Skip to content

v1.6.0

Latest
Latest
Compare
Choose a tag to compare
@troyxmccall troyxmccall released this 24 Jun 13:48
· 1 commit to main since this release
v1.6.0
723da0d

What's Changed

BREAKING CHANGES

This would typically involve a v2 release, but traefik does not allow plugins over v1.x

https://community.traefik.io/t/failed-to-download-plugin/17155/2

  • drop cached status code responses from OWASP, CRSv4 includes 500+ rules and many modern attack vectors involve cookies/headers, it is a security risk to cache these OWASP responses
  • drop maxBodySize check as traefik already has built in middleware for checking bodySize

see example docker-compose for v1.6.0

version: "3.7"

services:
  traefik:
    image: traefik
    ports:
      - "80:80"
      - "8080:8080"
    command:
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - --api.dashboard=true
      - --api.insecure=true
      - --experimental.plugins.traefik-modsecurity-plugin.modulename=github.com/madebymode/traefik-modsecurity-plugin
      - --experimental.plugins.traefik-modsecurity-plugin.version=v1.6.0
      - --providers.docker=true
      - --entrypoints.http.address=:80
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
    labels:
      - traefik.enable=true
      - traefik.http.services.traefik.loadbalancer.server.port=8080
      # use traefiks built-in maxRequestBodyBytes middleware - there's no need for us to bake this ourselves
      - traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=1048576
      # owasp-crs 4.x uses port 8080
      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.modSecurityUrl=http://waf:8080
      # enable our 429 jail for repeat 403 (OWASP blocks) offenders - experimental 
      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.jailEnabled=true

  waf:
    image: owasp/modsecurity-crs:4.3.0-apache-alpine-202406090906
    environment:
      - PARANOIA=1
      - ANOMALY_INBOUND=10
      - ANOMALY_OUTBOUND=5
      - BACKEND=http://dummy
      # New in CRS 4
      - REPORTING_LEVEL=2

      #######################################################
      # ModSecurity ENV Variables
      #######################################################

      - MODSEC_AUDIT_LOG_FORMAT=JSON
      - MODSEC_RULE_ENGINE=On

  dummy:
    image: traefik/whoami

  website-with-waf:
    image: traefik/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.website-with-waf.rule=PathPrefix(`/website`)
      - traefik.http.routers.website-with-waf.middlewares=waf@docker
  website:
    image: traefik/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.website.rule=PathPrefix(`/bypass`)

Full Changelog: v1.5.0...v1.6.0

Contributors

troyxmccall
Assets 2
Loading