
Feature Request: WAF functionality leveraging OWASP CRS, implemented and enabled by default

Open dune73 opened this issue 1 year ago • 9 comments

Creating this feature request was recommended by @drcaramelsyrup at

https://github.com/cloudflare/pingora/issues/31#issuecomment-2000798482

OWASP CRS currently runs on the following WAF engines:

  • OWASP ModSecurity v2
  • OWASP ModSecurity v3
  • OWASP Coraza

Commercial integrations are done via custom implementations of the rule language. This includes the Cloudflare setup.

If a new open source Reverse Proxy is created, then giving it WAF functionality based on the de facto standard rule set from the beginning would be useful.

dune73 avatar Mar 18 '24 09:03 dune73

I think WAF type functionality will be a great use of the wasm extensibility planned for River: Rule sets could be compiled into wasm to reject requests.

mcpherrinm avatar Mar 18 '24 16:03 mcpherrinm

This should basically alter the proposed design. Adding new Filters between Listeners and Connectors should do the trick. Then a WAF is just another filter in the chain.

fzipi avatar Mar 18 '24 19:03 fzipi

Hey @dune73, thanks for opening this issue! There was definitely interest in supporting WAF functionality in River during the initial planning discussions, and I agree it would be great to have.

I think @mcpherrinm makes a reasonable point; this might be easier to iterate on once we have the WASM-based scripting environment set up and working, though that will come a little later, after we have basic operation working.

@fzipi I'm not sure if I totally follow. I see this as falling under the Request Path Control stage, providing filtering and state tracking.

I expect to come back to this later, but I believe we'd need to:

  • Look at the CRS to ensure that we have the ability to check the criteria on the ruleset
  • Ensure that we have suitable "hooks" at appropriate stages to provide filtering
  • If we want to add this BEFORE WASM is available: add configuration options for this, implemented as an optional compiled-in feature
  • If we want to add this AFTER WASM is available: ensure that the WASM interface has access to all necessary observation and filtering features identified above

Thanks all for the feedback!

jamesmunns avatar Mar 25 '24 09:03 jamesmunns
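An added sketch (not River's, Pingora's or CRS's code) of the design discussed above: a WAF as one filter in the request-path chain, with hooks at two phases modelled on CRS's request-header and request-body phases, and CRS-style anomaly scoring carried as state between those hooks. The `Filter` trait, the `Rule` shape and the three rules are constructed for illustration; the operator is a substring test where real CRS rules use regex and `pm` operators.

```rust
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Phase { RequestHeaders, RequestBody }

#[derive(PartialEq, Debug)]
pub enum Decision { Continue, Reject(u16) }

pub struct Request { pub path: String, pub body: String }
pub enum Target { Uri, Body }

/// A CRS-style rule: evaluated at one phase (hook); on match it adds its score.
/// Scores follow CRS severities (critical 5, error 4, warning 3, notice 2).
pub struct Rule { pub phase: Phase, pub target: Target, pub needle: &'static str, pub score: u32 }

/// Hypothetical filter hook; River's real interface is not yet defined.
pub trait Filter {
    fn on_phase(&self, phase: Phase, req: &Request, score: &mut u32) -> Decision;
}

pub struct WafFilter { pub rules: Vec<Rule>, pub threshold: u32 }

impl Filter for WafFilter {
    fn on_phase(&self, phase: Phase, req: &Request, score: &mut u32) -> Decision {
        for r in self.rules.iter().filter(|r| r.phase == phase) {
            let value = match r.target { Target::Uri => &req.path, Target::Body => &req.body };
            if value.contains(r.needle) {
                *score += r.score; // anomaly scoring: accumulate across phases, block at threshold
            }
        }
        if *score >= self.threshold { Decision::Reject(403) } else { Decision::Continue }
    }
}

/// Constructed rule set: one critical (5) and two warning (3) rules, CRS default inbound threshold 5.
pub fn demo_chain() -> Vec<Box<dyn Filter>> {
    vec![Box::new(WafFilter { threshold: 5, rules: vec![
        Rule { phase: Phase::RequestHeaders, target: Target::Uri, needle: "../", score: 5 },
        Rule { phase: Phase::RequestHeaders, target: Target::Uri, needle: "%00", score: 3 },
        Rule { phase: Phase::RequestBody, target: Target::Body, needle: "<script", score: 3 },
    ]})]
}

/// Drive both hooks over the whole chain, carrying the anomaly score (state) between them;
/// the first Reject short-circuits the remaining filters and phases.
pub fn inspect(chain: &[Box<dyn Filter>], req: &Request) -> (Decision, u32) {
    let mut score = 0;
    for phase in [Phase::RequestHeaders, Phase::RequestBody].iter().copied() {
        for f in chain {
            if let d @ Decision::Reject(_) = f.on_phase(phase, req, &mut score) { return (d, score); }
        }
    }
    (Decision::Continue, score)
}
```

Two warning-level matches in different phases reject only because the score is carried between hooks, which is the "state tracking" a WASM or compiled-in filter interface would need to expose.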

Thank you @jamesmunns. I do not really have spare time to contribute here in my volunteer time capacity, but if you have any questions about CRS or especially input on how to provide a successful integration, then please get in touch.

dune73 avatar Mar 25 '24 09:03 dune73

Will do, thanks!

jamesmunns avatar Mar 25 '24 09:03 jamesmunns

Got it now, I see that it is totally under that stage. Awesome. Ping me if you need anything.

fzipi avatar Mar 25 '24 12:03 fzipi