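---
# CI workflow: syntax-checks the WAF rule files under waf_patterns/ with the real
# proxy binaries (nginx, httpd, haproxy, traefik), then starts each proxy in a
# container with those rules mounted and probes it over HTTP.
name: Validate WAF Patterns and Configurations with Docker

on:
  push:
    branches:
      - main  # Trigger on push to main branch
  pull_request:
    branches:
      - main  # Trigger on pull request to main branch

# Least privilege: the job only reads the checkout and talks to local
# containers; it never writes to the repository, issues or packages.
permissions:
  contents: read

jobs:
  validate-waf-patterns:
    runs-on: ubuntu-latest
    # A hung container or a curl against a dead port must not hold the runner
    # for the default six-hour job limit.
    timeout-minutes: 30
    defaults:
      run:
        # Explicit bash gives `-o pipefail`, so a failing producer in a pipeline
        # (e.g. the curl that feeds gpg below) fails the step instead of being
        # masked by the consumer's exit code.
        shell: bash
    env:
      # Host ports each proxy is published on. Quoted so they stay strings when
      # interpolated into `-p` flags and URLs.
      NGINX_PORT: "8080"
      APACHE_PORT: "8081"
      HAPROXY_PORT: "8082"
      TRAEFIK_PORT: "8083"

    steps:
      # NOTE(review): actions are pinned by tag; a moving tag is a supply-chain
      # risk for CI, so consider pinning each `uses:` to a full commit SHA.
      - name: Checkout repository
        uses: actions/checkout@v3

      # NOTE(review): /var/lib/docker is root-owned and the key never changes, so
      # this cache is unlikely to restore anything useful — confirm it saves time
      # before keeping it.
      - name: Cache Docker setup
        id: cache-docker
        uses: actions/cache@v3
        with:
          path: /var/lib/docker
          key: docker-setup-${{ runner.os }}

      - name: Set up Docker
        run: |
          sudo apt-get update
          # Remove conflicting containerd package
          sudo apt-get remove -y containerd
          # Install Docker dependencies
          sudo apt-get install -y ca-certificates curl
          # Add Docker's official GPG key; the apt source below is restricted to
          # packages signed by this key (`signed-by=`), so a tampered mirror is
          # rejected at install time.
          sudo install -m 0755 -d /etc/apt/keyrings
          curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
          sudo chmod a+r /etc/apt/keyrings/docker.gpg
          # Add Docker's repository
          echo \
            "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
            $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
            sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
          # Install Docker
          sudo apt-get update
          sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
          sudo docker --version

      # NOTE(review): `:latest` is unpinned, so a validation run is not
      # reproducible across days; pin a version tag or digest if that matters.
      - name: Pull Docker images
        run: |
          echo "Pulling Docker images..."
          sudo docker pull nginx:latest
          sudo docker pull httpd:latest
          sudo docker pull haproxy:latest
          sudo docker pull traefik:latest

      - name: Validate Nginx configuration
        run: |
          echo "Validating Nginx configuration..."
          # Fail loudly when the glob matches nothing: a validation job that
          # passes with zero rule files is a silent false positive.
          shopt -s nullglob
          files=(waf_patterns/nginx/*.conf)
          if [ "${#files[@]}" -eq 0 ]; then
            echo "Error: no Nginx rule files found under waf_patterns/nginx"
            exit 1
          fi
          # `nginx -t` checks the whole mounted conf.d directory, so each
          # iteration re-checks every file; the per-file echo keeps the log
          # readable and the first failure stops the loop.
          for file in "${files[@]}"; do
            echo "Validating $file..."
            if ! sudo docker run --rm \
                 -v "$(pwd)/waf_patterns/nginx:/etc/nginx/conf.d:ro" \
                 nginx:latest nginx -t; then
              echo "Error: Validation failed for $file"
              exit 1
            fi
          done

      - name: Start Nginx container with WAF rules
        run: |
          echo "Starting Nginx container..."
          sudo docker run -d \
            --name nginx-waf \
            -p "$NGINX_PORT:80" \
            -v "$(pwd)/waf_patterns/nginx:/etc/nginx/conf.d" \
            nginx:latest
          echo "Nginx is running on port $NGINX_PORT."

      - name: Check Nginx container logs
        run: |
          echo "Checking Nginx container logs..."
          sudo docker logs nginx-waf

      - name: Validate Apache configuration
        run: |
          echo "Validating Apache configuration..."
          shopt -s nullglob
          files=(waf_patterns/apache/*.conf)
          if [ "${#files[@]}" -eq 0 ]; then
            echo "Error: no Apache rule files found under waf_patterns/apache"
            exit 1
          fi
          # NOTE(review): `httpd -t` only parses files that httpd.conf actually
          # Includes; confirm the stock image's httpd.conf pulls in conf/extra,
          # otherwise this check passes without reading the rules.
          for file in "${files[@]}"; do
            echo "Validating $file..."
            if ! sudo docker run --rm \
                 -v "$(pwd)/waf_patterns/apache:/usr/local/apache2/conf/extra:ro" \
                 httpd:latest httpd -t; then
              echo "Error: Validation failed for $file"
              exit 1
            fi
          done

      - name: Start Apache container with WAF rules
        run: |
          echo "Starting Apache container..."
          sudo docker run -d \
            --name apache-waf \
            -p "$APACHE_PORT:80" \
            -v "$(pwd)/waf_patterns/apache:/usr/local/apache2/conf/extra" \
            httpd:latest
          echo "Apache is running on port $APACHE_PORT."

      - name: Check Apache container logs
        run: |
          echo "Checking Apache container logs..."
          sudo docker logs apache-waf

      - name: Validate HAProxy configuration
        run: |
          echo "Validating HAProxy configuration..."
          shopt -s nullglob
          files=(waf_patterns/haproxy/*.acl)
          if [ "${#files[@]}" -eq 0 ]; then
            echo "Error: no HAProxy rule files found under waf_patterns/haproxy"
            exit 1
          fi
          cfg="$(pwd)/temp_haproxy.cfg"
          for file in "${files[@]}"; do
            echo "Validating $file..."
            # Wrap the ACL fragment in a minimal, self-contained haproxy.cfg so
            # `haproxy -c` can check it in context. The backend address is a
            # placeholder: -c only parses, it never connects.
            {
              echo "global"
              echo "  log stdout format raw local0"
              echo "defaults"
              echo "  log global"
              echo "  timeout connect 10s"
              echo "  timeout client 30s"
              echo "  timeout server 30s"
              echo "frontend test"
              echo "  bind *:$HAPROXY_PORT"
              echo "  default_backend test_backend"
              # cat (not echo "$(cat ...)") keeps every line of a multi-line
              # fragment intact, including trailing newlines.
              cat "$file"
              echo "backend test_backend"
              echo "  server s1 127.0.0.1:$NGINX_PORT"
            } > "$cfg"
            # Validate the file using haproxy -c
            if ! sudo docker run --rm \
                 -v "$cfg:/usr/local/etc/haproxy/haproxy.cfg:ro" \
                 haproxy:latest haproxy -c -f /usr/local/etc/haproxy/haproxy.cfg; then
              echo "Error: Validation failed for $file"
              exit 1
            fi
          done
          rm -f "$cfg"

      - name: Start HAProxy container with WAF rules
        run: |
          echo "Starting HAProxy container..."
          sudo docker run -d \
            --name haproxy-waf \
            -p "$HAPROXY_PORT:80" \
            -v "$(pwd)/waf_patterns/haproxy:/usr/local/etc/haproxy" \
            haproxy:latest
          echo "HAProxy is running on port $HAPROXY_PORT."

      - name: Check HAProxy container logs
        run: |
          echo "Checking HAProxy container logs..."
          sudo docker logs haproxy-waf

      - name: Validate Traefik configuration
        run: |
          echo "Validating Traefik configuration..."
          shopt -s nullglob
          files=(waf_patterns/traefik/*.toml)
          if [ "${#files[@]}" -eq 0 ]; then
            echo "Error: no Traefik rule files found under waf_patterns/traefik"
            exit 1
          fi
          # NOTE(review): confirm the pulled traefik image provides a `validate`
          # subcommand; if it does not, this loop fails for every file regardless
          # of content.
          for file in "${files[@]}"; do
            echo "Validating $file..."
            if ! sudo docker run --rm \
                 -v "$(pwd)/waf_patterns/traefik:/etc/traefik:ro" \
                 traefik:latest traefik validate --configFile="/etc/traefik/$(basename "$file")"; then
              echo "Error: Validation failed for $file"
              exit 1
            fi
          done

      - name: Start Traefik container with WAF rules
        run: |
          echo "Starting Traefik container..."
          sudo docker run -d \
            --name traefik-waf \
            -p "$TRAEFIK_PORT:80" \
            -v "$(pwd)/waf_patterns/traefik:/etc/traefik" \
            traefik:latest
          echo "Traefik is running on port $TRAEFIK_PORT."

      - name: Check Traefik container logs
        run: |
          echo "Checking Traefik container logs..."
          sudo docker logs traefik-waf

      - name: Validate services are running
        run: |
          echo "Validating services are running..."
          # wait_for SERVICE PORT CONTAINER: retry the probe for a short while so
          # a proxy that is still starting does not fail the job; any HTTP
          # response (including 4xx/5xx) counts as "running", matching the
          # original curl -s check. Dumps the container log on failure.
          wait_for() {
            local service="$1" port="$2" container="$3"
            local attempt
            for attempt in 1 2 3 4 5 6 7 8 9 10; do
              if curl -s --max-time 5 "http://localhost:$port" > /dev/null; then
                echo "$service is running successfully."
                return 0
              fi
              sleep 2
            done
            echo "Error: $service is not running!"
            sudo docker logs "$container"
            return 1
          }
          wait_for Nginx "$NGINX_PORT" nginx-waf
          wait_for Apache "$APACHE_PORT" apache-waf
          wait_for HAProxy "$HAPROXY_PORT" haproxy-waf
          wait_for Traefik "$TRAEFIK_PORT" traefik-waf

      - name: Test WAF rules
        run: |
          echo "Testing WAF rules..."
          # probe SERVICE PORT PATH: request a path the rules are expected to act
          # on and log the HTTP status, so the job output shows whether a rule
          # matched. Connection failures still fail the step via `set -e`.
          # TODO(review): assert the expected status per service once the
          # intended block response (e.g. 403) is agreed; today this step cannot
          # fail on a rule that silently does nothing.
          probe() {
            local service="$1" port="$2" path="$3" code
            code=$(curl -s -o /dev/null --max-time 10 -w '%{http_code}' "http://localhost:$port$path")
            echo "$service $path -> HTTP $code"
          }
          # Test Nginx WAF rules
          echo "Testing Nginx rules..."
          probe Nginx "$NGINX_PORT" /attack
          probe Nginx "$NGINX_PORT" /bots
          # Test Apache WAF rules
          echo "Testing Apache rules..."
          probe Apache "$APACHE_PORT" /attack
          probe Apache "$APACHE_PORT" /bots
          # Test HAProxy WAF rules
          echo "Testing HAProxy rules..."
          probe HAProxy "$HAPROXY_PORT" /attack
          probe HAProxy "$HAPROXY_PORT" /bots
          # Test Traefik WAF rules
          echo "Testing Traefik rules..."
          probe Traefik "$TRAEFIK_PORT" /attack
          probe Traefik "$TRAEFIK_PORT" /bots

      - name: Clean up containers
        # Runs even when an earlier step failed so the runner is left clean.
        if: always()
        run: |
          echo "Stopping and removing containers..."
          sudo docker stop nginx-waf apache-waf haproxy-waf traefik-waf || true
          sudo docker rm nginx-waf apache-waf haproxy-waf traefik-waf || true
          rm -f temp_haproxy.cfg
          echo "Containers stopped and removed."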