Name

OpenWAF

The first all-round open source Web security protection system, more protection than others.

Table of Contents

Version

This document describes OpenWAF v1.1 released on Mar 8, 2021.

Dockerfile and Docker Images have been upgraded to version 1.1 on Mar 8, 2021.

Synopsis

    #nginx.conf
    lua_package_path '/twaf/?.lua;;';
    
    init_by_lua_file /twaf/app/twaf_init.lua;
    
    lua_shared_dict twaf_shm 50m;
    
    upstream test {
        server 0.0.0.1; #just an invalid address as a place holder
        balancer_by_lua_file twaf_balancer.lua;
    }
    
    server {
        listen 443 ssl;
        server_name _;
        
        ssl_certificate_by_lua_file  twaf_ssl_cert.lua;
        rewrite_by_lua_file          /twaf/app/twaf_rewrite.lua;
        access_by_lua_file           /twaf/app/twaf_access.lua;
        header_filter_by_lua_file    /twaf/app/twaf_header_filter.lua;
        body_filter_by_lua_file      /twaf/app/twaf_body_filter.lua;
        log_by_lua_file              /twaf/app/twaf_log.lua;
        
        set $twaf_https 1;
        set $twaf_upstream_server "";
        
        ssl_certificate nginx.crt;
        ssl_certificate_key nginx.key;
        
        location / {
            lua_need_request_body on;
            proxy_pass $twaf_upstream_server;
        }
    }
    
    server {
        listen      80;
        server_name  _;
        
        rewrite_by_lua_file       /twaf/app/twaf_rewrite.lua;
        access_by_lua_file        /twaf/app/twaf_access.lua;
        header_filter_by_lua_file /twaf/app/twaf_header_filter.lua;
        body_filter_by_lua_file   /twaf/app/twaf_body_filter.lua;
        log_by_lua_file           /twaf/app/twaf_log.lua;
        
        set $twaf_upstream_server "";
        
        location / {
            lua_need_request_body on;
            proxy_pass $twaf_upstream_server;
        }
    }
    #default_config-json

    #main_safe_policy-json

Back to TOC

Description

  OpenWAF is the first fully open source Web application protection system (WAF). It is built on the nginx_lua API and analyzes HTTP request information. OpenWAF is composed of two functional engines: a behavior analysis engine and a rule engine. The rule engine mainly analyzes individual requests, while the behavior analysis engine is mainly responsible for tracking request information across requests.
  The rule engine is inspired by ModSecurity and FreeWAF (lua-resty-waf); the ModSecurity rules are implemented in Lua. The rule engine can detect abnormal requests based on protocol specification violations, automated tools, injection attacks, cross-site attacks, information leaks and other security exceptions, and it supports dynamic rules so that vulnerabilities can be patched in a timely manner.
  The behavior analysis engine includes fuzzy identification based on request frequency, an anti-malicious-crawler module, a human-computer identification (anti-detection) module, anti-CSRF, anti-CC (HTTP flood), anti-privilege-escalation, a file upload attack protection module, cookie tamper-proofing, anti-hotlinking, custom headers, and an attack response page module that prevents information disclosure.
  Besides the two engines, OpenWAF also includes statistics, logging, attack response page, access rule and other basic modules. In addition to the existing functional modules, OpenWAF supports dynamic modification of the configuration and dynamic loading of third-party modules, so that protection can be upgraded without restarting the engine or interrupting service.
  OpenWAF groups the features above into policies, so that different web applications can be protected with different policies. In the future a cloud platform will be built so that policies can also be shared with others.

basic modules:

safe modules:

For detailed configuration documents and examples, please refer to the module documentation above.

Back to TOC

Installation

Please see the OpenWAF installation document.

Back to TOC

Community

English Mailing List

The OpenWAF-en mailing list is for English speakers.

Chinese Mailing List

The OpenWAF-cn mailing list is for Chinese speakers.

Personal QQ Mail

290557551@qq.com

QQ Group

579790127

Back to TOC

Bugs and Patches

Please submit bug reports, wishlists, or patches by

  1. creating a ticket on the GitHub Issue Tracker,
  2. or posting to the OpenWAF community.

Back to TOC

TODO

  • Add access_rule module dynamic switch
  • Support connecting SSO
  • Dynamic token
  • APISG(API Security gateway)
  • Mock

Back to TOC

Changes

Changelog

Back to TOC

Copyright and License

This module is licensed under the BSD license.

Copyright (C) 2016-2016, by Jian "Miracle" Qi (齐健) miracleqi25@gmail.com, Titan Co.Ltd.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Back to TOC

Modules Configuration Directives

Back to TOC

twaf_access_rule

{
    "twaf_access_rule": {
        "rules": [                                 -- note: rule order matters
            {                                      
                "user": "user_id",                 -- user ID, optional, default "-"
                "ngx_ssl": false,                  -- switch for nginx-side SSL, optional, default false
                "ngx_ssl_cert": "path",            -- path to the PEM certificate used for nginx SSL
                "ngx_ssl_key": "path",             -- path to the PEM private key used for nginx SSL
                "host": "^1\\.1\\.1\\.1$",         -- domain name, supports regex, string or array, IPv4/IPv6
                "port": 80,                        -- port number, number or array, optional, default 80 or 443
                "path": "\/",                      -- path, supports regex, optional, default "/"
                "url_case_sensitive": false,       -- whether the path is case-sensitive, boolean, optional, default false
                "server_ssl": false,               -- backend server SSL switch, boolean, optional, default false
                "forward": "server_5",             -- backend server upstream name, string
                "forward_addr": "1.1.1.2",         -- backend server IP address, string
                "forward_port": "8080",            -- backend server port, optional, default 80 or 443
                "uuid": "access_567b067ff2060",    -- uuid identifying this rule, optional, default 16-char random string
                "policy": "policy_uuid"            -- security policy ID, string, optional, default twaf_default_conf
            }
        ]
    }
}
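To make the access-rule semantics concrete, here is an added Python example (not OpenWAF's own Lua code) that walks a rule list in order, applies the defaults from the comments above, and returns the upstream target and policy of the first matching rule; the host/path regex matching and first-match-wins behaviour are assumptions drawn from the comments, and the rule values are constructed.

```python
import re

# Constructed sample rule set, modelled on the twaf_access_rule block above
# (hypothetical hosts and upstreams; not a real deployment).
SAMPLE_RULES = [
    {"host": "^api\\.example\\.test$", "port": 443, "path": "^/v1/",
     "forward": "api_backend", "policy": "strict_policy", "uuid": "access_api"},
    {"host": ["^www\\.example\\.test$", "^example\\.test$"], "path": "/",
     "url_case_sensitive": True, "forward_addr": "10.0.0.5",
     "forward_port": "8080", "uuid": "access_www"},
]


def _as_list(value):
    # host, port and path may be a single value or an array
    return value if isinstance(value, list) else [value]


def rule_matches(rule, host, port, path, https):
    """Assumed semantics: host and path are regexes, port is compared
    numerically, and missing keys take the README's documented defaults."""
    if not any(re.search(h, host) for h in _as_list(rule.get("host", ".*"))):
        return False
    default_port = 443 if https else 80
    if port not in _as_list(rule.get("port", default_port)):
        return False
    flags = 0 if rule.get("url_case_sensitive", False) else re.IGNORECASE
    return any(re.search(p, path, flags) for p in _as_list(rule.get("path", "/")))


def resolve(rules, host, port, path, https=False):
    """Walk the rules in order (the README warns that order matters); the
    first match wins. Returns (uuid, upstream target, policy) or None."""
    for rule in rules:
        if rule_matches(rule, host, port, path, https):
            target = rule.get("forward")
            if not target:
                # no named upstream: fall back to address:port
                backend_port = rule.get("forward_port",
                                        443 if rule.get("server_ssl") else 80)
                target = "%s:%s" % (rule["forward_addr"], backend_port)
            return (rule.get("uuid", "-"), target,
                    rule.get("policy", "twaf_default_conf"))
    return None
```

A request that matches no rule yields None, which is the case a deployment must decide how to handle rather than silently proxying to a default upstream.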

rules

syntax: *"rule
