WAF 
Traefik Hub Feature
This middleware is available exclusively in Traefik Hub. Learn more about Traefik Hub's advanced features.
The Coraza WAF middleware in Traefik Hub API Gateway provides web application firewall capabilities.
The native middleware in Hub API Gateway provides at least 23 times more performance compared to the WASM-based Coraza plugin available with the open-source Traefik Proxy.
To learn how to write rules, please visit Coraza documentation and OWASP CRS documentation.
Warning
Starting with Traefik Hub v3.11.0, Coraza needs to have read/write permissions to /tmp. This is related to this upstream PR.
Configuration Examples¶
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: waf
spec:
plugin:
coraza:
directives:
- SecRuleEngine On
- SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,log,deny"apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: wafcrs
namespace: apps
spec:
plugin:
coraza:
crsEnabled: true
directives:
- SecDefaultAction "phase:1,log,auditlog,deny,status:403"
- SecDefaultAction "phase:2,log,auditlog,deny,status:403"
- SecAction "id:900110, phase:1, pass, t:none, nolog, setvar:tx.inbound_anomaly_score_threshold=5, setvar:tx.outbound_anomaly_score_threshold=4"
- SecAction "id:900200, phase:1, pass, t:none, nolog, setvar:'tx.allowed_methods=GET'"
- Include @owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf
- Include @owasp_crs/REQUEST-949-BLOCKING-EVALUATION.confConfiguration Options¶
| Field | Description | Default | Required |
|---|---|---|---|
directives |
List of WAF rules to enforce. | Yes | |
crsEnabled |
Enable CRS rulesets. Once the ruleset is enabled, it can be used in the middleware. |
false | False |
Using Traefik OSS in Production?
If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.
Adding API Gateway capabilities to Traefik OSS is fast and seamless. There's no rip and replace and all configurations remain intact. See it in action via this short video.