unable to import github.com/corazawaf/coraza/v3

Open zetaab opened this issue 2 years ago • 3 comments

The following program sample.go triggers an unexpected result

package main

// yaegi:tags purego
import (
        "fmt"

        "github.com/corazawaf/coraza/v3"
)


func main() {
        waf, err := coraza.NewWAF(coraza.NewWAFConfig().
                WithDirectives(`SecRule REMOTE_ADDR "@rx .*" "id:1,phase:1,deny,status:403"`))
        // Now we parse our rules
        if err != nil {
                fmt.Println(err)
        }
        fmt.Printf("%+v\n", waf)
}

Expected result

% go run main.go
{waf:0x14000174000}

Got

% yaegi ./main.go
run: ./main.go:7:2: import "github.com/corazawaf/coraza/v3" error: /path/to/go/src/project/name/vendor/github.com/corazawaf/coraza/v3/config.go:11:2: import "github.com/corazawaf/coraza/v3/internal/corazawaf" error: /path/to/go/src/project/name/vendor/github.com/corazawaf/coraza/v3/internal/corazawaf/rule.go:13:2: import "unsafe" error: unable to find source related to: "unsafe"

Yaegi Version

0.15.1

Additional Notes

With unsafe being blocked by default in traefik, we cannot develop a coraza WAF plugin, which will be the next generation for modsecurity.

zetaab avatar Sep 04 '23 09:09 zetaab

Encountering similar problems. It seems like there are many problems; not very mature.

litao09h avatar Dec 20 '23 07:12 litao09h

Such a shame, I also got a similar error.

alarbada avatar Mar 13 '24 19:03 alarbada

Hello everyone! I tried to set up coraza in traefik. Here are my thoughts; maybe somebody could find them useful.

I wanted to use coraza WAF and started looking at the available solutions. Here is what I have tried.

coraza-http-wasm-traefik

Beta stage option. It is embedded in traefik as middleware and works during processing, but there is a memory leak. A small investigation showed (by commenting on pieces of code and searching for leaks) that the garbage collector is not working well. And it is archived with the following message:


nottinygc was an interesting experiment to bring OK performance to Wasm binaries compiled with Go. But there are fundamental issues with using GC languages in a sandboxed environment like Wasm - this still applies even after the Wasm GC proposal, and is even worse before it. The wasilibs recommendation is to use a non-GC language such as C++, Rust, or similar, when compiling to Wasm and to not use Go.


I realized that I should leave it as it is. Rewriting coraza into another language to transfer to wasm seems a big task.

coraza-yaegi

Traefik has a second option for the plugin - using its own interpreter Yaegi.

Not working out of the box (Issue 1) due to the unsafe keyword. I tried to build a patched traefik with the addition of i.Use(unsafe.Symbols) into the project. But then the issues of the interpreter went further.

The first mistake was:

import \"github.com/corazawaf/coraza/v3/internal/memoize\" error: plugins-local/src/github.com/blackyi/coraza/vendor/github.com/corazawaf/coraza/v3/internal/memoize/nosync.go:10:12: not enough arguments in call to makeDoer

Memoization is good, of course, but optional. It could be dealt with later, but now I was trying to figure out how much work I needed to do. Commented it out. Next, the following error popped up - The use of goto statements does not work:

import \"github.com/tidwall/gjson\" error: plugins-local/src/github.com/blackyi/coraza/vendor/github.com/tidwall/gjson/gjson.go:1857:3: undefined: loop"
github.com/corazawaf/coraza/v3/internal/bodyprocessors/json.go:11:2: import \"github.com/tidwall/gjson\" error: plugins-local/src/github.com/blackyi/coraza/vendor/github.com/tidwall/gjson/gjson.go:2415:3: undefined: key"

It showed me that the interpreter has problems with code in the project dependencies. I also commented it out to understand the depth of the rabbit hole. And on the next mistake, I gave up. I realized that there was too much work to do.

error: plugins-local/src/github.com/blackyi/coraza/vendor/golang.org/x/net/html/parse.go:688:46: cannot use type func(*html.parser) bool as type func(*unsafe2.dummy) bool

I decided that this information might be useful. But for now, the most working option is to use coraza-spoa. Or, by the same analogy, write a plugin for traefik that redirects processing to another service.

blacky-i avatar Aug 06 '24 08:08 blacky-i
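
A pre-flight check for the failures reported in this thread, as an added example that is not part of the original issue and is not Yaegi, Traefik or Coraza code: it parses a Go source file with the standard library and flags `import "unsafe"` and `goto` statements, the two source-level constructs the comments above report failing. The names `ScanSource`, `Finding` and `sampleDep` are hypothetical, and the sample file is constructed.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strconv"
)
type Finding struct{ Pos, Reason string } // one construct this thread reports failing under Yaegi

// ScanSource flags `import "unsafe"` and goto statements in one Go file.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, parser.SkipObjectResolution)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, imp := range file.Imports {
		// Unquote handles both "unsafe" and `unsafe` spellings of the path.
		if p, _ := strconv.Unquote(imp.Path.Value); p == "unsafe" {
			out = append(out, Finding{fset.Position(imp.Pos()).String(), `import "unsafe"`})
		}
	}
	ast.Inspect(file, func(n ast.Node) bool {
		if b, ok := n.(*ast.BranchStmt); ok && b.Tok == token.GOTO {
			out = append(out, Finding{fset.Position(b.Pos()).String(), "goto " + b.Label.Name})
		}
		return true
	})
	return out, nil
}

// sampleDep is a constructed stand-in for a vendored dependency file.
const sampleDep = `package dep

import _ "unsafe"

func spin(n int) {
loop:
	if n--; n > 0 {
		goto loop
	}
}
`

func main() {
	fmt.Println(ScanSource("vendor/example/dep.go", sampleDep))
}
```

Running `ScanSource` over every `.go` file under a plugin's `vendor` directory gives a list of dependencies to review before loading the plugin into the interpreter.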