From bfbee645de6f88e6b75fc26e83f134fc81d774b1 Mon Sep 17 00:00:00 2001 From: Juan Pablo Tosso Date: Tue, 26 Jul 2022 12:30:40 -0400 Subject: [PATCH 1/3] unexport non-required functions --- caddy/main.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/caddy/main.go b/caddy/main.go index 8f7cdba..5f49cb4 100644 --- a/caddy/main.go +++ b/caddy/main.go @@ -19,9 +19,6 @@ import ( _ "github.com/caddyserver/caddy/v2/modules/standard" _ "github.com/corazawaf/coraza-caddy" - - // You may uncomment the following lines to enable pcre plugins (if you need use crs rules) - // _ "github.com/jptosso/coraza-pcre" ) func main() { From 4455b5b9c16d8644bcea543347c8f4593d8921a0 Mon Sep 17 00:00:00 2001 From: Juan Pablo Tosso Date: Tue, 26 Jul 2022 12:32:41 -0400 Subject: [PATCH 2/3] unexport non-required functions --- README.md | 18 ++++-------------- coraza.go | 31 ++++++++++++++++--------------- coraza_test.go | 2 +- stream.go | 21 ++++++++++----------- 4 files changed, 31 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index a44e94d..3b02077 100644 --- a/README.md +++ b/README.md 
@@ -2,16 +2,11 @@ [![Tests](https://github.com/corazawaf/coraza-caddy/actions/workflows/tests.yml/badge.svg)](https://github.com/corazawaf/coraza-caddy/actions/workflows/tests.yml) -[![Project Status: WIP – Initial development is in progress, but there has not yet been a stable, usable release suitable for the public.](https://www.repostatus.org/badges/latest/wip.svg)](https://www.repostatus.org/#wip) +[![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active) -Coraza Caddy Module a WAF for your applications using FastCGI or reverse proxy. - -## Prerequisites - -* [Xcaddy](https://github.com/caddyserver/xcaddy#install) -* [Golang 1.16+](https://golang.org/doc/install) -* Linux Operating system (Coraza does not support Windows) +OWASP Coraza Caddy Module provides Web Application Firewall capabilities for Caddy. +OWASP Coraza WAF is 100% compatible with OWASP Coreruleset and Modsecurity syntax. ## Plugin syntax Important: `order coraza_waf first` must be always included in your Caddyfile for Coraza module to work @@ -28,7 +23,6 @@ Sample usage: ``` { - auto_https off order coraza_waf first } 
@@ -65,13 +59,9 @@ $ cd coraza-caddy $ go test ./...` ``` -## Compiling with CRS support - -Uncomment the plugin github.com/coraza-pcre from caddy/main.go and then compile. - ## Using OWASP Core Ruleset -Once you have enabled your plugin, you will have to clone coreruleset and download the default coraza configurations from [Coraza repository](https://raw.githubusercontent.com/corazawaf/coraza/v2/master/coraza.conf-recommended), then add the following to you coraza_waf directive: +Clone the coreruleset repository and download the default coraza configurations from [Coraza repository](https://raw.githubusercontent.com/corazawaf/coraza/v2/master/coraza.conf-recommended), then add the following to you coraza_waf directive: ``` include caddypath/coraza.conf-recommended diff --git a/coraza.go b/coraza.go index 3ee7657..fa4096e 100644 --- a/coraza.go +++ b/coraza.go @@ -1,4 +1,4 @@ -// Copyright 2022 The Corazawaf Authors. +// Copyright 2022 Juan Pablo Tosso and the OWASP Coraza contributors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -32,11 +32,12 @@ import ( ) func init() { - caddy.RegisterModule(Middleware{}) + caddy.RegisterModule(Coraza{}) httpcaddyfile.RegisterHandlerDirective("coraza_waf", parseCaddyfile) } -type Middleware struct { +// Coraza is a Web Application Firewall implementation for Caddy. +type Coraza struct { Include []string `json:"include"` Directives string `json:"directives"` 
@@ -45,15 +46,15 @@ type Middleware struct {
 }
 
 // CaddyModule returns the Caddy module information.
-func (Middleware) CaddyModule() caddy.ModuleInfo {
+func (Coraza) CaddyModule() caddy.ModuleInfo {
 	return caddy.ModuleInfo{
 		ID: "http.handlers.waf",
-		New: func() caddy.Module { return new(Middleware) },
+		New: func() caddy.Module { return new(Coraza) },
 	}
 }
 
 // Provision implements caddy.Provisioner.
-func (m *Middleware) Provision(ctx caddy.Context) error {
+func (m *Coraza) Provision(ctx caddy.Context) error {
 	var err error
 	m.logger = ctx.Logger(m)
 	m.waf = coraza.NewWaf()
@@ -92,12 +93,12 @@ func (m *Middleware) Provision(ctx caddy.Context) error {
 }
 
 // Validate implements caddy.Validator.
-func (m *Middleware) Validate() error {
+func (m *Coraza) Validate() error {
 	return nil
 }
 
 // ServeHTTP implements caddyhttp.MiddlewareHandler.
-func (m Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
+func (m Coraza) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
 	var err error
 	tx := m.waf.NewTransaction()
 	defer tx.ProcessLogging()
@@ -118,7 +119,7 @@ func (m Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddy
 		return err
 	}
 	r.Body = io.NopCloser(re)
-	rec := NewStreamRecorder(w, tx)
+	rec := newStreamRecorder(w, tx)
 	err = next.ServeHTTP(rec, r)
 	if err != nil {
 		return err
@@ -145,7 +146,7 @@ func (m Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddy
 }
 
 // Unmarshal Caddyfile implements caddyfile.Unmarshaler.
-func (m *Middleware) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+func (m *Coraza) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 	if !d.Next() {
 		return d.Err("expected token following filter")
 	}
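Review bot: `func (m Coraza) ServeHTTP(...)` is the only method on the renamed type that keeps a value receiver, while `Provision`, `Validate` and `UnmarshalCaddyfile` in this same patch take `*Coraza` and the interface guards are declared on `*Coraza`. Mixing receiver kinds on one type is the standard Go style warning, and the value receiver copies the struct (Include, Directives, logger and waf fields) on every request. `func (m *Coraza) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {` would make it consistent, but `parseCaddyfile` returns `m` by value as a `caddyhttp.MiddlewareHandler`, so that return would have to become `return &m, err` in the same change. ServeHTTP's body continues outside the hunk.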
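Review bot: The doc comment `// Unmarshal Caddyfile implements caddyfile.Unmarshaler.` does not begin with the method's name, so godoc and the usual comment checkers will not attach it to `UnmarshalCaddyfile`; since the commit already rewrites the signature line directly below it, this is a cheap fix: `// UnmarshalCaddyfile implements caddyfile.Unmarshaler.`. The method's body continues outside the hunk.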
@@ -171,7 +172,7 @@ func (m *Middleware) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
 
 // parseCaddyfile unmarshals tokens from h into a new Middleware.
 func parseCaddyfile(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, error) {
-	var m Middleware
+	var m Coraza
 	err := m.UnmarshalCaddyfile(h.Dispenser)
 	return m, err
 }
@@ -221,8 +222,8 @@ func interrupt(err error, tx *coraza.Transaction) error {
 
 // Interface guards
 var (
-	_ caddy.Provisioner = (*Middleware)(nil)
-	_ caddy.Validator = (*Middleware)(nil)
-	_ caddyhttp.MiddlewareHandler = (*Middleware)(nil)
-	_ caddyfile.Unmarshaler = (*Middleware)(nil)
+	_ caddy.Provisioner = (*Coraza)(nil)
+	_ caddy.Validator = (*Coraza)(nil)
+	_ caddyhttp.MiddlewareHandler = (*Coraza)(nil)
+	_ caddyfile.Unmarshaler = (*Coraza)(nil)
 )
diff --git a/coraza_test.go b/coraza_test.go
index 8ccabb7..06a3120 100644
--- a/coraza_test.go
+++ b/coraza_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022 The Corazawaf Authors.
+// Copyright 2022 Juan Pablo Tosso and the OWASP Coraza contributors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
diff --git a/stream.go b/stream.go
index 4cf164d..ba7a754 100644
--- a/stream.go
+++ b/stream.go
@@ -1,4 +1,4 @@
-// Copyright 2022 The Corazawaf Authors.
+// Copyright 2022 Juan Pablo Tosso and the OWASP Coraza contributors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -22,7 +22,7 @@ import (
 	"github.com/corazawaf/coraza/v2"
 )
 
-type StreamRecorder struct {
+type streamRecorder struct {
 	*caddyhttp.ResponseWriterWrapper
 	transaction *coraza.Transaction
 	statusCode int
@@ -31,7 +31,7 @@ type StreamRecorder struct {
 	stream bool
 }
 
-func (sr *StreamRecorder) WriteHeader(statusCode int) {
+func (sr *streamRecorder) WriteHeader(statusCode int) {
 	if sr.wroteHeader {
 		return
 	}
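Review bot: The context comment `// parseCaddyfile unmarshals tokens from h into a new Middleware.` still names the old type after this hunk changes the local to `var m Coraza`, which appears to leave it as the last mention of `Middleware` in the new side of this file. Suggest `// parseCaddyfile unmarshals tokens from h into a new Coraza handler.`. The `Middleware` text in the `@@` headers is generated from the old side and needs no change.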
@@ -56,7 +56,7 @@ func (sr *StreamRecorder) WriteHeader(statusCode int) {
 	}
 }
 
-func (sr *StreamRecorder) Write(data []byte) (int, error) {
+func (sr *streamRecorder) Write(data []byte) (int, error) {
 	sr.WriteHeader(http.StatusOK)
 	if sr.transaction.Interruption != nil {
 		// We won't process the response body if the transaction was interrupted
@@ -67,12 +67,11 @@ func (sr *StreamRecorder) Write(data []byte) (int, error) {
 		return sr.ResponseWriterWrapper.Write(data)
 	}
 
-	sr.transaction.ResponseBodyBuffer.Write(data)
-	return len(data), nil
+	return sr.transaction.ResponseBodyBuffer.Write(data)
 }
 
 // Reader provides access to the buffered/inmemory response object
-func (sr *StreamRecorder) Reader() (io.Reader, error) {
+func (sr *streamRecorder) Reader() (io.Reader, error) {
 	if sr.stream {
 		return nil, nil
 	}
@@ -81,16 +80,16 @@ func (sr *StreamRecorder) Reader() (io.Reader, error) {
 
 // Buffered returns true if the response is stored inside the transaction
 // IF false the response was already sent to the client
-func (sr *StreamRecorder) Buffered() bool {
+func (sr *streamRecorder) Buffered() bool {
 	return !sr.stream
 }
 
-func (sr *StreamRecorder) Status() int {
+func (sr *streamRecorder) Status() int {
 	return sr.statusCode
 }
 
-func NewStreamRecorder(w http.ResponseWriter, tx *coraza.Transaction) *StreamRecorder {
-	return &StreamRecorder{
+func newStreamRecorder(w http.ResponseWriter, tx *coraza.Transaction) *streamRecorder {
+	return &streamRecorder{
 		ResponseWriterWrapper: &caddyhttp.ResponseWriterWrapper{ResponseWriter: w},
 		transaction: tx,
 	}
From 275baf22babc24e5ea879f84042d740a823335ed Mon Sep 17 00:00:00 2001
From: Juan Pablo Tosso
Date: Tue, 26 Jul 2022 12:37:18 -0400
Subject: [PATCH 3/3] link coraza to readme

---
 .github/workflows/tests.yml | 6 ++++++
 README.md | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 66211ef..0fdc945 100644
--- a/.github/workflows/tests.yml
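Review bot: The new `return sr.transaction.ResponseBodyBuffer.Write(data)` forwards whatever byte count the buffer reports, whereas the removed lines always reported `len(data)`; `io.Writer` callers such as `io.Copy` in a proxying upstream handler treat `n < len(data)` with a nil error as `io.ErrShortWrite`, so it is worth confirming that coraza's BodyBuffer never returns a short count without an error (for instance if it enforces a size limit) before relying on its `n`. Propagating the error itself is a clear improvement over the previous silent drop. Separately, `Reader()` returning `nil, nil` in streaming mode is easy to misuse; a sentence on its doc comment such as `// Reader returns nil, nil when the response was streamed to the client; callers should check Buffered() first.` would make the contract explicit. Write's body starts outside the hunk.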
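Review bot: `newStreamRecorder` and `Status` carry no doc comments, and the `Buffered` comment reads `// IF false the response was already sent to the client`; now that the type is unexported these comments are the only in-file description of the recorder's contract. Suggest `// newStreamRecorder wraps w so the response for tx can be inspected before it is released to the client.`, `// Status returns the status code recorded by WriteHeader (the zero value until WriteHeader runs, as far as this patch shows).`, and `// If false, the response was already sent to the client`. The `Interruption` and `stream` handling that determines these values sits outside the hunk.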
+++ b/.github/workflows/tests.yml @@ -4,8 +4,14 @@ on: push: branches: - '*' + paths-ignore: + - "**/*.md" + - "LICENSE" pull_request: branches: [ master ] + paths-ignore: + - "**/*.md" + - "LICENSE" jobs: test: diff --git a/README.md b/README.md index 3b02077..7c8b6cd 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active) -OWASP Coraza Caddy Module provides Web Application Firewall capabilities for Caddy. +[OWASP Coraza](https://github.com/corazawaf/coraza) Caddy Module provides Web Application Firewall capabilities for Caddy. OWASP Coraza WAF is 100% compatible with OWASP Coreruleset and Modsecurity syntax. ## Plugin syntax
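Review bot: Adding `paths-ignore` under `pull_request` means a PR that only touches Markdown or `LICENSE` produces no `test` run at all; if the repository's branch protection lists that job as a required status check, such PRs stay blocked on a permanently pending check rather than passing. GitHub's documented workaround is either to keep the filter off the `pull_request` trigger or to add a companion workflow with the same job name and matching `paths` that simply succeeds. If the check is not required, this is only a heads-up. Whether branch protection requires it cannot be seen from this patch.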