docs: Fix script names, improve CONTRIBUTING, add WAF READMEs, fix workflow

Co-authored-by: fabriziosalmi <1569108+fabriziosalmi@users.noreply.github.com>

waf_patterns/apache/README.md

@@ -1 +1,117 @@
+# Apache ModSecurity WAF Configuration
 
+This directory contains Apache ModSecurity WAF configuration files generated from OWASP CRS rules.
+You can include these files in your existing Apache configuration to enhance security.
+
+## Prerequisites
+
+- Apache HTTP Server (2.4 or higher)
+- ModSecurity module installed and enabled
+- Core Rule Set (CRS) base configuration
+
+## Installation
+
+### Ubuntu/Debian
+```bash
+sudo apt-get update
+sudo apt-get install libapache2-mod-security2
+sudo a2enmod security2
+sudo systemctl restart apache2
+```
+
+### CentOS/RHEL
+```bash
+sudo yum install mod_security
+sudo systemctl restart httpd
+```
+
+## Usage
+
+1. Copy the generated configuration files to your Apache configuration directory:
+   ```bash
+   sudo cp waf_patterns/apache/*.conf /etc/apache2/modsecurity.d/
+   # or for CentOS/RHEL:
+   # sudo cp waf_patterns/apache/*.conf /etc/httpd/modsecurity.d/
+   ```
+
+2. Include the configuration files in your Apache configuration.
+   
+   Edit `/etc/apache2/mods-enabled/security2.conf` (Ubuntu/Debian) or `/etc/httpd/conf.d/mod_security.conf` (CentOS/RHEL):
+   ```apache
+   <IfModule security2_module>
+       Include /etc/apache2/modsecurity.d/*.conf
+   </IfModule>
+   ```
+
+3. Test the configuration:
+   ```bash
+   # Ubuntu/Debian
+   sudo apache2ctl configtest
+   
+   # CentOS/RHEL
+   sudo httpd -t
+   ```
+
+4. Reload Apache to apply the changes:
+   ```bash
+   # Ubuntu/Debian
+   sudo systemctl reload apache2
+   
+   # CentOS/RHEL
+   sudo systemctl reload httpd
+   ```
+
+## Configuration Details
+
+The generated rules include:
+- **SQL Injection (SQLi)** detection patterns
+- **Cross-Site Scripting (XSS)** prevention rules
+- **Remote Code Execution (RCE)** blocking
+- **Local File Inclusion (LFI)** protection
+- **Bad Bot/User-Agent** blocking
+
+## Customization
+
+You can adjust the severity and actions for each rule by modifying the configuration files.
+Common actions include:
+- `deny` - Block the request
+- `log` - Log the event
+- `status:403` - Return HTTP 403 Forbidden
+
+## Troubleshooting
+
+### Check ModSecurity is loaded
+```bash
+# Ubuntu/Debian
+apache2ctl -M | grep security
+
+# CentOS/RHEL
+httpd -M | grep security
+```
+
+### View ModSecurity logs
+```bash
+# Ubuntu/Debian
+sudo tail -f /var/log/apache2/modsec_audit.log
+
+# CentOS/RHEL
+sudo tail -f /var/log/httpd/modsec_audit.log
+```
+
+### Test with a sample attack
+```bash
+curl "http://yourserver.com/?id=1' OR '1'='1"
+# Should return 403 Forbidden if WAF is working
+```
+
+## Notes
+
+- Rules are updated daily via GitHub Actions
+- Blocked requests return a `403 Forbidden` response by default
+- Review the ModSecurity documentation for advanced configuration options
+
+## Resources
+
+- [ModSecurity Documentation](https://github.com/SpiderLabs/ModSecurity)
+- [OWASP CRS](https://coreruleset.org/)
+- [Apache ModSecurity Module](https://modsecurity.org/)

waf_patterns/haproxy/README.md

@@ -1 +1,183 @@
+# HAProxy WAF Configuration
 
+This directory contains HAProxy WAF configuration files generated from OWASP CRS rules.
+You can include these ACL (Access Control List) files in your HAProxy configuration to enhance security.
+
+## Prerequisites
+
+- HAProxy 2.0 or higher
+- Basic understanding of HAProxy ACLs and rules
+
+## Configuration Files
+
+The generated files include:
+- ACL files with pattern matching rules
+- Request filtering configurations
+- Bad bot/User-Agent blocking lists
+
+## Usage
+
+1. Copy the generated ACL files to your HAProxy configuration directory:
+   ```bash
+   sudo cp waf_patterns/haproxy/*.acl /etc/haproxy/
+   ```
+
+2. Include the ACL files in your HAProxy configuration.
+   
+   Edit `/etc/haproxy/haproxy.cfg`:
+   ```haproxy
+   frontend http-in
+       bind *:80
+       
+       # Load WAF ACL files
+       acl is_sql_injection path_reg -i -f /etc/haproxy/sqli_patterns.acl
+       acl is_xss_attack path_reg -i -f /etc/haproxy/xss_patterns.acl
+       acl is_bad_bot hdr_reg(User-Agent) -i -f /etc/haproxy/bad_bots.acl
+       
+       # Block malicious requests
+       http-request deny if is_sql_injection
+       http-request deny if is_xss_attack
+       http-request deny if is_bad_bot
+       
+       # Default backend
+       default_backend web_servers
+   
+   backend web_servers
+       balance roundrobin
+       server web1 10.0.0.1:80 check
+       server web2 10.0.0.2:80 check
+   ```
+
+3. Test the configuration:
+   ```bash
+   sudo haproxy -c -f /etc/haproxy/haproxy.cfg
+   ```
+
+4. Reload HAProxy to apply the changes:
+   ```bash
+   sudo systemctl reload haproxy
+   # or
+   sudo service haproxy reload
+   ```
+
+## Advanced Configuration
+
+### Logging Blocked Requests
+
+Add logging for better visibility:
+
+```haproxy
+frontend http-in
+    bind *:80
+    
+    # ... ACL definitions ...
+    
+    # Log blocked requests
+    http-request capture req.hdr(User-Agent) len 200
+    http-request deny deny_status 403 if is_sql_injection
+    log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+```
+
+### Custom Error Pages
+
+Return custom error pages for blocked requests:
+
+```haproxy
+frontend http-in
+    bind *:80
+    
+    # ... ACL definitions ...
+    
+    # Return custom error page
+    http-request deny deny_status 403 if is_sql_injection
+    errorfile 403 /etc/haproxy/errors/403.http
+```
+
+### Rate Limiting
+
+Combine with rate limiting for additional protection:
+
+```haproxy
+frontend http-in
+    bind *:80
+    
+    # Track request rate
+    stick-table type ip size 100k expire 30s store http_req_rate(10s)
+    http-request track-sc0 src
+    
+    # Deny if rate limit exceeded
+    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
+    
+    # ... WAF ACLs ...
+```
+
+## Testing
+
+### Test SQL Injection Protection
+```bash
+curl "http://yourserver.com/?id=1' OR '1'='1"
+# Should return 403 Forbidden
+```
+
+### Test XSS Protection
+```bash
+curl "http://yourserver.com/?q=<script>alert('xss')</script>"
+# Should return 403 Forbidden
+```
+
+### Test Bad Bot Blocking
+```bash
+curl -H "User-Agent: AhrefsBot" http://yourserver.com
+# Should return 403 Forbidden
+```
+
+## Monitoring
+
+### Check HAProxy Stats
+```bash
+# Enable stats in haproxy.cfg
+listen stats
+    bind *:8404
+    stats enable
+    stats uri /stats
+    stats refresh 10s
+```
+
+Visit `http://yourserver:8404/stats` to view statistics.
+
+### View Logs
+```bash
+sudo tail -f /var/log/haproxy.log
+```
+
+## Performance Considerations
+
+- ACL pattern matching is highly efficient in HAProxy
+- Use regular expressions sparingly for better performance
+- Consider using stick tables for rate limiting
+- Monitor CPU and memory usage under load
+- Test thoroughly before deploying to production
+
+## Configuration Details
+
+The ACL files protect against:
+- **SQL Injection (SQLi)** - Common SQL injection patterns
+- **Cross-Site Scripting (XSS)** - JavaScript injection attempts
+- **Remote Code Execution (RCE)** - Command injection patterns
+- **Local File Inclusion (LFI)** - Path traversal attempts
+- **Bad Bots** - Known malicious crawlers and scrapers
+
+## Notes
+
+- Rules are updated daily via GitHub Actions
+- Blocked requests return `403 Forbidden` by default
+- ACLs are case-insensitive (`-i` flag)
+- Regular expressions are used for pattern matching (`-f` for file-based ACLs)
+- Compatible with HAProxy 2.0 and higher
+
+## Resources
+
+- [HAProxy Documentation](https://www.haproxy.org/#docs)
+- [HAProxy ACL Guide](https://www.haproxy.com/documentation/hapee/latest/onepage/#7)
+- [OWASP CRS](https://coreruleset.org/)
+- [HAProxy Configuration Manual](http://cbonte.github.io/haproxy-dconv/)

waf_patterns/traefik/README.md

@@ -1 +1,136 @@
+# Traefik WAF Configuration
 
+This directory contains Traefik WAF configuration files generated from OWASP CRS rules.
+You can use these middleware configurations to enhance security in your Traefik setup.
+
+## Prerequisites
+
+- Traefik v2.x or higher
+- Basic understanding of Traefik middleware
+
+## Configuration Files
+
+The generated configuration includes:
+- Middleware definitions for request filtering
+- Regular expression patterns for attack detection
+- Bad bot/User-Agent blocking rules
+
+## Usage
+
+### Option 1: File Provider (Recommended)
+
+1. Copy the generated configuration files to your Traefik configuration directory:
+   ```bash
+   cp waf_patterns/traefik/*.toml /etc/traefik/dynamic/
+   # or to your custom config directory
+   ```
+
+2. Configure Traefik to load dynamic configuration from files.
+   
+   In your `traefik.yml` or `traefik.toml`:
+   ```yaml
+   providers:
+     file:
+       directory: "/etc/traefik/dynamic"
+       watch: true
+   ```
+
+3. Apply the middleware to your routes by referencing it in your service configuration:
+   ```yaml
+   http:
+     routers:
+       my-router:
+         rule: "Host(`example.com`)"
+         service: my-service
+         middlewares:
+           - waf-middleware
+   ```
+
+### Option 2: Docker Labels
+
+If you're using Docker, you can apply the middleware via labels:
+
+```yaml
+services:
+  my-service:
+    image: my-app:latest
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.my-router.rule=Host(`example.com`)"
+      - "traefik.http.routers.my-router.middlewares=waf-middleware@file"
+```
+
+### Option 3: Kubernetes IngressRoute
+
+For Kubernetes deployments:
+
+```yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: waf-middleware
+spec:
+  plugin:
+    # Reference your WAF plugin configuration here
+```
+
+## Configuration Details
+
+The middleware includes protection against:
+- **SQL Injection (SQLi)** attacks
+- **Cross-Site Scripting (XSS)** attempts
+- **Remote Code Execution (RCE)** patterns
+- **Local File Inclusion (LFI)** attempts
+- **Malicious bots and crawlers**
+
+## Testing
+
+Test the WAF is working by sending a malicious request:
+
+```bash
+curl -H "User-Agent: AhrefsBot" http://yourserver.com
+# Should be blocked if bot protection is working
+
+curl "http://yourserver.com/?id=1' OR '1'='1"
+# Should be blocked if SQLi protection is working
+```
+
+## Monitoring
+
+Monitor blocked requests in Traefik logs:
+
+```bash
+# Docker
+docker logs traefik 2>&1 | grep -i "blocked\|forbidden"
+
+# Standard installation
+tail -f /var/log/traefik/access.log | grep -i "403"
+```
+
+## Customization
+
+You can customize the middleware behavior by:
+1. Editing the generated `.toml` files
+2. Adjusting regex patterns for your specific needs
+3. Modifying response codes and error pages
+4. Adding custom headers for blocked requests
+
+## Performance Considerations
+
+- Regular expression matching can impact performance under high load
+- Consider using caching middleware in combination with WAF
+- Monitor CPU usage and adjust rules if needed
+- Use Traefik's built-in rate limiting for additional protection
+
+## Notes
+
+- Rules are updated daily via GitHub Actions
+- Blocked requests typically return `403 Forbidden` or `400 Bad Request`
+- Middleware is applied at the router level
+- Compatible with other Traefik middlewares (chain them as needed)
+
+## Resources
+
+- [Traefik Documentation](https://doc.traefik.io/traefik/)
+- [Traefik Middleware](https://doc.traefik.io/traefik/middlewares/overview/)
+- [OWASP CRS](https://coreruleset.org/)