Juan Pablo Tosso 12:00:25 UTC
Hello everyone, and welcome to our monthly meeting! Let’s wait a few minutes to see who else is joining 🙂
Matteo Pace 12:02:29 UTC
Hey hey 👋
Juan Pablo Tosso 12:03:16 UTC
@JC @fzipitria
Juan Pablo Tosso 12:04:29 UTC
Meeting link: corazawaf/coraza#814
JC 12:04:54 UTC
Aloha
Juan Pablo Tosso 12:05:43 UTC
This month has been full of releases: we released v3, v3.0.1, and v3.0.2. As most of you know, we are super proud of v3 as it is a major update with tons of performance and API improvements.
Juan Pablo Tosso 12:06:48 UTC
v3.0.1 is a super important update as it implements a few bug fixes and performance improvements and, most importantly, it fixes this security advisory: https://github.com/corazawaf/coraza/security/advisories/GHSA-c2pj-v37r-2p6h. This bug allows an attacker to DDoS coraza by using a malicious content-type header.
Juan Pablo Tosso 12:07:57 UTC
and v3.0.2 fixes a super important bug that was affecting our connectors by sometimes breaking the body buffers.
Juan Pablo Tosso 12:08:17 UTC
This month 6 PRs were created and merged: corazawaf/coraza#807 corazawaf/coraza#808 corazawaf/coraza#811 corazawaf/coraza#812 corazawaf/coraza#824 corazawaf/coraza#825
Juan Pablo Tosso 12:09:09 UTC
After the v3 release, we have seen a considerable increase in the number of issues and contributions, so I would like to thank the team for the diffusion and the rest of the community for trusting us with their security 🙂 it has been an awesome month.
Juan Pablo Tosso 12:10:01 UTC
We are receiving a lot of activity for most of our connectors; there is a lot of interest in the SPOA and we have received a lot of feedback, so we hope at some point it can become stable.
Juan Pablo Tosso 12:10:23 UTC
The Caddy connector has received lots of issues, but it means there is interest in the community 🙂 development is quite active here.
Juan Pablo Tosso 12:10:41 UTC
We are finally receiving a lot of interest and participation in libcoraza, which will become the heart of the Nginx connector.
Juan Pablo Tosso 12:12:02 UTC
and of course, our proxy-wasm team has finally released v0.1.0 and v0.1.1 🙂 https://github.com/corazawaf/coraza-proxy-wasm/releases/tag/0.1.0
Juan Pablo Tosso 12:12:24 UTC
so enough of project status, any questions?
Juan Pablo Tosso 12:13:38 UTC
Ok, so the first topic is the HTTP audit log writer.
Juan Pablo Tosso 12:15:32 UTC
We have to make a few definitions.
JC 12:17:09 UTC
> right now coraza is not aware of its own version so we cannot add it to the user-agent
nice to have, not too important though.
> Are we keeping compatibility for mlogc?
is this what people do use? What are the alternatives?
> Are we adding any extra headers to the log upload?
Shall we support auth?
> How much is the timeout value?
whatever we come up with will be wrong, but maybe a best guess, e.g. 1s?
> Should we use content-type? the problem is we are not aware of the formatter's content-type
Good one, we must make the formatter aware of it.
I guess like every other format.
nope, it creates a barrier for local development and PoC.
Juan Pablo Tosso 12:17:56 UTC
I'm not aware if anyone uses mlogc; it's part of the modsec toolkit. @airween, what do you think?
↳ airween 12:24:33 UTC
Uhm, sorry, I don't use mlogc. (Actually I use audit.log very rarely...)
↳ Juan Pablo Tosso 12:24:50 UTC
but what do you think about the community?
↳ airween 12:26:14 UTC
Sorry, I don't understand this now 🙂 - what do you mean about "the community"?
↳ Juan Pablo Tosso 12:26:35 UTC
I mean, do you see people asking about mlogc? Is it a thing?
↳ Juan Pablo Tosso 12:26:41 UTC
or nobody really uses it
↳ airween 12:28:36 UTC
oh, I got it - once I saw an issue under the ModSecurity GH page where they wanted to finish developing that tool, because none of them use it
↳ Juan Pablo Tosso 12:29:13 UTC
great! thank you very much 🙂
↳ airween 12:29:26 UTC
but now I can't find that issue 😞
↳ airween 12:32:28 UTC
oh, sorry - here is the post I remember:
owasp-modsecurity/ModSecurity#2275 (comment)
he just mentions there that mlogc is not available in libmodsecurity3.
Hope this helps ❤️
↳ Juan Pablo Tosso 12:33:02 UTC
thank you very much! This is a great reference. It makes sense to ignore mlogc support
Juan Pablo Tosso 12:18:26 UTC
Auth is supported by using basic auth, just set the URL as http://username:password@host
↳ JC 12:18:45 UTC
This isn't Zero Trust friendly.
↳ Juan Pablo Tosso 12:18:56 UTC
nothing is Zero Trust friendly
↳ Juan Pablo Tosso 12:20:19 UTC
In that case we would have to extend AuditLogConfig with a username and a password.
↳ JC 12:21:07 UTC
Probably support for headers is desirable.
↳ Juan Pablo Tosso 12:22:17 UTC
we could add something like SecAuditLogHttpsHeader X-Api-Key %{API_KEY} to get API keys from ENV?
↳ JC 12:26:08 UTC
Since we are talking about adding a new directive, it is better to defer this until someone requests it.
Juan Pablo Tosso 12:21:14 UTC
what happens if the binary formatter uses null bytes?
↳ JC 12:21:41 UTC
What is the problem? We let the receiver deal with it.
↳ JC 12:21:56 UTC
I mean, in https we can't do much more than sending the payload.
↳ JC 12:22:13 UTC
If we want something more sophisticated, maybe people use other stuff.
↳ Juan Pablo Tosso 12:23:27 UTC
what I mean is whether we would have to handle CRLFs inside the binary payloads
↳ Juan Pablo Tosso 12:23:45 UTC
but I agree
Juan Pablo Tosso 12:24:28 UTC
ok, so for log formatters let's update the map to store both the content-type and the formatter. Then we propagate it using the options.
Juan Pablo Tosso 12:29:22 UTC
The rest of the points look good to me:
Juan Pablo Tosso 12:29:42 UTC
let's consider headers for the future; I think it requires more feedback.
Juan Pablo Tosso 12:30:43 UTC
if everyone is ok, we could proceed to the next topic.
Juan Pablo Tosso 12:31:04 UTC
I believe it's not a thing anymore, as we already released v3.0.1 and v3.0.2.
↳ JC 12:31:56 UTC
Following semver
↳ Juan Pablo Tosso 12:32:27 UTC
exactly, we should always use semantic versioning, as it is the Go standard for go mod
Juan Pablo Tosso 12:31:22 UTC
Sponsorship perks!
Juan Pablo Tosso 12:33:20 UTC
I want to use as examples:
Juan Pablo Tosso 12:34:07 UTC
Also, I would like to mention that although we don't have any financial requirement as a project, we would be able to do some interesting things, like issues with bounties, a dev-on-duty program, and a coraza live event somewhere in the world.
↳ JC 12:35:42 UTC
The ConRaza cc @fzipitria
↳ Juan Pablo Tosso 12:36:09 UTC
corazacon
↳ Juan Pablo Tosso 12:36:27 UTC
corazapalooza
Juan Pablo Tosso 12:36:03 UTC
There is also another kind of support that we appreciate a lot; for example, Tetrate provides help in the development, and Traceable formally supports my work in coraza, among other companies like Intel. Should we also have a perk for them?
↳ JC 12:36:59 UTC
Interesting idea
Juan Pablo Tosso 12:38:05 UTC
Zap has the following criteria for platinum sponsorship: Perks:
Juan Pablo Tosso 12:39:39 UTC
I don't think there is anyone working 80% on coraza, so maybe we should adjust it to a lower sponsorship level.
Juan Pablo Tosso 12:44:10 UTC
Let's copy Zap's criteria with a few changes:
JC 12:46:32 UTC
I would create an issue on this and see if there are companies interested.
Juan Pablo Tosso 12:46:49 UTC
Ok lgtm
Juan Pablo Tosso 12:47:00 UTC
so we will continue this topic inside the issue.
Juan Pablo Tosso 12:47:31 UTC
Finally, JC's philosophical topic: to Dependabot or not to Dependabot.
Juan Pablo Tosso 12:47:55 UTC
I personally love Dependabot; it doesn't hurt.
JC 12:48:12 UTC
So I should have created an issue for this; it's been in my head for a while.
JC 12:48:31 UTC
Whenever we release a new stable version in coraza, updating all the connectors is a pain.
JC 12:48:47 UTC
So I think that should be automated.
Juan Pablo Tosso 12:49:38 UTC
mmh, I think Dependabot should take care of that, but I don't know how.
JC 12:50:08 UTC
I saw this working in other orgs.
JC 12:50:31 UTC
So we just need to implement a flow for Dependabot to do the update whenever coraza is out. Now that coraza is stable, we can do that easily.
JC 12:50:54 UTC
Like, we don't have to deal with breaking changes.
Juan Pablo Tosso 12:55:13 UTC
let's create an issue to do the configs
Juan Pablo Tosso 12:55:24 UTC
but I agree with you; we use Dependabot everywhere and it just makes sense.
Juan Pablo Tosso 12:56:05 UTC
any other thing you would like to discuss, team? As @JC calls us, corazones 🤣 which means hearts in Spanish
JC 12:56:55 UTC
I wonder if we should look at supply chain checks on CI, like using Snyk or things like that.
Juan Pablo Tosso 12:57:36 UTC
it is interesting, but we should also keep in mind that most of our dependencies are for development and building, not for runtime.
JC 12:58:19 UTC
But my real big concern is who is taking ownership of the actions we just talked about in this meeting. When people wake up, it would be cool for us to check the meeting and see if any of us can own some work @Matteo Pace @Roshan Piyush @fzipitria @Anuraag Agrawal
JC 12:59:55 UTC
I can own the Dependabot check.
JC 13:00:12 UTC
Since @Juan Pablo Tosso is owning the https reporter.
Matteo Pace 13:01:36 UTC
I think it would be great to create all the issues that you just talked about and wait for some assignments/self-assignments.
Juan Pablo Tosso 13:03:12 UTC
I agree with Matteo, let's create proper issues
Matteo Pace 13:03:14 UTC
About Dependabot, I don't know if it is feasible, but some issues required manually running `go mod tidy`.
↳ Juan Pablo Tosso 13:03:39 UTC
https://docs.github.com/en/code-security/dependabot/working-with-dependabot/configuring-access-to-private-registries-for-dependabot there are a lot of options for Dependabot
↳ Matteo Pace 13:05:24 UTC
I will be careful if it happens again and see if it is doable to make it run automatically.
Juan Pablo Tosso 13:03:16 UTC
and each one of us takes ownership
Liang Zhibang 13:07:00 UTC
please review my PR 🫡 corazawaf/libcoraza#30
↳ Juan Pablo Tosso 13:08:41 UTC
nice catch, I will take a look and approve it, thank you
↳ Liang Zhibang 13:09:48 UTC
🫡
Juan Pablo Tosso 13:08:47 UTC
Ok, so we close our monthly meeting.
Juan Pablo Tosso 13:08:56 UTC
Please, team, help me creating issues.
Juan Pablo Tosso 13:08:58 UTC
Thank you everyone!
Liang Zhibang 13:14:04 UTC
I've ported coraza to openresty successfully. But my libcoraza-nginx is not compatible with libcoraza. I'm thinking of creating a repo named libcoraza-nginx.
↳ Juan Pablo Tosso 13:14:57 UTC
let's try to keep it as generic as possible, but we can do that in the meantime
↳ Liang Zhibang 13:16:25 UTC
you are right.
Liang Zhibang 13:14:19 UTC
https://github.com/potats0/lua-resty-coraza
Liang Zhibang 13:15:07 UTC
loading the full coreruleset spends 50M on arm ubuntu
Liang Zhibang 13:16:49 UTC
worker processes: 4
↳ Juan Pablo Tosso 13:17:51 UTC
terrific work, thank you very much Liang, we will keep a close eye on it
Liang Zhibang 13:23:31 UTC
qps with coraza
Liang Zhibang 13:23:51 UTC
qps without coraza
Juan Pablo Tosso 13:28:35 UTC
and have you tested blocking?
Liang Zhibang 13:29:47 UTC
sure
Juan Pablo Tosso 13:29:51 UTC
@fzipitria / @JC what would be a decent test plan to test that there are no memory leaks?
Liang Zhibang 13:30:04 UTC
I tested
Juan Pablo Tosso 13:30:28 UTC
it is hard to test for memory leaks using cgo because of the garbage collector
Liang Zhibang 13:31:03 UTC
if memory was leaked, nginx would OOM after 10000 requests
Juan Pablo Tosso 13:31:14 UTC
I see
Juan Pablo Tosso 13:31:53 UTC
I'm impressed. I will take a deeper look and get back to you. We really appreciate your contribution.
Juan Pablo Tosso 13:32:29 UTC
We have to solve the log callbacks issue too.
Juan Pablo Tosso 13:32:39 UTC
where are you pointing the error logs?
Liang Zhibang 13:33:50 UTC
I didn't point the error log anywhere. I am wondering about the log callback.
Juan Pablo Tosso 13:34:15 UTC
there is a function, but it is not working. I will take some time to fix it and get back to you.
Liang Zhibang 13:35:31 UTC
sure, I'm waiting for you, and thank you for contributing
Juan Pablo Tosso 13:36:02 UTC
but we should send coraza a pointer to a function that handles the log

```c
/* nginx-side log callback: libmodsecurity calls it with the ngx_log_t
 * it was handed and a NUL-terminated message. */
void
ngx_http_modsecurity_log(void *log, const void *data)
{
    const char *msg;

    if (log == NULL) {
        return;
    }
    msg = (const char *) data;
    ngx_log_error(NGX_LOG_INFO, (ngx_log_t *) log, 0, "%s", msg);
}

/* registered once, at module configuration time */
msc_set_log_cb(conf->modsec, ngx_http_modsecurity_log);
```
Juan Pablo Tosso 13:36:07 UTC
this is how modsec-nginx handles it
Liang Zhibang 13:39:56 UTC
in cgo it is hard to invoke a function pointer
Juan Pablo Tosso 13:40:08 UTC
yes, but there is a hack
Juan Pablo Tosso 13:40:19 UTC
you create a C function inside Go, then you do it from there
Juan Pablo Tosso 13:40:34 UTC
so instead of calling the C function, you call the cgo C function that calls the C function
Liang Zhibang 13:44:05 UTC
you mean the log callback for printing coraza's error log?
Juan Pablo Tosso 13:44:13 UTC
yes
Juan Pablo Tosso 13:44:29 UTC
@airween would be happy if it were fixed lol
Liang Zhibang 13:45:42 UTC
libcoraza exposes a few APIs for calling. Maybe use Go reflect to solve the problem.
Juan Pablo Tosso 13:46:20 UTC
https://github.com/corazawaf/libcoraza/blob/master/libcoraza/log.go
Juan Pablo Tosso 13:46:36 UTC
Juan Pablo Tosso 13:46:57 UTC
coraza_set_log_cb should call C.send_log_to_cb
Liang Zhibang 13:48:12 UTC
got it