Enables CRS early blocking (envoyproxy#129)

arminabf · Jan 11, 2023 · 5ee6a72 · 5ee6a72
1 parent 52264b5
commit 5ee6a72
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -103,6 +103,9 @@ configuration:
     }
 ```
 
+#### Recommendations using CRS with proxy-wasm
+- In order to mitigate as much as possible malicious requests (or connections open) sent upstream, it is recommended to keep the [CRS Early Blocking](https://coreruleset.org/20220302/the-case-for-early-blocking/) feature enabled (SecAction [`900120`](./wasmplugin/rules/crs-setup.conf.example)).
+
 ### Running go-ftw (CRS Regression tests)
 
 The following command runs the [go-ftw](https://github.com/fzipi/go-ftw) test suite against the filter with the CRS fully loaded.

diff --git a/wasmplugin/rules/crs-setup-demo.conf b/wasmplugin/rules/crs-setup-demo.conf
@@ -398,13 +398,13 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # does not get evaluated if the request is being blocked early. So when you
 # disabled early blocking again at some point in the future, then new alerts
 # from phase 2 might pop up.
-#SecAction \
-#  "id:900120,\
-#  phase:1,\
-#  nolog,\
-#  pass,\
-#  t:none,\
-#  setvar:tx.early_blocking=1"
+SecAction \
+ "id:900120,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:tx.early_blocking=1"
 
 
 #

diff --git a/wasmplugin/rules/crs-setup.conf.example b/wasmplugin/rules/crs-setup.conf.example
@@ -398,13 +398,13 @@ SecDefaultAction "phase:2,log,auditlog,pass"
 # does not get evaluated if the request is being blocked early. So when you
 # disabled early blocking again at some point in the future, then new alerts
 # from phase 2 might pop up.
-#SecAction \
-#  "id:900120,\
-#  phase:1,\
-#  nolog,\
-#  pass,\
-#  t:none,\
-#  setvar:tx.early_blocking=1"
+SecAction \
+ "id:900120,\
+ phase:1,\
+ nolog,\
+ pass,\
+ t:none,\
+ setvar:tx.early_blocking=1"
 
 
 #