Coraza Web Application Firewall

The Coraza WAF middleware in Traefik Hub API Gateway provides web application firewall capabilities.

The native middleware in Hub API Gateway provides at least 23 times more performance compared to the WASM-based Coraza plugin available with the open-source Traefik Proxy.

To learn how to write rules, please visit Coraza documentation and OWASP CRS documentation.

warning

Starting with Traefik Hub v3.11.0, Coraza needs to have read/write permissions to /tmp. This is related to this upstream PR.

Configuration Examples

Deny the /admin path
Allow only `GET` method

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: waf
spec:
  plugin:
    coraza:
      directives:
        - SecRuleEngine On
        - SecRule REQUEST_URI "@streq /admin" "id:101,phase:1,t:lowercase,log,deny"

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: wafcrs
  namespace: apps
spec:
  plugin:
    coraza:
      crsEnabled: true
      directives:
        - SecDefaultAction "phase:1,log,auditlog,deny,status:403"
        - SecDefaultAction "phase:2,log,auditlog,deny,status:403"
        - SecAction "id:900110, phase:1, pass, t:none, nolog, setvar:tx.inbound_anomaly_score_threshold=5, setvar:tx.outbound_anomaly_score_threshold=4"
        - SecAction "id:900200, phase:1, pass, t:none, nolog, setvar:'tx.allowed_methods=GET'"
        - Include @owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf
        - Include @owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf

Configuration Options

Field	Description	Default	Required
`directives`	List of WAF rules to enforce.		Yes
`crsEnabled`	Enable CRS rulesets. Once the ruleset is enabled, it can be used in the middleware.	false	False

Configuration Examples​

Configuration Options​

Configuration Examples

Configuration Options