feat: add built-in coreruleset

.github/workflows/container-image.yaml

@@ -39,7 +39,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Docker metadata - Main
+      - name: Docker metadata
         id: meta-main
         uses: docker/metadata-action@v4
         with:
@@ -51,44 +51,14 @@ jobs:
             type=ref,event=branch
             type=ref,event=pr
 
-      - name: Image - Main
+      - name: Image
         uses: docker/build-push-action@v3
         with:
           context: .
           cache-from: type=gha
           cache-to: type=gha,mode=max
           platforms: linux/amd64
-          file: Dockerfile
+          file: example/Dockerfile
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta-main.outputs.tags }}
-          labels: ${{ steps.meta-main.outputs.labels }}
-
-
-      - name: Docker metadata - CRS4
-        id: meta-crs4
-        uses: docker/metadata-action@v4
-        with:
-          images: ghcr.io/${{ github.repository }}
-          flavor: |
-            suffix=-crs4,onlatest=true
-          tags: |
-            type=raw,value=snapshot,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=ref,event=branch
-            type=ref,event=pr
-
-      - name: Image - CRS4
-        uses: docker/build-push-action@v3
-        with:
-          context: .
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          platforms: linux/amd64
-          file: Dockerfile
-          push: ${{ github.event_name != 'pull_request' }}
-          target: coreruleset
-          build-args: |
-            CORERULESET_VERSION=v4.0.0-rc1
-          tags: ${{ steps.meta-crs4.outputs.tags }}
-          labels: ${{ steps.meta-crs4.outputs.labels }}
+          labels: ${{ steps.meta-main.outputs.labels }}

.github/workflows/package.yaml

@@ -44,11 +44,8 @@ jobs:
         run: |
           sudo apt update && sudo apt -y install make pkg-config rubygems && sudo gem install fpm
 
-          # Download corazawaf/coraza/coraza.conf for distribution
-          curl https://raw.githubusercontent.com/corazawaf/coraza/v3.0.0/coraza.conf-recommended > coraza.conf
-
       - name: Build binary
-        run: VERSION=${PACKAGE_VERSION} ARCH=${{ matrix.arch }} make
+        run: VERSION=${PACKAGE_VERSION} GOARCH=${{ matrix.arch }} go run mage.go build
 
       - name: Build package
         run: |
@@ -62,11 +59,9 @@ jobs:
            --deb-systemd ./contrib/coraza-spoa.service \
            --deb-systemd-enable \
            --config-files /etc/coraza-spoa/config.yaml \
-           ./coraza-spoa_${{matrix.arch}}=/usr/bin/coraza-spoa \
-           ./doc/config/=/usr/share/doc/coraza-spoa/haproxy-config \
+           ./coraza-spoa=/usr/bin/coraza-spoa \
            ./LICENSE=/usr/share/doc/coraza-spoa/ \
-           ./config.yaml.default=/etc/coraza-spoa/config.yaml \
-           ./coraza.conf=/etc/coraza-spoa/coraza.conf
+           ./example/coraza-spoa.yaml=/etc/coraza-spoa/config.yaml
 
       ## Publish to the "testing" repo
       - name: Cloudsmith Push:debian/coraza-spoa-snapshots

.gitignore

@@ -13,7 +13,5 @@
 *.out
 vendor/
 
-# local files
-config.yaml
-logs/
-rules/
+# Build output
+build/

example/Dockerfile

@@ -0,0 +1,26 @@
+# Copyright 2023 The OWASP Coraza contributors
+# SPDX-License-Identifier: Apache-2.0
+
+FROM golang:1.21 as build
+
+WORKDIR /go/src/app
+COPY . .
+
+RUN go mod download
+RUN go vet -v ./...
+
+RUN CGO_ENABLED=0 go build -o /go/bin/coraza-spoa
+
+FROM gcr.io/distroless/static-debian11
+
+LABEL org.opencontainers.image.authors="The OWASP Coraza contributors" \
+      org.opencontainers.image.description="OWASP Coraza WAF (Haproxy SPOA)" \
+      org.opencontainers.image.documentation="https://coraza.io/connectors/coraza-spoa/" \
+      org.opencontainers.image.licenses="Apache-2.0" \
+      org.opencontainers.image.source="https://github.com/corazawaf/coraza-spoa" \
+      org.opencontainers.image.title="coraza-spoa"
+
+COPY --from=build /go/bin/coraza-spoa /
+COPY ./example/coraza-spoa.yaml /config.yaml
+
+CMD ["/coraza-spoa", "--config", "/config.yaml"]

examples/coraza-spoa.yaml → example/coraza-spoa.yaml

@@ -11,27 +11,12 @@ log_format: console
 applications:
   # name is used as key to identify the directives
   - name: sample_app
-    # Get the coraza.conf from https://github.com/corazawaf/coraza
-    #
-    # Download the OWASP CRS from https://github.com/coreruleset/coreruleset/releases
-    # and copy crs-setup.conf & the rules, plugins directories to /etc/coraza-spoa
-    # Also the built-in OWASP CRS rules are available in @owasp_crs/
+    # Some example rules.
+    # The built-in OWASP CRS rules are available in @owasp_crs/
     directives: |
-      # Include @coraza.conf-recommended
-      # SecRuleEngine On
-      # SecAction \
-      #     "id:900990,\
-      #     phase:1,\
-      #     pass,\
-      #     t:none,\
-      #     nolog,\
-      #     setvar:tx.crs_setup_version=400"
-      # SecDefaultAction "phase:1,log,noauditlog,deny,status:403"
-      # Include @owasp_crs/*.conf
-      Include /etc/coraza-spoa/coraza.conf
-      Include /etc/coraza-spoa/crs-setup.conf
-      Include /etc/coraza-spoa/rules/*.conf
-
+      Include @coraza.conf-recommended
+      Include @crs-setup.conf.example
+      Include @owasp_crs/*.conf
 
     # HAProxy configured to send requests only, that means no cache required
     response_check: false

example/docker-compose.yaml

@@ -0,0 +1,34 @@
+version: "3.9"
+services:
+  httpbin:
+    image: mccutchen/go-httpbin:v2.13.4
+    environment:
+      - MAX_BODY_SIZE=15728640 # 15 MiB
+    command: [ "/bin/go-httpbin", "-port", "8081" ]
+    ports:
+      - "8081:8081"
+
+  coraza-spoa:
+    restart: unless-stopped
+    build:
+      context: ..
+      dockerfile: ./example/Dockerfile
+    ports:
+      - "9000:9000"
+
+  haproxy:
+    restart: unless-stopped
+    image: haproxy:2.7-alpine
+    ports: [ "8080:80", "8443:443", "8082:8082"]
+    depends_on:
+      - httpbin
+    links:
+      - "coraza-spoa:coraza-spoa"
+      - "httpbin:httpbin"
+    volumes:
+      - type: bind
+        source: ./haproxy/
+        target: /usr/local/etc/haproxy
+    environment:
+      - BACKEND_HOST=httpbin:8081
+      - CORAZA_SPOA_HOST=coraza-spoa

examples/coraza.cfg → example/haproxy/coraza.cfg

@@ -1,5 +1,5 @@
 # https://github.com/haproxy/haproxy/blob/master/doc/SPOE.txt
-# /etc/haproxy/coraza.cfg
+# /usr/local/etc/haproxy/coraza.cfg
 [coraza]
 spoe-agent coraza-agent
     # Process HTTP requests only (the responses are not evaluated)
@@ -15,10 +15,12 @@ spoe-agent coraza-agent
     log         global
 
 spoe-message coraza-req
+    # Arguments are required to be in this order
     args app=str(sample_app) src-ip=src src-port=src_port dst-ip=dst dst-port=dst_port method=method path=path query=query version=req.ver headers=req.hdrs body=req.body
     event on-frontend-http-request
 
 spoe-message coraza-res
+    # Arguments are required to be in this order
     args app=str(sample_app) id=var(txn.e2e.id) version=res.ver status=status headers=res.hdrs body=res.body
     event on-http-response