Feature Request: WAF functionality leveraging OWASP CRS, implemented and enabled by default #8
Comments
|
I think WAF type functionality will be a great use of the wasm extensibility planned for River: Rule sets could be compiled into wasm to reject requests. |
|
This should basically alter the proposed design. Adding a new |
jamesmunns
added
the
F-RequestPathCtl
|
Hey @dune73, thanks for opening this issue! There was definitely interest in supporting WAF functionality in River during the initial planning discussions, and I agree it would be great to have. I think @mcpherrinm makes a reasonable point, this might be easier to iterate on once we have the WASM-based scripting environment setup working, though that will come a little later after we have basic operation working. @fzipi I'm not sure if I totally follow. I see this as falling under the Request Path Control stage, providing filtering and state tracking. I expect to come back to this later, but I believe we'd need to:
Thanks all for the feedback! |
|
Thank you @jamesmunns. I do not really have spare time to contribute here in my volunteer time capacity, but if you have any questions about CRS or especially input on how to provide a successful integration, then please get in touch. |
|
Will do, thanks! |
|
Got it now, I see that it is totally under that stage. Awesome. Ping me if you need anything. |
Creating this feature request was recommended by @drcaramelsyrup at
cloudflare/pingora#31 (comment)
OWASP CRS currently runs on the following WAF engines:
Commercial integrations are done via custom implementations of the rule language. This includes the Cloudflare setup.
If a new open source Reverse Proxy is created, then giving it WAF functionality based on the de facto standard rule set from the beginning would be useful.
The text was updated successfully, but these errors were encountered: