chore: adds kong example.

example/kong/README.md

@@ -0,0 +1,19 @@
+# Kong example
+
+## Getting started
+
+```shell
+METRICS=off mage build
+```
+
+In `example/kong` folder:
+
+```shell
+docker-compose up
+```
+
+In `e2e`:
+
+```shell
+ENVOY_HOST=localhost:8000 HTTPBIN_HOST=localhost:8080 ./e2e-example.sh
+```

example/kong/config/kong.yaml

@@ -0,0 +1,36 @@
+# a very minimal declarative config file
+_format_version: "1.1"
+_transform: true
+
+services:
+- name: httpbin
+  host: "httpbin"
+  path: "/"
+  port: 8080
+  protocol: http
+  routes:
+  - name: httpbin
+    methods:
+    - GET
+    paths:
+    - /
+    - /anything
+    - /uuid
+  plugins:
+  - name: proxy-wasm
+    config:
+      filters:
+      - name: main
+        config: '{
+           "rules": [
+              "Include @demo-conf",
+              "Include @crs-setup-demo-conf",
+              "SecRuleEngine DetectionOnly",
+              "SecDebugLogLevel 3",
+              "Include @owasp_crs/*.conf",
+              "SecRule REQUEST_URI \"@streq /uuid\" \"id:101,phase:1,t:lowercase,deny\"",
+              "SecRule REQUEST_BODY \"@rx maliciouspayload\" \"id:102,phase:2,t:lowercase,deny\"",
+              "SecRule RESPONSE_HEADERS::status \"@rx 406\" \"id:103,phase:3,t:lowercase,deny\"",
+              "SecRule RESPONSE_BODY \"@contains responsebodycode\" \"id:104,phase:4,t:lowercase,deny\""
+            ]
+        }'

example/kong/docker-compose.yaml

@@ -0,0 +1,72 @@
+# Inspired in https://github.com/Kong/docker-kong
+version: '3.9'
+
+volumes:
+  kong_prefix_vol:
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+  kong_tmp_vol:
+    driver_opts:
+      type: tmpfs
+      device: tmpfs
+
+networks:
+  kong-net:
+    external: false
+
+services:
+  kong:
+    image: "kong/incubator:gateway-wasmer-3.0.0.0"
+    user: "${KONG_USER:-kong}"
+    environment:
+      KONG_DATABASE: "off"
+      KONG_ADMIN_ACCESS_LOG: /dev/stdout
+      KONG_ADMIN_ERROR_LOG: /dev/stderr
+      KONG_PROXY_LISTEN: "${KONG_PROXY_LISTEN:-0.0.0.0:8000}"
+      KONG_ADMIN_LISTEN: "${KONG_ADMIN_LISTEN:-0.0.0.0:8001}"
+      KONG_PROXY_ACCESS_LOG: /dev/stdout
+      KONG_PROXY_ERROR_LOG: /dev/stderr
+      KONG_PREFIX: ${KONG_PREFIX:-/var/run/kong}
+      KONG_DECLARATIVE_CONFIG: "/opt/kong/kong.yaml"
+      KONG_WASM: "on"
+      KONG_WASM_MODULES: "/wasm/main.wasm"
+    networks:
+      - kong-net
+    ports:
+      # The following two environment variables default to an insecure value (0.0.0.0)
+      # according to the CIS Security test.
+      - "${KONG_INBOUND_PROXY_LISTEN:-0.0.0.0}:8000:8000/tcp"
+      - "${KONG_INBOUND_SSL_PROXY_LISTEN:-0.0.0.0}:8443:8443/tcp"
+      # Making them mandatory but undefined, like so would be backwards-breaking:
+      # - "${KONG_INBOUND_PROXY_LISTEN?Missing inbound proxy host}:8000:8000/tcp"
+      # - "${KONG_INBOUND_SSL_PROXY_LISTEN?Missing inbound proxy ssl host}:8443:8443/tcp"
+      # Alternative is deactivating check 5.13 in the security bench, if we consider Kong's own config to be enough security here
+
+      - "127.0.0.1:8001:8001/tcp"
+      - "127.0.0.1:8444:8444/tcp"
+    healthcheck:
+      test: [ "CMD", "kong", "health" ]
+      interval: 10s
+      timeout: 10s
+      retries: 10
+    restart: on-failure:5
+    read_only: true
+    volumes:
+      - kong_prefix_vol:${KONG_PREFIX:-/var/run/kong}
+      - kong_tmp_vol:/tmp
+      - ./config:/opt/kong
+      - ../../build:/wasm
+    security_opt:
+      - no-new-privileges
+    depends_on:
+      - httpbin
+
+  httpbin:
+    image: mccutchen/go-httpbin:v2.5.0
+    environment:
+      - MAX_BODY_SIZE=15728640 # 15 MiB
+    ports:
+      - 8080:8080
+    networks:
+      - kong-net

magefiles/magefile.go

@@ -172,6 +172,9 @@ func Build() error {
 	if os.Getenv("MEMSTATS") == "true" {
 		buildTags = append(buildTags, "memstats")
 	}
+	if os.Getenv("METRICS") == "false" {
+		buildTags = append(buildTags, "disable_metrics")
+	}
 
 	buildTagArg := fmt.Sprintf("-tags='%s'", strings.Join(buildTags, " "))
 

wasmplugin/metrics.go

@@ -1,6 +1,8 @@
 // Copyright The OWASP Coraza contributors
 // SPDX-License-Identifier: Apache-2.0
 
+//go:build !disable_metrics
+
 package wasmplugin
 
 import (

wasmplugin/metrics_off.go

@@ -0,0 +1,16 @@
+// Copyright The OWASP Coraza contributors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build disable_metrics
+
+package wasmplugin
+
+type wafMetrics struct{}
+
+func NewWAFMetrics() *wafMetrics {
+	return &wafMetrics{}
+}
+
+func (*wafMetrics) CountTX() {}
+
+func (*wafMetrics) CountTXInterruption(_ string, _ int) {}

wasmplugin/plugin.go

@@ -67,6 +67,10 @@ func (ctx *corazaPlugin) OnPluginStart(pluginConfigurationSize int) types.OnPlug
 		// buffering request body to files anyways.
 		WithRootFS(root)
 
+	for _, r := range config.rules {
+		proxywasm.LogInfof("- %s", r)
+	}
+
 	waf, err := coraza.NewWAF(conf.WithDirectives(strings.Join(config.rules, "\n")))
 	if err != nil {
 		proxywasm.LogCriticalf("Failed to parse rules: %v", err)
@@ -153,6 +157,7 @@ func (ctx *httpContext) OnHttpRequestHeaders(numHeaders int, endOfStream bool) t
 
 	ctx.httpProtocol = string(protocol)
 
+	proxywasm.LogCriticalf(uri, method, ctx.httpProtocol)
 	tx.ProcessURI(uri, method, ctx.httpProtocol)
 
 	hs, err := proxywasm.GetHttpRequestHeaders()
@@ -541,7 +546,6 @@ func retrieveAddressInfo(logger debuglog.Logger, target string) (string, int) {
 			logger.Debug().
 				Err(err).
 				Msg(fmt.Sprintf("Failed to get %s port", target))
-
 		}
 	}
 	return targetIP, targetPort