Today I’ll show how to enable the Web Application Firewall, or WAF, in OpenResty Edge.

OpenResty Edge’s WAF platform is many times faster than almost all open-source WAF solutions like ModSecurity and lua-resty-waf.

Embeded image

Enable WAF for applications

Let’s go to the web console of OpenResty Edge. This is our sample deployment of the console. Every user has their own deployment.

Screenshot

We use our continuing sample application for the test-edge.com domain.

Screenshot

Let’s enter this application.

Screenshot

Go to the Page Rules page.

Screenshot

We already have a reverse proxy page rule set up in an earlier tutorial.

Screenshot

Now let’s enable some WAF rulesets.

Edit the page rules.

Screenshot

Click the WAF switch to enable it.

Screenshot

Screenshot

Here we can choose the WAF rulesets to enable.

Screenshot

Here we just keep the default rulesets.

Screenshot

Select the action for the requests hitting the WAF rules.

Screenshot

The Log only action helps test the WAF rule itself without worrying about affecting the requests.

Screenshot

Save the rule.

Screenshot

We need to make a new configuration release to push out our new changes, as always.

Screenshot

Click on this button.

Screenshot

Ship it!

Screenshot

Our new release is now synchronized to all our gateway servers.

Screenshot

Now the change has been pushed to all the gateway clusters and servers.

Embeded video

Embeded video

Embeded video

Our configuration changes do NOT require server reload, restart, or binary upgrade. So it’s very efficient and scalable.

Embeded image

Test the WAF settings of applications

Let’s send a malicious request attempting a SQL injection.

Screenshot

The request returned the default index page of the origin site. It was to be expected since we chose to log hits only.

Let’s check the WAF hit Logs in the web console.

Screenshot

Screenshot

We can see that the rule was indeed hit and logged.

Screenshot

This part shows the details of the individual requests caught by the WAF.

Screenshot

Click the Check Rule button to see the details of the WAF rule matched.

Screenshot

Show the rule definition in the Edge language.

Screenshot

Disable and re-enable WAF

If you find any false positives, you can toggle this switch to disable the corresponding WAF rule individually.

Screenshot

Disabled rules will be displayed on the WAF Config page.

Screenshot

Here is the list of disabled WAF rules.

Screenshot

And this is the WAF rule we just disabled.

Screenshot

Click the Delete button to re-enable the rule.

Screenshot

Screenshot

WAF whitelist

Furthermore, you can add a WAF white-list to skip requests which should bypass the WAF to save CPU cycles.

Screenshot

For example, static assets generally don’t need WAF filtering. Skipping those resources can reduce the overhead on your servers.

Screenshot

Screenshot

Change the block action after a WAF hit

This time, let’s change the “Log only” action to something else. Like returning a 403 error response.

Embeded image

Go to the Page Rules page.

Screenshot

Edit the page rule again.

Screenshot

Change the action.

Screenshot

We’ll block malicious requests this time.

Screenshot

Here we can set the sensitivity level.

Screenshot

Alternatively, we can also set a score number directly.

Screenshot

It is the sum of the risk scores of all the matched WAF rules. The action will not run until the total score threshold is reached.

Save the rule.

Screenshot

Release the configuration changes again.

Screenshot

Screenshot

Screenshot

Screenshot

Test the new block action

Send the malicious request again.

Screenshot

The server returned a “403 Forbidden” response this time.

Check out the WAF Logs page again.

Screenshot

The action logged is indeed “Block with HTTP code 403” here.

Screenshot

Create WAF rule set

The WAF platform is very flexible and extensible. You can also create your own WAF rulesets.

Screenshot

Go to the Global Config page.

Screenshot

Click the “Global WAF” menu item.

Screenshot

Click the New Rule Set button.

Screenshot

Enter the ruleset name here, and definition here.

Screenshot

And also custom WAF rules in our Edge language, or Edgelang for short.

Screenshot

And then we can save it.

Screenshot

Quit this page.

The implementation of WAF in OpenResty Edge

Screenshot

OpenResty Edge’s WAF is extremely efficient because it implements many advanced optimization techniques.

It supports combining regular expressions referenced by all the WAF rules into a single state machine. This way, it can immediately know which rules and which parts of those rules are matched by scanning the request data only once.

It also supports combining constant string prefix and suffix patterns into single Trie tree data structures across all the WAF rules.

Screenshot

Screenshot

Screenshot

These optimizations are not just specific to the WAF platform.

All the page rules and Edge language rules enjoy exactly the same optimizations as well.

Screenshot

This is what I’d like to cover today.

Screenshot

What is OpenResty Edge

OpenResty Edge is our all-in-one gateway software for microservices and distributed traffic architectures. It combines traffic management, private CDN construction, API gateway, security, and more to help you easily build, manage, and protect modern applications. OpenResty Edge delivers industry-leading performance and scalability to meet the demanding needs of high concurrency, high load scenarios. It supports scheduling containerized application traffic such as K8s and manages massive domains, making it easy to meet the needs of large websites and complex applications.

If you like this tutorial, please subscribe to this blog site and/or our YouTube channel. Thank you!

About The Author

Yichun Zhang (Github handle: agentzh), is the original creator of the OpenResty® open-source project and the CEO of OpenResty Inc..

Yichun is one of the earliest advocates and leaders of “open-source technology”. He worked at many internationally renowned tech companies, such as Cloudflare, Yahoo!. He is a pioneer of “edge computing”, “dynamic tracing” and “machine coding”, with over 22 years of programming and 16 years of open source experience. Yichun is well-known in the open-source space as the project leader of OpenResty®, adopted by more than 40 million global website domains.

OpenResty Inc., the enterprise software start-up founded by Yichun in 2017, has customers from some of the biggest companies in the world. Its flagship product, OpenResty XRay, is a non-invasive profiling and troubleshooting tool that significantly enhances and utilizes dynamic tracing technology. And its OpenResty Edge product is a powerful distributed traffic management and private CDN software product.

As an avid open-source contributor, Yichun has contributed more than a million lines of code to numerous open-source projects, including Linux kernel, Nginx, LuaJIT, GDB, SystemTap, LLVM, Perl, etc. He has also authored more than 60 open-source software libraries.