cebilon123 / waffle Goto Github PK
Web Application Firewall, made in Go.
License: MIT License
We need to introduce TLS as the first layer of the defense. Basically, after its introduction, we will be able to validate the client handshake, which will be useful to guard applications from botnets and related attacks, i.e. DDoS.
This is an email I've got:
hi, please add support for ratelimit by cf-connecting-ip? The original visitor IP address appears in an appended HTTP header called CF-Connecting-IP.
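The request above only works safely if the header is trusted selectively: CF-Connecting-IP is set by Cloudflare, but any client that reaches the WAF directly can set it too, which would let an attacker dodge their own limit or get a victim's address blocked. The following is an added example written for this page, not the project's own code. It honours the header only when the TCP peer is inside a trusted proxy range (the `trustedProxies` list and the hypothetical helper names are assumptions; 127.0.0.0/8 is included only so the code can be exercised locally, a deployment would load Cloudflare's published ranges) and keys a fixed-window limiter on the resulting address.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"strconv"
	"strings"
	"sync"
	"time"
)

// trustedProxies are the networks from which CF-Connecting-IP is believed.
// Constructed for this example; a real deployment loads Cloudflare's ranges.
var trustedProxies = mustCIDRs("127.0.0.0/8", "10.0.0.0/8")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// peerIP extracts the TCP peer address from RemoteAddr ("host:port").
func peerIP(remoteAddr string) net.IP {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	return net.ParseIP(host)
}

func fromTrustedProxy(ip net.IP) bool {
	for _, n := range trustedProxies {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP is the key the limiter counts on. The header is used only when
// the peer is a trusted proxy; otherwise the peer address itself is used.
func clientIP(r *http.Request) string {
	peer := peerIP(r.RemoteAddr)
	if fromTrustedProxy(peer) {
		if h := net.ParseIP(strings.TrimSpace(r.Header.Get("CF-Connecting-IP"))); h != nil {
			return h.String()
		}
	}
	if peer == nil {
		return r.RemoteAddr
	}
	return peer.String()
}

// limiter is a fixed-window counter per key, enough to show the wiring.
type limiter struct {
	mu      sync.Mutex
	limit   int
	window  time.Duration
	buckets map[string]*bucket
}

type bucket struct {
	start time.Time
	count int
}

func newLimiter(limit int, window time.Duration) *limiter {
	return &limiter{limit: limit, window: window, buckets: map[string]*bucket{}}
}

// allow returns false once a key has used up its window's budget.
func (l *limiter) allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.buckets[key]
	if !ok || now.Sub(b.start) >= l.window {
		l.buckets[key] = &bucket{start: now, count: 1}
		return true
	}
	if b.count >= l.limit {
		return false
	}
	b.count++
	return true
}

func (l *limiter) middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.allow(clientIP(r), time.Now()) {
			w.Header().Set("Retry-After", strconv.Itoa(int(l.window.Seconds())))
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	h := newLimiter(100, time.Minute).middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	}))
	log.Fatal(http.ListenAndServe(":8080", h))
}
```

The fixed window is deliberately simple; swapping in a token bucket changes only `allow`. The trust check is the part that matters: without it the header is attacker-controlled input.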
We need to have a YAML config in order to configure domains and IP addresses.
Currently, there is no way to visualize what requests are coming through our WAF. At the very beginning, we need a frontend that simply visualizes the incoming requests.
It could be done as a list of incoming requests and some kind of graph.
We could create our own custom frontend, i.e. in React, or we can try using Grafana. Share some ideas here and let's discuss.
We have TLS based server set up, but we are missing the initial functionality of reverse proxy.
We need to introduce redirect mechanism and the possibility to read possible redirections from config file.
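As an added example for the two issues above (reverse proxy plus config-driven redirects), and not code from the project: a host-based router that loads upstreams and redirects from a config document, answers configured redirects with 301, proxies everything else with `httputil.ReverseProxy`, and refuses unknown Host values instead of falling back to a default backend. JSON is used for the config so the example needs only the standard library; the struct and its tags would work the same with a YAML decoder. The config contents, hostnames and helper names are constructed for this example.

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Config is what gets loaded from the file: which backend serves each
// public hostname and which "hostname/path" keys are redirected instead.
// Hostnames in the keys are expected in lower case.
type Config struct {
	Upstreams map[string]string `json:"upstreams"` // hostname -> backend URL
	Redirects map[string]string `json:"redirects"` // "hostname/path" -> target
}

// sampleConfig is constructed for this example.
const sampleConfig = `{
  "upstreams": {"app.example.test": "http://127.0.0.1:9001"},
  "redirects": {"app.example.test/old": "https://app.example.test/new"}
}`

func loadConfig(data []byte) (Config, error) {
	var cfg Config
	err := json.Unmarshal(data, &cfg)
	return cfg, err
}

// router holds one ReverseProxy per configured hostname.
type router struct {
	proxies   map[string]*httputil.ReverseProxy
	redirects map[string]string
}

func newRouter(cfg Config) (*router, error) {
	rt := &router{proxies: map[string]*httputil.ReverseProxy{}, redirects: cfg.Redirects}
	for host, backend := range cfg.Upstreams {
		u, err := url.Parse(backend)
		if err != nil {
			return nil, err
		}
		rt.proxies[strings.ToLower(host)] = httputil.NewSingleHostReverseProxy(u)
	}
	return rt, nil
}

// hostOnly strips any port and normalises case so "App.Example.Test:443"
// matches the config key "app.example.test".
func hostOnly(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		return strings.ToLower(host)
	}
	return strings.ToLower(h)
}

func (rt *router) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	host := hostOnly(r.Host)
	if target, ok := rt.redirects[host+r.URL.Path]; ok {
		http.Redirect(w, r, target, http.StatusMovedPermanently)
		return
	}
	proxy, ok := rt.proxies[host]
	if !ok {
		// Unknown Host header: refuse rather than route to some default
		// backend, so a guessed or spoofed Host cannot reach a hidden one.
		http.Error(w, "unknown host", http.StatusNotFound)
		return
	}
	proxy.ServeHTTP(w, r)
}

func main() {
	cfg, err := loadConfig([]byte(sampleConfig))
	if err != nil {
		log.Fatal(err)
	}
	rt, err := newRouter(cfg)
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":8080", rt))
}
```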
Currently the config and the certificates are embedded in main.go. It is a good approach for now, but it would be nice to refactor it in order to make it simpler to set up and edit during development.
Context:
We have an HTTP proxy, but we want to copy Cloudflare and their Spectrum service, which means that we need to have a TCP reverse proxy.
(Later it could be used for the HTTP proxy as well)
TODO:
AC:
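For the TCP reverse proxy described in the issue above, an added example (not the project's code): one goroutine per accepted client, a fresh dial to the backend, and `io.Copy` in both directions with half-close propagated so the peer can finish sending. The listener and backend addresses in `main` are assumptions. Because this layer never parses the byte stream, TLS and any other protocol pass through untouched, which also means the HTTP rules cannot see into it; the later HTTP proxy would sit on top of it.

```go
package main

import (
	"io"
	"log"
	"net"
	"time"
)

// proxyConn pipes bytes both ways between one accepted client connection and
// a fresh connection to the backend. It returns the first error seen, or nil
// when both directions drained cleanly.
func proxyConn(client net.Conn, backendAddr string, dialTimeout time.Duration) error {
	defer client.Close()
	backend, err := net.DialTimeout("tcp", backendAddr, dialTimeout)
	if err != nil {
		return err
	}
	defer backend.Close()

	done := make(chan error, 2)
	pipe := func(dst, src net.Conn) {
		_, err := io.Copy(dst, src)
		// Propagate EOF as a half-close so the peer can finish sending its
		// own data before the whole connection is torn down.
		if tc, ok := dst.(*net.TCPConn); ok {
			tc.CloseWrite()
		}
		done <- err
	}
	go pipe(backend, client) // client -> backend
	go pipe(client, backend) // backend -> client

	first := <-done
	if first != nil {
		// One side failed: drop both ends so the other copy cannot hang.
		client.Close()
		backend.Close()
	}
	<-done
	return first
}

// serve accepts connections for as long as the listener lives and proxies
// each one on its own goroutine.
func serve(ln net.Listener, backendAddr string) error {
	for {
		c, err := ln.Accept()
		if err != nil {
			return err
		}
		go func(c net.Conn) {
			if err := proxyConn(c, backendAddr, 5*time.Second); err != nil {
				log.Printf("%s -> %s: %v", c.RemoteAddr(), backendAddr, err)
			}
		}(c)
	}
}

func main() {
	// Listen and backend addresses are assumptions for this example.
	ln, err := net.Listen("tcp", ":9443")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(serve(ln, "127.0.0.1:8443"))
}
```

One consequence worth planning for: the backend sees the proxy's address, not the client's. If the backend needs the real source (for logging or its own rate limits), that has to be carried in-band, for instance with the PROXY protocol header, since the TCP layer does not provide it.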
We need to create an outline of the defense system, with the first defense: XSS protection
Sometimes we want to disqualify some kinds of payloads in our WAF. This rule will help with that.
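An added example for the two issues above (the defence outline with XSS as its first rule, and a generic "disqualify this payload" rule), written for this page rather than taken from the project: a small `Rule` interface, a `PatternRule` that matches regular expressions against the path, query values and body, and a middleware that runs the chain and answers 403 on a hit. The detail a practitioner would want is the normalisation step: values are percent-decoded repeatedly (bounded) and lower-cased before matching, otherwise `%253Cscript%253E` slips past a `<script` check because the server decodes it once and the browser a second time. The rule names, the signature list and the sample payloads are constructed for this example and deliberately small.

```go
package main

import (
	"io"
	"log"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Rule is one check in the defence chain; body is the already-read request
// body so several rules can inspect it without re-reading the stream.
type Rule interface {
	Name() string
	Match(r *http.Request, body string) bool
}

// PatternRule disqualifies a request when any inspected value matches one of
// its expressions. The XSS rule below is one instance of it.
type PatternRule struct {
	name     string
	patterns []*regexp.Regexp
}

func (p PatternRule) Name() string { return p.name }

// normalize repeats percent-decoding until the value stops changing (at most
// three rounds, so hostile input cannot make this loop) and lower-cases the
// result so the patterns can stay simple.
func normalize(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.QueryUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return strings.ToLower(s)
}

func (p PatternRule) Match(r *http.Request, body string) bool {
	values := []string{r.URL.Path, body}
	for _, vs := range r.URL.Query() {
		values = append(values, vs...)
	}
	for _, v := range values {
		n := normalize(v)
		for _, re := range p.patterns {
			if re.MatchString(n) {
				return true
			}
		}
	}
	return false
}

// xssRule is a deliberately small starting set of signatures; a production
// list is much longer and needs tuning against false positives.
var xssRule = PatternRule{
	name: "xss",
	patterns: []*regexp.Regexp{
		regexp.MustCompile(`<\s*script`),
		regexp.MustCompile(`javascript\s*:`),
		regexp.MustCompile(`<\s*(iframe|img|svg|object|embed)\b`),
		regexp.MustCompile(`\s+on(load|error|click|mouseover|focus|input)\s*=`),
	},
}

// Guard reads (and restores) a bounded copy of the body, runs every rule and
// rejects the request with 403 on the first match.
func Guard(rules []Rule, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var body string
		if r.Body != nil {
			b, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
			if err != nil {
				http.Error(w, "bad request", http.StatusBadRequest)
				return
			}
			body = string(b)
			r.Body = io.NopCloser(strings.NewReader(body))
		}
		for _, rule := range rules {
			if rule.Match(r, body) {
				log.Printf("blocked %s %s by rule %s", r.Method, r.URL.Path, rule.Name())
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok\n"))
	})
	log.Fatal(http.ListenAndServe(":8080", Guard([]Rule{xssRule}, app)))
}
```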
In order to make it more scalable, we need to add a multi-server architecture.
Currently we have packet reading and a network interface provider, though it's problematic to listen for valid packets from network interfaces and protocols. To accomplish that we can use a BPF filter.
We need to have the possibility to create migrations for the database; we can also use GORM to simplify things in the beginning.
There is a method created by Salesforce engineers called "TLS fingerprinting" which can be used to find out the exact OS, browser and client data while making the TLS handshake.
I have been doing some research about the subject, and in order to make it real and fully functional we need to somehow rewrite the server in order to have access to all the data sent in the TLS handshake. Currently we have access to the method in the TLS config struct, which gives us access to the handshake, but it doesn't expose all the data about the request needed to make it functional.
There are also already-made implementations of TLS fingerprinting for the server side and the client side in Go.
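To make the gap described above concrete, here is an added example (not the project's code and not a real JA3 implementation) of the most that can be derived from the standard library's `tls.ClientHelloInfo` inside `GetConfigForClient`. It lays the fields out in the JA3 order (version, cipher suites, extensions, curves, point formats), skips GREASE values, and hashes the result with MD5 as JA3 does. The third field is left empty because `ClientHelloInfo` does not expose the extension list or the legacy handshake version, so the hash cannot be compared with JA3 databases; that is exactly why the issue concludes the server needs access to the raw ClientHello. The `serverConfig` helper and the deny list are assumptions for the example.

```go
package main

import (
	"crypto/md5"
	"crypto/tls"
	"encoding/hex"
	"fmt"
	"log"
	"strconv"
	"strings"
)

// Fingerprint is the JA3-shaped string built from ClientHelloInfo and its
// MD5. The extensions field is always empty (see isGREASE and fingerprint).
type Fingerprint struct {
	Raw  string
	Hash string
}

// isGREASE reports the reserved values browsers sprinkle into the hello
// (0x0a0a, 0x1a1a, ...); JA3 drops them so the fingerprint is stable.
func isGREASE(v uint16) bool { return v&0x0f0f == 0x0a0a }

func joinU16(vals []uint16) string {
	parts := make([]string, 0, len(vals))
	for _, v := range vals {
		if isGREASE(v) {
			continue
		}
		parts = append(parts, strconv.Itoa(int(v)))
	}
	return strings.Join(parts, "-")
}

// fingerprint uses the highest advertised version in place of JA3's legacy
// handshake version, and leaves the extension list empty, because neither
// is available from tls.ClientHelloInfo.
func fingerprint(h *tls.ClientHelloInfo) Fingerprint {
	var version uint16
	for _, v := range h.SupportedVersions {
		if !isGREASE(v) && v > version {
			version = v
		}
	}
	curves := make([]uint16, 0, len(h.SupportedCurves))
	for _, c := range h.SupportedCurves {
		curves = append(curves, uint16(c))
	}
	points := make([]string, 0, len(h.SupportedPoints))
	for _, p := range h.SupportedPoints {
		points = append(points, strconv.Itoa(int(p)))
	}
	extensions := "" // not exposed by crypto/tls
	raw := fmt.Sprintf("%d,%s,%s,%s,%s", version, joinU16(h.CipherSuites), extensions,
		joinU16(curves), strings.Join(points, "-"))
	sum := md5.Sum([]byte(raw))
	return Fingerprint{Raw: raw, Hash: hex.EncodeToString(sum[:])}
}

// serverConfig hooks the fingerprint into the handshake. GetConfigForClient
// runs for every ClientHello, so it can log the fingerprint or refuse the
// connection before any certificate is sent. Returning nil keeps base.
func serverConfig(base *tls.Config, denied map[string]bool) *tls.Config {
	cfg := base.Clone()
	cfg.GetConfigForClient = func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		fp := fingerprint(h)
		if denied[fp.Hash] {
			return nil, fmt.Errorf("client fingerprint %s is blocked", fp.Hash)
		}
		remote := "?"
		if h.Conn != nil {
			remote = h.Conn.RemoteAddr().String()
		}
		log.Printf("%s sni=%q fp=%s raw=%s", remote, h.ServerName, fp.Hash, fp.Raw)
		return nil, nil
	}
	return cfg
}

func main() {
	// Certificates and listen address are assumptions for this example.
	cert, err := tls.LoadX509KeyPair("server.crt", "server.key")
	if err != nil {
		log.Fatal(err)
	}
	cfg := serverConfig(&tls.Config{Certificates: []tls.Certificate{cert}}, map[string]bool{})
	ln, err := tls.Listen("tcp", ":8443", cfg)
	if err != nil {
		log.Fatal(err)
	}
	defer ln.Close()
	for {
		c, err := ln.Accept()
		if err != nil {
			log.Fatal(err)
		}
		c.Close()
	}
}
```

Rejecting in `GetConfigForClient` is cheap (the handshake aborts before any server work), but the fingerprint only describes the client software, so it is an allow/deny signal for known bad stacks, not an identity.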