Skip to content

Light WAF v0.2.0

Choose a tag to compare

@0x00spor3 0x00spor3 released this 30 Jun 08:46

Light WAF v0.2.0 — Extensible TLS seam (ACME / mTLS-ready)

A fast, modular Layer-7 Web Application Firewall written in Rust, operating as a
reverse proxy: it inspects every HTTP request, accumulates a CRS-style anomaly score,
and decides Allow / Block (403) / Reject (400 | 429) before forwarding to the backend.

This is a small, additive and backward-compatible release. There are no breaking
changes
and no changes to detection — the corpus verdicts are identical to v0.1.0.
The whole workspace is bumped to 0.2.0 together (uniform versioning), even though only
waf-proxy's public surface grew.

What's new

Extensible TlsCertSource seam (the headline)

The TlsCertSource trait gains two defaulted hooks — additive, so every existing
implementation (and FileCertSource) keeps working unchanged:

  • resolver() -> Option<Arc<dyn ResolvesServerCert>> — when Some, the core builds the
    rustls ServerConfig with a dynamic server-cert resolver instead of load(). The
    certificate can now rotate at runtime without rebuilding the acceptor (hitless rotation),
    and the listener advertises the acme-tls/1 ALPN so an on-listener TLS-ALPN-01 challenge
    can be negotiated on the same port.
  • client_verifier() -> Option<Arc<dyn ClientCertVerifier>> — when Some, the listener
    requires and verifies client certificates (mTLS / managed PKI). Default None → no client
    auth, exactly as before.

Both default to None, so the OPEN single-cert path (load()) is unchanged. This is the
injection point that lets an enterprise build managed-TLS — hitless ACME and mTLS
on top of the published crate without forking the core (compatible with the
BOUNDARY.md §5 ABI freeze,
the same pattern as WafModule::structural()).

Per-crate documentation on crates.io

Every published crate now ships its own README.md, so each crates.io
page documents that crate's role instead of showing only the one-line description.

Compatibility

  • No breaking changes. The two new trait methods are defaulted; existing code compiles and
    behaves identically.
  • Detection unchanged — validation corpus 10/10, 0% false positives at PL3, same
    recall as v0.1.0 (instrumentation/seams are pure additions, not detection changes).
  • clippy -D warnings clean, full workspace test suite green, TLS matrix re-gated.

Install / upgrade

# the binary (command: `waf`)
cargo install waf-proxy        # picks up 0.2.0

# or use the core as a library (open-core, no fork — embed via Proxy::builder + seams)
cargo add waf-core@0.2

Published crates

Crate Role
waf-core Base types, WafModule/Decision, StateStore seam
waf-normalizer Decode + NFKC + parsing + limits
waf-pipeline Phased orchestrator + anomaly scoring
waf-detection Detection modules + fast-path prefilter
waf-wasm Proxy-Wasm runtime (wasmi)
waf-proxy The binary (waf) + embeddable lib

License

Open source under Apache-2.0. The open-source vs. enterprise boundary is documented
normatively in BOUNDARY.md.