chore: adds kong example.
This PR attempts to run kong with coraza-proxy-wasm enabled, kind of following https://github.com/Kong/proxy-wasm-hello-world
Limitations:
- Kong proxy wasm runtime does not support host calls relative to metrics (e.g. DefineCounterMetric)
- Some rules that attempt to modify the response body are failing as the response body has been already sent (to confirm)
Things to sort out:
- Verify if at least this can pass the e2e test
- Turn into docker compose
- Get someone from Kong involved
Yeah, my bad. I should have opened this PR as a draft. Not sure if this will ever be in the main project (I truly hope so) unless proxy-wasm gets serious support from Kong, but I was still curious whether this would work or not. Turning this into docker-compose was my first approach, but I failed and ended up using the quickstart script.
On Mon, 6 Feb 2023, 01:16 Anuraag Agrawal, @.***> wrote:
@.**** commented on this pull request.
Let's rename the folder to examples and move the current one to an envoy subfolder
In example/kong/Makefile https://github.com/corazawaf/coraza-proxy-wasm/pull/144#discussion_r1096837483 :
@@ -0,0 +1,30 @@ +#!/bin/bash
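Review bot: the first added line of example/kong/Makefile is `#!/bin/bash`, so a file named Makefile reads as a shell script. If the body is shell, give it a script name (for example a .sh file) and make it executable; if it is meant to be driven by make, drop the shebang and express the steps as targets.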
Let's use a docker-compose instead like the other example
@jcchavezs Hi! Hisham from Kong's WasmX team here — it's really cool that you're giving this a go! A lot has happened on our end since the tech preview container we released at Kong Summit 2022; we want to make some more updates public in the near future, but AFAIK there's no confirmed ETA yet.
I just looked at your PR diff and haven't actually played with it, but it looks like with these changes you succeeded loading your filter into the gateway using the tech preview container, right? Nice!
> Verify if at least this can pass the e2e test
Very curious about this! I briefly looked at e2e/e2e-example.sh — given a Kong instance configured with the same ports and filter settings, in principle if all goes well that script should be able to run unmodified, right?
> Get someone from Kong involved
You can get this box checked :)
Thanks for showing up @hishamhm
> we want to make some more updates public in the near future, but AFAIK there's no confirmed ETA yet.
Any chance you can run a kong example with the e2e enabled with your internal image?
> I just looked at your PR diff and haven't actually played with it, but it looks like with these changes you succeeded loading your filter into the gateway using the tech preview container, right? Nice!
Yes, I think we can do better at providing examples when the config string is complex (e.g. in our case it is a JSON where strings hold quotes inside).
> Very curious about this! I briefly looked at e2e/e2e-example.sh — given a Kong instance configured with the same ports and filter settings, in principle if all goes well that script should be able to run unmodified, right?
Yeah I will try that one once I have some time.
> You can get this box checked :)

Awesome, thanks. Are you in any Slack? Would be cool to have a few words.
@hishamhm I am having an issue using Kong in docker-compose. Basically kong can contact upstream, see https://github.com/corazawaf/coraza-proxy-wasm/pull/144/files#diff-c237865426ae84633a58c9aad1bd2ccb628bf43cff4ecbb262561aa534d8449dR24. Any clue?
@jcchavezs hi, I was away on vacation, but I'm back now and I'll take a look at this as soon as I can!
Friendly ping @hishamhm
@jcchavezs Hi José — I gave this branch a try. It's been a long time since I last used Docker Compose, and I'm unfamiliar with Mage, so I hacked my way around them until I got something running in the Kong logs.
Here's a gist with all of my quick-and-dirty tweaks.
At first glance, it seemed to me that the problem with the configuration wasn't actually Kong-specific?... In your service-provisioner.sh script, were you able to talk to your httpbin upstream directly, without going through Kong? I tweaked it a bit so that http to httpbin worked directly, then I tried going at it through Kong. I also simplified the docker-compose configuration by replacing the Postgres database with a database-less Kong configuration, specifying the route, service and plugin directly in the declarative config file. I managed to get the request through, and the error messages indicate that the filter did run:
kong-kong-1 | 172.18.0.4 - - [14/Mar/2023:21:11:41 +0000] "GET / HTTP/1.1" 200 17781 "-" "HTTPie/0.9.2"
kong-kong-1 | 2023/03/14 21:11:41 [warn] 2162#0: *2370 failed to get source address: error status returned by host: not found, client: 172.18.0.4, server: kong, request: "GET / HTTP/1.1", host: "kong:8000"
kong-kong-1 | 2023/03/14 21:11:41 [warn] 2162#0: *2370 failed to get destination address: error status returned by host: not found, client: 172.18.0.4, server: kong, request: "GET / HTTP/1.1", host: "kong:8000"
kong-kong-1 | 2023/03/14 21:11:41 [crit] 2162#0: *2370 /%!(EXTRA T=GET, T=HTTP/2.0), client: 172.18.0.4, server: kong, request: "GET / HTTP/1.1", host: "kong:8000"
kong-kong-1 | 2023/03/14 21:11:41 [crit] 2162#0: *2370 failed to get request headers: error status returned by host: not found, client: 172.18.0.4, server: kong, request: "GET / HTTP/1.1", host: "kong:8000"
kong-httpbin-1 | time="2023-03-14T21:11:41.6085" status=200 method="GET" uri="/" size_bytes=11133 duration_ms=0.30 user_agent="HTTPie/0.9.2" client_ip=172.18.0.4
kong-kong-1 | 2023/03/14 21:11:41 [crit] 2162#0: *2370 [client ""] Coraza: Warning. Inbound Anomaly Score Exceeded (Total Score: 0) [file "@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "0"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 0)"] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname ""] [uri "/"] [unique_id "mFPOhCJCcgpsAymuCZd"]
kong-kong-1 | while reading response header from upstream, client: 172.18.0.4, server: kong, request: "GET / HTTP/1.1", upstream: "http://172.18.0.2:8080/", host: "kong:8000"
kong-kong-1 | 2023/03/14 21:11:41 [error] 2162#0: *2370 [wasm] trap in proxy_on_response_headers: response already sent <module: "main", vm: "main", runtime: "wasmer"> while reading response header from upstream, client: 172.18.0.4, server: kong, request: "GET / HTTP/1.1", upstream: "http://172.18.0.2:8080/", host: "kong:8000"
kong-kong-1 | 172.18.0.4 - - [14/Mar/2023:21:11:41 +0000] "GET / HTTP/1.1" 500 46 "-" "HTTPie/0.9.2"
kong-service-provisioner-1 | {
kong-service-provisioner-1 | "message":"An unexpected error occurred"
kong-service-provisioner-1 exited with code 0
These errors such as failed to get source address: error status returned by host: not found are probably caused by the Kong image being too old and missing proper support for those properties — I haven't tried it yet with a more recent build.
I assume you already ran the filter on Kong without the docker-compose environment — did you get it running further than what the logs above show?
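Added example, not part of the thread or of either project's code: a small triage script for the Kong error log shown above. It groups lines by nginx connection id and reports which proxy-wasm host calls failed, which callbacks trapped, and which Coraza rule ids logged, so you can tell when the WAF evaluated a request without seeing its headers. The sample lines are copied from the log in this comment; the function names and regexes are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Log lines copied from the comment above (docker-compose prefix kept).
SAMPLE = '''kong-kong-1 | 2023/03/14 21:11:41 [warn] 2162#0: *2370 failed to get source address: error status returned by host: not found, client: 172.18.0.4, server: kong, request: "GET / HTTP/1.1", host: "kong:8000"
kong-kong-1 | 2023/03/14 21:11:41 [warn] 2162#0: *2370 failed to get destination address: error status returned by host: not found, client: 172.18.0.4, server: kong, request: "GET / HTTP/1.1", host: "kong:8000"
kong-kong-1 | 2023/03/14 21:11:41 [crit] 2162#0: *2370 failed to get request headers: error status returned by host: not found, client: 172.18.0.4, server: kong, request: "GET / HTTP/1.1", host: "kong:8000"
kong-kong-1 | 2023/03/14 21:11:41 [crit] 2162#0: *2370 [client ""] Coraza: Warning. Inbound Anomaly Score Exceeded (Total Score: 0) [file "@owasp_crs/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "0"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 0)"] [data ""] [severity "emergency"] [ver "OWASP_CRS/4.0.0-rc1"] [maturity "0"] [accuracy "0"] [tag "anomaly-evaluation"] [hostname ""] [uri "/"] [unique_id "mFPOhCJCcgpsAymuCZd"]
kong-kong-1 | 2023/03/14 21:11:41 [error] 2162#0: *2370 [wasm] trap in proxy_on_response_headers: response already sent <module: "main", vm: "main", runtime: "wasmer"> while reading response header from upstream, client: 172.18.0.4, server: kong, request: "GET / HTTP/1.1", upstream: "http://172.18.0.2:8080/", host: "kong:8000"
'''

# nginx error-log shape: [level] pid#tid: *conn message, client: ...
ERR = re.compile(r"\[(?:warn|crit|error)\] \d+#\d+: \*(?P<conn>\d+) (?P<msg>.*?)(?:, client: |$)")
HOST_FAIL = re.compile(r"failed to get (?P<what>.+?): error status returned by host")
TRAP = re.compile(r"\[wasm\] trap in (?P<cb>\w+): (?P<reason>.+?) <module")
RULE_ID = re.compile(r'Coraza: .*?\[id "(?P<id>\d+)"\]')


def triage(text):
    """Group filter-related log lines by connection id."""
    report = defaultdict(lambda: {"host_call_failures": [], "traps": [], "rule_ids": []})
    for line in text.splitlines():
        m = ERR.search(line)
        if not m:
            continue  # access-log lines, upstream logs, continuation lines
        entry, msg = report[m["conn"]], m["msg"]
        if (h := HOST_FAIL.search(msg)):
            entry["host_call_failures"].append(h["what"])
        elif (t := TRAP.search(msg)):
            entry["traps"].append((t["cb"], t["reason"]))
        elif (r := RULE_ID.search(msg)):
            entry["rule_ids"].append(r["id"])
    return dict(report)


def waf_blind(entry):
    """True when the filter could not read request headers for this connection."""
    return "request headers" in entry["host_call_failures"]


if __name__ == "__main__":
    for conn, entry in triage(SAMPLE).items():
        print(conn, "blind" if waf_blind(entry) else "ok", entry)
```
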
Thanks a lot @hishamhm, indeed your changes improved the experience; however, as you point out, proxy wasm fails to get headers. Is there any chance we can try this with a more recent image? It would be cool to at least try rules in phase 1 (those about URI and request headers). If not, do you have a date when those are available? Wasmio 2023 is next week and it could be really cool to have this at least in a PoC.

> Wasmio 2023 is next week and it could be really cool to have this at least in a PoC.
@jcchavezs I don't think we'll have a new public snapshot ready by then, but @casimiro from our team will be at the conference. If you or anyone from your team happen to be there, make sure to get in touch!
Heads up https://github.com/Kong/ngx_wasm_module
@jcchavezs Are Go changes planned to be merged into main? (Bare-minimal to make it work with Kong)
I think this PR needs an owner to get to the merge, basically verify the example works.
On Mon, Jul 1, 2024 at 7:15 PM s3rj1k @.***> wrote:
@jcchavezs https://github.com/jcchavezs Are go changes planned to be merged into main? (Bare-minimal to make it work with Kong)
Btw, we now support metrics in ngx_wasm_module since last week. An upcoming release of Kong Gateway will include the latest ngx_wasm_module (no timeline yet, probably later this month or next).
@thibaultcha Do we have some documentation for quick start with coraza-wasm+ngx_wasm_module?
@s3rj1k Not that I know of. We have lots of documentation for ngx_wasm_module, and I'm sure coraza-wasm has its own documentation which should be more than enough.
> Not that I know of
I mean do you test that integration somehow in Kong? Maybe some Dockerfile? Or it just was some manual one-shot test from Kong side? (Not being negative here, just trying to understand maybe we already have some work done)
We do not have a continuous integration suite for each Proxy-Wasm filter, I don't think that would be very sustainable... All of our tests for existing Proxy-Wasm filters (coraza-wasm or others) are one-off.
> are one-off
I see, thanks, so in case I would want to test this it should work on Kong/ngx_wasm_module HEAD + this PR? cc @jcchavezs