corazawaf / libcoraza Goto Github PK
View Code? Open in Web Editor NEWOWASP Coraza C connector
License: Other
libcoraza's People
Contributors
Stargazers
Watchers
libcoraza's Issues
Replace logging callback interface
Coraza and modsec logging works differently, which presents a challenge for libcoraza. In modsec, there logger callback per transaction, while in coraza there is a general error log callback.
- We need to set up a friendlier callback, modsec
voidis not properly documented, and it is weird. - In the meantime we can use waf loggers instead transaction logger, but that will mean logs won't be aware of custom error logs in nginx for specific URLs or others, there will be only one error log per coraza context
- Make current log callback work for Coraza, it is just a placeholder, it is not working.
Switch map to sync.Map to make it safe in multi-thread application?
Currently, libcoraza uses map to store the states:
Line 42 in 23b4abd
map is not thread-safe, if we want to use libcoraza in a multi-thread C/C++ application, it would be better to switch to sync.Map.
Compared with the whole operation, the extra cost from the sync.Map is acceptable. And seems the use cases in libcoraza satisfy "a given key is only ever written once but read many times" so it may be better than using extra sync.RWMutex.
More info can be found in https://pkg.go.dev/sync#Map
Reimplement WAF map
Although the general suggestion is a sync.Map, we must make sure it is scalable in terms of resources and it properly cleans memory for deleted instances.
Also we should stop storing the WAF itself and we should store both, WAFConfig and WAF in a single struct, that way we can extend configuration for configuration merging, which would be useful for nginx and apache.
type waf struct {
WAF coraza.WAF
Config coraza.WAFConfig
}Looking for a maintainer
Until now this repo has been more like an experiment but it is a serious bump in the path to support NGINX. We need a maintainer whose main goal would be to make this library maintainable and runnable in prod. Some of the milestones through that path would be
- better testing, both unit and e2e
- performance measurements to see how much overhead it will add in request path
- better dev env
Another option is to archive this if no maintainer is joining we archive this repo.
For issues related to maintainership, check looking for maintainer
error installing libcoraza
I want to test corazafor nginx and for this I am trying to compile and install libcoraza on Centos 8.
Configure and make work correctly, but when doing make install I receive the following error:
/bin/sh ./config.status
config.status: creating Makefile
config.status: creating Doxyfile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands
config.status: executing libtool commands
(CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/sh /opt/libcoraza/missing autoheader)
rm -f stamp-h1
touch config.h.in
cd . && /bin/sh ./config.status config.h
config.status: creating config.h
config.status: config.h is unchanged
make[1]: Entering directory '/opt/libcoraza'
make[1]: Nothing to be done for 'install-exec-am'.
make all-am
make[2]: Entering directory '/opt/libcoraza'
make[2]: Leaving directory '/opt/libcoraza'
CCLD tests/simple_get
./libcoraza.a(000023.o): In function _goboringcrypto_EVP_CIPHER_CTX_free': /_/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:809: undefined reference to dlsym'
./libcoraza.a(000023.o): In function _goboringcrypto_EVP_CIPHER_CTX_new': /_/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:327: undefined reference to dlsym'
./libcoraza.a(000023.o): In function _goboringcrypto_EVP_CIPHER_CTX_set_padding': /_/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:328: undefined reference to dlsym'
./libcoraza.a(000023.o): In function _goboringcrypto_EVP_CipherInit_ex': /_/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:329: undefined reference to dlsym'
./libcoraza.a(000023.o): In function _goboringcrypto_EVP_CipherUpdate': /_/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:332: undefined reference to dlsym'
./libcoraza.a(000023.o):/_/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:776: more undefined references to dlsym' follow ./libcoraza.a(000029.o): In function goboringcrypto_DLOPEN_OPENSSL':
//vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:71: undefined reference to dlopen' ./libcoraza.a(000029.o): In function goboringcrypto_FIPS_mode':
//vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:146: undefined reference to dlsym' ./libcoraza.a(000029.o): In function goboringcrypto_internal_OPENSSL_init':
//vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:81: undefined reference to dlsym' ./libcoraza.a(000029.o): In function goboringcrypto_internal_ERR_error_string_n':
//vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:112: undefined reference to dlsym' ./libcoraza.a(000029.o): In function goboringcrypto_internal_ERR_get_error_line_data':
//vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:95: undefined reference to dlsym' ./libcoraza.a(000030.o): In function goboringcrypto_RAND_bytes':
//vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:159: undefined reference to dlsym' ./libcoraza.a(000031.o):/_/vendor/github.com/golang-fips/openssl-fips/openssl/goopenssl.h:222: more undefined references to dlsym' follow
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:409: tests/simple_get] Error 1
make[1]: Leaving directory '/opt/libcoraza'
make: *** [Makefile:696: install-am] Error 2
Add examples
This will be welcoming to new users.
cc @nacx
Release artifacts
We should publish generated artifacts on each merge. That would ease the test of this libraries in connectors.
My company maybe interested in using libcoraza.
I do not see much activity.
I do have some questions?
Q: It seems that it is transpiling the Go to C and we are calling into the transpiled version of Coraza?
Q: If the above is true, is it getting the latest version of Coraza or is this a snapshot of a particular version?
Thanx
Upgrades to Coraza v3
error installing libcoraza
I want to test coraza for nginx and for this I am trying to compile and install libcoraza on Alpine Linux 3.19.1.
# docker run -it alpine:latest ash
# uname -a
Linux ba4017be8bd2 6.6.14-0-lts #1-Alpine SMP PREEMPT_DYNAMIC Fri, 26 Jan 2024 11:08:07 +0000 x86_64 Linux
apk update && apk add \
autoconf automake build-base libtool make \
gawk mawk nawk \
clang17-dev musl-dev \
go
cd /tmp
git clone --depth 1 https://github.com/corazawaf/libcoraza libcoraza
cd libcoraza
go get -u github.com/corazawaf/coraza/v3@9184eeebf038decac73bf81616374c0932eb2ba7
go mod vendor && go mod tidy
# ./build.sh & output info:
./build.sh
libtoolize: putting auxiliary files in '.'.
libtoolize: copying file './ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'macros'.
libtoolize: copying file 'macros/libtool.m4'
libtoolize: copying file 'macros/ltoptions.m4'
libtoolize: copying file 'macros/ltsugar.m4'
libtoolize: copying file 'macros/ltversion.m4'
libtoolize: copying file 'macros/lt~obsolete.m4'
configure.ac:25: installing './ar-lib'
configure.ac:23: installing './compile'
configure.ac:36: installing './config.guess'
configure.ac:36: installing './config.sub'
configure.ac:13: installing './install-sh'
configure.ac:13: installing './missing'
Makefile.am: installing './depcomp'
# ./configure & output info:
./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a race-free mkdir -p... ./install-sh -c -d
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking whether make supports nested variables... (cached) yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether gcc understands -c and -o together... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for ar... ar
checking the archiver (ar) interface... ar
checking whether make sets $(MAKE)... (cached) yes
checking for go... true
./configure: line 4873: PKG_PROG_PKG_CONFIG: not found
checking build system type... x86_64-pc-linux-musl
checking host system type... x86_64-pc-linux-musl
checking how to print strings... printf
checking for a sed that does not truncate output... /bin/sed
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for fgrep... /bin/grep -F
checking for ld used by gcc... /usr/x86_64-alpine-linux-musl/bin/ld
checking if the linker (/usr/x86_64-alpine-linux-musl/bin/ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm -B
checking the name lister (/usr/bin/nm -B) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 98304
checking how to convert x86_64-pc-linux-musl file names to x86_64-pc-linux-musl format... func_convert_file_noop
checking how to convert x86_64-pc-linux-musl file names to toolchain format... func_convert_file_noop
checking for /usr/x86_64-alpine-linux-musl/bin/ld option to reload object files... -r
checking for file... file
checking for objdump... objdump
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for archiver @FILE support... @
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm -B output from gcc object... ok
checking for sysroot... no
checking for a working dd... /bin/dd
checking how to truncate binary pipes... /bin/dd bs=4096 count=1
checking for mt... no
checking if : is a manifest tool... no
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fPIC -DPIC
checking if gcc PIC flag -fPIC -DPIC works... yes
checking if gcc static flag -static works... yes
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/x86_64-alpine-linux-musl/bin/ld -m elf_x86_64) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating Doxyfile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
----------------------------------------------------------------------
libcoraza Version UNKNOWN configuration:
OS Type Linux
Prefix /usr/local
Preprocessor gcc -E
C Compiler gcc -g -O2
Go Version go1.21.8
-----------------------------------------------------------------------
# ./configure | grep no & output info
./configure | grep no
checking whether we are cross compiling... no
checking for gcc option to enable C11 features... none needed
./configure: line 4873: PKG_PROG_PKG_CONFIG: not found
checking for a sed that does not truncate output... /bin/sed
checking how to convert x86_64-pc-linux-musl file names to x86_64-pc-linux-musl format... func_convert_file_noop
checking how to convert x86_64-pc-linux-musl file names to toolchain format... func_convert_file_noop
checking for dlltool... no
checking for sysroot... no
checking for mt... no
checking if : is a manifest tool... no
checking if gcc supports -fno-rtti -fno-exceptions... no
checking whether -lc should be explicitly linked in... no
# make & ouput info
make
go tool cgo -exportheader coraza/coraza.h libcoraza/coraza.go libcoraza/log.go
go build -buildmode=c-archive -o libcoraza.a libcoraza/coraza.go libcoraza/log.go
go build -buildmode=c-shared -o libcoraza.so libcoraza/coraza.go libcoraza/log.go
make all-am
make[1]: Entering directory '/tmp/libcoraza'
make[1]: Leaving directory '/tmp/libcoraza'
Configure and make work correctly, but when doing make install I receive the following error:
# make install & output info
make install
make[1]: Entering directory '/tmp/libcoraza'
make[1]: Nothing to be done for 'install-exec-am'.
make all-am
make[2]: Entering directory '/tmp/libcoraza'
make[2]: Leaving directory '/tmp/libcoraza'
CC tests/simple_get.o
tests/simple_get.c: In function 'main':
tests/simple_get.c:26:28: warning: passing argument 2 of 'coraza_set_log_cb' from incompatible pointer type [-Wincompatible-pointer-types]
26 | coraza_set_log_cb(waf, logcb);
| ^~~~~
| |
| void (*)(void *, const void *)
In file included from tests/simple_get.c:3:
cgo-gcc-export-header-prolog:89:63: note: expected 'coraza_log_cb' {aka 'void (*)(const void *)'} but argument is of type 'void (*)(void *, const void *)'
CCLD tests/simple_get
make tests/simple_get
make[2]: Entering directory '/tmp/libcoraza'
make[2]: 'tests/simple_get' is up to date.
make[2]: Leaving directory '/tmp/libcoraza'
./tests/simple_get
Starting...
make[1]: *** [Makefile:851: check] Segmentation fault (core dumped)
make[1]: Leaving directory '/tmp/libcoraza'
make: *** [Makefile:702: install-am] Error 2
In case of SecRuleEngine DetectionOnly the intervention call gives back a NULL (nil) #233
This is a reference to: corazawaf/coraza#233 by @airween
Add SWIG support
Many connectors will be born once this project is production-ready. We must keep in focus SWIG compatibility for the final v1 release.
SWIG is a software development tool that connects programs written in C and C++ with a variety of high-level programming languages. SWIG is used with different types of target languages including common scripting languages such as Javascript, Perl, PHP, Python, Tcl and Ruby.
- Add some macros for compatibility
- Make documentation compatible
- Document the building process
- Add it to the Makefile
Run FTW for testing
Like every other connector this library should be tested under FTW
Run e2e for nginx/apache on CI
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.