Releases: madebymode/traefik-modsecurity-plugin
Releases · madebymode/traefik-modsecurity-plugin
v1.6.0
What's Changed
- v2 | CRSv4.3.0 Support by @troyxmccall in #13
- chore: version traefik and go to LTS by @troyxmccall in #14
BREAKING CHANGES
This would typically involve a v2 release, but traefik does not allow plugins over v1.x
https://community.traefik.io/t/failed-to-download-plugin/17155/2
- drop cached status code responses from OWASP, CRSv4 includes 500+ rules and many modern attack vectors involve cookies/headers, it is a security risk to cache these OWASP responses
- drop maxBodySize check as traefik already has built in middleware for checking bodySize
see example docker-compose for v1.6.0
version: "3.7"
services:
traefik:
image: traefik
ports:
- "80:80"
- "8080:8080"
command:
- "--log.level=DEBUG"
- "--accesslog=true"
- --api.dashboard=true
- --api.insecure=true
- --experimental.plugins.traefik-modsecurity-plugin.modulename=github.com/madebymode/traefik-modsecurity-plugin
- --experimental.plugins.traefik-modsecurity-plugin.version=v1.6.0
- --providers.docker=true
- --entrypoints.http.address=:80
volumes:
- '/var/run/docker.sock:/var/run/docker.sock'
labels:
- traefik.enable=true
- traefik.http.services.traefik.loadbalancer.server.port=8080
# use traefiks built-in maxRequestBodyBytes middleware - there's no need for us to bake this ourselves
- traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=1048576
# owasp-crs 4.x uses port 8080
- traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.modSecurityUrl=http://waf:8080
# enable our 429 jail for repeat 403 (OWASP blocks) offenders - experimental
- traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.jailEnabled=true
waf:
image: owasp/modsecurity-crs:4.3.0-apache-alpine-202406090906
environment:
- PARANOIA=1
- ANOMALY_INBOUND=10
- ANOMALY_OUTBOUND=5
- BACKEND=http://dummy
# New in CRS 4
- REPORTING_LEVEL=2
#######################################################
# ModSecurity ENV Variables
#######################################################
- MODSEC_AUDIT_LOG_FORMAT=JSON
- MODSEC_RULE_ENGINE=On
dummy:
image: traefik/whoami
website-with-waf:
image: traefik/whoami
labels:
- traefik.enable=true
- traefik.http.routers.website-with-waf.rule=PathPrefix(`/website`)
- traefik.http.routers.website-with-waf.middlewares=waf@docker
website:
image: traefik/whoami
labels:
- traefik.enable=true
- traefik.http.routers.website.rule=PathPrefix(`/bypass`)Full Changelog: v1.5.0...v1.6.0
Contributors
troyxmccall
Assets 2
v1.5.0
What's Changed
- New Defaults: by @troyxmccall in #8
- deps: bump OWASP image by @troyxmccall in #8
- patch: bump GitHub actions builders to nodev20 by @troyxmccall in #9
- build(deps): bump gopkg.in/yaml.v3 from 3.0.0-20200313102051-9f266ea9e77c to 3.0.0 by @dependabot in #10
Full Changelog: v1.4.6...v1.5.0
Contributors
troyxmccall and dependabot
Assets 2
v1.4.6
v1.4.5
v1.4.4
v1.4.3
1.4.3 (2023-05-04)
Manual release bc I apparently can't write valid Semantic commits (will work on this)
Bug Fixes
v1.4.2
v1.4.1
v1.4.0
feature: swap modsecurity to use nginx and alpine for faster response and processing
feature: net.Dialer & http.Transport for optimal performance (especially with 200's)
feature: cache layer in our plugin that can cache responses from modsecurity