This is just a small project I use now, I honestly do not have enough knowledge to say this is secure as a "native" implementation, if you have any tips file an issue. If you would like to take over this project let me know, I only built this because I need it, but I hate the GO language and would really like to not touch it again.
This is a simlpe container based on the GOLANG base container with an http server that uses Coraza as waf to block incoming connections.
Coraza is set to disruptive mode (SecRuleEngine On instead of the defaultSecRuleEngine DetectionOnly)
There is a simple docker-compose.yml file that shows how to use this image in traefik.
The loaded files in are /etc/coraza/default/coraza.conf, /etc/coraza/coreruleset/crs-setup.conf.example, .conf files in the /etc/coraza/coreruleset/rules/ folder and .conf files in the /etc/coraza/custom/ folder.
First of all you should mount the /etc/coraza/coreruleset/ folder and use an up to date version of the CRS, the one shipped is grabbed when the container is built.
Then the /etc/coraza/default/ directory has the file coraza.conf that is the reccomended coraza config - you should update that too, you can mount the /etc/coraza/default/ for easier access to the file (sometimes docker has problems mounting a file instead of a directory).
You can also mount the /etc/coraza/custom/ folder and place there the .conf file, every .conf file there will be read at startup, this may be useful when just syncing git with the upstream CRS to avoid adding files in that repo accidentally.
Replace path/to/xyz to the respective mounted path.
# Update coraza.conf
wget https://raw.githubusercontent.com/corazawaf/coraza/v3/dev/coraza.conf-recommended -O path/to/default/coraza.conf
# also set Coraza with the disruptive mode to block requests instead of just logging them
sed -i'.bak' 's|SecRuleEngine DetectionOnly|SecRuleEngine On|' coraza.conf
# Update CRS
cd path/to/coreruleset
git clone pull
This aims to be an easy replacement for the Modsecurity container with default values, to use while waiting other Coraza implementation matures (like wasm [1/2] or the yaegi interpreter gets full 3rd party compatibility) and get ready to be used in other software like Traefik. This is why this project aims to be a temporary fix and hopefully will be replaced by more advanced software in the next few months/years.
I found this useful to use with the traefik modsecurity plugin (source), replacing the owasp/modsecurity-crs:apache image (docker hub) with this one. The docker-compose files refer to this plugin.
The server is heavily based on the official http-server example from Coraza.
The directory testdata is a stripped down version form the official example (I removed the support to change the response body on the fly).
Essentially a WTFPL – Do What the Fuck You Want to Public License. Modified to please ping me if you improve the software so I can start using your version. It is not a requirement. Actually the modification is a joke, Do What the Fuck You Want.