feat: add coraza as optional waf

Simon Cornet 2026-04-14 17:30:30 +02:00
commit f629383a43
2 changed files with 51 additions and 6 deletions


@ -12,3 +12,4 @@ traefik_routes:
host: "127.0.0.1" host: "127.0.0.1"
proto: "http" proto: "http"
port: "80" port: "80"
waf: false
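Review bot: The new `waf` key is added to the route defaults without any explanation of what enabling it does, and since the templates elsewhere in this commit also accept routes that omit the key, a reader cannot tell from this file whether it is required. A one-line comment above it would settle that, e.g. `# waf: set to true to attach the Coraza WAF middleware to this route (optional, defaults to false)`. The `traefik_routes` list this entry belongs to starts outside the hunk.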


@ -4,8 +4,8 @@ entryPoints:
http: http:
redirections: redirections:
entryPoint: entryPoint:
to: websecure to: "websecure"
scheme: https scheme: "https"
websecure: websecure:
address: ":443" address: ":443"
http: http:
@ -26,9 +26,17 @@ certificatesResolvers:
storage: "/acme.json" storage: "/acme.json"
caServer: "https://acme-v02.api.letsencrypt.org/directory" caServer: "https://acme-v02.api.letsencrypt.org/directory"
{% if traefik_routes | selectattr('waf', 'equalto', true) | list | length > 0 %}
experimental:
plugins:
coraza:
moduleName: "github.com/jcchavezs/coraza-http-wasm-traefik"
version: "v0.3.0"
{% endif %}
providers: providers:
file: file:
filename: /traefik.yml filename: "/traefik.yml"
watch: true watch: true
http: http:
@ -37,11 +45,47 @@ http:
{{ item.service }}: {{ item.service }}:
rule: "Host(`{{ item.name }}`)" rule: "Host(`{{ item.name }}`)"
entryPoints: entryPoints:
- websecure - "websecure"
service: {{ item.service }}-svc service: "{{ item.service }}-svc"
{% if item.waf | default(false) %}
middlewares:
- "waf"
{% endif %}
tls: tls:
certResolver: transip certResolver: "transip"
{% endfor %} {% endfor %}
{% if traefik_routes | selectattr('waf', 'defined') | selectattr('waf') | list | length > 0 %}
middlewares:
waf:
plugin:
coraza:
directives:
- "SecRuleEngine On"
- "SecRequestBodyAccess Off"
- "SecResponseBodyAccess Off"
- "SecDefaultAction \"phase:1,log,auditlog,deny,status:403\""
- "SecDefaultAction \"phase:2,log,auditlog,deny,status:403\""
- "SecAction \"id:900000,phase:1,pass,nolog,setvar:tx.paranoia_level=1\""
- "SecAction \"id:900110,phase:1,pass,nolog,setvar:tx.inbound_anomaly_score_threshold=5\""
- "SecAction \"id:900200,phase:1,pass,nolog,setvar:tx.allowed_methods=GET POST PUT PATCH DELETE HEAD OPTIONS\""
- "Include @owasp_crs/REQUEST-901-INITIALIZATION.conf"
- "Include @owasp_crs/REQUEST-905-COMMON-EXCEPTIONS.conf"
- "Include @owasp_crs/REQUEST-911-METHOD-ENFORCEMENT.conf"
- "Include @owasp_crs/REQUEST-913-SCANNER-DETECTION.conf"
- "Include @owasp_crs/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"
- "Include @owasp_crs/REQUEST-921-PROTOCOL-ATTACK.conf"
- "Include @owasp_crs/REQUEST-930-APPLICATION-ATTACK-LFI.conf"
- "Include @owasp_crs/REQUEST-931-APPLICATION-ATTACK-RFI.conf"
- "Include @owasp_crs/REQUEST-932-APPLICATION-ATTACK-RCE.conf"
- "Include @owasp_crs/REQUEST-933-APPLICATION-ATTACK-PHP.conf"
- "Include @owasp_crs/REQUEST-941-APPLICATION-ATTACK-XSS.conf"
- "Include @owasp_crs/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
- "Include @owasp_crs/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf"
- "Include @owasp_crs/REQUEST-944-APPLICATION-ATTACK-JAVA.conf"
- "Include @owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf"
{% endif %}
services: services:
{% for item in traefik_routes %} {% for item in traefik_routes %}
{{ item.service }}-svc: {{ item.service }}-svc:
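Review bot: The guard on the `experimental.plugins` block uses `selectattr('waf', 'equalto', true)` with no `defined` filter, while the middleware guard further down uses `selectattr('waf', 'defined') | selectattr('waf')` and the router uses `item.waf | default(false)`; a route that omits `waf` is therefore evaluated by three different tests, and depending on how Ansible treats the missing attribute the first one may fail to render or disagree with the other two, so the plugin block should use the same test as the middleware block, e.g. `{% if traefik_routes | selectattr('waf', 'defined') | selectattr('waf') | list | length > 0 %}`. The `{% for %}` closed by the `{% endfor %}` in the router hunk starts outside the hunk. Separately, `SecRequestBodyAccess Off` means the included CRS request rules (LFI, RCE, SQLI, XSS and the rest) only see the URI, query string and headers, not POST or JSON bodies; if that reduced coverage is intended it deserves a comment next to the directive, e.g. `# request bodies are not inspected; CRS only evaluates URI, args and headers`, otherwise it should be switched on.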