
chengdedeng / Waf

Licence: other
🚦Web Application Firewall or API Gateway(应用防火墙/API网关)

Programming Languages

java
68154 projects - #9 most used programming language

Projects that are alternatives of or similar to Waf

Xwaf
xWAF 3.0 - Free Web Application Firewall, Open-Source.
Stars: ✭ 48 (-91.22%)
Mutual labels:  firewall, waf
Docker Waf
An NGINX and ModSecurity based Web Application Firewall for Docker
Stars: ✭ 181 (-66.91%)
Mutual labels:  firewall, waf
Cidram
CIDRAM: Classless Inter-Domain Routing Access Manager.
Stars: ✭ 86 (-84.28%)
Mutual labels:  firewall, waf
Botwall4j
A botwall for Java web applications
Stars: ✭ 41 (-92.5%)
Mutual labels:  firewall, waf
aws-firewall-factory
Deploy, update, and stage your WAFs while managing them centrally via FMS.
Stars: ✭ 72 (-86.84%)
Mutual labels:  firewall, waf
Whatwaf
Detect and bypass web application firewalls and protection systems
Stars: ✭ 1,881 (+243.88%)
Mutual labels:  firewall, waf
Awesome Waf
🔥 Everything about web-application firewalls (WAF).
Stars: ✭ 4,047 (+639.85%)
Mutual labels:  firewall, waf
Frp
A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.
Stars: ✭ 51,746 (+9359.96%)
Mutual labels:  http-proxy, firewall
shieldfy-php-client
The official PHP SDK for Shieldfy
Stars: ✭ 15 (-97.26%)
Mutual labels:  firewall, waf
SmartGW
Domain based VPN Gateway/Proxy for all devices
Stars: ✭ 49 (-91.04%)
Mutual labels:  firewall, http-proxy
zorp
Zorp GPL
Stars: ✭ 102 (-81.35%)
Mutual labels:  firewall, http-proxy
waf4wordpress
WAF for WordPress 🔥 with 60+ security checks and weekly updates
Stars: ✭ 102 (-81.35%)
Mutual labels:  firewall, waf
Laravel Firewall
Web Application Firewall (WAF) package for Laravel
Stars: ✭ 544 (-0.55%)
Mutual labels:  firewall, waf
Proxy requests
a class that uses scraped proxies to make http GET/POST requests (Python requests)
Stars: ✭ 357 (-34.73%)
Mutual labels:  http-proxy
Modsecurity
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analys…
Stars: ✭ 5,015 (+816.82%)
Mutual labels:  waf
Rocky
Full-featured, middleware-oriented, programmatic HTTP and WebSocket proxy for node.js
Stars: ✭ 357 (-34.73%)
Mutual labels:  http-proxy
Gluetun
VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN, DNS over TLS, with a few proxy servers built-in.
Stars: ✭ 346 (-36.75%)
Mutual labels:  http-proxy
Awesome Anti Censorship
curated list of open-source anti-censorship tools
Stars: ✭ 521 (-4.75%)
Mutual labels:  firewall
Awesome Nginx Security
🔥 A curated list of awesome links related to application security related to the environments with NGINX or Kubernetes Ingres Controller (based on NGINX)
Stars: ✭ 417 (-23.77%)
Mutual labels:  waf
Ansible Role Firewall
Ansible Role - iptables Firewall configuration.
Stars: ✭ 343 (-37.29%)
Mutual labels:  firewall

Chat: https://gitter.im/chengdedeng/waf (Gitter). License: MIT (see LICENSE).

WAF is an API gateway written in Java. Because WAF is built on top of the open-source proxy LittleProxy, its networking layer is Netty.

Features

  1. Security interception, supporting various kinds of analysis and detection, with script support (sandboxed);
  2. Rate limiting / CC (HTTP flood) protection, at IP granularity, extensible;
  3. HTTP proxy, supporting "hijacking" of HTTPS connections in "man in the middle" style;
  4. URL rewrite;
  5. HTTP redirect;
  6. SOCKS5;
  7. Centralized configuration;
  8. Custom protocol conversion, e.g. HTTP->DUBBO, HTTP->GRPC (Swagger API documents can be imported);

Quick Start

Build:
 mvn package
Run:

Because appassembler-maven-plugin packages the build as a JSW (Java Service Wrapper) compliant bundle, unzip the Zip file in the target directory and then run the script for your platform in the bin directory. Taking Linux as an example:

bin/waf { console | start | stop | restart | status | dump }
Configuration:

Starting with 2.0, configuration is split into base configuration and application configuration. The base configuration consists of waf.properties, admin.properties, application.properties and cluster.properties on the classpath; the application configuration is set through the API. WAF does not yet have a simple UI for this, but Swagger is integrated, so it can be configured through the Swagger UI. Compared with 1.0, the benefit of centralizing configuration in 2.0 is that configuration changes no longer require a restart to reload; rules can be added, disabled or deleted at any time. As for the configuration center, ZooKeeper is currently stable, while the in-house Atomix-based configuration center is not yet mature, so enabling the Atomix SPI implementation is not recommended. Although there is no UI, the API performs detailed validation, so settings can be applied with confidence; a misconfigured parameter is unlikely to crash the system.

Architecture

For the HTTP proxy, LittleProxy, which is built on Netty, was chosen. LittleProxy is an open-source project started by the maintainers of Lantern and is an excellent Java HTTP proxy. For load balancing, WAF offers two modes: one based on a proxy chain and the other based on HostResolver. With a proxy chain, the mapping to the target host is delegated to the downstream proxy, whereas with HostResolver WAF performs the mapping itself. Note in particular that when the proxy chain contains multiple proxies there is no load balancing between them: the next proxy is used only when the previous one is unavailable.

HttpRequestFilterChain and HttpResponseFilterChain are chains of responsibility that intercept and analyze inbound and outbound data respectively. Request interception is divided into blacklist and whitelist types; response interception mainly hardens the outgoing data. For the request interception rules, I drew on loveshell/ngx_lua_waf.

For more technical details, see my articles "Java版WAF技术细节" (technical details of the Java WAF) and "HttpProxy研发心得" (notes on developing the HTTP proxy).

Performance

Test objective

Nginx's performance is well known. Since WAF acts as an HTTP proxy, it needs to be compared against Nginx to see how large the performance gap is.

Because the goal is to push the proxy in the middle to its limit, the backend service must be very fast, at least faster than the proxy, so Nginx was used to simulate the backend service. To reduce the effect of network overhead on the test, all tests were run on a single machine.

Test baselines:

1.AB->Nginx_Proxy->Nginx_AS

2.AB->WAF->Nginx_AS

3.ab -k -c 100 -n 1000000 <target address> (HTTP keep-alive connections)

4.ab -c 100 -n 1000000 <target address> (HTTP short-lived connections)

JDK version:
java version "1.8.0_131"
Java(TM) SE Runtime Environment (build 1.8.0_131-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.131-b11, mixed mode)
WAF JVM configuration:
wrapper.java.additional.1=-server
wrapper.java.additional.2=-Xms2048m
wrapper.java.additional.3=-Xmx2048m
wrapper.java.additional.4=-Xmn800m
wrapper.java.additional.5=-XX:+UseG1GC
wrapper.java.additional.6=-Xloggc:/tmp/log/gc.log
wrapper.java.additional.7=-XX:+HeapDumpOnOutOfMemoryError
wrapper.java.additional.8=-XX:+PrintGCDetails
wrapper.java.additional.9=-XX:+PrintGCTimeStamps
wrapper.java.additional.10=-XX:+PreserveFramePointer
WAF base configuration:
#on means WAF performs load balancing; requires upstream.properties; mutually exclusive with waf.proxy.chain and waf.mitm
waf.lb=on
#retry interval in seconds, default 10
waf.lb.fail_timeout=10
#whether to route to the proxy downstream of WAF; mutually exclusive with waf.proxy.lb
waf.chain=off
#proxies downstream of WAF, separated by ",". Note that the next one is used only when the previous one is unavailable; downstream proxies are not load balanced
waf.chain.servers=127.0.0.1:4321
#whether to enable TLS; mutually exclusive with waf.mitm
waf.tls=off
#whether to enable man-in-the-middle interception of HTTPS; mutually exclusive with waf.tls and waf.proxy.lb
waf.mitm=off
#number of acceptor threads; if the system listens on only one server port, set the BossGroup thread count to 1.
#https://stackoverflow.com/questions/22280916/do-we-need-more-than-a-single-thread-for-boss-group
waf.acceptorThreads=1
#number of worker threads handling client requests
waf.clientToProxyWorkerThreads=100
#number of worker threads handling traffic between the proxy and the backend servers
waf.proxyToServerWorkerThreads=100
#WAF server port
waf.serverPort=9091
#whether to enable SOCKS5 support
waf.ss=off
waf.ss.server.host=127.0.0.1
waf.ss.server.port=1080
#The timeout (in seconds) for auto-closing idle connections.
waf.idleConnectionTimeout=70
Server / VM (test machine) configuration:
4 x Intel(R) Xeon(R) CPU E5-2640 v2 @ 2.00GHz

Results:

CPU (idle mostly below 10%)

%Cpu0  : 49.8 us, 33.7 sy,  0.0 ni,  6.1 id,  0.0 wa,  0.0 hi, 10.4 si,  0.0 st
%Cpu1  : 48.0 us, 33.9 sy,  0.0 ni,  7.4 id,  0.0 wa,  0.0 hi, 10.7 si,  0.0 st
%Cpu2  : 49.8 us, 33.0 sy,  0.0 ni,  7.4 id,  0.0 wa,  0.0 hi,  9.8 si,  0.0 st
%Cpu3  : 48.8 us, 31.5 sy,  0.0 ni,  8.5 id,  0.0 wa,  0.0 hi, 11.2 si,  0.0 st

QPS

Test scenario               Test condition     QPS
AB->Nginx_AS                HTTP keep-alive    64815
AB->Nginx_AS                HTTP short-lived   6174
AB->Nginx_Proxy->Nginx_AS   HTTP keep-alive    16924
AB->Nginx_Proxy->Nginx_AS   HTTP short-lived   13137
AB->WAF->Nginx_AS           HTTP keep-alive    5566
AB->WAF->Nginx_AS           HTTP short-lived   5559

Flame graph:

GitHub does not render flame graphs; click to download the source file.

FAQ

  1. After enabling TLS or MITM, a waf_cert certificate is generated in the project directory. With TLS the certificate is served automatically; with MITM the certificate must be added manually, and once it is trusted everything works normally.
  2. Of each pair waf.proxy.lb and waf.proxy.mitm, waf.tls and waf.proxy.mitm, waf.proxy.chain and waf.proxy.lb, only one may be enabled.
  3. If you only want to capture HTTP or HTTPS traffic, all security interception can be disabled.
  4. If there is another load balancer in front of the gateway, for example Nginx, the Nginx->Gateway connection must use HTTP/1.1; otherwise the error upstream prematurely closed connection while reading upstream is reported. The cause of this problem is explained in the comments on the proxyToServerRequestSending method in HttpFilterAdapterImpl.java.
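The base configuration's switches are mutually exclusive (see the comments in the sample waf.properties above and FAQ item 2), so a pre-deployment sanity check is useful. The following is an added Python example, not code from the Waf project: it parses a waf.properties fragment and applies the constraints the page states; the parser, the `has_upstream_properties` flag and the sample fragments are constructed here.

```python
# Added example, not part of the Waf project: checks a waf.properties
# fragment against the mutual-exclusion rules stated on the page.

MUTUALLY_EXCLUSIVE = [
    ("waf.lb", "waf.chain"),  # load balancing vs. downstream proxy chain
    ("waf.lb", "waf.mitm"),   # load balancing vs. HTTPS man-in-the-middle
    ("waf.tls", "waf.mitm"),  # TLS vs. HTTPS man-in-the-middle
]


def parse_properties(text):
    """Parse a Java .properties fragment ('#'/'!' comments, key=value) into a dict."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_waf_properties(text, has_upstream_properties=False):
    """Return the list of problems found; an empty list means the fragment is consistent."""
    props = parse_properties(text)
    on = {k for k, v in props.items() if v.lower() == "on"}
    problems = []
    for a, b in MUTUALLY_EXCLUSIVE:
        if a in on and b in on:
            problems.append(f"{a} and {b} cannot both be on")
    if "waf.lb" in on and not has_upstream_properties:
        problems.append("waf.lb=on requires upstream.properties")
    if "waf.chain" in on and not props.get("waf.chain.servers"):
        problems.append("waf.chain=on requires waf.chain.servers")
    port = props.get("waf.serverPort", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"waf.serverPort is not a valid TCP port: {port!r}")
    return problems


# Constructed sample fragments (not from the project's repository).
CONSTRUCTED_OK = "waf.lb=on\nwaf.chain=off\nwaf.tls=off\nwaf.mitm=off\nwaf.serverPort=9091\n"
CONSTRUCTED_CONFLICTING = ("waf.lb=on\nwaf.chain=on\nwaf.chain.servers=127.0.0.1:4321\n"
                           "waf.tls=off\nwaf.mitm=on\nwaf.serverPort=9091\n")

if __name__ == "__main__":
    print(check_waf_properties(CONSTRUCTED_OK, has_upstream_properties=True))
    print(check_waf_properties(CONSTRUCTED_CONFLICTING, has_upstream_properties=True))
```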