waffle's People

Contributors

cebilon123, deepto98


waffle's Issues

TLS introduction

We need to introduce TLS as the first layer of the defense. Basically, after its introduction, we will be able to validate the client handshake, which will be useful to guard applications from botnets and related attacks, i.e. DDoS.

Add support for ip addresses from headers

This is an email I've got:

Hi, please add support for rate limiting by cf-connecting-ip? The original visitor IP
address appears in an appended HTTP header called CF-Connecting-IP.
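As an added example (not code from the waffle project) of what supporting this header safely involves: the value of CF-Connecting-IP is only meaningful when the TCP peer really is the proxy, since any client connecting directly can send the header and pick its own rate-limit key. The Go resolver below believes the header only for peers inside a trusted-proxy list; the three prefixes are sample entries assumed for the example, and a deployment should load the proxy's published ranges from config. The type and function names are the example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
)

// ClientIPResolver picks the address that rate limiting (and logging) should key on.
// The header is only believed when the TCP peer is one of the trusted proxies;
// otherwise anyone could spoof CF-Connecting-IP and bypass a per-IP limit.
type ClientIPResolver struct {
	Header  string         // e.g. "CF-Connecting-IP"
	Trusted []netip.Prefix // proxy ranges allowed to set Header
}

// sampleTrusted holds assumed sample ranges for this example. In a deployment,
// load the proxy's published ranges from config and refresh them; do not hard-code.
var sampleTrusted = []netip.Prefix{
	netip.MustParsePrefix("173.245.48.0/20"),
	netip.MustParsePrefix("103.21.244.0/22"),
	netip.MustParsePrefix("2400:cb00::/32"),
}

func (r ClientIPResolver) trusted(a netip.Addr) bool {
	for _, p := range r.Trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ClientIP returns the address to treat as the client for req. Direct connections
// (or connections from any peer outside Trusted) ignore the header entirely.
func (r ClientIPResolver) ClientIP(req *http.Request) (netip.Addr, error) {
	host, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("bad RemoteAddr %q: %w", req.RemoteAddr, err)
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return netip.Addr{}, err
	}
	peer = peer.Unmap() // ::ffff:1.2.3.4 -> 1.2.3.4 so IPv4 prefixes match
	if !r.trusted(peer) {
		return peer, nil
	}
	v := req.Header.Get(r.Header)
	if v == "" {
		return peer, nil // proxy did not set it; fall back to the peer
	}
	ip, err := netip.ParseAddr(v)
	if err != nil {
		// A trusted proxy sent garbage; reject rather than keying the limit on "".
		return netip.Addr{}, fmt.Errorf("invalid %s header %q: %w", r.Header, v, err)
	}
	return ip.Unmap(), nil
}

func main() {
	r := ClientIPResolver{Header: "CF-Connecting-IP", Trusted: sampleTrusted}
	req := &http.Request{RemoteAddr: "173.245.48.10:51234", Header: http.Header{}}
	req.Header.Set("CF-Connecting-IP", "203.0.113.7")
	ip, err := r.ClientIP(req)
	fmt.Println(ip, err) // 203.0.113.7 <nil>
}
```

The returned address is what the rate limiter should key on; the same resolver can feed the access log so that limit decisions and log entries agree on who the client was.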

YAML config

We need to have YAML config in order to configure domains and ip addresses.

Add request data visualisation

Context:

Currently, there is no way to visualize what requests are coming through our WAF. At the very beginning, we need a frontend that simply visualizes the incoming requests.

It could be done as a list of incoming requests and some kind of graph.

TODO

  • add a request visualization (currently we don't have any metrics gathering code, so this needs to be done as well)

AC

  • we have an incoming request visualization
  • there is high test coverage

Info

We could create our custom frontend, e.g. in React, or we can try using Grafana; share some ideas here, and let's discuss 😄

Reverse proxy

We have a TLS-based server set up, but we are missing the initial functionality of a reverse proxy.
We need to introduce a redirect mechanism and the possibility to read possible redirections from the config file.

TODO:

  • reverse proxy logic
  • possible redirect domain : address map from config and database

AC

  • we have reverse proxy logic
  • we have redirect domain : address mapping from config and database

How to test?

  • execute unit tests
  • try adding domain : address map to database or/and config
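As an added example, not the project's own code, of the domain : address mapping this issue asks for: a Go host router built on net/http/httputil that takes the map as it would come out of the config file or database, normalises the incoming Host header (case, port, trailing dot) before lookup, and answers 421 for any host that is not configured, so the proxy can never be steered at an arbitrary backend. The map contents, the type names and the certificate paths in main are assumptions for the example.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// HostRouter maps the request's Host to a configured upstream. Anything not in
// the map gets 421 Misdirected Request instead of being forwarded anywhere.
type HostRouter struct {
	upstreams map[string]*httputil.ReverseProxy
	targets   map[string]string
}

// NewHostRouter takes the domain -> address map that would come from the
// config file or database, e.g. {"example.com": "http://10.0.0.5:8080"}.
// Upstreams must be full URLs so a bare "host:port" cannot be misread.
func NewHostRouter(domains map[string]string) (*HostRouter, error) {
	r := &HostRouter{
		upstreams: map[string]*httputil.ReverseProxy{},
		targets:   map[string]string{},
	}
	for host, target := range domains {
		u, err := url.Parse(target)
		if err != nil {
			return nil, fmt.Errorf("upstream for %q: %w", host, err)
		}
		if u.Scheme == "" || u.Host == "" {
			return nil, fmt.Errorf("upstream %q for %q must be scheme://host[:port]", target, host)
		}
		key := NormalizeHost(host)
		r.upstreams[key] = httputil.NewSingleHostReverseProxy(u)
		r.targets[key] = u.String()
	}
	return r, nil
}

// NormalizeHost lowercases a Host header value and drops the port and trailing
// dot, so "Example.COM:443" and "example.com." hit the same entry.
func NormalizeHost(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// Target returns the configured upstream URL for host, or "" when unknown.
func (r *HostRouter) Target(host string) string {
	return r.targets[NormalizeHost(host)]
}

// ServeHTTP forwards configured hosts and refuses everything else.
func (r *HostRouter) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	p, ok := r.upstreams[NormalizeHost(req.Host)]
	if !ok {
		http.Error(w, "unknown host", http.StatusMisdirectedRequest)
		return
	}
	p.ServeHTTP(w, req)
}

func main() {
	// Assumed mapping and certificate paths for the example.
	r, err := NewHostRouter(map[string]string{
		"example.com":     "http://127.0.0.1:8080",
		"api.example.com": "http://127.0.0.1:8081",
	})
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", r))
}
```

NewSingleHostReverseProxy leaves the original Host header on the upstream request, which is what a WAF fronting a named site wants; if a backend instead expects its own hostname, set it in the proxy's Director (or Rewrite) hook rather than widening the map.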

Refactor how config and certificates are being read

Context

Currently the config and the certificates are embedded in main.go. It is a good approach for now, but it would be nice to refactor it in order to make it simpler to set up and edit during development.

TODO

  • Refactor how the config and certificates are being read
  • Add unit tests for the changes
  • Fix other tests accordingly (if it's needed)

AC

  • There is a new approach of reading the configs and certificates
  • There are unit tests made for the changes and others are fixed

How to test?

  • The pipeline should succeed
  • Unit tests should pass
  • WAF should read configs and certificates

Add TCP proxy

Context:
We have an HTTP proxy, but we want to copy Cloudflare and their Spectrum service, which means that we need to have a TCP reverse proxy.
(Later it could be used for the HTTP proxy as well.)

TODO:

  • Add simple outline of TCP reverse proxy
  • Add unit tests

AC:

  • we have functional TCP reverse proxy

Add XSS protection

We need to create an outline of the defense system, with the first defense: XSS protection.

Add BPF provider

Context

Currently we have packet reading and a network interface provider, though it's problematic to listen for valid packets from network interfaces and protocols. To accomplish that we can use a BPF filter.

TODO

  • add BPF filter configuration to the collector worker
  • add yaml configuration to the collector worker

AC

  • there is a possibility to write the BPF filter in the config
  • we can configure the application from the config

MySQL database migrations

We need to have the possibility to create migrations for the database; we can also use GORM to simplify stuff in the beginning.

TLS fingerprinting research + implementation

Context:

There is a method created by the Salesforce engineers called "TLS fingerprinting" which can be used to find out the exact OS, browser and client data while making the TLS handshake.

TODO:

  • find out how TLS fingerprinting works
  • add implementation of it to the application

AC:

  • there is a rich comment with the exact information, articles and other resources about TLS fingerprinting
  • there is an implementation of the whole thing
  • there is high test coverage in the newly written code

Comment:

I have been doing some research on the subject, and in order to make it real and fully functional we need to somehow rewrite the server in order to have access to all the data sent in the TLS handshake. Currently we have access to the method in the TLS config struct, which gives us access to the thing, but it doesn't have all the needed data about the request in order to make it functional.

There are also already-made implementations of TLS fingerprinting for the server side and client side in Go.
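Added example, not code from the waffle project, showing what the comment above is getting at. The Salesforce method is JA3: the ClientHello's version, cipher suites, extension types, supported groups and EC point formats are rendered as decimal lists (GREASE values removed, per RFC 8701), joined with commas, and MD5-hashed. Go's tls.ClientHelloInfo exposes the cipher suites, groups and point formats but not the extension list in wire order, so the raw record has to be parsed before it reaches crypto/tls, which is what the parser below does. The ClientHello bytes are constructed inline for the example, not captured traffic.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var errTruncated = errors.New("truncated or malformed ClientHello")

// isGREASE reports whether v is a GREASE value (RFC 8701: 0x0a0a, 0x1a1a, ..., 0xfafa).
// JA3 drops these so that randomised GREASE values do not change the fingerprint.
func isGREASE(v uint16) bool { return v&0x0f0f == 0x0a0a && v>>8 == v&0xff }

func u16(b []byte) uint16 { return uint16(b[0])<<8 | uint16(b[1]) }

// joinDec renders a list the JA3 way: decimal values joined by "-", GREASE removed.
func joinDec(vals []uint16) string {
	parts := make([]string, 0, len(vals))
	for _, v := range vals {
		if !isGREASE(v) {
			parts = append(parts, strconv.Itoa(int(v)))
		}
	}
	return strings.Join(parts, "-")
}

// JA3 parses a raw TLS record carrying a ClientHello and returns the JA3 string
// (version,ciphers,extensions,groups,point_formats) and its MD5 hex digest.
func JA3(rec []byte) (ja3 string, digest string, err error) {
	if len(rec) < 5 || rec[0] != 0x16 || int(u16(rec[3:])) > len(rec)-5 {
		return "", "", errTruncated
	}
	hs := rec[5:]
	if len(hs) < 4 || hs[0] != 0x01 {
		return "", "", errors.New("record does not carry a ClientHello")
	}
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if hsLen > len(hs)-4 {
		return "", "", errTruncated
	}
	b := hs[4 : 4+hsLen]
	if len(b) < 35 { // client_version(2) + random(32) + session_id length(1)
		return "", "", errTruncated
	}
	version := u16(b)
	b = b[34:]
	sidLen := int(b[0])
	b = b[1:]
	if len(b) < sidLen+2 {
		return "", "", errTruncated
	}
	b = b[sidLen:]
	csLen := int(u16(b))
	b = b[2:]
	if csLen%2 != 0 || len(b) < csLen+1 {
		return "", "", errTruncated
	}
	var ciphers []uint16
	for i := 0; i < csLen; i += 2 {
		ciphers = append(ciphers, u16(b[i:]))
	}
	b = b[csLen:]
	compLen := int(b[0])
	b = b[1:]
	if len(b) < compLen {
		return "", "", errTruncated
	}
	b = b[compLen:]
	var exts, groups, points []uint16
	if len(b) >= 2 { // the extensions block is optional
		extLen := int(u16(b))
		b = b[2:]
		if len(b) < extLen {
			return "", "", errTruncated
		}
		b = b[:extLen]
		for len(b) >= 4 {
			typ, l := u16(b), int(u16(b[2:]))
			b = b[4:]
			if len(b) < l {
				return "", "", errTruncated
			}
			data := b[:l]
			b = b[l:]
			exts = append(exts, typ) // wire order matters for the fingerprint
			switch typ {
			case 0x000a: // supported_groups: uint16 length + uint16 list
				if len(data) < 2 || int(u16(data)) > len(data)-2 || u16(data)%2 != 0 {
					return "", "", errTruncated
				}
				for i := 2; i < 2+int(u16(data)); i += 2 {
					groups = append(groups, u16(data[i:]))
				}
			case 0x000b: // ec_point_formats: uint8 length + uint8 list
				if len(data) < 1 || int(data[0]) > len(data)-1 {
					return "", "", errTruncated
				}
				for _, p := range data[1 : 1+int(data[0])] {
					points = append(points, uint16(p))
				}
			}
		}
	}
	ja3 = fmt.Sprintf("%d,%s,%s,%s,%s", version, joinDec(ciphers), joinDec(exts), joinDec(groups), joinDec(points))
	sum := md5.Sum([]byte(ja3))
	return ja3, hex.EncodeToString(sum[:]), nil
}

// sampleClientHello builds a constructed (not captured) ClientHello with GREASE
// values sprinkled in, so the parser's GREASE filtering is exercised.
func sampleClientHello() []byte {
	body := []byte{0x03, 0x03}               // client_version: TLS 1.2
	body = append(body, make([]byte, 32)...) // random (zeros in this sample)
	body = append(body, 0x00)                // session_id length 0
	body = append(body, 0x00, 0x0a, // cipher_suites length 10
		0x13, 0x01, 0x13, 0x02, 0xc0, 0x2b, 0xc0, 0x2f, 0x0a, 0x0a) // last one is GREASE
	body = append(body, 0x01, 0x00) // compression_methods: null
	body = append(body, 0x00, 0x1a, // extensions length 26
		0x0a, 0x0a, 0x00, 0x00, // GREASE extension
		0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x0a, 0x0a, 0x00, 0x1d, 0x00, 0x17, // supported_groups: GREASE, x25519, secp256r1
		0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, // ec_point_formats: uncompressed
		0x00, 0x23, 0x00, 0x00) // session_ticket
	hs := append([]byte{0x01, 0x00, 0x00, byte(len(body))}, body...)      // handshake header
	return append([]byte{0x16, 0x03, 0x01, 0x00, byte(len(hs))}, hs...) // record header
}

func main() {
	s, h, err := JA3(sampleClientHello())
	if err != nil {
		panic(err)
	}
	fmt.Println(s) // 771,4865-4866-49195-49199,10-11-35,29-23,0
	fmt.Println(h)
}
```

Wiring this in is the server rewrite the comment refers to: wrap each accepted net.Conn, peek the first record (a bufio.Reader works), run it through the parser, then hand the unconsumed bytes on to tls.Server so the handshake itself is untouched.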
