External/patterns
1
0
Fork 0
mirror of https://github.com/fabriziosalmi/patterns.git synced 2025-12-17 17:55:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
patterns/waf_patterns/traefik
History
copilot-swe-agent[bot] 1fe6802ffe docs: Fix script names, improve CONTRIBUTING, add WAF READMEs, fix workflow 
Co-authored-by: fabriziosalmi <1569108+fabriziosalmi@users.noreply.github.com>
2025-11-15 19:33:13 +00:00
..
bots.toml
Update: [Thu Feb 27 01:41:26 UTC 2025]
2025-02-27 01:41:26 +00:00
middleware.toml
Update: [Fri Feb 28 10:03:59 UTC 2025]
2025-02-28 10:03:59 +00:00
README.md
docs: Fix script names, improve CONTRIBUTING, add WAF READMEs, fix workflow
2025-11-15 19:33:13 +00:00

README.md

Traefik WAF Configuration

This directory contains Traefik WAF configuration files generated from OWASP CRS rules. You can use these middleware configurations to enhance security in your Traefik setup.

Prerequisites

  • Traefik v2.x or higher
  • Basic understanding of Traefik middleware

Configuration Files

The generated configuration includes:

  • Middleware definitions for request filtering
  • Regular expression patterns for attack detection
  • Bad bot/User-Agent blocking rules

Usage

Option 1: File Provider (Recommended)

  1. Copy the generated configuration files to your Traefik configuration directory:

    cp waf_patterns/traefik/*.toml /etc/traefik/dynamic/
# or to your custom config directory

  2. Configure Traefik to load dynamic configuration from files.

    In your traefik.yml or traefik.toml:

    providers:
  file:
    directory: "/etc/traefik/dynamic"
    watch: true

  3. Apply the middleware to your routes by referencing it in your service configuration:

    http:
  routers:
    my-router:
      rule: "Host(`example.com`)"
      service: my-service
      middlewares:
        - waf-middleware

Option 2: Docker Labels

If you're using Docker, you can apply the middleware via labels:

services:
  my-service:
    image: my-app:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.my-router.rule=Host(`example.com`)"
      - "traefik.http.routers.my-router.middlewares=waf-middleware@file"

Option 3: Kubernetes IngressRoute

For Kubernetes deployments:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: waf-middleware
spec:
  plugin:
    # Reference your WAF plugin configuration here

Configuration Details

The middleware includes protection against:

  • SQL Injection (SQLi) attacks
  • Cross-Site Scripting (XSS) attempts
  • Remote Code Execution (RCE) patterns
  • Local File Inclusion (LFI) attempts
  • Malicious bots and crawlers

Testing

Test the WAF is working by sending a malicious request:

curl -H "User-Agent: AhrefsBot" http://yourserver.com
# Should be blocked if bot protection is working

curl "http://yourserver.com/?id=1' OR '1'='1"
# Should be blocked if SQLi protection is working

Monitoring

Monitor blocked requests in Traefik logs:

# Docker
docker logs traefik 2>&1 | grep -i "blocked\|forbidden"

# Standard installation
tail -f /var/log/traefik/access.log | grep -i "403"

Customization

You can customize the middleware behavior by:

  1. Editing the generated .toml files
  2. Adjusting regex patterns for your specific needs
  3. Modifying response codes and error pages
  4. Adding custom headers for blocked requests

Performance Considerations

  • Regular expression matching can impact performance under high load
  • Consider using caching middleware in combination with WAF
  • Monitor CPU usage and adjust rules if needed
  • Use Traefik's built-in rate limiting for additional protection

Notes

  • Rules are updated daily via GitHub Actions
  • Blocked requests typically return 403 Forbidden or 400 Bad Request
  • Middleware is applied at the router level
  • Compatible with other Traefik middlewares (chain them as needed)

Resources