) (experimental)
- Apache httpd (experimental)
- Nginx (soon)
- Coraza C Exports (experimental)
Some useful tools
- Go FTW: rule testing engine
- Coraza Playground: rule testing sandbox with web interface
- OWASP Core Ruleset: Awesome rule set, compatible with Coraza
Troubleshooting
Dependency issues:
go get: github.com/jptosso/coraza-waf/[email protected]: parsing go.mod:
module declares its path as: github.com/corazawaf/coraza/v2
but was required as: github.com/jptosso/coraza-waf/v2
Coraza was migrated from github.com/jptosso/coraza-waf to github.com/corazawaf/coraza. Most dependencies have already been updated to use the new repo, but you must make sure they all use v2.0.0-rc.3+. You may use the following command to fix the error:
go get -u github.com/corazawaf/coraza/[email protected]
How to contribute
Contributions are welcome: there are many TODOs, features to build, fixes and bug reports, and any help you can provide is appreciated. Just send your PR.
cd /path/to/coraza
egrep -Rin "TODO|FIXME" --exclude-dir=vendor *
Special thanks
- ModSecurity team for creating ModSecurity
- OWASP Core Rule Set team for the CRS and their help
Companies using Coraza
- Babiel (supporter)
Author on Twitter
- @jptosso
Donations
For donations, see Donations site
If you like the site, please consider joining the Telegram channel or supporting us on Patreon.