diff --git example/kong/config/kong.yaml example/kong/config/kong.yaml | |
index c96cf73..4853d19 100644 | |
--- example/kong/config/kong.yaml | |
+++ example/kong/config/kong.yaml | |
@@ -1,3 +1,34 @@ | |
-# a very minimal declarative config file | |
-_format_version: "2.1" | |
+_format_version: "1.1" | |
_transform: true | |
+ | |
+services: | |
+- name: httpbin | |
+ host: "httpbin" | |
+ path: "/" | |
+ port: 8080 | |
+ protocol: http | |
+ routes: | |
+ - name: httpbin | |
+ methods: | |
+ - GET | |
+ paths: | |
+ - / | |
+ - /anything | |
+ - /uuid | |
+ plugins: | |
+ - name: proxy-wasm | |
+ config: | |
+ filters: | |
+ - name: main | |
+ config: '{ | |
+ "rules": [ | |
+ "Include @demo-conf", | |
+ "Include @crs-setup-demo-conf", | |
+ "SecDebugLogLevel 3", | |
+ "Include @owasp_crs/*.conf", | |
+ "SecRule REQUEST_URI \"@streq /uuid\" \"id:101,phase:1,t:lowercase,deny\"", | |
+ "SecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\"", | |
+ "SecRule RESPONSE_HEADERS::status \"@rx 406\" \"id:103,phase:3,t:lowercase,deny\"", | |
+ "SecRule RESPONSE_BODY \"@contains responsebodycode\" \"id:104,phase:4,t:lowercase,deny\"" | |
+ ] | |
+ }' | |
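Review bot: The filter config sets `SecDebugLogLevel 3` and four demo `deny` rules, but nothing in this file shows `SecRuleEngine On`; if `@demo-conf` does not switch the engine on, the `deny` actions are never enforced and the demo routes pass through silently, so that dependency deserves a comment next to the `rules` list. The removed header `# a very minimal declarative config file` was the only documentation; I would replace it with `# Declarative config for the proxy-wasm (Coraza) demo: rules 101-104 are demo-only and rely on the bundled @demo-conf / @crs-setup-demo-conf files`. Rule 102 inspects `REQUEST_BODY` in phase 2 on a route that only accepts `GET`, which is harmless but only becomes meaningful once other methods are routed. `_format_version` also moves from "2.1" down to "1.1"; if that is deliberate for the `gateway-wasmer-3.0.0.0` image, a one-line comment saying so would stop the next reader from "fixing" it.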
diff --git example/kong/docker-compose.yaml example/kong/docker-compose.yaml | |
index 17d1def..ca7a29d 100644 | |
--- example/kong/docker-compose.yaml | |
+++ example/kong/docker-compose.yaml | |
@@ -1,14 +1,6 @@ | |
# Inspired in https://github.com/Kong/docker-kong | |
version: '3.9' | |
-x-kong-config: | |
- &kong-env | |
- KONG_DATABASE: postgres | |
- KONG_PG_DATABASE: ${KONG_PG_DATABASE:-kong} | |
- KONG_PG_HOST: db | |
- KONG_PG_USER: ${KONG_PG_USER:-kong} | |
- KONG_PG_PASSWORD_FILE: /run/secrets/kong_postgres_password | |
- | |
volumes: | |
kong_data: {} | |
kong_prefix_vol: | |
@@ -25,38 +17,11 @@ networks: | |
external: false | |
services: | |
- kong-migrations: | |
- image: "kong/incubator:gateway-wasmer-3.0.0.0" | |
- command: kong migrations bootstrap | |
- depends_on: | |
- - db | |
- environment: | |
- <<: *kong-env | |
- secrets: | |
- - kong_postgres_password | |
- networks: | |
- - kong-net | |
- restart: on-failure | |
- | |
- kong-migrations-up: | |
- image: "kong/incubator:gateway-wasmer-3.0.0.0" | |
- command: kong migrations up && kong migrations finish | |
- depends_on: | |
- - db | |
- - kong-migrations | |
- environment: | |
- <<: *kong-env | |
- secrets: | |
- - kong_postgres_password | |
- networks: | |
- - kong-net | |
- restart: on-failure | |
- | |
kong: | |
image: "kong/incubator:gateway-wasmer-3.0.0.0" | |
user: "${KONG_USER:-kong}" | |
environment: | |
- <<: *kong-env | |
+ KONG_DATABASE: "off" | |
KONG_ADMIN_ACCESS_LOG: /dev/stdout | |
KONG_ADMIN_ERROR_LOG: /dev/stderr | |
KONG_PROXY_LISTEN: "${KONG_PROXY_LISTEN:-0.0.0.0:8000}" | |
@@ -67,8 +32,6 @@ services: | |
KONG_DECLARATIVE_CONFIG: "/opt/kong/kong.yaml" | |
KONG_WASM: "on" | |
KONG_WASM_MODULES: "/wasm/main.wasm" | |
- secrets: | |
- - kong_postgres_password | |
networks: | |
- kong-net | |
ports: | |
@@ -100,33 +63,12 @@ services: | |
depends_on: | |
- httpbin | |
- db: | |
- image: postgres:9.5 | |
- environment: | |
- POSTGRES_DB: ${KONG_PG_DATABASE:-kong} | |
- POSTGRES_USER: ${KONG_PG_USER:-kong} | |
- POSTGRES_PASSWORD_FILE: /run/secrets/kong_postgres_password | |
- secrets: | |
- - kong_postgres_password | |
- healthcheck: | |
- test: [ "CMD", "pg_isready", "-U", "${KONG_PG_USER:-kong}" ] | |
- interval: 30s | |
- timeout: 30s | |
- retries: 3 | |
- restart: on-failure | |
- stdin_open: true | |
- tty: true | |
- networks: | |
- - kong-net | |
- volumes: | |
- - kong_data:/var/lib/postgresql/data | |
- | |
httpbin: | |
image: mccutchen/go-httpbin:v2.5.0 | |
environment: | |
- MAX_BODY_SIZE=15728640 # 15 MiB | |
ports: | |
- - 10080:8080 | |
+ - 8080:8080 | |
networks: | |
- kong-net | |
@@ -140,7 +82,3 @@ services: | |
- kong | |
networks: | |
- kong-net | |
- | |
-secrets: | |
- kong_postgres_password: | |
- file: ./POSTGRES_PASSWORD | |
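Review bot: Publishing httpbin on `8080:8080` (the hunk starting at `@@ -100,33 +63,12 @@`, previously `10080:8080`) exposes the upstream directly on the host beside Kong's proxy on 8000, so anything sent to 8080 never passes through the WAF filter; for the demo a comment such as `# published for side-by-side comparison only; the WAF-protected path is Kong on 8000` would make that intentional, or the mapping can be dropped so httpbin is reachable only on `kong-net`. `KONG_DATABASE: "off"` is consistent with `KONG_DECLARATIVE_CONFIG` still pointing at `/opt/kong/kong.yaml`, and removing the `db` service, its secret and the migration jobs looks complete as far as these hunks show. The `version: '3.9'` key is kept; Compose v2 ignores it with a warning, so leaving it is fine.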
diff --git example/kong/service-provisioner.sh example/kong/service-provisioner.sh | |
index ef6a411..e89c3b9 100755 | |
--- example/kong/service-provisioner.sh | |
+++ example/kong/service-provisioner.sh | |
@@ -6,19 +6,13 @@ KONG_HOSTPORT=${KONG_HOST}:8001 | |
numRetries=0 | |
for numRetries in {1..5}; do | |
- sleep 10 | |
- http ${KONG_HOSTPORT} && break | |
+ sleep 2 | |
+ http GET ${KONG_HOSTPORT}/ &>/dev/null && break | |
echo "Retrying..."; | |
done | |
-if [ numRetries == 5 ] exit 1; fi | |
- | |
-http --ignore-stdin POST ${KONG_HOSTPORT}/services name="httpbin" host="${UPSTREAM_HOST}" path="/" port:=10080 protocol="http" | |
- | |
-http --ignore-stdin POST ${KONG_HOSTPORT}/services/httpbin/routes name="httpbin" "paths[]=/" "paths[]=/anything" "paths[]=/uuid" | |
- | |
-http --ignore-stdin POST ${KONG_HOSTPORT}/services/httpbin/plugins name="proxy-wasm" \ | |
- "config[filters][0][name]=main" \ | |
- "config[filters][0][config]={\"rules\":[\"Include @demo-conf\",\"Include @crs-setup-demo-conf\",\"SecDebugLogLevel 3\",\"Include @owasp_crs/*.conf\",\"SecRule REQUEST_URI \\\"@streq /uuid\\\" \\\"id:101,phase:1,t:lowercase,deny\\\" \\\nSecRule REQUEST_BODY \\\"@rx maliciouspayload\\\" \\\"id:102,phase:2,t:lowercase,deny\\\" \\\nSecRule RESPONSE_HEADERS::status \\\"@rx 406\\\" \\\"id:103,phase:3,t:lowercase,deny\\\" \\\nSecRule RESPONSE_BODY \\\"@contains responsebodycode\\\" \\\"id:104,phase:4,t:lowercase,deny\\\"\"]}" | |
+if [ numRetries == 5 ]; then | |
+ exit 1 | |
+fi | |
http --ignore-stdin GET ${KONG_HOST}:8000/ | |
\ No newline at end of file | |
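Review bot: `if [ numRetries == 5 ]; then` compares the literal string `numRetries` with `5`, so the test is always false and the script never exits non-zero when Kong fails to come up; the variable needs a `$`. Even with `"$numRetries"`, a successful `break` on the fifth attempt would still be treated as failure, so the readiness check should be tracked with a flag rather than the loop counter. The `&>/dev/null` redirection is bash-only, which is fine if the shebang (outside this hunk) is bash; the script's start and the `KONG_HOSTPORT` assignment are not visible here. I would rewrite the loop and check as below.
```shell
ready=0
for numRetries in {1..5}; do
  sleep 2
  if http GET "${KONG_HOSTPORT}/" &>/dev/null; then
    ready=1
    break
  fi
  echo "Retrying..."
done
# Exit only when no attempt succeeded, not merely because the last attempt was the fifth.
if [ "$ready" -ne 1 ]; then
  exit 1
fi
# … unchanged: final GET against ${KONG_HOST}:8000/ …
```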
diff --git wasmplugin/metrics.go wasmplugin/metrics.go | |
index f56fb5a..93bcaf8 100644 | |
--- wasmplugin/metrics.go | |
+++ wasmplugin/metrics.go | |
@@ -3,44 +3,16 @@ | |
//go:build !disable_metrics | |
-package wasmplugin | |
- | |
-import ( | |
- "fmt" | |
+// How do I set Go build flags using Mage?... | |
- "github.com/tetratelabs/proxy-wasm-go-sdk/proxywasm" | |
-) | |
+package wasmplugin | |
-type wafMetrics struct { | |
- counters map[string]proxywasm.MetricCounter | |
-} | |
+type wafMetrics struct{} | |
func NewWAFMetrics() *wafMetrics { | |
- return &wafMetrics{ | |
- counters: make(map[string]proxywasm.MetricCounter), | |
- } | |
+ return &wafMetrics{} | |
} | |
-func (m *wafMetrics) incrementCounter(fqn string) { | |
- // TODO(jcchavezs): figure out if we are OK with dynamic creation of metrics | |
- // or we generate the metrics on before hand. | |
- counter, ok := m.counters[fqn] | |
- if !ok { | |
- counter = proxywasm.DefineCounterMetric(fqn) | |
- m.counters[fqn] = counter | |
- } | |
- counter.Increment(1) | |
-} | |
- | |
-func (m *wafMetrics) CountTX() { | |
- // This metric is processed as: waf_filter_tx_total | |
- m.incrementCounter("waf_filter.tx.total") | |
-} | |
+func (*wafMetrics) CountTX() {} | |
-func (m *wafMetrics) CountTXInterruption(phase string, ruleID int) { | |
- // This metric is processed as: waf_filter_tx_interruption{phase="http_request_body",rule_id="100"}. | |
- // The extraction rule is defined in envoy.yaml as a bootstrap configuration. | |
- // See https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/metrics/v3/stats.proto#config-metrics-v3-statsconfig. | |
- fqn := fmt.Sprintf("waf_filter.tx.interruptions_ruleid=%d_phase=%s", ruleID, phase) | |
- m.incrementCounter(fqn) | |
-} | |
+func (*wafMetrics) CountTXInterruption(_ string, _ int) {} |
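Review bot: The `//go:build !disable_metrics` constraint is kept while every method becomes a no-op, so neither build variant records anything and the tag no longer selects between an enabled and a disabled implementation; either drop the tag or document that this is a temporary stub. The line `// How do I set Go build flags using Mage?...` sits directly above `package wasmplugin` and, unless a blank line separates them (not visible in this rendering), becomes the package doc comment and may also break the blank-line rule for build constraints; replace it with `// Package wasmplugin metrics are stubbed out until the proxy-wasm metric API is wired back in.` on its own, separated from the build line. Dropping the body of `CountTXInterruption` also removes the per-rule, per-phase interruption counter that was the only signal that a deny fired, which matters for detection; the stub should carry a comment saying that counters are currently not emitted so operators do not assume silence means no blocks. The removed `incrementCounter` TODO about dynamic metric creation is lost with it and is worth carrying over to the stub.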