Nginx & Apache support

[ms217]

Hi everyone

Just wanted to ask what the general plan is for Nginx and Apache support?
Will both webservers be supported in the near future?

[jptosso]

Hey! Although this is strategic for us and there are multiple ongoing efforts, there are no official announcements for this yet.
There is a huge chance that we might replace this with wasm, technically you can run coraza on nginx using this module: https://github.com/api7/wasm-nginx-module

[ms217]

Hey Juan
Thank your for your answer.

I will take a look at the WebAssembly implementation for Nginx.

[ms217]

Hello Juan

currently I fiddle around with the webassembly (built from source) and I'm trying to load it in Apache via the mod_wasm module.

I can see in the apache log files that the wasm module is generally responsive if I don't add any WasmEnv statements in the vhost file, mod_wasm will respond with the following error message:

ERROR: C-API: Can't run Wasm execution context '78AD5913'! "ERROR! Can't instantiate module! unknown import: env::proxy_set_effective_context has not been defined"

So, I'm still missing something.

I tried already to initiate Coraza but that did not work. Neither with the direct traditional modsecurity SecLang syntax nor when prefixing the SecLang syntax with "WasmEnv" or "WasmArg" which are probably both wrong for that case, or do I need to use the syntax described here: https://coraza.io/docs/tutorials/quick-start/#create-a-waf-instance

Are there any examples anywhere out there since you mentioned that it would technically work on nginx with the wasm-nginx-module?

[jcchavezs]

Hi @ms217, thanks for reaching out. What I think you are trying to do is to compile coraza-proxy-wasm and use it with mod_wasm. I think there is a confusion here: coraza-proxy-wasm is a project that allows to use coraza in a proxy-wasm environment (which is a specific ABI that works in certain proxies, notably envoy, experimentally in Kong and nginx (using a custom extension). In the other hand, mod_wasm is an Apache extension which allows you to run wasm binaries reading from stdin and writing to stdout (completely different ABI) using WASI. Hence the errors you are seeing are completely fine. What is more, mod_wasm isn't a way to run a wasm binary as a proxy but to **run a wasm binary under a URI in Apache**, whether your wasm binary outputs html or text it does not act as a proxy (and won't be given the inability of wasi to call other hosts as part of the interface). I know this is confusing and there are a lot of jargon and acronyms that makes this hard to digest if you don't work with wasm but to summarize it, imagine you want to run a go (main.go) file using bash (sh main.go), it simply won't work. Finally, I started myself a try of compiling coraza to be run in mod_wasm as an standalone endpoint so in case you want to try it I can push it to a sample repo. My idea was to turn that endpoint into a proxy but it is not possible ATM. Do not hesitate to ping me if any further doubt, I am also on the OWASP slack.

…

On Mon, 6 Mar 2023, 15:05 Michael Seevogel, ***@***.***> wrote: Hello Juan I'm currently fiddling around with the webassembly (built from source) and I'm trying to load it in Apache via the mod_wasm <https://github.com/vmware-labs/mod_wasm> module. I can see in the apache log files that the wasm module is generally responsive if I don't add any WasmEnv statements in the vhost file, mod_wasm will respond with the following error message: ERROR: C-API: Can't run Wasm execution context '78AD5913'! "ERROR! Can't instantiate module! unknown import: env::proxy_set_effective_context has not been defined" So, I'm still missing something. I tried already to initiate Coraza but that did not work. Neither with the direct traditional modsecurity SecLang syntax nor when prefixing the SecLang syntax with "WasmEnv" or "WasmArg" which are probably both wrong for that case, or do I need to use the syntax described here: https://coraza.io/docs/tutorials/quick-start/#create-a-waf-instance Are there any examples anywhere out there since you mentioned that it would work on nginx? — Reply to this email directly, view it on GitHub <#557 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAXOYAVDJ4EF3ZDATG6O75LW2XVMNANCNFSM6AAAAAATNS35TY> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[ms217]

Hi @jcchavezs
Thanks for the explanation. I had already that feeling that mod_wasm wasn't working together with Coraza.
Either way, coraza+mod_wasm was my only straw to try something else than modsecurity with Apache.

I can generally try it as an standalone endpoint as you suggest, if that is something that is maintained also in the future then I'm happy to try it.
As a standalone endpoint, coraza will be probably slower than modsecurity or can one expect it to have about the same level of performance?

[jptosso]

There are official efforts underway #803