Merge pull request #13 from madebymode/v2

v2 | CRSv4.3.0 Support

.github/workflows/build.yml

@@ -10,10 +10,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-      - name: Set up Go 1.17
+      - name: Set up Go 1.22
         uses: actions/setup-go@v5
         with:
-          go-version: ^1.17
+          go-version: ^1.22
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@v4

.github/workflows/go.yml

@@ -19,7 +19,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.19
+          go-version: 1.22
 
       - name: Build
         run: go build -v ./...

.traefik.yml

@@ -6,21 +6,12 @@ import: github.com/madebymode/traefik-modsecurity-plugin
 summary: 'Traefik plugin to proxy requests through owasp/modsecurity-crs'
 
 testData:
-  ModsecurityUrl: http://waf:80
-  MaxBodySize: 10485760
+  ModsecurityUrl: http://waf:8080
   TimeoutMillis: 2000
-  CacheConditionsMethods:
-    - GET
-  CacheConditionsNoBody: true
-  CacheKeyIncludeMethod: true
-  CacheKeyIncludeRequestURI: true
-  CacheKeyIncludeHeaders: false
-  CacheKeyHeaders:
-    - User-Agent
-    - Cache-Control
-  CacheKeyMatchAllHeaders: false
-  CacheKeyIncludeHost: true
-  CacheKeyIncludeRemoteAddress: false
+  JailEnabled: false
+  JailTimeDurationSecs: 600
+  BadRequestsThresholdCount: 25
+  BadRequestsThresholdPeriodSecs: 600
 
 iconPath: ./img/icon.png
 bannerPath: ./img/banner.png

README.md

@@ -4,8 +4,7 @@
 
 this is a fork of the original: https://github.com/acouvreur/traefik-modsecurity-plugin
 
-This fork introduces alpine images, and a custom http.transport, and a caching layer once mod-security has processed a
-request
+This fork introduces alpine images, CRS 4.x suppport, a custom http.transport, and a 429 jail for repeat offenders
 
 see:  https://github.com/traefik/plugindemo#troubleshooting
 
@@ -65,30 +64,10 @@ This plugin supports these configuration:
 * `modSecurityUrl`: (**mandatory**) it's the URL for the owasp/modsecurity container.
 * `timeoutMillis`: (optional) timeout in milliseconds for the http client to talk with modsecurity container. (default 2
   seconds)
-* `maxBodySize`: (optional) it's the maximum limit for requests body size. Requests exceeding this value will be
-  rejected using `HTTP 413 Request Entity Too Large`.
-  The default value for this parameter is 10MB. Zero means "use default value".
-
-* `cacheConditionsMethods`: (optional) An array of HTTP methods for which caching is allowed. (default ["GET"])
-* `cacheConditionsNoBody`: (optional) Specifies if requests with no body (content-length of 0) should be cached. (
-  default true)
-
-* `cacheKeyIncludeHost`: (optional) Specifies if the host should be included in the cache key. (default true)
-* `cacheKeyIncludeRemoteAddress`: (optional) Speifics if the remote request address should be included in the cache
-  key (default true)
-* `cacheKeyIncludeHeaders`: (optional) Specifies if the headers should be included in the cache key. (default true)
-* `cacheKeyHeaders`: (optional) An array of specific headers to be included in the cache key when CacheKeyIncludeHeaders is true. (ie: the default ["User-Agent"]) 
-
-**Note**: some headers are ALWAYS blacklisted, and even if you list
-them here, they will still not be cached:
-```
-Authorization: *, Set-Cookie: *, Cache-Control: no-store, Pragma: no-cache, Expires: -1 (date in the past)
-```
-
-**Note**: body of every (non-cached) request will be buffered in memory while the request is in-flight (i.e.: during the
-security
-check and during the request processing by traefik and the backend), so you may want to tune `maxBodySize` depending on
-how much RAM you have.
+* `jailEnabled`:  (optional) 429 jail for repeat offenders (based on threshold settings)
+* `JailTimeDurationSecs`:  (optional) how long a client will be jailed for, in seconds
+* `badRequestsThresholdCount`: (optional) # of 403s a clientIP can trigger from OWASP before being adding to jail
+* `badRequestsThresholdPeriodSecs` (optional) # the period, in seconds, that the threshold must meet before a client is added to the 429 jail
 
 ## Local development (docker-compose.local.yml)
 

docker-compose.local.yml

@@ -2,11 +2,12 @@ version: "3.7"
 
 services:
   traefik:
-    image: traefik
+    image: "traefik:v2.11.4"
     ports:
       - "80:80"
       - "8080:8080"
     command:
+      - "--log.level=DEBUG"
       - "--accesslog=true"
       - --api.dashboard=true
       - --api.insecure=true
@@ -19,26 +20,30 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.services.traefik.loadbalancer.server.port=8080
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.modSecurityUrl=http://waf:80
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.maxBodySize=10485760
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheEnabled=true
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheConditionsMethods=["GET"]
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheConditionsNoBody=true
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheKeyIncludeMethod=true
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheKeyIncludeHost=true
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheKeyIncludeRequestURI=true
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheKeyIncludeHeaders=true
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheKeyHeaders=["User-Agent]
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheKeyMatchAllHeaders=false
+      # use traefiks built-in maxRequestBodyBytes middleware - there's no need for us to bake this ourselves
+      - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=1048576
+      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.modSecurityUrl=http://waf:8080
+      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.jailEnabled=true
+
 
 
   waf:
-    image: owasp/modsecurity-crs:3.3.5-apache-alpine-202402140602
+    image: owasp/modsecurity-crs:4.3.0-apache-alpine-202406090906
     environment:
       - PARANOIA=1
       - ANOMALY_INBOUND=10
       - ANOMALY_OUTBOUND=5
       - BACKEND=http://dummy
+      # New in CRS 4
+      - REPORTING_LEVEL=2
+
+      #######################################################
+      # ModSecurity ENV Variables
+      #######################################################
+
+      - MODSEC_AUDIT_LOG_FORMAT=JSON
+      - MODSEC_RULE_ENGINE=On
+
 
   dummy:
     image: traefik/whoami

docker-compose.yml

@@ -18,25 +18,27 @@ services:
     labels:
       - traefik.enable=true
       - traefik.http.services.traefik.loadbalancer.server.port=8080
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.modSecurityUrl=http://waf:80
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.maxBodySize=10485760
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheEnabled=true
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheConditionsMethods=["GET"]
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheConditionsNoBody=true
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheKeyIncludeMethod=true
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheKeyIncludeHost=true
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheKeyIncludeRequestURI=true
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheKeyIncludeHeaders=true
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheKeyHeaders=["User-Agent]
-      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.cacheKeyIncludeRemoteAddress=true
+      # use traefiks built-in maxRequestBodyBytes middleware - there's no need for us to bake this ourselves
+      - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=1048576
+      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.modSecurityUrl=http://waf:8080
+      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.jailEnabled=true
 
   waf:
-    image: owasp/modsecurity-crs:3.3.5-apache-alpine-202402140602
+    image: owasp/modsecurity-crs:4.3.0-apache-alpine-202406090906
     environment:
       - PARANOIA=1
       - ANOMALY_INBOUND=10
       - ANOMALY_OUTBOUND=5
       - BACKEND=http://dummy
+      # New in CRS 4
+      - REPORTING_LEVEL=2
+
+      #######################################################
+      # ModSecurity ENV Variables
+      #######################################################
+
+      - MODSEC_AUDIT_LOG_FORMAT=JSON
+      - MODSEC_RULE_ENGINE=On
 
   dummy:
     image: traefik/whoami

go.mod

@@ -1,14 +1,11 @@
 module github.com/madebymode/traefik-modsecurity-plugin
 
-go 1.17
+go 1.22
 
-require (
-	github.com/patrickmn/go-cache v2.1.0+incompatible
-	github.com/stretchr/testify v1.7.0
-)
+require github.com/stretchr/testify v1.9.0
 
 require (
-	github.com/davecgh/go-spew v1.1.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	gopkg.in/yaml.v3 v3.0.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,14 +1,10 @@
-github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=
-github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0 h1:hjy8E9ON/egN1tAYqKb61G10WtihqetD4sz2H+8nIeA=
-gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=