feat: remove coraza waf

2026-04-14 17:46:15 +02:00 · 2026-04-14 17:46:15 +02:00 · f9250743b5
commit f9250743b5
parent fe05ea5364
1 changed files with 6 additions and 61 deletions
--- a/templates/traefik/config.yml.j2
+++ b/templates/traefik/config.yml.j2
@ -4,8 +4,8 @@ entryPoints:
    http:
      redirections:
        entryPoint:
-          to: "websecure"
-          scheme: "https"
+          to: websecure
+          scheme: https
  websecure:
    address: ":443"
    http:
@ -26,17 +26,9 @@ certificatesResolvers:
      storage: "/acme.json"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"

-{% if traefik_routes | selectattr('waf', 'equalto', true) | list | length > 0 %}
-experimental:
-  plugins:
-    coraza:
-      moduleName: "github.com/jcchavezs/coraza-http-wasm-traefik"
-      version: "v0.3.0"
-{% endif %}
-
 providers:
  file:
-    filename: "/traefik.yml"
+    filename: /traefik.yml
    watch: true

 http:
@ -45,58 +37,11 @@ http:
    {{ item.service }}:
      rule: "Host(`{{ item.name }}`)"
      entryPoints:
-        - "websecure"
-      service: "{{ item.service }}-svc"
-{% if item.waf | default(false) %}
-      middlewares:
-        - "waf"
-{% endif %}
+        - websecure
+      service: {{ item.service }}-svc
      tls:
-        certResolver: "transip"
+        certResolver: transip
 {% endfor %}
-
-{% if traefik_routes | selectattr('waf', 'defined') | selectattr('waf') | list | length > 0 %}
-  middlewares:
-    waf:
-      plugin:
-        coraza:
-          directives:
-
-            # enable coraza
-            - "SecRuleEngine On"
-            - "SecRequestBodyAccess Off"
-            - "SecResponseBodyAccess Off"
-            - "SecDefaultAction \"phase:1,log,auditlog,deny,status:403\""
-            - "SecDefaultAction \"phase:2,log,auditlog,deny,status:403\""
-
-            # method enforcement
-            - "SecRule REQUEST_METHOD \"!@within GET POST PUT PATCH DELETE HEAD OPTIONS\" \"id:1001,phase:1,block,msg:'Method not allowed'\""
-
-            # scanner detection
-            - "SecRule REQUEST_HEADERS:User-Agent \"@pmFromFile /dev/null\" \"id:1002,phase:1,pass,nolog\""
-            - "SecRule REQUEST_HEADERS:User-Agent \"@rx (?i)(nikto|nmap|sqlmap|nessus|burpsuite|masscan|zgrab|nuclei|dirbuster|gobuster|wfuzz|hydra|metasploit)\" \"id:1003,phase:1,block,msg:'Scanner detected'\""
-
-            # path traversal / LFI
-            - "SecRule REQUEST_URI \"@rx (?i)(\\.\\./|\\.\\.\\\\|%2e%2e%2f|%2e%2e/)\" \"id:1010,phase:1,block,msg:'Path traversal'\""
-
-            # RFI
-            - "SecRule ARGS \"@rx (?i)(https?|ftp|php|data)://\" \"id:1020,phase:2,block,msg:'Remote file inclusion'\""
-
-            # RCE
-            - "SecRule ARGS \"@rx (?i)(;|\\||`|\\$\\(|&&|\\|\\|)\\s*(ls|cat|wget|curl|bash|sh|python|perl|ruby|nc|ncat)\" \"id:1030,phase:2,block,msg:'Command injection'\""
-            # XSS
-            - "SecRule ARGS|REQUEST_URI \"@rx (?i)(<script[^>]*>|</script>|javascript:|on\\w+\\s*=|<iframe|<object|<embed)\" \"id:1040,phase:2,block,msg:'XSS attack'\""
-            # SQLi
-            - "SecRule ARGS \"@detectSQLi\" \"id:1050,phase:2,block,msg:'SQL injection'\""
-
-            # session fixation
-            - "SecRule ARGS \"@rx (?i)(document\\.cookie|set-cookie|jsessionid=|phpsessid=)\" \"id:1060,phase:2,block,msg:'Session fixation'\""
-
-            # protocol enforcement
-            - "SecRule REQUEST_PROTOCOL \"!@rx ^HTTP/[12]\" \"id:1070,phase:1,block,msg:'Invalid HTTP protocol'\""
-            - "SecRule REQUEST_HEADERS:Content-Length \"@rx [^0-9]\" \"id:1071,phase:1,block,msg:'Non-numeric Content-Length'\""
-
-{% endif %}
  services:
 {% for item in traefik_routes %}
    {{ item.service }}-svc: