Go WAF Plugin (#400)

This commit is contained in:
rinfx
2023-06-28 19:25:36 +08:00
committed by GitHub
parent fc05a3b256
commit c32e1ab69b
74 changed files with 22639 additions and 0 deletions


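--- /dev/null
+++ b/<path-unknown>/Dockerfile
@@ -0,0 +1,3 @@
+FROM liuxr25/flask-helloworld:latest
+COPY app.py /work/app.py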
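Review bot: The base image in `FROM liuxr25/flask-helloworld:latest` is a floating tag, so the e2e fixture is not reproducible and a retagged upstream image silently changes what the WAF tests run against. Pinning it makes the harness repeatable: `FROM liuxr25/flask-helloworld@sha256:<digest-placeholder>` (or at least an immutable version tag). The same image is referenced, commented out, in the compose file under the flask service; keeping both in step is simpler once it is pinned in one place.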


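--- /dev/null
+++ b/<path-unknown>/app.py
@@ -0,0 +1,14 @@
+from flask import Flask, request
+app = Flask(__name__)
+@app.route("/flask/test1", methods=["GET", "POST"])
+def test1():
+return "body normal", 200, [("test-header", "hahaha")]
+@app.route("/flask/test2", methods=["GET", "POST"])
+def test2():
+return "body attack", 200, []
+if __name__ == "__main__":
+app.run("0.0.0.0", 5000)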
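Review bot: The two handlers are fixtures whose only purpose is to trigger the response-phase rules in envoy-config.yaml, but nothing in the file says so: test1's `("test-header", "hahaha")` is what rule 104 denies on, and test2's `"body attack"` is what rule 105's `@rx attack` denies on. That coupling is invisible from this file, so a module comment at the top such as `# e2e fixture: /flask/test1 returns the header rule 104 denies on; /flask/test2 returns the body rule 105 denies on` would keep the two files in step when either changes. `request` is imported but not used by either handler and could be dropped.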


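--- /dev/null
+++ b/<path-unknown>/docker-compose.yaml
@@ -0,0 +1,96 @@
+services:
+httpbin:
+image: kennethreitz/httpbin
+environment:
+- MAX_BODY_SIZE=15728640 # 15 MiB
+ports:
+- 8083:8080
+command:
+- "gunicorn"
+- "-b"
+- "0.0.0.0:8080"
+- "httpbin:app"
+- "-k"
+- "gevent"
+- --log-file
+- /home/envoy/logs/httpbin.log
+volumes:
+- logs:/home/envoy/logs:rw
+flask:
+# image: liuxr25/flask-helloworld:latest
+build: .
+environment:
+- MAX_BODY_SIZE=15728640 # 15 MiB
+ports:
+- 8084:5000
+chown:
+image: alpine:3.16
+command:
+- /bin/sh
+- -c
+- chown -R 101:101 /home/envoy/logs
+volumes:
+- logs:/home/envoy/logs:rw
+envoy:
+depends_on:
+- chown
+- httpbin
+- flask
+image: higress-registry.cn-hangzhou.cr.aliyuncs.com/higress/envoy:1.20
+command:
+- -c
+- /conf/envoy-config.yaml
+- --log-level
+- info
+- --component-log-level
+- wasm:debug
+- --log-format [%Y-%m-%d %T.%f][%t][%l][%n] [%g:%#] %v
+- --log-path
+- /home/envoy/logs/envoy.log
+volumes:
+- .:/build
+- .:/conf
+- logs:/home/envoy/logs:rw
+ports:
+- 8080:8080
+- 8082:8082
+# envoy-logs:
+# depends_on:
+# - envoy
+# - wasm-logs
+# image: debian:11-slim
+# entrypoint: bash
+# command:
+# - -c
+# - tail -c +0 -f /home/envoy/logs/envoy.log
+# volumes:
+# - logs:/home/envoy/logs:ro
+wasm-logs:
+depends_on:
+- envoy
+image: debian:11-slim
+entrypoint: bash
+command:
+- -c
+- tail -c +0 -f /home/envoy/logs/envoy.log | grep --line-buffered "[critical][wasm]"
+volumes:
+- logs:/home/envoy/logs:ro
+# debug-logs:
+# depends_on:
+# - envoy
+# image: debian:11-slim
+# entrypoint: bash
+# command:
+# - -c
+# - tail -c +0 -f /home/envoy/logs/envoy.log | grep --line-buffered "unreachable"
+# volumes:
+# - logs:/home/envoy/logs:ro
+volumes:
+logs: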
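Review bot: The Envoy admin interface is published to every host interface by `- 8082:8082` under the envoy service, and the admin listener in envoy-config.yaml binds `0.0.0.0:8082`, so whatever can reach the host gets an unauthenticated admin endpoint (config dump, runtime overrides, shutdown). For a local harness, bind the published side to loopback and quote the mappings as Compose expects: `- "127.0.0.1:8082:8082"`; the same applies to `8080:8080`, `8083:8080` and `8084:5000` if the fixtures are not meant to be reachable from the LAN. Separately, the item `- --log-format [%Y-%m-%d %T.%f][%t][%l][%n] [%g:%#] %v` is a single argv element holding both flag and value, whereas every other flag is split into two items; unless the image's entrypoint re-splits arguments, this may not be parsed as intended, which is worth confirming against the format of envoy.log.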


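--- /dev/null
+++ b/<path-unknown>/envoy-config.yaml
@@ -0,0 +1,143 @@
+stats_config:
+stats_tags:
+# Envoy extracts the first matching group as a value.
+# See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/metrics/v3/stats.proto#config-metrics-v3-statsconfig.
+- tag_name: phase
+regex: "(_phase=([a-z_]+))"
+- tag_name: rule_id
+regex: "(_ruleid=([0-9]+))"
+static_resources:
+listeners:
+- address:
+socket_address:
+address: 0.0.0.0
+port_value: 8080
+filter_chains:
+- filters:
+- name: envoy.filters.network.http_connection_manager
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+stat_prefix: ingress_http
+codec_type: auto
+route_config:
+virtual_hosts:
+- name: local_route
+domains:
+- "*"
+routes:
+- name: "route_1"
+match:
+path: "/headers"
+route:
+cluster: httpbin_server
+- name: "route_2"
+match:
+path: "/user-agent"
+route:
+cluster: httpbin_server
+- name: "route_flask"
+match:
+prefix: "/flask"
+route:
+cluster: flask_server
+- name: "route_httpbin"
+match:
+prefix: "/"
+route:
+cluster: httpbin_server
+# - name: "route_mock"
+# match:
+# prefix: "/"
+# direct_response:
+# status: 200
+# body:
+# inline_string: "mock response\n"
+http_filters:
+- name: envoy.filters.http.wasm
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+config:
+name: "coraza-filter"
+root_id: ""
+configuration:
+"@type": "type.googleapis.com/google.protobuf.StringValue"
+value: |
+{
+"useCRS": true,
+"secRules": [
+"SecDebugLogLevel 3",
+"SecRuleEngine On",
+"SecRule REQUEST_URI \"@streq /admin\" \"id:101,phase:1,t:lowercase,deny\"",
+"SecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\"",
+"SecRule RESPONSE_HEADERS::status \"@rx 406\" \"id:103,phase:3,t:lowercase,deny\"",
+"SecRule RESPONSE_HEADERS:test-header \"@streq hahaha\" \"id:104,phase:3,t:lowercase,deny\"",
+"SecRule RESPONSE_BODY \"@rx attack\" \"id:105,phase:4,t:lowercase,deny\""
+],
+"_rules_": [
+{
+"_match_route_": [
+"route_1"
+],
+"secRules": [
+"SecDebugLogLevel 3",
+"SecRuleEngine On",
+"SecAction \"id:102,phase:1,deny\""
+]
+},
+{
+"_match_route_": [
+"route_2"
+],
+"secRules": [
+"SecDebugLogLevel 3",
+"SecRuleEngine On",
+"SecAction \"id:102,phase:1,pass\""
+]
+}
+]
+}
+vm_config:
+runtime: "envoy.wasm.runtime.v8"
+vm_id: "10086"
+code:
+local:
+filename: "build/main.wasm"
+- name: envoy.filters.http.router
+typed_config:
+"@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+clusters:
+- name: httpbin_server
+connect_timeout: 6000s
+type: STRICT_DNS
+lb_policy: ROUND_ROBIN
+load_assignment:
+cluster_name: httpbin_server
+endpoints:
+- lb_endpoints:
+- endpoint:
+address:
+socket_address:
+address: httpbin
+port_value: 8080
+- name: flask_server
+connect_timeout: 6000s
+type: STRICT_DNS
+lb_policy: ROUND_ROBIN
+load_assignment:
+cluster_name: flask_server
+endpoints:
+- lb_endpoints:
+- endpoint:
+address:
+socket_address:
+address: flask
+port_value: 5000
+admin:
+access_log_path: "/dev/null"
+address:
+socket_address:
+address: 0.0.0.0
+port_value: 8082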
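Review bot: Rule id 102 is used three times in the inline WAF configuration under `value: |`: by the global `SecRule REQUEST_BODY` rule and by the `SecAction` in each `_rules_` entry for route_1 and route_2. Whether that is valid depends on whether the plugin loads each `_rules_` entry as its own engine or merges it into the global set, where a duplicate id would be rejected at parse time; the fixture does not say which behaviour it relies on. A comment above `value: |` such as `# _rules_ entries reuse id 102 on purpose: each entry is expected to be loaded as a separate engine, not merged into secRules` (or distinct ids if merging is intended) would pin that down for the next person editing the test. The `connect_timeout: 6000s` on both clusters is also unusually long for a harness; a few seconds would surface DNS or connectivity failures promptly instead of hanging a test run.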