From f9250743b52ae6202d73ee55a3a16a0281f615c2 Mon Sep 17 00:00:00 2001
From: Simon Cornet
Date: Tue, 14 Apr 2026 17:46:15 +0200
Subject: [PATCH] feat: remove coraza waf

---
 templates/traefik/config.yml.j2 | 67 +++------------------------------
 1 file changed, 6 insertions(+), 61 deletions(-)

diff --git a/templates/traefik/config.yml.j2 b/templates/traefik/config.yml.j2
index e641aac..80a12e1 100644
--- a/templates/traefik/config.yml.j2
+++ b/templates/traefik/config.yml.j2
@@ -4,8 +4,8 @@ entryPoints:
 http:
 redirections:
 entryPoint:
- to: "websecure"
- scheme: "https"
+ to: websecure
+ scheme: https
 websecure:
 address: ":443"
 http:
@@ -26,17 +26,9 @@ certificatesResolvers:
 storage: "/acme.json"
 caServer: "https://acme-v02.api.letsencrypt.org/directory"
-{% if traefik_routes | selectattr('waf', 'equalto', true) | list | length > 0 %}
-experimental:
- plugins:
- coraza:
- moduleName: "github.com/jcchavezs/coraza-http-wasm-traefik"
- version: "v0.3.0"
-{% endif %}
-
 providers:
 file:
- filename: "/traefik.yml"
+ filename: /traefik.yml
 watch: true
 http:
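Review bot: Dropping the quotes on `to: websecure` and `scheme: https` leaves the file with two quoting rules side by side — `address: ":443"` two lines below and `storage: "/acme.json"` / `caServer: "https://…"` in the next hunk keep theirs — and the third hunk extends the same unquoting to a templated value, `service: {{ item.service }}-svc`, which is only safe as a plain scalar while every rendered `item.service` is free of `: `, ` #` and leading YAML indicators. The two literals here are harmless either way, so this is a point of style rather than a defect. Pick one rule for the template: keep the quotes (the previous state), or unquote constant values only and keep `service: "{{ item.service }}-svc"` quoted, recording the rule in a one-line comment at the top of the template such as `# fixed values may be plain scalars; templated values stay quoted`.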
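Review bot: With the `experimental.plugins.coraza` block removed here and the `item.waf` middleware branch removed in the third hunk, a route entry in `traefik_routes` that still carries `waf: true` now renders without error and without any filtering, so an operator who has not read this commit keeps believing that route is protected, and neither the template nor the commit message says the key is inert. The inventory is not part of the patch, so whether such entries exist cannot be confirmed from here. I would leave a marker where the plugin block stood, `# coraza WAF removed; the waf key on traefik_routes entries is no longer honoured`, and add an `assert` task to the play that renders this template that fails when any route still defines `waf`, so the stale flag is caught at deploy time instead of silently dropped. The commit description could also name the control that replaces the WAF, if any.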
@@ -45,58 +37,11 @@ http: {{ item.service }}: rule: "Host(`{{ item.name }}`)" entryPoints: - - "websecure" - service: "{{ item.service }}-svc" -{% if item.waf | default(false) %} - middlewares: - - "waf" -{% endif %} + - websecure + service: {{ item.service }}-svc tls: - certResolver: "transip" + certResolver: transip {% endfor %} - -{% if traefik_routes | selectattr('waf', 'defined') | selectattr('waf') | list | length > 0 %} - middlewares: - waf: - plugin: - coraza: - directives: - - # enable coraza - - "SecRuleEngine On" - - "SecRequestBodyAccess Off" - - "SecResponseBodyAccess Off" - - "SecDefaultAction \"phase:1,log,auditlog,deny,status:403\"" - - "SecDefaultAction \"phase:2,log,auditlog,deny,status:403\"" - - # method enforcement - - "SecRule REQUEST_METHOD \"!@within GET POST PUT PATCH DELETE HEAD OPTIONS\" \"id:1001,phase:1,block,msg:'Method not allowed'\"" - - # scanner detection - - "SecRule REQUEST_HEADERS:User-Agent \"@pmFromFile /dev/null\" \"id:1002,phase:1,pass,nolog\"" - - "SecRule REQUEST_HEADERS:User-Agent \"@rx (?i)(nikto|nmap|sqlmap|nessus|burpsuite|masscan|zgrab|nuclei|dirbuster|gobuster|wfuzz|hydra|metasploit)\" \"id:1003,phase:1,block,msg:'Scanner detected'\"" - - # path traversal / LFI - - "SecRule REQUEST_URI \"@rx (?i)(\\.\\./|\\.\\.\\\\|%2e%2e%2f|%2e%2e/)\" \"id:1010,phase:1,block,msg:'Path traversal'\"" - - # RFI - - "SecRule ARGS \"@rx (?i)(https?|ftp|php|data)://\" \"id:1020,phase:2,block,msg:'Remote file inclusion'\"" - - # RCE - - "SecRule ARGS \"@rx (?i)(;|\\||`|\\$\\(|&&|\\|\\|)\\s*(ls|cat|wget|curl|bash|sh|python|perl|ruby|nc|ncat)\" \"id:1030,phase:2,block,msg:'Command injection'\"" - # XSS - - "SecRule ARGS|REQUEST_URI \"@rx (?i)(]*>||javascript:|on\\w+\\s*=|