first commit

t/coraza.conf

@@ -0,0 +1,249 @@
+# -- Rule engine initialization ----------------------------------------------
+
+# Enable Coraza, attaching it to every transaction. Use detection
+# only to start with, because that minimises the chances of post-installation
+# disruption.
+#
+SecRuleEngine On
+#SecRuleEngine DetectionOnly
+
+
+# -- Request body handling ---------------------------------------------------
+
+# Allow Coraza to access request bodies. If you don't, Coraza
+# won't be able to see any POST parameters, which opens a large security
+# hole for attackers to exploit.
+#
+SecRequestBodyAccess On
+
+# Enable XML request body parser.
+# Initiate XML Processor in case of xml content-type
+#
+SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
+     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
+
+# Enable JSON request body parser.
+# Initiate JSON Processor in case of JSON content-type; change accordingly
+# if your application does not use 'application/json'
+#
+SecRule REQUEST_HEADERS:Content-Type "^application/json" \
+     "id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+
+# Sample rule to enable JSON request body parser for more subtypes.
+# Uncomment or adapt this rule if you want to engage the JSON
+# Processor for "+json" subtypes
+#
+#SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
+#     "id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
+
+# Maximum request body size we will accept for buffering. If you support
+# file uploads then the value given on the first line has to be as large
+# as the largest file you are willing to accept. The second value refers
+# to the size of data, with files excluded. You want to keep that value as
+# low as practical.
+#
+SecRequestBodyLimit 13107200
+
+SecRequestBodyInMemoryLimit 131072
+
+SecRequestBodyNoFilesLimit 131072
+
+# What to do if the request body size is above our configured limit.
+# Keep in mind that this setting will automatically be set to ProcessPartial
+# when SecRuleEngine is set to DetectionOnly mode in order to minimize
+# disruptions when initially deploying Coraza.
+#
+SecRequestBodyLimitAction Reject
+
+# Verify that we've correctly processed the request body.
+# As a rule of thumb, when failing to process a request body
+# you should reject the request (when deployed in blocking mode)
+# or log a high-severity alert (when deployed in detection-only mode).
+#
+SecRule REQBODY_ERROR "!@eq 0" \
+"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
+
+# By default be strict with what we accept in the multipart/form-data
+# request body. If the rule below proves to be too strict for your
+# environment consider changing it to detection-only. You are encouraged
+# _not_ to remove it altogether.
+#
+SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
+"id:'200003',phase:2,t:none,log,deny,status:400, \
+msg:'Multipart request body failed strict validation: \
+PE %{REQBODY_PROCESSOR_ERROR}, \
+BQ %{MULTIPART_BOUNDARY_QUOTED}, \
+BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
+DB %{MULTIPART_DATA_BEFORE}, \
+DA %{MULTIPART_DATA_AFTER}, \
+HF %{MULTIPART_HEADER_FOLDING}, \
+LF %{MULTIPART_LF_LINE}, \
+SM %{MULTIPART_MISSING_SEMICOLON}, \
+IQ %{MULTIPART_INVALID_QUOTING}, \
+IP %{MULTIPART_INVALID_PART}, \
+IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
+FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
+
+# Did we see anything that might be a boundary?
+#
+# Here is a short description about the Coraza Multipart parser: the
+# parser returns with value 0, if all "boundary-like" line matches with
+# the boundary string which given in MIME header. In any other cases it returns
+# with different value, eg. 1 or 2.
+#
+# The RFC 1341 descript the multipart content-type and its syntax must contains
+# only three mandatory lines (above the content):
+# * Content-Type: multipart/mixed; boundary=BOUNDARY_STRING
+# * --BOUNDARY_STRING
+# * --BOUNDARY_STRING--
+#
+# First line indicates, that this is a multipart content, second shows that
+# here starts a part of the multipart content, third shows the end of content.
+#
+# If there are any other lines, which starts with "--", then it should be
+# another boundary id - or not.
+#
+# After 3.0.3, there are two kinds of types of boundary errors: strict and permissive.
+#
+# If multipart content contains the three necessary lines with correct order, but
+# there are one or more lines with "--", then parser returns with value 2 (non-zero).
+#
+# If some of the necessary lines (usually the start or end) misses, or the order
+# is wrong, then parser returns with value 1 (also a non-zero).
+#
+# You can choose, which one is what you need. The example below contains the
+# 'strict' mode, which means if there are any lines with start of "--", then
+# Coraza blocked the content. But the next, commented example contains
+# the 'permissive' mode, then you check only if the necessary lines exists in
+# correct order. Whit this, you can enable to upload PEM files (eg "----BEGIN.."),
+# or other text files, which contains eg. HTTP headers.
+#
+# The difference is only the operator - in strict mode (first) the content blocked
+# in case of any non-zero value. In permissive mode (second, commented) the
+# content blocked only if the value is explicit 1. If it 0 or 2, the content will
+# allowed.
+#
+
+#
+# See #1747 and #1924 for further information on the possible values for
+# MULTIPART_UNMATCHED_BOUNDARY.
+#
+SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
+    "id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
+
+# Some internal errors will set flags in TX and we will need to look for these.
+# All of these are prefixed with "MSC_".  The following flags currently exist:
+#
+# COR_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
+#
+SecRule TX:/^COR_/ "!@streq 0" \
+        "id:'200005',phase:2,t:none,deny,msg:'Coraza internal error flagged: %{MATCHED_VAR_NAME}'"
+
+
+# -- Response body handling --------------------------------------------------
+
+# Allow Coraza to access response bodies. 
+# You should have this directive enabled in order to identify errors
+# and data leakage issues.
+# 
+# Do keep in mind that enabling this directive does increases both
+# memory consumption and response latency.
+#
+SecResponseBodyAccess On
+
+# Which response MIME types do you want to inspect? You should adjust the
+# configuration below to catch documents but avoid static files
+# (e.g., images and archives).
+#
+SecResponseBodyMimeType text/plain text/html text/xml
+
+# Buffer response bodies of up to 512 KB in length.
+SecResponseBodyLimit 524288
+
+# What happens when we encounter a response body larger than the configured
+# limit? By default, we process what we have and let the rest through.
+# That's somewhat less secure, but does not break any legitimate pages.
+#
+SecResponseBodyLimitAction ProcessPartial
+
+
+# -- Filesystem configuration ------------------------------------------------
+
+# The location where Coraza will keep its persistent data.  This default setting 
+# is chosen due to all systems have /tmp available however, it
+# too should be updated to a place that other users can't access.
+#
+SecDataDir /tmp/
+
+
+# -- File uploads handling configuration -------------------------------------
+
+# The location where Coraza stores intercepted uploaded files. This
+# location must be private to Coraza. You don't want other users on
+# the server to access the files, do you?
+#
+#SecUploadDir /opt/coraza/var/upload/
+
+# By default, only keep the files that were determined to be unusual
+# in some way (by an external inspection script). For this to work you
+# will also need at least one file inspection rule.
+#
+#SecUploadKeepFiles RelevantOnly
+
+# Uploaded files are by default created with permissions that do not allow
+# any other user to access them. You may need to relax that if you want to
+# interface Coraza to an external program (e.g., an anti-virus).
+#
+#SecUploadFileMode 0600
+
+
+# -- Debug log configuration -------------------------------------------------
+
+# Default debug log path
+# Debug levels:
+# 0:   No logging (least verbose)
+# 1:   Error
+# 2:   Warn
+# 3:   Info
+# 4-8: Debug
+# 9:   Trace (most verbose)
+# Most logging has not been implemented because it will be replaced with
+# advanced rule profiling options
+SecDebugLog debug.log
+SecDebugLogLevel 1
+
+
+# -- Audit log configuration -------------------------------------------------
+
+# Log the transactions that are marked by a rule, as well as those that
+# trigger a server error (determined by a 5xx or 4xx, excluding 404,  
+# level response status codes).
+#
+#SecAuditEngine RelevantOnly
+SecAuditEngine On
+SecAuditLog audit.log
+#SecAuditLogRelevantStatus "^(?:(5|4)(0|1)[0-9])$"
+SecAuditLogFormat JSON
+
+# Log everything we know about a transaction.
+SecAuditLogParts ABIJDEFHKZ
+
+# Use a single file for logging. This is much easier to look at, but
+# assumes that you will use the audit log only occasionally.
+#
+SecAuditLogType Serial
+
+
+# -- Miscellaneous -----------------------------------------------------------
+
+# Use the most commonly used application/x-www-form-urlencoded parameter
+# separator. There's probably only one application somewhere that uses
+# something else so don't expect to change this value.
+#
+SecArgumentSeparator &
+
+# Settle on version 0 (zero) cookies, as that is what most applications
+# use. Using an incorrect cookie version may open your installation to
+# evasion attacks (against the rules that examine named cookies).
+#
+SecCookieFormat 0

t/default.conf

@@ -0,0 +1,4 @@
+SecDebugLogLevel 9
+SecDebugLog /dev/stdout
+SecAuditEngine On
+#SecRule REQUEST_HEADERS:User-Agent "Mozilla" "phase:1, id:3,drop,status:403,log,msg:'Blocked User-Agent'"

t/integration_block_req_header.t

@@ -0,0 +1,54 @@
+use Test::Nginx::Socket 'no_plan';
+
+our $HttpConfig = <<'_EOC_';
+    lua_package_path "lib/?.lua;/usr/local/share/lua/5.1/?.lua;;";
+    lua_socket_log_errors off;
+    lua_code_cache on;
+    lua_need_request_body on;
+    init_worker_by_lua_block{
+            local coraza = require "resty.coraza"
+            coraza.do_init()
+            coraza.rules_add([[SecRule REQUEST_HEADERS:User-Agent "Mozilla" "phase:1, id:3,drop,status:452,log,msg:'Blocked User-Agent'"]])
+    }
+_EOC_
+
+our $LocationConfig = <<'_EOC_';
+    location /t {
+            access_by_lua_block {
+            local coraza = require "resty.coraza"
+            coraza.do_access_filter()
+        }
+
+        content_by_lua_block {
+            ngx.say("passed")
+        }
+
+        header_filter_by_lua_block{
+            local coraza = require "resty.coraza"
+            coraza.do_header_filter()
+        }
+
+        log_by_lua_block{
+            local coraza = require "resty.coraza"
+            coraza.do_free()
+        }
+    }
+_EOC_
+
+# master_on();
+# workers(4);
+run_tests();
+
+__DATA__
+
+=== TEST 1: integration test blocked
+--- http_config eval: $::HttpConfig
+--- config eval: $::LocationConfig
+--- more_headers
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.44
+--- request
+POST /t/shell.php
+aaaaaaaaa=aaaaaa
+--- error_code: 452
+--- response_body_like eval
+'{"code": 452, "message": "This connection was blocked by Coroza!"}'

t/integration_block_resp_header.t

@@ -0,0 +1,52 @@
+use Test::Nginx::Socket 'no_plan';
+
+our $HttpConfig = <<'_EOC_';
+    lua_package_path "lib/?.lua;/usr/local/share/lua/5.1/?.lua;;";
+    lua_socket_log_errors off;
+    lua_code_cache on;
+    lua_need_request_body on;
+    init_worker_by_lua_block{
+            local coraza = require "resty.coraza"
+            coraza.do_init()
+            coraza.rules_add([[SecRule RESPONSE_HEADERS:Content-Type "text" "phase:3, id:4,drop,status:451,log,msg:'Blocked content-type'"]])
+    }
+_EOC_
+
+our $LocationConfig = <<'_EOC_';
+    location /t {
+            access_by_lua_block {
+            local coraza = require "resty.coraza"
+            coraza.do_access_filter()
+        }
+
+        content_by_lua_block {
+            ngx.say("passed")
+        }
+
+        header_filter_by_lua_block{
+            local coraza = require "resty.coraza"
+            coraza.do_header_filter()
+        }
+
+        log_by_lua_block{
+            local coraza = require "resty.coraza"
+            coraza.do_free()
+        }
+    }
+_EOC_
+
+# master_on();
+# workers(4);
+run_tests();
+
+__DATA__
+
+=== TEST 1: integration test blocked
+--- http_config eval: $::HttpConfig
+--- config eval: $::LocationConfig
+--- request
+POST /t/shell.php?a=b
+aaaaaaaaa=aaaaaa
+--- error_code: 451
+--- response_body_like eval
+""

t/integration_passed.t

@@ -0,0 +1,51 @@
+use Test::Nginx::Socket 'no_plan';
+
+our $HttpConfig = <<'_EOC_';
+    lua_package_path "lib/?.lua;/usr/local/share/lua/5.1/?.lua;;";
+    lua_socket_log_errors off;
+    lua_code_cache on;
+    lua_need_request_body on;
+    init_worker_by_lua_block{
+            local coraza = require "resty.coraza"
+            coraza.do_init()
+   }
+_EOC_
+
+our $LocationConfig = <<'_EOC_';
+    location /t {
+            access_by_lua_block {
+            local coraza = require "resty.coraza"
+            coraza.do_access_filter()
+        }
+
+        content_by_lua_block {
+            ngx.say("passed")
+        }
+
+        header_filter_by_lua_block{
+            local coraza = require "resty.coraza"
+            coraza.do_header_filter()
+        }
+
+        log_by_lua_block{
+            local coraza = require "resty.coraza"
+            coraza.do_free()
+        }
+    }
+_EOC_
+
+# master_on();
+# workers(4);
+run_tests();
+
+__DATA__
+
+=== TEST 1: integration test blocked
+--- http_config eval: $::HttpConfig
+--- config eval: $::LocationConfig
+--- request
+POST /t/shell.php
+aaaaaaaaa=aaaaaa
+--- error_code: 200
+--- response_body_like eval
+"passed"

t/integration_with_coreruleset.t

@@ -0,0 +1,53 @@
+use Test::Nginx::Socket 'no_plan';
+
+our $HttpConfig = <<'_EOC_';
+    lua_package_path "lib/?.lua;/usr/local/share/lua/5.1/?.lua;;";
+    lua_socket_log_errors off;
+    lua_code_cache on;
+    lua_need_request_body on;
+    init_worker_by_lua_block{
+            local coraza = require "resty.coraza"
+            coraza.do_init()
+            coraza.rules_add_file("/Users/mac/GolandProjects/libcoraza/lua-resty-coroza/lib/resty/coraza.conf")
+            coraza.rules_add("Include /Users/mac/Downloads/coreruleset-4.0-dev/rules/*.conf")
+    }
+_EOC_
+
+our $LocationConfig = <<'_EOC_';
+    location /t {
+            access_by_lua_block {
+            local coraza = require "resty.coraza"
+            coraza.do_access_filter()
+        }
+
+        content_by_lua_block {
+            ngx.say("passed")
+        }
+
+        header_filter_by_lua_block{
+            local coraza = require "resty.coraza"
+            coraza.do_header_filter()
+        }
+
+        log_by_lua_block{
+            local coraza = require "resty.coraza"
+            coraza.do_free()
+        }
+    }
+_EOC_
+
+# master_on();
+# workers(4);
+run_tests();
+
+__DATA__
+
+=== TEST 1: integration test blocked
+--- http_config eval: $::HttpConfig
+--- config eval: $::LocationConfig
+--- request
+POST /t/shell.php
+aaaaaaaaa=aaaaaa
+--- error_code: 200
+--- response_body_like eval
+"passed"