forked from envoyproxy/envoy
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 1 changed file with 10 additions and 5 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,9 @@ | ||
# Coraza Proxy WASM | ||
|
||
Web Application Firewall WASM filter built on top of [Coraza](https://github.com/corazawaf/coraza) and implementing on proxy-wasm ABI. It can be loaded directly from Envoy or also used as an Istio plugin. | ||
Web Application Firewall WASM filter built on top of [Coraza](https://github.com/corazawaf/coraza) and implementing the [proxy-wasm ABI](https://github.com/proxy-wasm/spec). It can be loaded directly from Envoy or also used as an Istio plugin. | ||
|
||
## Getting started | ||
|
||
`go run mage.go -l` lists all the available commands: | ||
``` | ||
▶ go run mage.go -l | ||
|
@@ -20,14 +21,17 @@ Targets: | |
* default target | ||
``` | ||
|
||
### Building the filter | ||
>Note: The build of the Wasm filter currently relies on Go `1.18.*` | ||
|
||
>Note: The build of the Wasm filter currently relies on Go `1.18.*`. On MacOS, you can install it with `brew install [email protected]` and then use | ||
``` | ||
PATH=/opt/homebrew/Cellar/[email protected]/1.18.6/bin:$PATH GOROOT=/opt/homebrew/Cellar/[email protected]/1.18.6/libexec go run mage.go build | ||
``` | ||
You will find the WASM plugin under `./build/main.wasm`. | ||
|
||
For performance purposes, some libs are built from they C++ implementation. The compiled polyglot wasm libs are already checked in under [./lib/](./lib/). It is possible to rely on the Dockerfiles under [./buildtools/](./buildtools/) if you wish to rebuild them from scratch. | ||
For performance purposes, some libs are built from non-Go implementations. The compiled polyglot wasm libs are already checked in under [./lib/](./lib/). It is possible to rely on the Dockerfiles under [./buildtools/](./buildtools/) if you wish to rebuild them from scratch | ||
using `go run mage.go updateLibs`. | ||
|
||
### Running the filter in an Envoy process | ||
|
||
|
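Review bot: The added macOS build command hard-codes `/opt/homebrew/Cellar/.../1.18.6/bin` and the matching `.../1.18.6/libexec` GOROOT, which only resolves on an Apple Silicon Homebrew install that has exactly patch release 1.18.6; on an Intel Mac (Homebrew prefix `/usr/local`) or once Homebrew ships a later 1.18.x, those directories do not exist and the command fails. Suggest deriving both paths from `brew --prefix` for the formula rather than from a versioned Cellar directory, and writing "macOS" rather than "MacOS". The note line also ends with "and then use", but the fenced command after it is not part of the `>` blockquote, so the sentence will render detached from its command. Separately, since the README states that compiled wasm libs are checked in under `./lib/`, the new `go run mage.go updateLibs` sentence is a good place to say how a reader can confirm the checked-in binaries match what the Dockerfiles under `./buildtools/` produce.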
@@ -68,7 +72,7 @@ In order to run the coraza-proxy-wasm we need to spin up an envoy configuration | |
### Using CRS | ||
Coreruleset comes embedded in the extension, in order to use it in the config, you just need to include it directly in the rules: | ||
[Core Rule Set](https://github.com/coreruleset/coreruleset) comes embedded in the extension, in order to use it in the config, you just need to include it directly in the rules: | ||
Loading entire coreruleset: | ||
|
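Review bot: The rewritten sentence under "Using CRS" says the Core Rule Set "comes embedded in the extension" but still does not state which CRS release is embedded, which is what an operator needs in order to know the rule coverage being deployed; suggest naming the version or pointing to where it is pinned. The sentence also keeps the comma splice ("...in the extension, in order to use it..."), and the unchanged next line "Loading entire coreruleset:" now uses a different spelling from the new "Core Rule Set" link text.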
@@ -96,11 +100,12 @@ configuration: | |
|
||
The following command runs the [go-ftw](https://github.com/fzipi/go-ftw) test suite against the filter with the CRS fully loaded. | ||
``` | ||
go run mage.go build | ||
go run mage.go ftw | ||
``` | ||
Take a look at its config file [ftw.yml](./ftw/ftw.yml) for details about tests currently excluded. | ||
|
||
### Spinning up the coraza-proxy-wasm for manual tests | ||
|
||
Via the commands `setup` and `teardown` you can spin up and tear down the test environment. Envoy with the coraza-wasm filter will be reachable at `localhost:8080`. | ||
In order to monitor envoy logs while performing requests run: | ||
``` | ||
|