OWASP Coraza WAF - A Golang Modsecurity Compatible Web Application Firewall Library

Welcome to OWASP Coraza Web Application Firewall, OWASP Coraza is a golang enterprise-grade Web Application Firewall framework that supports Modsecurity’s seclang language and is 100% compatible with OWASP Core Ruleset.

Prerequisites

• Linux distribution (Debian and Centos are recommended, Windows is not supported yet)
• Golang compiler v1.16+

Migrate from v1

• Rollback SecAuditLog to the legacy syntax (serial/concurrent)
• Attach an error log handler using waf.SetErrorLogCb(cb) (optional)
• the function Transaction.Clean() must be used to clear transaction data, files and take them back to the sync pool.
• If you are using @rx with libpcre (CRS) install the plugin github.com/jptosso/coraza-pcre
• If you are using low level APIs check the complete changelog as most of them were removed.

Running the tests

Run the go tests:

go test ./...  
go test -race ./...

Using pre-commit

pip install pre-commit  
pre-commit run --all-files

You can also install the pre-commit git hook by running

pre-commit install

Coraza v2 differences with v1

• Full internal API refactor, public API has not changed
• Full audit engine refactor with plugins support
• New enhanced plugins interface for transformations, actions, body processors, and operators
• We are fully compliant with Seclang from modsecurity v2
• Many features removed and transformed into plugins: XML (Mostly), GeoIP and PCRE regex
• Better debug logging
• New error logging (like modsecurity)
• Better performance

Your first Coraza WAF project

package main  
import(  
	"fmt"  
	"github.com/corazawaf/coraza/v2"  
	"github.com/corazawaf/coraza/v2/seclang"  
)  
  
func main() {  
	// First we initialize our waf and our seclang parser  
	waf := coraza.NewWaf()  
	parser, _ := seclang.NewParser(waf)  
  
	// Now we parse our rules  
	if err := parser.FromString(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`); err != nil {  
		fmt.Println(err)  
	}  
  
	// Then we create a transaction and assign some variables  
	tx := waf.NewTransaction()  
	defer func(){  
		tx.ProcessLogging()  
		tx.Clean()  
	}()  
	tx.ProcessConnection("127.0.0.1", 8080, "127.0.0.1", 12345)  
  
	// Finally we process the request headers phase, which may return an interruption  
	if it := tx.ProcessRequestHeaders(); it != nil {  
		fmt.Printf("Transaction was interrupted with status %d\n", it.Status)  
	}  
}

Why Coraza WAF?

Philosophy

• Simplicity: Anyone should be able to understand and modify Coraza WAF’s source code
• Extensibility: It should be easy to extend Coraza WAF with new functionalities
• Innovation: Coraza WAF isn’t just a ModSecurity port. It must include awesome new functions (in the meantime, it’s just a port



)

• Community: Coraza WAF is a community project, and all ideas will be considered

Roadmap

• New rule language
• GraphQL body processor
• C exports
• WASM scripts support

Coraza WAF implementations

• Caddy Plugin (Reverse Proxy and Web Server) (Stable)
• Traefik Plugin (Reverse Proxy and Web Server) (preview)
• Gin Middleware (Web Framework) (Preview)
• Buffalo Plugin (Web Framework) (soon)
• Coraza Server (HAPROXY, REST and GRPC) (experimental)
• Apache httpd (experimental)
• Nginx (soon)
• Coraza C Exports (experimental)

Some useful tools

• Go FTW: rule testing engine
• Coraza Playground: rule testing sandbox with web interface
• OWASP Core Ruleset: Awesome rule set, compatible with Coraza

Troubleshooting

Dependency issues:

go get: github.com/jptosso/coraza-waf/[email protected]: parsing go.mod:  
	module declares its path as: github.com/corazawaf/coraza/v2  
	        but was required as: github.com/jptosso/coraza-waf/v2  

Coraza was migrated from github.com/jptosso/coraza-waf to github.com/corazawaf/coraza. Most dependencies has already been updated to use the new repo, but you must make sure they all use v2.0.0-rc.3+. You may use the following command to fix the error:

go get -u github.com/corazawaf/coraza/[email protected]

How to contribute

Contributions are welcome. There are many TODOs, functionalities, fixes, bug reports, and any help you can provide. Just send your PR.

cd /path/to/coraza  
egrep -Rin "TODO|FIXME" -R --exclude-dir=vendor *

Special thanks

• Modsecurity team for creating ModSecurity
• OWASP Coreruleset team for the CRS and their help

Companies using Coraza

• Babiel (supporter)

Author on Twitter

• @jptosso

Donations

For donations, see Donations site

Download Coraza