From 0667cef7fd81f94cc6cb07c6007ac2a01f6065c5 Mon Sep 17 00:00:00 2001
From: Matteo Pace
Date: Tue, 26 Mar 2024 00:04:59 +0100
Subject: [PATCH 01/10] implements auditlogs as info logs
---
 internal/auditlog/serial_writer.go | 54 ++++++++++++++++++++++++++++++
 main.go | 2 ++
 2 files changed, 56 insertions(+)
 create mode 100644 internal/auditlog/serial_writer.go
diff --git a/internal/auditlog/serial_writer.go b/internal/auditlog/serial_writer.go
new file mode 100644
index 0000000..3d8b4de
--- /dev/null
+++ b/internal/auditlog/serial_writer.go
@@ -0,0 +1,54 @@
+// Copyright The OWASP Coraza contributors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build tinygo
+
+package auditlog
+
+import (
+ "io"
+
+ "github.com/corazawaf/coraza/v3/experimental/plugins"
+ "github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
+ "github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm"
+)
+
+// Coraza does not come with a built-in audit log writer for Wasm
+// See https://github.com/corazawaf/coraza/blob/main/internal/auditlog/init_tinygo.go
+// This function registers a new audit log writer for Wasm named "wasmserial" that prints
+// audit logs to the proxy-wasm log as info messages.
+func RegisterWasmSerialWriter() {
+ plugins.RegisterAuditLogWriter("wasmserial", func() plugintypes.AuditLogWriter {
+ return &wasmSerial{}
+ })
+}
+
+type wasmSerial struct {
+ io.Closer
+ formatter plugintypes.AuditLogFormatter
+}
+
+func (s *wasmSerial) Init(cfg plugintypes.AuditLogConfig) error {
+ s.formatter = cfg.Formatter
+ return nil
+}
+
+func (s *wasmSerial) Write(al plugintypes.AuditLog) error {
+ if s.formatter == nil {
+ return nil
+ }
+
+ bts, err := s.formatter.Format(al)
+ if err != nil {
+ return err
+ }
+
+ if len(bts) == 0 {
+ return nil
+ }
+
+ proxywasm.LogInfo(string(bts))
+ return nil
+}
+
+func (s *wasmSerial) Close() error { return nil }
diff --git a/main.go b/main.go
index 1cf0369..3aa3433 100644
--- a/main.go
+++ b/main.go
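Review bot: The embedded `io.Closer` in `wasmSerial` is never assigned and is shadowed by the explicit `Close` method on the last line of the hunk, so it only adds a nil interface field; drop that line together with the `"io"` import. `Write` hands the formatted record to `proxywasm.LogInfo`, so everything selected by `SecAuditLogParts` (request and response headers and bodies, per the configuration hunks later in this series) now lands in the proxy's info-level log stream, and operators have to protect proxy logs as they would an audit log file; a doc comment on `Write` should say so, e.g. `// Write emits the formatted audit record through the proxy-wasm info log; it can carry request/response data, so the proxy log must be treated as audit data.` Presumably a host that filters wasm logs above info level drops these records silently, and `Write` cannot detect that because `LogInfo` returns nothing — worth stating in the same comment.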
@@ -6,11 +6,13 @@ package main import ( "github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm" + "github.com/corazawaf/coraza-proxy-wasm/internal/auditlog" "github.com/corazawaf/coraza-proxy-wasm/internal/operators" "github.com/corazawaf/coraza-proxy-wasm/wasmplugin" ) func main() { operators.Register() + auditlog.RegisterWasmSerialWriter() proxywasm.SetVMContext(wasmplugin.NewVMContext()) } From a385e9752ed8ddff4e53edee1ab790fb0b8582f0 Mon Sep 17 00:00:00 2001 From: Matteo Pace Date: Tue, 26 Mar 2024 00:21:20 +0100 Subject: [PATCH 02/10] TINYGO_VERSION and recommended/demo --- wasmplugin/rules/coraza-demo.conf | 4 ++-- wasmplugin/rules/coraza.conf-recommended.conf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/wasmplugin/rules/coraza-demo.conf b/wasmplugin/rules/coraza-demo.conf index 903027c..e4f6309 100644 --- a/wasmplugin/rules/coraza-demo.conf +++ b/wasmplugin/rules/coraza-demo.conf @@ -221,7 +221,7 @@ SecDebugLogLevel 3 # trigger a server error (determined by a 5xx or 4xx, excluding 404, # level response status codes). # -SecAuditEngine On +SecAuditEngine RelevantOnly SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$" # Log everything we know about a transaction. @@ -230,7 +230,7 @@ SecAuditLogParts ABIJDEFHZ # Use a single file for logging. This is much easier to look at, but # assumes that you will use the audit log only occasionally. # -SecAuditLogType Serial +SecAuditLogType WasmSerial # -- Miscellaneous ----------------------------------------------------------- diff --git a/wasmplugin/rules/coraza.conf-recommended.conf b/wasmplugin/rules/coraza.conf-recommended.conf index a1c5f96..60a76e1 100644 --- a/wasmplugin/rules/coraza.conf-recommended.conf +++ b/wasmplugin/rules/coraza.conf-recommended.conf 
@@ -220,7 +220,7 @@ SecResponseBodyLimitAction ProcessPartial # trigger a server error (determined by a 5xx or 4xx, excluding 404, # level response status codes). # -SecAuditEngine RelevantOnly +SecAuditEngine Off SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$" # Log everything we know about a transaction. @@ -229,7 +229,7 @@ SecAuditLogParts ABIJDEFHZ # Use a single file for logging. This is much easier to look at, but # assumes that you will use the audit log only occasionally. # -SecAuditLogType Serial +SecAuditLogType WasmSerial # -- Miscellaneous ----------------------------------------------------------- From a620f322875d7938792f5f394a03264e03abc37d Mon Sep 17 00:00:00 2001 From: Matteo Pace Date: Tue, 26 Mar 2024 00:37:54 +0100 Subject: [PATCH 03/10] adds serial_writer_go --- internal/auditlog/serial_writer_go.go | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 internal/auditlog/serial_writer_go.go diff --git a/internal/auditlog/serial_writer_go.go b/internal/auditlog/serial_writer_go.go new file mode 100644 index 0000000..edb7cb5 --- /dev/null +++ b/internal/auditlog/serial_writer_go.go @@ -0,0 +1,8 @@ +// Copyright The OWASP Coraza contributors +// SPDX-License-Identifier: Apache-2.0 + +//go:build !tinygo + +package auditlog + +func RegisterWasmSerialWriter() {} From 42923fdb341e8764f5c32d15ed6854fe032a52a6 Mon Sep 17 00:00:00 2001 From: Matteo Pace Date: Tue, 26 Mar 2024 01:03:38 +0100 Subject: [PATCH 04/10] fix test registering serial writer --- internal/auditlog/serial_writer.go | 2 -- internal/auditlog/serial_writer_go.go | 8 -------- main_test.go | 2 ++ 3 files changed, 2 insertions(+), 10 deletions(-) delete mode 100644 internal/auditlog/serial_writer_go.go diff --git a/internal/auditlog/serial_writer.go b/internal/auditlog/serial_writer.go index 3d8b4de..eef14c5 100644 --- a/internal/auditlog/serial_writer.go +++ b/internal/auditlog/serial_writer.go 
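Review bot: `SecAuditEngine Off` in the recommended configuration now contradicts the comment lines kept just above it, which still describe the RelevantOnly behaviour (auditing transactions that produce a 4xx/5xx response), so a reader sees a rationale for a mode that is no longer selected. Audit records are what an operator turns to after a block or an incident, so the reason for shipping them disabled deserves a line of its own, e.g. `# Audit logging is disabled by default; set RelevantOnly to log the transactions matched by SecAuditLogRelevantStatus below.` The coraza-demo.conf hunk of this patch keeps RelevantOnly, so the two files now differ silently on this point; naming that difference in the comment would also help.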
@@ -1,8 +1,6 @@ // Copyright The OWASP Coraza contributors // SPDX-License-Identifier: Apache-2.0 -//go:build tinygo - package auditlog import ( diff --git a/internal/auditlog/serial_writer_go.go b/internal/auditlog/serial_writer_go.go deleted file mode 100644 index edb7cb5..0000000 --- a/internal/auditlog/serial_writer_go.go +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright The OWASP Coraza contributors -// SPDX-License-Identifier: Apache-2.0 - -//go:build !tinygo - -package auditlog - -func RegisterWasmSerialWriter() {} diff --git a/main_test.go b/main_test.go index 5c8ecc9..49b42d8 100644 --- a/main_test.go +++ b/main_test.go @@ -18,6 +18,7 @@ import ( "github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm/proxytest" "github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm/types" + "github.com/corazawaf/coraza-proxy-wasm/internal/auditlog" "github.com/corazawaf/coraza-proxy-wasm/wasmplugin" ) @@ -1412,6 +1413,7 @@ func vmTest(t *testing.T, f func(*testing.T, types.VMContext)) { t.Helper() t.Run("go", func(t *testing.T) { + auditlog.RegisterWasmSerialWriter() f(t, wasmplugin.NewVMContext()) }) From 9cb6fd07be8bdf0cd6986700563135bd672f4275 Mon Sep 17 00:00:00 2001 From: Matteo Pace Date: Thu, 28 Mar 2024 18:48:49 +0100 Subject: [PATCH 05/10] JSON added to recommended, SecAuditLog for default Serial writer --- example/envoy/envoy-config.yaml | 2 ++ internal/auditlog/serial_writer.go | 6 +++--- wasmplugin/rules/coraza-demo.conf | 4 +++- wasmplugin/rules/coraza.conf-recommended.conf | 5 +++-- 4 files changed, 11 insertions(+), 6 deletions(-) diff --git a/example/envoy/envoy-config.yaml b/example/envoy/envoy-config.yaml index 7156691..874fbb0 100644 --- a/example/envoy/envoy-config.yaml +++ b/example/envoy/envoy-config.yaml 
@@ -60,6 +60,8 @@ static_resources: "SecDefaultAction \"phase:3,log,auditlog,pass\"", "SecDefaultAction \"phase:4,log,auditlog,pass\"", "SecDefaultAction \"phase:5,log,auditlog,pass\"", + "SecAuditLog /dev/stdout", + "SecAuditLogFormat JSON", "SecDebugLogLevel 3", "Include @owasp_crs/*.conf", "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\" \nSecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\" \nSecRule RESPONSE_HEADERS::status \"@rx 406\" \"id:103,phase:3,t:lowercase,deny\" \nSecRule RESPONSE_BODY \"@contains responsebodycode\" \"id:104,phase:4,t:lowercase,deny\"" diff --git a/internal/auditlog/serial_writer.go b/internal/auditlog/serial_writer.go index eef14c5..4e5b4a0 100644 --- a/internal/auditlog/serial_writer.go +++ b/internal/auditlog/serial_writer.go @@ -13,10 +13,10 @@ import ( // Coraza does not come with a built-in audit log writer for Wasm // See https://github.com/corazawaf/coraza/blob/main/internal/auditlog/init_tinygo.go -// This function registers a new audit log writer for Wasm named "wasmserial" that prints -// audit logs to the proxy-wasm log as info messages. +// This function overrides the default "Serial" audit log writer in order to print audit logs +// to the proxy-wasm log as info messages. func RegisterWasmSerialWriter() { - plugins.RegisterAuditLogWriter("wasmserial", func() plugintypes.AuditLogWriter { + plugins.RegisterAuditLogWriter("serialNotUsed", func() plugintypes.AuditLogWriter { return &wasmSerial{} }) } diff --git a/wasmplugin/rules/coraza-demo.conf b/wasmplugin/rules/coraza-demo.conf index e4f6309..31e83e1 100644 --- a/wasmplugin/rules/coraza-demo.conf +++ b/wasmplugin/rules/coraza-demo.conf 
@@ -230,7 +230,9 @@ SecAuditLogParts ABIJDEFHZ # Use a single file for logging. This is much easier to look at, but # assumes that you will use the audit log only occasionally. # -SecAuditLogType WasmSerial +SecAuditLogType Serial +SecAuditLog /dev/stdout +SecAuditLogFormat JSON # -- Miscellaneous ----------------------------------------------------------- diff --git a/wasmplugin/rules/coraza.conf-recommended.conf b/wasmplugin/rules/coraza.conf-recommended.conf index 60a76e1..9b053f1 100644 --- a/wasmplugin/rules/coraza.conf-recommended.conf +++ b/wasmplugin/rules/coraza.conf-recommended.conf @@ -229,8 +229,9 @@ SecAuditLogParts ABIJDEFHZ # Use a single file for logging. This is much easier to look at, but # assumes that you will use the audit log only occasionally. # -SecAuditLogType WasmSerial - +SecAuditLogType Serial +SecAuditLog /dev/stdout +SecAuditLogFormat JSON # -- Miscellaneous ----------------------------------------------------------- From ec56bc59d07f06a55b0c18924b45afcd476267b6 Mon Sep 17 00:00:00 2001 From: Matteo Pace Date: Mon, 1 Apr 2024 23:26:42 +0200 Subject: [PATCH 06/10] enforces prefix, comments in recommended confs --- example/envoy/envoy-config.yaml | 3 +-- internal/auditlog/serial_writer.go | 12 +++++------- wasmplugin/rules/coraza-demo.conf | 3 ++- wasmplugin/rules/coraza.conf-recommended.conf | 2 ++ 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/example/envoy/envoy-config.yaml b/example/envoy/envoy-config.yaml index 874fbb0..6e8f0e0 100644 --- a/example/envoy/envoy-config.yaml +++ b/example/envoy/envoy-config.yaml 
@@ -60,8 +60,7 @@ static_resources: "SecDefaultAction \"phase:3,log,auditlog,pass\"", "SecDefaultAction \"phase:4,log,auditlog,pass\"", "SecDefaultAction \"phase:5,log,auditlog,pass\"", - "SecAuditLog /dev/stdout", - "SecAuditLogFormat JSON", + "SecAuditEngine On", "SecDebugLogLevel 3", "Include @owasp_crs/*.conf", "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\" \nSecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\" \nSecRule RESPONSE_HEADERS::status \"@rx 406\" \"id:103,phase:3,t:lowercase,deny\" \nSecRule RESPONSE_BODY \"@contains responsebodycode\" \"id:104,phase:4,t:lowercase,deny\"" diff --git a/internal/auditlog/serial_writer.go b/internal/auditlog/serial_writer.go index 4e5b4a0..799848c 100644 --- a/internal/auditlog/serial_writer.go +++ b/internal/auditlog/serial_writer.go @@ -11,12 +11,10 @@ import ( "github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm" ) -// Coraza does not come with a built-in audit log writer for Wasm -// See https://github.com/corazawaf/coraza/blob/main/internal/auditlog/init_tinygo.go -// This function overrides the default "Serial" audit log writer in order to print audit logs -// to the proxy-wasm log as info messages. +// This function overrides the default "Serial" audit log writer (see https://github.com/corazawaf/coraza/blob/main/internal/auditlog/init_tinygo.go) +// in order to print audit logs to the proxy-wasm log as info messages with a prefix to differentiate them from other logs. func RegisterWasmSerialWriter() { - plugins.RegisterAuditLogWriter("serialNotUsed", func() plugintypes.AuditLogWriter { + plugins.RegisterAuditLogWriter("serial", func() plugintypes.AuditLogWriter { return &wasmSerial{} }) } 
@@ -44,8 +42,8 @@ func (s *wasmSerial) Write(al plugintypes.AuditLog) error { if len(bts) == 0 { return nil } - - proxywasm.LogInfo(string(bts)) + // Print the audit log to the proxy-wasm log as an info message adding an "AuditLog:" prefix. + proxywasm.LogInfo("AuditLog:" + string(bts)) return nil } diff --git a/wasmplugin/rules/coraza-demo.conf b/wasmplugin/rules/coraza-demo.conf index 31e83e1..dd810b3 100644 --- a/wasmplugin/rules/coraza-demo.conf +++ b/wasmplugin/rules/coraza-demo.conf @@ -230,11 +230,12 @@ SecAuditLogParts ABIJDEFHZ # Use a single file for logging. This is much easier to look at, but # assumes that you will use the audit log only occasionally. # +# Because of proxy-wasm limitations, audit logs can only be written to stdout +# which end up in the proxy logs. SecAuditLogType Serial SecAuditLog /dev/stdout SecAuditLogFormat JSON - # -- Miscellaneous ----------------------------------------------------------- # Use the most commonly used application/x-www-form-urlencoded parameter diff --git a/wasmplugin/rules/coraza.conf-recommended.conf b/wasmplugin/rules/coraza.conf-recommended.conf index 9b053f1..c8bcd0d 100644 --- a/wasmplugin/rules/coraza.conf-recommended.conf +++ b/wasmplugin/rules/coraza.conf-recommended.conf @@ -229,6 +229,8 @@ SecAuditLogParts ABIJDEFHZ # Use a single file for logging. This is much easier to look at, but # assumes that you will use the audit log only occasionally. # +# Because of proxy-wasm limitations, audit logs can only be written to stdout +# which end up in the proxy logs. SecAuditLogType Serial SecAuditLog /dev/stdout SecAuditLogFormat JSON From cf8f47b9f7db2b2f333b3a496abfbbd3610fc256 Mon Sep 17 00:00:00 2001 From: Matteo Pace Date: Tue, 2 Apr 2024 22:30:25 +0200 Subject: [PATCH 07/10] nit: naming --- internal/auditlog/serial_writer.go | 4 ++-- main.go | 2 +- main_test.go | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) 
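Review bot: The `"AuditLog:"` prefix added to the `proxywasm.LogInfo` call is only a reliable record delimiter when the formatter emits one line per record; the configuration hunks of this patch select `SecAuditLogFormat JSON`, which does, but the writer itself does not check which formatter it was given, and a multi-line formatter would log request/response parts verbatim, interleaved with other proxy log lines. Consumers of the proxy log should therefore not treat every line starting with the prefix as a complete, self-delimited record. A comment above the call stating this assumption would prevent that misreading, e.g. `// The prefix only delimits records when the configured formatter (JSON here) emits a single line.` `Write` starts outside this hunk.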
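Review bot: The comment added to coraza-demo.conf (and the identical one in the coraza.conf-recommended.conf hunk that follows) says audit logs are written to stdout, but as far as this series shows the overriding serial writer's `Init` reads only `cfg.Formatter`, so the `SecAuditLog /dev/stdout` path is never opened and records reach the proxy log through `proxywasm.LogInfo` instead. An operator who points `SecAuditLog` at a file will get neither a file nor an error, which the comment should make explicit, e.g. `# Because of proxy-wasm limitations the SecAuditLog path is not opened; audit records are emitted through the proxy-wasm info log (prefixed "AuditLog:") and end up in the proxy logs.`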
diff --git a/internal/auditlog/serial_writer.go b/internal/auditlog/serial_writer.go index 799848c..54dd7a2 100644 --- a/internal/auditlog/serial_writer.go +++ b/internal/auditlog/serial_writer.go @@ -11,9 +11,9 @@ import ( "github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm" ) -// This function overrides the default "Serial" audit log writer (see https://github.com/corazawaf/coraza/blob/main/internal/auditlog/init_tinygo.go) +// RegisterProxyWasmSerialWriter overrides the default "Serial" audit log writer (see https://github.com/corazawaf/coraza/blob/main/internal/auditlog/init_tinygo.go) // in order to print audit logs to the proxy-wasm log as info messages with a prefix to differentiate them from other logs. -func RegisterWasmSerialWriter() { +func RegisterProxyWasmSerialWriter() { plugins.RegisterAuditLogWriter("serial", func() plugintypes.AuditLogWriter { return &wasmSerial{} }) diff --git a/main.go b/main.go index 3aa3433..9e1fd49 100644 --- a/main.go +++ b/main.go @@ -13,6 +13,6 @@ import ( func main() { operators.Register() - auditlog.RegisterWasmSerialWriter() + auditlog.RegisterProxyWasmSerialWriter() proxywasm.SetVMContext(wasmplugin.NewVMContext()) } diff --git a/main_test.go b/main_test.go index 49b42d8..975a3fc 100644 --- a/main_test.go +++ b/main_test.go @@ -1413,7 +1413,7 @@ func vmTest(t *testing.T, f func(*testing.T, types.VMContext)) { t.Helper() t.Run("go", func(t *testing.T) { - auditlog.RegisterWasmSerialWriter() + auditlog.RegisterProxyWasmSerialWriter() f(t, wasmplugin.NewVMContext()) }) From ebd88d74ecd5c5c963d6cbc3961811382255d0f2 Mon Sep 17 00:00:00 2001 From: Matteo Pace Date: Tue, 16 Jul 2024 23:48:51 +0200 Subject: [PATCH 08/10] fix: adds workaround for SecAuditLogRelevantStatus and default deny action --- wasmplugin/rules/coraza-demo.conf | 3 ++- wasmplugin/rules/coraza.conf-recommended.conf | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) 
diff --git a/wasmplugin/rules/coraza-demo.conf b/wasmplugin/rules/coraza-demo.conf index dd810b3..d818c41 100644 --- a/wasmplugin/rules/coraza-demo.conf +++ b/wasmplugin/rules/coraza-demo.conf @@ -222,7 +222,8 @@ SecDebugLogLevel 3 # level response status codes). # SecAuditEngine RelevantOnly -SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$" +# SecAuditLogRelevantStatus includes status 0 as a workaround for https://github.com/corazawaf/coraza/pull/1097 +SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9]|0)$" # Log everything we know about a transaction. SecAuditLogParts ABIJDEFHZ diff --git a/wasmplugin/rules/coraza.conf-recommended.conf b/wasmplugin/rules/coraza.conf-recommended.conf index c8bcd0d..5bb35e9 100644 --- a/wasmplugin/rules/coraza.conf-recommended.conf +++ b/wasmplugin/rules/coraza.conf-recommended.conf @@ -221,7 +221,8 @@ SecResponseBodyLimitAction ProcessPartial # level response status codes). # SecAuditEngine Off -SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$" +# SecAuditLogRelevantStatus includes status 0 as a workaround for https://github.com/corazawaf/coraza/pull/1097 +SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9]|0)$" # Log everything we know about a transaction. SecAuditLogParts ABIJDEFHZ From 07d99b142c7d1a5dd47c756d6467acdadd3f38a7 Mon Sep 17 00:00:00 2001 From: Matteo Pace Date: Thu, 18 Jul 2024 17:27:22 +0200 Subject: [PATCH 09/10] revert workaround, points to Coraza master with fix --- go.mod | 2 +- go.sum | 4 ++-- wasmplugin/rules/coraza-demo.conf | 3 +-- wasmplugin/rules/coraza.conf-recommended.conf | 3 +-- 4 files changed, 5 insertions(+), 7 deletions(-) diff --git a/go.mod b/go.mod index 741f01b..046187f 100644 --- a/go.mod +++ b/go.mod 
@@ -4,7 +4,7 @@ go 1.20 require ( github.com/corazawaf/coraza-wasilibs v0.2.0 - github.com/corazawaf/coraza/v3 v3.2.1 + github.com/corazawaf/coraza/v3 v3.2.2-0.20240718151026-8ebb4a82ce41 github.com/stretchr/testify v1.9.0 github.com/tetratelabs/proxy-wasm-go-sdk v0.23.0 github.com/tidwall/gjson v1.17.1 diff --git a/go.sum b/go.sum index d9289c7..d85467a 100644 --- a/go.sum +++ b/go.sum @@ -1,7 +1,7 @@ github.com/corazawaf/coraza-wasilibs v0.2.0 h1:BT8x2pks6Xk7Oi1cUS9BPO+hi3QWQyQAtBkC3IR3Mt8= github.com/corazawaf/coraza-wasilibs v0.2.0/go.mod h1:jmUPQdndtPfMzKPn0a8BqdikXjuT3wY+6zDx5NvKshI= -github.com/corazawaf/coraza/v3 v3.2.1 h1:zBIji4ut9FtFe8lXdqFwXMAkUoDJZ7HsOlEUYWERLI8= -github.com/corazawaf/coraza/v3 v3.2.1/go.mod h1:fVndCGdUHJWl9c26VZPcORQRzUYwMPnRkC6TyTkhbUg= +github.com/corazawaf/coraza/v3 v3.2.2-0.20240718151026-8ebb4a82ce41 h1:BVk6PUP8RsYtSAGlpGH3w0Bnjyjd2nADCy7ZkjXC0MQ= +github.com/corazawaf/coraza/v3 v3.2.2-0.20240718151026-8ebb4a82ce41/go.mod h1:fVndCGdUHJWl9c26VZPcORQRzUYwMPnRkC6TyTkhbUg= github.com/corazawaf/libinjection-go v0.2.1 h1:vNJ7L6c4xkhRgYU6sIO0Tl54TmeCQv/yfxBma30Dy/Y= github.com/corazawaf/libinjection-go v0.2.1/go.mod h1:OP4TM7xdJ2skyXqNX1AN1wN5nNZEmJNuWbNPOItn7aw= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= diff --git a/wasmplugin/rules/coraza-demo.conf b/wasmplugin/rules/coraza-demo.conf index d818c41..dd810b3 100644 --- a/wasmplugin/rules/coraza-demo.conf +++ b/wasmplugin/rules/coraza-demo.conf @@ -222,8 +222,7 @@ SecDebugLogLevel 3 # level response status codes). # SecAuditEngine RelevantOnly -# SecAuditLogRelevantStatus includes status 0 as a workaround for https://github.com/corazawaf/coraza/pull/1097 -SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9]|0)$" +SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$" # Log everything we know about a transaction. SecAuditLogParts ABIJDEFHZ 
diff --git a/wasmplugin/rules/coraza.conf-recommended.conf b/wasmplugin/rules/coraza.conf-recommended.conf index 5bb35e9..c8bcd0d 100644 --- a/wasmplugin/rules/coraza.conf-recommended.conf +++ b/wasmplugin/rules/coraza.conf-recommended.conf @@ -221,8 +221,7 @@ SecResponseBodyLimitAction ProcessPartial # level response status codes). # SecAuditEngine Off -# SecAuditLogRelevantStatus includes status 0 as a workaround for https://github.com/corazawaf/coraza/pull/1097 -SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9]|0)$" +SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$" # Log everything we know about a transaction. SecAuditLogParts ABIJDEFHZ From 776444bdcf38f267457439f46f978850527f5426 Mon Sep 17 00:00:00 2001 From: Matteo Pace Date: Thu, 18 Jul 2024 18:33:12 +0200 Subject: [PATCH 10/10] nit: removes leftover --- example/envoy/envoy-config.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/example/envoy/envoy-config.yaml b/example/envoy/envoy-config.yaml index 6e8f0e0..7156691 100644 --- a/example/envoy/envoy-config.yaml +++ b/example/envoy/envoy-config.yaml @@ -60,7 +60,6 @@ static_resources: "SecDefaultAction \"phase:3,log,auditlog,pass\"", "SecDefaultAction \"phase:4,log,auditlog,pass\"", "SecDefaultAction \"phase:5,log,auditlog,pass\"", - "SecAuditEngine On", "SecDebugLogLevel 3", "Include @owasp_crs/*.conf", "SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\" \nSecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\" \nSecRule RESPONSE_HEADERS::status \"@rx 406\" \"id:103,phase:3,t:lowercase,deny\" \nSecRule RESPONSE_BODY \"@contains responsebodycode\" \"id:104,phase:4,t:lowercase,deny\""