Invitation for Contributors: Seeking NGINX Module Engineer for Building OWASP Coraza WAF Connector #803

Open
jptosso opened this issue May 31, 2023 · 5 comments
Labels
help wanted Extra attention is needed owner-required

Comments

@jptosso
Member

jptosso commented May 31, 2023

Hello everyone,

We have an exciting project on the table, and we're looking to engage the collective brilliance of this community. We're seeking contributions from individual engineers, open-source enthusiasts, or even companies interested in helping fortify web application security.

Objective

We aim to build a robust OWASP Coraza Web Application Firewall (WAF) connector that integrates seamlessly with NGINX. This connector will act as a vital link between the NGINX server and the Coraza WAF, effectively enhancing the security capabilities of web applications.

Requirements

The connector should be primarily written in C and interact with libcoraza, the C wrapper for Coraza coded in Go. However, we're also open to building the connector using Rust, given its reputation for memory safety and performance, while maintaining the connection to libcoraza.

Desired Skills

  • Proficiency in C programming and/or Rust.
  • Solid understanding and hands-on experience with NGINX modules.
  • Familiarity with Web Application Firewalls (WAFs), specifically OWASP Coraza or ModSecurity.

Technical Details

The implementation of the connector should meet the following requirements:

  • Support for all 5 Phases: The connector should be able to handle request headers, request body, response headers, response body, and logging.
  • Directive Invocation: The implementation must invoke directives from the NGINX configuration.
  • Support for Reloading: The connector should support NGINX configuration reloading without service interruption.
  • Config Merging: The implementation must support merging configurations, such as nested locations with different configurations.

Support

We are committed to providing active support throughout the project, especially in understanding and integrating with libcoraza. Our team is equipped to provide clarifications, technical insights, and testing support to ensure the project's success.

Open Invitation

This call is open to everyone - from individual open-source enthusiasts to larger organizations that can contribute. If you are interested in participating in this project, please comment here.

This is a great chance to contribute to an essential security feature for our WAF, work with advanced technologies, and be a part of the effort to create a safer web environment.

We eagerly anticipate your innovative ideas and valuable contributions.

Thanks & Best Regards,
Juan Pablo Tosso & the Coraza Team

@jptosso jptosso added help wanted Extra attention is needed owner-required labels May 31, 2023
@dune73

dune73 commented Jun 1, 2023

Chiming in from the OWASP ModSecurity Core Rule Set team: We are 100% behind this and we have also set aside some funds for this. It's not much, but it's enough to get you going.

@jptosso
Member Author

jptosso commented Jun 1, 2023

Thank you very much, @dune73. CRS participation is very much appreciated and essential for the success of this project.

@swzaaaaaaa

Please, how is it going?

@jptosso
Member Author

jptosso commented Nov 1, 2023

> Please, how is it going?

No updates

@pvalin

pvalin commented Mar 31, 2024

Hi,

And today? Some news?
