Настройка Coraza WAF

2026-04-25 12:51:25 +03:00
parent 23ccc9aacc
commit d4178ee39f
2 changed files with 24 additions and 8 deletions
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -16,6 +16,9 @@ services:
      - "--metrics.prometheus.buckets=0.1,0.3,1.2,5.0"
      - "--metrics.prometheus.addEntryPointsLabels=true"
      - "--metrics.prometheus.addServicesLabels=true"
+      # --- Coraza WAF ---
+      - "--experimental.plugins.coraza.modulename=github.com/jcchavezs/coraza-http-wasm-traefik"
+      - "--experimental.plugins.coraza.version=v0.2.0"
    ports:
      - "80:80"
      - "443:443"
--- a/docker/traefik/dynamic_conf.yml
+++ b/docker/traefik/dynamic_conf.yml
@@ -15,20 +15,32 @@ http:
        scheme: https
        permanent: true

+    waf:
+      plugin:
+        coraza:
+          directives:
+#            - "SecRuleEngine DetectionOnly"
+            - "SecRuleEngine On"
+            - "SecDebugLog /dev/stdout"
+            - "SecDebugLogLevel 2"
+#            - "SecRule REQUEST_URI \"@rx /admin\" \"id:101,phase:1,log,deny,status:403\""
+            - "SecRule ARGS \"@rx (union|select|insert|drop|alter)\" \"id:102,phase:2,log,deny,status:403\""
+
  routers:
-    # === REST API пользователей ===
+    # --- REST API пользователей ---
    api:
      rule: "Host(`api.eventhub.local`)"
      entryPoints: ["web"]
-      middlewares: ["redirect-to-https"]
+      middlewares: ["redirect-to-https", "waf"]
      service: "api"
    api-secure:
      rule: "Host(`api.eventhub.local`)"
      entryPoints: ["websecure"]
      tls: true
+      middlewares: ["waf"]
      service: "api"

-    # === WebSocket пользователей ===
+    # --- WebSocket пользователей ---
    ws:
      rule: "Host(`ws.eventhub.local`)"
      entryPoints: ["web"]
@@ -40,19 +52,20 @@ http:
      tls: true
      service: "ws"

-    # === Админский REST ===
+    # --- Админский REST ---
    admin-api:
      rule: "Host(`admin.eventhub.local`)"
      entryPoints: ["web"]
-      middlewares: ["redirect-to-https"]
+      middlewares: ["redirect-to-https", "waf"]
      service: "admin-api"
    admin-api-secure:
      rule: "Host(`admin.eventhub.local`)"
      entryPoints: ["websecure"]
      tls: true
+      middlewares: ["waf"]
      service: "admin-api"

-    # === Админский WebSocket ===
+    # --- Админский WebSocket ---
    admin-ws:
      rule: "Host(`admin-ws.eventhub.local`)"
      entryPoints: ["web"]
@@ -85,7 +98,7 @@ http:
        servers:
          - url: "http://fallback:80"

-    # === WebSocket пользователей (простой балансировщик) ===
+    # === WebSocket пользователей ===
    ws:
      loadbalancer:
        servers:
@@ -113,7 +126,7 @@ http:
        servers:
          - url: "http://fallback:80"

-    # === Админский WebSocket (простой балансировщик) ===
+    # === Админский WebSocket ===
    admin-ws:
      loadbalancer:
        servers: