Skip to main content
logoTetrate Enterprise Gateway for EnvoyVersion: next

Using the Built-in "Coraza" Web Application Firewall in Tetrate Enterprise Gateway

The Web Application Firewall (WAF) in Tetrate Enterprise Gateway (TEG) examines both inbound and outbound HTTP traffic to identify threats such as attack attempts, malformed traffic, and data exfiltration. By utilizing signature matching, TEG's built-in WAF, powered by Coraza, can block suspicious traffic, issue alerts, and log incidents for further investigation.

Configuration

Coraza is an open-source, high-performance WAF using the widely-accepted mod_security SecLang rules format. It comes pre-configured with the OWASP Core Rule Set (CRS), version 4.25.0 at the time of this writing, which can be customized to fit specific security needs.

Enabling the WAF

Starting with TEG v1.8.2, the default data-plane Envoy image bundles the Coraza WAF module, so the WAF works out of the box — you no longer need to override the Envoy Proxy image in your Helm values to enable it. Simply attach an ExtendedSecurityPolicy to your Gateway as described below.

FIPS deployments

FIPS deployments must still override the Envoy Proxy image with the FIPS variant, which bundles the FIPS-compliant WAF module. See Install FIPS-validated TEG for details.

Attaching ExtendedSecurityPolicy to Gateway

WAF can be configured as part of the ExtendedSecurityPolicy resource, which is attached to a Gateway. In short, the ExtendedSecurityPolicy resource allows you to define WAF rules, and the WAF filter will be attached to the Gateways. For details, see API documentation for Extended SecurityPolicy.

First, let's deploy an example application. Then, apply an ExtendedSecurityPolicy as follows:

apiVersion: teg.tetrate.io/v1alpha1
kind: ExtendedSecurityPolicy
metadata:
name: attach-waf
namespace: httpbin
spec:
targetRefs:
- name: dedicated-gateway
kind: Gateway
group: gateway.networking.k8s.io
waf: {} # Let's use the default WAF policy.

where we attach the ExtendedSecurityPolicy to the dedicated-gateway Gateway in the httpbin namespace. The waf: {} field indicates that we want to use the default WAF policy.

Let's attempt a malicious request:

curl -i "http://${DEDICATED_GATEWAY_IP}/httpbin/get?arg=<script>alert(0)</script>"

A 403 Forbidden response indicates Coraza has successfully identified the request as a potential XSS attack. Further evidence can be found in the gateway's proxy access logs.

Customizing WAF Rules

FIPS compliant WAF

If you are using the FIPS compliant images, there are certain primitives and settings that cannot be used that would cause errors at runtime, as they would trigger crypto functions not allowed in FIPS:

  • t:md5 and t:sha1 transformations.
  • Enabling CRS default collections via rule 900130 or by manually setting tx.enable_default_collections.
  • Enabling CRS sampling via rule 900400 or by manually setting tx.sampling_percentage to a value lower than 100.

Default Configuration

The default WAF policy is as follows:

waf-config.yaml
apiVersion: teg.tetrate.io/v1alpha1
kind: ExtendedSecurityPolicy
spec:
waf:
directives: |
Include /etc/teg/waf/teg-default.conf
Include @crs-setup.conf
Include @owasp_crs/*.conf

where you can put the WAF directives into the directives field.

The TEG Envoy image packages the default WAF tuning directives in /etc/teg/waf/teg-default.conf, so custom WAF configurations can include TEG's default Coraza settings directly and override only the directives that need to change.

Detailed explanations:

  • /etc/teg/waf/teg-default.conf: Loads Coraza's base settings from @coraza.conf, then applies TEG's default WAF tuning. TEG's defaults set SecRuleEngine On, SecDebugLogLevel 2, conservative 4096-byte request and response body inspection limits, SecRequestBodyLimitAction ProcessPartial, SecResponseBodyLimitAction ProcessPartial, and SecResponseBodyAccess Off.
  • SecRuleEngine On: Activates blocking of detected threats. You can override this after including /etc/teg/waf/teg-default.conf, for example with SecRuleEngine DetectionOnly.
  • SecDebugLogLevel 2: Keeps Coraza warning logs useful while avoiding verbose debug output by default.
  • SecRequestBodyLimit 4096, SecRequestBodyInMemoryLimit 4096, and SecRequestBodyLimitAction ProcessPartial: Keep request body inspection below Envoy Gateway's default buffer limit and process partial bodies instead of rejecting traffic only because the body is larger than TEG's conservative inspection window.
  • SecResponseBodyLimit 4096, SecResponseBodyLimitAction ProcessPartial, and SecResponseBodyAccess Off: Keep response body buffering conservative and non-disruptive by default. Response body inspection is disabled unless you explicitly opt in.
  • @crs-setup.conf: Loads the TEG-provided CRS setup file, which sets up the initial rules and operational parameters.
  • @owasp_crs/*.conf: Loads the OWASP CRS rule files from the bundled coraza core rule set dependency. These files implement the security measures, including request method enforcement and SQL injection detection rules.

Modifying and Testing New Rules

When modifying rules in the ExtendedSecurityPolicy, the sequence in which directives are listed is crucial; each setting must be strategically placed to ensure proper processing order. Here are steps to fine-tune the WAF behavior:

  1. Set Coraza to DetectionOnly mode to non-disruptively observe rule impacts:

    values.yaml
    directives:
    Include /etc/teg/waf/teg-default.conf
    SecRuleEngine DetectionOnly
    Include @crs-setup.conf
    Include @owasp_crs/*.conf
  2. Every log line associated with a triggered rule will contain the string Coraza: Warning. Review the gateway pod logs to identify triggered rules and adjust accordingly to balance security and usability.

  3. Once satisfied, switch SecRuleEngine back to On to enforce the rules.

For a detailed guide on rule tuning, refer to the OWASP rule tuning documentation.

If the configuration is invalid, you will see an error message in the logs of the TEG controller as well as it will be reflected on the status of ExtendedSecurityPolicy resource. Loading invalid configuration will not affect the ongoing traffic, and the WAF will continue to operate with the last valid configuration.