
WAF Traefik Hub API Gateway

Traefik Hub Feature

This middleware is available exclusively in Traefik Hub. Learn more about Traefik Hub's advanced features.

The Coraza WAF middleware in Traefik Hub API Gateway provides web application firewall capabilities.

The native middleware in Hub API Gateway delivers at least 23 times the performance of the WASM-based Coraza plugin available with the open-source Traefik Proxy.

To learn how to write rules, see the Coraza documentation and the OWASP CRS documentation.

Warning

Starting with Traefik Hub v3.11.0, Coraza needs read/write permissions on /tmp. This is related to this upstream PR.


Configuration Examples

Middleware with custom directives only:

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: waf
spec:
  plugin:
    coraza:
      directives:
        - SecRuleEngine On
        - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,log,deny"
```

Middleware with the OWASP Core Rule Set (CRS) enabled:

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: wafcrs
  namespace: apps
spec:
  plugin:
    coraza:
      crsEnabled: true
      directives:
        - SecDefaultAction "phase:1,log,auditlog,deny,status:403"
        - SecDefaultAction "phase:2,log,auditlog,deny,status:403"
        - SecAction "id:900110, phase:1, pass, t:none, nolog, setvar:tx.inbound_anomaly_score_threshold=5, setvar:tx.outbound_anomaly_score_threshold=4"
        - SecAction "id:900200, phase:1, pass, t:none, nolog, setvar:'tx.allowed_methods=GET'"
        - Include @owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf
        - Include @owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf
```
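To see exactly what the first example's rule enforces, here is an added Python model of the small SecLang subset it uses (this is example code, not Traefik's or Coraza's implementation). It parses the page's `SecRuleEngine` and `SecRule` directives, applies the `t:lowercase` transformation and the `@streq` operator to constructed request URIs, and compares the result with a constructed `@beginsWith` variant (rule id 102, not on the page) to show that the exact-match rule does not cover sub-paths or URIs carrying a query string. `REQUEST_URI` is assumed to hold the path plus query string, as in Coraza.

```python
import shlex
# Directives copied from the first Middleware example on this page.
EXACT_DIRECTIVES = [
    "SecRuleEngine On",
    'SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,log,deny"',
]
# Constructed variant (not on the page): a prefix match that also covers sub-paths and query strings.
PREFIX_DIRECTIVES = [
    "SecRuleEngine On",
    'SecRule REQUEST_URI "@beginsWith /admin" "id:102,phase:1,t:lowercase,log,deny"',
]
TRANSFORMS = {"none": lambda s: s, "lowercase": str.lower}
OPERATORS = {"streq": lambda v, a: v == a, "beginsWith": lambda v, a: v.startswith(a)}

def parse_directives(directives):
    """Parse the SecLang subset above; returns (engine_on, rules) with each rule as a dict."""
    engine_on, rules = False, []
    for line in directives:
        parts = shlex.split(line)   # keeps each double-quoted operator/action string as one token
        if parts[0] == "SecRuleEngine":
            engine_on = parts[1].lower() == "on"
        elif parts[0] == "SecRule":
            operator, _, argument = parts[2].lstrip("@").partition(" ")
            rule = {"variable": parts[1], "operator": operator, "argument": argument,
                    "transforms": [], "actions": {}}
            for item in parts[3].split(","):
                name, _, value = item.strip().partition(":")
                if name == "t":
                    rule["transforms"].append(value)
                else:
                    rule["actions"][name] = value   # flags such as deny/log get value ""
            rules.append(rule)
    return engine_on, rules

def evaluate(directives, request_uri):
    """Return 'deny:<rule id>' or 'allow' for one request URI (path plus query string)."""
    engine_on, rules = parse_directives(directives)
    if not engine_on:   # SecRuleEngine Off or missing: nothing is enforced
        return "allow"
    for rule in rules:
        value = request_uri if rule["variable"] == "REQUEST_URI" else ""
        for name in rule["transforms"]:
            value = TRANSFORMS[name](value)
        if OPERATORS[rule["operator"]](value, rule["argument"]) and "deny" in rule["actions"]:
            return f"deny:{rule['actions']['id']}"
    return "allow"

def coverage_report(uris):
    """Map each constructed sample URI to (exact-match verdict, prefix-match verdict)."""
    return {u: (evaluate(EXACT_DIRECTIVES, u), evaluate(PREFIX_DIRECTIVES, u)) for u in uris}
```

Running `coverage_report(["/admin", "/ADMIN", "/admin/", "/admin?x=1", "/administer"])` shows that `@streq` denies only the first two, while the prefix variant also denies `/admin/` and `/admin?x=1` but over-blocks `/administer`, so the operator should be chosen to match the intended path set.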

Configuration Options

| Field | Description | Default | Required |
|---|---|---|---|
| directives | List of WAF rules to enforce. | | Yes |
| crsEnabled | Enable CRS rulesets. Once the ruleset is enabled, it can be used in the middleware. | false | False |
