From d4178ee39fafa249fe4c43dff97f1b4e8bc21e43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=90=D0=BB=D0=B5=D0=BA=D1=81=D0=B5=D0=B9=20=D0=A1=D0=B0?= =?UTF-8?q?=D0=B1=D0=B8=D0=BB=D0=B8=D0=BD?=
Date: Sat, 25 Apr 2026 12:51:25 +0300
Subject: [PATCH] =?UTF-8?q?=D0=9D=D0=B0=D1=81=D1=82=D1=80=D0=BE=D0=B9?= =?UTF-8?q?=D0=BA=D0=B0=20Coraza=20WAF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 docker/docker-compose.yml | 3 +++
 docker/traefik/dynamic_conf.yml | 29 +++++++++++++++++++++--------
 2 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 38cffbc..86f9f40 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -16,6 +16,9 @@ services:
 - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
 - "--metrics.prometheus.addEntryPointsLabels=true"
 - "--metrics.prometheus.addServicesLabels=true"
+ # --- Coraza WAF ---
+ - "--experimental.plugins.coraza.modulename=github.com/jcchavezs/coraza-http-wasm-traefik"
+ - "--experimental.plugins.coraza.version=v0.2.0"
 ports:
 - "80:80"
 - "443:443"
diff --git a/docker/traefik/dynamic_conf.yml b/docker/traefik/dynamic_conf.yml
index eac73b6..49c2466 100644
--- a/docker/traefik/dynamic_conf.yml
+++ b/docker/traefik/dynamic_conf.yml
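Review bot: Nothing here records that `--experimental.plugins.coraza.modulename=…` makes Traefik download the module from its plugin registry at startup, so first boot now needs outbound network access and the `command:` list (which begins outside the hunk) has acquired a runtime dependency that is invisible from the compose file alone. Pinning `version=v0.2.0` is the right call; I'd extend the added comment to `# --- Coraza WAF (fetched by Traefik at startup; bump together with the directives in traefik/dynamic_conf.yml) ---` so the pin is changed deliberately rather than drifting. If no volume persists Traefik's plugin cache directory — none appears in this hunk — each recreation of the container repeats the download, which is worth a comment or a mount if the registry may be unreachable at deploy time.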
@@ -15,20 +15,32 @@ http:
 scheme: https
 permanent: true
+ waf:
+ plugin:
+ coraza:
+ directives:
+# - "SecRuleEngine DetectionOnly"
+ - "SecRuleEngine On"
+ - "SecDebugLog /dev/stdout"
+ - "SecDebugLogLevel 2"
+# - "SecRule REQUEST_URI \"@rx /admin\" \"id:101,phase:1,log,deny,status:403\""
+ - "SecRule ARGS \"@rx (union|select|insert|drop|alter)\" \"id:102,phase:2,log,deny,status:403\""
+
 routers:
- # === REST API пользователей ===
+ # --- REST API пользователей ---
 api:
 rule: "Host(`api.eventhub.local`)"
 entryPoints: ["web"]
- middlewares: ["redirect-to-https"]
+ middlewares: ["redirect-to-https", "waf"]
 service: "api"
 api-secure:
 rule: "Host(`api.eventhub.local`)"
 entryPoints: ["websecure"]
 tls: true
+ middlewares: ["waf"]
 service: "api"
- # === WebSocket пользователей ===
+ # --- WebSocket пользователей ---
 ws:
 rule: "Host(`ws.eventhub.local`)"
 entryPoints: ["web"]
@@ -40,19 +52,20 @@ http:
 tls: true
 service: "ws"
- # === Админский REST ===
+ # --- Админский REST ---
 admin-api:
 rule: "Host(`admin.eventhub.local`)"
 entryPoints: ["web"]
- middlewares: ["redirect-to-https"]
+ middlewares: ["redirect-to-https", "waf"]
 service: "admin-api"
 admin-api-secure:
 rule: "Host(`admin.eventhub.local`)"
 entryPoints: ["websecure"]
 tls: true
+ middlewares: ["waf"]
 service: "admin-api"
- # === Админский WebSocket ===
+ # --- Админский WebSocket ---
 admin-ws:
 rule: "Host(`admin-ws.eventhub.local`)"
 entryPoints: ["web"]
@@ -85,7 +98,7 @@ http:
 servers:
 - url: "http://fallback:80"
- # === WebSocket пользователей (простой балансировщик) ===
+ # === WebSocket пользователей ===
 ws:
 loadbalancer:
 servers:
@@ -113,7 +126,7 @@ http:
 servers:
 - url: "http://fallback:80"
- # === Админский WebSocket (простой балансировщик) ===
+ # === Админский WebSocket ===
 admin-ws:
 loadbalancer:
 servers:
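Review bot: The only blocking rule in the new `waf` middleware, `SecRule ARGS "@rx (union|select|insert|drop|alter)" "id:102,phase:2,log,deny,status:403"`, is a hand-written, case-sensitive, unanchored substring match: it will return 403 for benign parameter values such as `selected` or `dropdown`, while lacking the transformations (`t:lowercase,t:urlDecodeUni`) and vetted signatures a maintained ruleset provides. Unless the plugin enables it internally, `SecRequestBodyAccess` defaults to Off, so a phase:2 rule on ARGS only sees query-string parameters; add `- "SecRequestBodyAccess On"` (with a `SecRequestBodyLimit`) ahead of the rule if POST bodies are meant to be inspected. If the pinned plugin build bundles the recommended config and CRS as the upstream README suggests, `Include @coraza.conf-recommended` plus the CRS includes would replace the home-grown SQLi pattern; verify this against the `v0.2.0` pinned in docker-compose.yml. The commented-out `SecRuleEngine DetectionOnly` line is the safer first-deployment setting, and a one-line comment such as `# run DetectionOnly until the debug log shows no false positives, then switch to On` would make the toggle's intent clear. On the `web` routers here and in the `@@ -40,19 +52,20` hunk, `waf` is listed after `redirect-to-https`; since that middleware answers every plain-HTTP request with a redirect, the WAF entry on those routers appears never to run and could be dropped or marked as intentional.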