http-coraza #

Coraza WAF for nginx — a Go-powered, drop-in replacement for ModSecurity v3 that speaks the same SecLang rules and OWASP CRS, embedded as a dynamic module via libcoraza. Full write-up: Coraza WAF, the Go ModSecurity replacement →.

Source: upstream source

Read more: deep-dive article on deb.myguard.nl

Directives

coraza #

syntax: coraza on | off (on/off flag);  ·  context: http, server, location

![Compile module](https://github.com/corazawaf/coraza-nginx/actions/workflows/build.yml) # Coraza NGINX Connector The coraza-nginx connector is the connection point between nginx and libcoraza.

coraza_rules #

syntax: coraza_rules 1 arg;  ·  context: http, server, location

Includes Coraza WAF rules directly inline within the nginx configuration.

coraza_rules_file #

syntax: coraza_rules_file 1 arg;  ·  context: http, server, location

Specifies the path to a file containing Coraza WAF rule configuration.

coraza_transaction_id #

syntax: coraza_transaction_id 1+ args;  ·  context: http, server, location

The following example is loading rules from a file and injecting specific configurations per directory/alias: coraza_transaction_id -------------------------- syntax: coraza_transaction_id string context: http, server, location default: no Allows to pass transaction ID from nginx instead of generating it in the library.

Example

load_module "/usr/lib/nginx/modules/ngx_http_coraza_module.so";

worker_processes auto;
error_log /dev/stderr warn;
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
}

http {
    coraza on;
    coraza_rules_file /opt/coraza/config/coraza-rules.conf;

    server {
        listen 80 default_server;

        # Default: serve a simple response via echo-like approach
        # Using a small internal redirect to an always-200 backend
        location @fallback {
            return 200 "OK\n";
        }

        location / {
            error_page 404 405 = @fallback;
            root /tmp/empty;
        }

        location /phase1 {
            coraza_rules '
                SecRule ARGS:action "@streq block403" "id:20001,phase:1,deny,status:403,log"
            ';
            error_page 404 405 = @fallback;
            root /tmp/empty;
        }

        location /phase2 {
            coraza_rules '
                SecRule REQUEST_BODY "@contains PHASE2ATTACK" "id:20002,phase:2,deny,status:403,log"
            ';
            error_page 404 405 = @fallback;
            root /tmp/empty;
        }

        location /redirect-302 {
            coraza_rules '
                SecRule ARGS:target "@streq redirect" "id:20701,phase:1,status:302,log,redirect:http://www.coraza.io"
            ';
            error_page 404 405 = @fallback;
            root /tmp/empty;
        }

        location /redirect-301 {
            coraza_rules '
                SecRule ARGS:target "@streq redirect" "id:20702,phase:1,status:301,log,redirect:http://www.coraza.io"
            ';
            error_page 404 405 = @fallback;
            root /tmp/empty;
        }

        location /deny-401 {
            coraza_rules '
                SecRule ARGS:action "@streq block" "id:20401,phase:1,deny,status:401,log"
            ';
            error_page 404 405 = @fallback;
            root /tmp/empty;
        }

        location /merge-engine-off {
            coraza_rules 'SecRuleEngine Off';
            error_page 404 405 = @fallback;
            root /tmp/empty;
        }

        location /merge-bodyaccess-off {
            coraza_rules 'SecRequestBodyAccess Off';
            error_page 404 405 = @fallback;
            root /tmp/empty;
        }

        location /merge-inherited {
            coraza_rules '
                SecRule ARGS:localonly "@streq yes" "id:20010,phase:1,deny,
…

↑ back to index