Light WAF v0.2.0
Light WAF v0.2.0 — Extensible TLS seam (ACME / mTLS-ready)
A fast, modular Layer-7 Web Application Firewall written in Rust, operating as a
reverse proxy: it inspects every HTTP request, accumulates a CRS-style anomaly score,
and decides Allow / Block (403) / Reject (400 | 429) before forwarding to the backend.
This is a small, additive and backward-compatible release. There are no breaking
changes and no changes to detection — the corpus verdicts are identical to v0.1.0.
The whole workspace is bumped to 0.2.0 together (uniform versioning), even though only
waf-proxy's public surface grew.
What's new
Extensible TlsCertSource seam (the headline)
The TlsCertSource trait gains two defaulted hooks — additive, so every existing
implementation (and FileCertSource) keeps working unchanged:
resolver() -> Option<Arc<dyn ResolvesServerCert>>— whenSome, the core builds the
rustlsServerConfigwith a dynamic server-cert resolver instead ofload(). The
certificate can now rotate at runtime without rebuilding the acceptor (hitless rotation),
and the listener advertises theacme-tls/1ALPN so an on-listener TLS-ALPN-01 challenge
can be negotiated on the same port.client_verifier() -> Option<Arc<dyn ClientCertVerifier>>— whenSome, the listener
requires and verifies client certificates (mTLS / managed PKI). DefaultNone→ no client
auth, exactly as before.
Both default to None, so the OPEN single-cert path (load()) is unchanged. This is the
injection point that lets an enterprise build managed-TLS — hitless ACME and mTLS —
on top of the published crate without forking the core (compatible with the
BOUNDARY.md §5 ABI freeze,
the same pattern as WafModule::structural()).
Per-crate documentation on crates.io
Every published crate now ships its own README.md, so each crates.io
page documents that crate's role instead of showing only the one-line description.
Compatibility
- No breaking changes. The two new trait methods are defaulted; existing code compiles and
behaves identically. - Detection unchanged — validation corpus 10/10, 0% false positives at PL3, same
recall as v0.1.0 (instrumentation/seams are pure additions, not detection changes). clippy -D warningsclean, full workspace test suite green, TLS matrix re-gated.
Install / upgrade
# the binary (command: `waf`)
cargo install waf-proxy # picks up 0.2.0
# or use the core as a library (open-core, no fork — embed via Proxy::builder + seams)
cargo add waf-core@0.2Published crates
| Crate | Role |
|---|---|
waf-core |
Base types, WafModule/Decision, StateStore seam |
waf-normalizer |
Decode + NFKC + parsing + limits |
waf-pipeline |
Phased orchestrator + anomaly scoring |
waf-detection |
Detection modules + fast-path prefilter |
waf-wasm |
Proxy-Wasm runtime (wasmi) |
waf-proxy |
The binary (waf) + embeddable lib |
License
Open source under Apache-2.0. The open-source vs. enterprise boundary is documented
normatively in BOUNDARY.md.