docs: improves readme for docker. #4

Merged
merged 1 commit into from
Mar 30, 2023

Conversation

jcchavezs
Owner

No description provided.

@RedXanadu

Thank you @jcchavezs!

@jcchavezs
Owner Author

jcchavezs commented Mar 29, 2023 via email

jcchavezs merged commit 1b73b25 into main Mar 30, 2023
@RedXanadu

RedXanadu commented Apr 3, 2023

@jcchavezs

Did it work?

I'm revisiting this again today, and unfortunately it doesn't seem to work :(

Maybe I'm missing something.


Testing the Go variant, I get:

$ go run github.com/jcchavezs/coraza-httpbin/cmd/coraza-httpbin@latest -directives ./directives.conf.example
2023/04/03 17:49:00 invalid WAF config from file: failed to parse string: failed to readfile: open path: invalid argument
exit status 1

That is with my directives set like so:

SecRuleEngine On
SecDebugLog /dev/stdout
SecDebugLogLevel 1
Include /home/xanadu/.git/coreruleset/crs-setup.conf.example
Include /home/xanadu/.git/coreruleset/rules/*.conf

Testing the Docker variant, I get:

$ sudo docker run ghcr.io/jcchavezs/coraza-httpbin:main
exec /usr/bin/coraza-httpbin: no such file or directory

Do I need to compile Coraza and copy the binary into the container?

@jcchavezs
Owner Author

jcchavezs commented Apr 4, 2023 via email

@jcchavezs
Owner Author

Hi @RedXanadu, thanks for the feedback and the error traces, which let me reproduce the error. Unfortunately this is an issue with the file system, as it does not like absolute paths. I tried different approaches and ended up creating my own library for merging filesystems, because the existing ones had some opinions and did not implement all the interfaces.

I will fix it as soon as I finish testing the new merge library.
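The absolute-path failure described in the comment above is a property of Go's io/fs: fs.ValidPath rejects any name that starts with "/", so a loader that resolves Include operands through a plain fs.FS (os.DirFS included) cannot open /home/xanadu/... and reports fs.ErrInvalid, which prints as "invalid argument". The following is an added example, not code from coraza-httpbin, Coraza or the merge library mentioned above; RulesFS, NewRulesFS, AbsolutePathRejected and IncludeTargets are names invented here, and the rule-file contents are constructed. It shows the rejection and one way to merge an embedded ruleset with absolute host paths behind a single fs.FS.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
	"testing/fstest"
)

// AbsolutePathRejected shows the root cause: fs.ValidPath forbids a leading
// slash, so a plain fs.FS such as os.DirFS answers any absolute name with
// fs.ErrInvalid, which prints as "open <name>: invalid argument".
func AbsolutePathRejected(absPath string) bool {
	_, err := os.DirFS("/").Open(absPath)
	return errors.Is(err, fs.ErrInvalid)
}

// RulesFS merges several sources behind one fs.FS (an invented stand-in for
// a merged filesystem, not the library mentioned in the thread). Absolute
// names go straight to the host filesystem, the only place that can serve
// them; valid relative names are tried against each backend in order, so an
// embedded ruleset and a working-directory os.DirFS can both satisfy Include.
type RulesFS struct {
	Relative []fs.FS
}

func NewRulesFS(relative ...fs.FS) RulesFS { return RulesFS{Relative: relative} }

func (m RulesFS) Open(name string) (fs.File, error) {
	if filepath.IsAbs(name) {
		return os.Open(name) // *os.File satisfies fs.File
	}
	if !fs.ValidPath(name) { // also rejects "../" escapes
		return nil, &fs.PathError{Op: "open", Path: name, Err: fs.ErrInvalid}
	}
	for _, backend := range m.Relative {
		f, err := backend.Open(name)
		if err == nil {
			return f, nil
		}
		if !errors.Is(err, fs.ErrNotExist) {
			return nil, err // a real failure, not a cue to try the next backend
		}
	}
	return nil, &fs.PathError{Op: "open", Path: name, Err: fs.ErrNotExist}
}

// IncludeTargets pulls the Include operands out of a directives fragment so a
// loader can resolve each one through RulesFS. Glob expansion is left out.
func IncludeTargets(directives string) []string {
	var targets []string
	for _, line := range strings.Split(directives, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "Include ") {
			targets = append(targets, strings.TrimSpace(strings.TrimPrefix(line, "Include ")))
		}
	}
	return targets
}

func main() {
	fmt.Println("os.DirFS rejects /etc/hosts:", AbsolutePathRejected("/etc/hosts"))

	// Constructed sample: one rule file on disk at an absolute path, one
	// "embedded" in memory, both referenced from the same directives text.
	dir, err := os.MkdirTemp("", "crs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	abs := filepath.Join(dir, "crs-setup.conf.example")
	if err := os.WriteFile(abs, []byte("SecDefaultAction \"phase:1,log,auditlog,pass\"\n"), 0o644); err != nil {
		panic(err)
	}
	embedded := fstest.MapFS{
		"rules/REQUEST-901-INITIALIZATION.conf": {Data: []byte("# embedded rule file\n")},
	}
	rules := NewRulesFS(embedded, os.DirFS("."))

	directives := "SecRuleEngine On\nInclude " + abs + "\nInclude rules/REQUEST-901-INITIALIZATION.conf\n"
	for _, target := range IncludeTargets(directives) {
		data, err := fs.ReadFile(rules, target)
		fmt.Printf("%s -> %d bytes, err=%v\n", target, len(data), err)
	}
}
```

The check that matters for a loader is the ordering in Open: absolute names never reach the fs.FS backends, and relative names are validated before any backend sees them, so a directives file cannot use "../" to read outside the rule roots.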

@jcchavezs
Owner Author

@RedXanadu could you please try this branch #6?

@RedXanadu

RedXanadu commented Apr 13, 2023

@jcchavezs No joy: I'm getting the same errors with that branch:

$ go run github.com/jcchavezs/coraza-httpbin/cmd/coraza-httpbin@latest -directives ./directives.conf.example
2023/04/13 17:12:45 invalid WAF config from file: failed to parse string: failed to readfile: open path: invalid argument
exit status 1

and

$ sudo docker run ghcr.io/jcchavezs/coraza-httpbin:main
exec /usr/bin/coraza-httpbin: no such file or directory

Still using the same directives file:

SecRuleEngine On
SecDebugLog /dev/stdout
SecDebugLogLevel 1
Include /home/xanadu/.git/coreruleset/crs-setup.conf.example
Include /home/xanadu/.git/coreruleset/rules/*.conf

@jcchavezs
Owner Author

jcchavezs commented Apr 15, 2023

Hi @RedXanadu, I am sorry for not coming back earlier. I think the problem is that you are trying to run it from main (which did not include the changes in the PR at the time). I merged the PR into main, so you might want to try now and everything should work as announced. To make sure everything works as expected I added some tests in the PR (see https://github.com/jcchavezs/coraza-httpbin/blob/main/cmd/coraza-httpbin/main_test.go).

Notice that go run github.com/jcchavezs/coraza-httpbin/cmd/coraza-httpbin@latest -directives ./directives.conf.example attempts to run the binary downloaded by Go (not the one in your local checkout) with the local directives file.

@RedXanadu

RedXanadu commented Apr 17, 2023

Thanks @jcchavezs! Confirmed that this now works. This will make testing Coraza so much easier 😀

One quick question: do I need to tweak httpbin to accept non-GET requests? POST requests aren't making it to CRS, it seems.

One of my usual CRS tests is
curl localhost --data 'test=/bin/bash'
but it isn't being detected: I'm just getting a 405 Method Not Allowed returned from somewhere, and no CRS detection (maybe httpbin is interfering?):

$ curl localhost:8080 -v -o/dev/null --data 'test=/bin/bash'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> POST / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.0.1
> Accept: */*
> Content-Length: 14
> Content-Type: application/x-www-form-urlencoded
> 
} [14 bytes data]
< HTTP/1.1 405 Method Not Allowed
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Origin: *
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Mon, 17 Apr 2023 14:18:09 GMT
< Content-Length: 24
< 
{ [24 bytes data]
100    38  100    24  100    14   5083   2965 --:--:-- --:--:-- --:--:--  9500
* Connection #0 to host localhost left intact

@jcchavezs
Owner Author

jcchavezs commented Apr 17, 2023 via email

@RedXanadu

Yes, with the default directive file/config POST arguments are not causing CRS to flag.

What is the Coraza recommended conf? Is that an extra file that should be Include-d somewhere?

@jcchavezs
Owner Author

jcchavezs commented Apr 18, 2023 via email

@RedXanadu

RedXanadu commented Apr 24, 2023

@jcchavezs Adding SecRequestBodyAccess On to directives.conf.example fixed it 😄 Thanks!

So, should this file be Include-d for coraza-httpbin to work correctly?

https://github.com/corazawaf/coraza/blob/v3/dev/coraza.conf-recommended

I would like to document on the CRS documentation website how to use coraza-httpbin for testing CRS+Coraza, so if one of the steps must be:

"Download and include the file https://github.com/corazawaf/coraza/blob/v3/dev/coraza.conf-recommended"

then I'll document it like that.
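To see why the POST in the curl trace above never reached the rules until SecRequestBodyAccess On was set, here is an added example in Go. It is not Coraza's code and not CRS: Config, Inspect, Probe and the shellCode pattern are simplifications invented for this example (the pattern stands in for CRS's Unix shell-code RCE rules, which are far broader), and the upstream handler is an assumed stand-in that, like the httpbin response in the thread, answers POST / with 405. The point it shows is that query arguments are inspected either way, but POST arguments exist for the rules only when the body is read and then handed back to the upstream intact.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// shellCode is a small stand-in for a CRS-style RCE pattern (assumption for
// this example, not the real rule): an absolute path to a Unix shell.
var shellCode = regexp.MustCompile(`(^|[^[:alnum:]])/bin/(ba|z|da)?sh\b`)

// Config mirrors the two seclang directives that decide whether a request
// body is ever looked at: SecRequestBodyAccess and SecRequestBodyLimit.
type Config struct {
	RequestBodyAccess bool
	RequestBodyLimit  int64
}

// argsMatch reports whether any argument value matches the pattern.
func argsMatch(values url.Values) bool {
	for _, vs := range values {
		for _, v := range vs {
			if shellCode.MatchString(v) {
				return true
			}
		}
	}
	return false
}

// Inspect wraps next with a WAF-like gate. Query arguments are always
// checked; POST arguments only when RequestBodyAccess is on, because the
// body is otherwise never read and flows straight through to the upstream.
func Inspect(cfg Config, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if argsMatch(r.URL.Query()) {
			http.Error(w, "blocked by rules (ARGS_GET)", http.StatusForbidden)
			return
		}
		if cfg.RequestBodyAccess && r.Body != nil {
			// Read at most limit+1 bytes so an oversized body is detected
			// without buffering it all.
			body, err := io.ReadAll(io.LimitReader(r.Body, cfg.RequestBodyLimit+1))
			if err != nil {
				http.Error(w, "bad request body", http.StatusBadRequest)
				return
			}
			if int64(len(body)) > cfg.RequestBodyLimit {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			// The upstream must still see the bytes we just consumed.
			r.Body = io.NopCloser(bytes.NewReader(body))
			if strings.HasPrefix(r.Header.Get("Content-Type"), "application/x-www-form-urlencoded") {
				form, err := url.ParseQuery(string(body))
				if err != nil {
					http.Error(w, "malformed form body", http.StatusBadRequest)
					return
				}
				if argsMatch(form) {
					http.Error(w, "blocked by rules (ARGS_POST)", http.StatusForbidden)
					return
				}
			} else if shellCode.Match(body) {
				http.Error(w, "blocked by rules (REQUEST_BODY)", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// upstream is an assumed stand-in for httpbin's index handler: only GET is
// served, anything else gets the 405 seen in the thread.
var upstream = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
		return
	}
	fmt.Fprintln(w, "httpbin index")
})

// Probe sends one in-memory request through Inspect and returns the status.
func Probe(cfg Config, method, target, body string) int {
	req := httptest.NewRequest(method, target, strings.NewReader(body))
	if body != "" {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rec := httptest.NewRecorder()
	Inspect(cfg, upstream).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	off := Config{RequestBodyAccess: false, RequestBodyLimit: 1 << 20}
	on := Config{RequestBodyAccess: true, RequestBodyLimit: 1 << 20}
	fmt.Println("body access off, POST test=/bin/bash:", Probe(off, "POST", "/", "test=/bin/bash"))
	fmt.Println("body access on,  POST test=/bin/bash:", Probe(on, "POST", "/", "test=/bin/bash"))
	fmt.Println("body access on,  GET ?test=/bin/bash:", Probe(on, "GET", "/?test=/bin/bash", ""))
}
```

With body access off the POST reaches the upstream untouched and the 405 comes back from there, which is exactly the symptom in the curl trace; with it on, the same request is stopped at the gate with 403. The buffering step is what makes SecRequestBodyLimit necessary in a real deployment: once a WAF reads bodies, it needs a cap on how much it will hold.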

@jcchavezs
Owner Author

Awesome @RedXanadu. Ideally that can be imported directly https://github.com/corazawaf/coraza-coreruleset/blob/main/rules/%40coraza.conf-recommended so maybe it should be fixed in this repo itself.

@jcchavezs
Owner Author

Done #8
