A modern web application firewall (WAF) management system built on top of HAProxy and OWASP Coraza WAF with the Coraza SPOA integration. This system provides a comprehensive backend API for managing HAProxy configurations, Coraza WAF rules, and traffic inspection.
run the application in less than 30 seconds,default username: admin,default password: admin123
output.mp4
|
|
|
|
Simple WAF implements a modular architecture with HAProxy at the front handling traffic and multiple security engines providing protection:
- Coraza WAF Engine: OWASP ModSecurity-compatible filtering
- MicroEngine: Rule-based matching engine for IP filtering, URL checking, and complex conditional logic
- Geographic Analysis: Location-based traffic filtering
- Rate Limiting: Traffic control and request throttling
The system uses a plugin architecture that allows for continuous enhancement with new security modules.
graph TD
Client[Client] -->|HTTP Request| HAProxy
HAProxy -->|TCP Connection| SPOE[Coraza SPOE Agent]
SPOE -->|Message Type Recognition| TypeCheck
TypeCheck -->|coraza-req| ReqHandler[Request Handler]
TypeCheck -->|coraza-res| ResHandler[Response Handler]
ReqHandler -->|Get App Name| ReqApp[Find Application]
ResHandler -->|Get App Name| ResApp[Find Application]
ReqApp -->|Process Request| ReqProcess[Request Processor]
ResApp -->|Process Response| ResProcess[Response Processor]
ReqProcess --> Return[Return Results to HAProxy]
ResProcess --> Return
HAProxy -->|Apply Action| Action[Allow/Deny/Log]
Action -->|Response| Client
[HAProxy Request] β [internal.Agent.Serve(Listener)]
β
Create spop.Agent
agent := spop.Agent{
Handler: a,
BaseContext: a.Context,
}
β
[spop.Agent.Serve(Listener)]
β
Accept new connections
nc, err := l.Accept()
β
Create protocol handler
p := newProtocolClient(ctx, nc, as, handler)
β
Start goroutine for connection
go func() {
p.Serve()
}()
β
[protocolClient.Serve]
Process frames in connection
β
[frameHandler processes Frame]
Dispatch based on frame type
β
[onNotify handles messages]
Create message scanner and objects
Call Handler.HandleSPOE
β
[internal.Agent.HandleSPOE processing]
β
Parse message type (coraza-req/coraza-res)
β
Get application name
β
Find Application
β
Execute message handler
β
Process return results
β
[Return to HAProxy]
-
Multi-Engine Protection
-
Coraza WAF Engine:
- OWASP Core Rule Set (CRS) support
- ModSecurity SecLang rule compatibility
- Custom rule management
-
MicroEngine:
- Rule-based matching for IP, URL, and request path
- Complex condition combinations (AND/OR logic)
- IP blacklist/whitelist with CIDR support
- Efficient regex matching with caching
-
Geographic Analysis:
- Country and region-based filtering
- Geographic attack visualization
-
Traffic Control:
- Rate limiting and request throttling
- Connection control mechanisms
-
-
HAProxy Integration
- Full HAProxy lifecycle management (start, stop, restart)
- Dynamic configuration generation
- Real-time status monitoring
-
Advanced Security
- HTTP request inspection
- HTTP response inspection
- Real-time attack detection and prevention
- RBAC user permission system
-
Monitoring and Logging
- WAF attack logs and analytics
- Traffic statistics
- Performance metrics
-
API-Driven Workflow
- RESTful API with Gin framework
- Swagger/ReDoc API documentation
- JWT authentication
- Go 1.24.1 or higher
- Node.js 23.10.0 and pnpm 10.11.0 (for frontend development)
- HAProxy 3.0 (for local development)
- MongoDB 6.0
- Docker and Docker Compose (for containerized deployment)
- Clone the repository:
git clone https://github.com/HUAHUAI23/RuiQi.git
cd RuiQi- Setup the frontend development environment:
cd server/web
pnpm install
pnpm dev # For development mode with hot reload
# or
pnpm build # For production build
cd ../..- Configure backend environment:
cp server/.env.template server/.env
# Edit .env with your configurations- Run the Go backend service:
go work use ./coraza-spoa ./pkg ./server
cd server
go run main.goThe development server will start with:
- API server:
http://localhost:2333/api/v1 - Swagger UI:
http://localhost:2333/swagger/index.html - ReDoc UI:
http://localhost:2333/redoc - Frontend:
http://localhost:2333/
- Clone the repository:
git clone https://github.com/HUAHUAI23/RuiQi.git
cd RuiQi- Build the Docker image:
docker build -t ruiqi-waf:latest .- Run as a standalone container:
docker run -p 2333:2333 -p 8080:8080 -p 443:443 -p 80:80 -p 9443:9443 -p 8404:8404 ruiqi-waf:latest- Alternatively, use Docker Compose for a complete deployment with MongoDB:
# Edit docker-compose.yaml to configure environment variables if needed
docker-compose up -dThis will start both MongoDB and Simple WAF services with all required configurations.
Our project features and development progress:
-
Monitoring Dashboard
- Real-time attack visualization map
- Geographic attack origin analytics
- Comprehensive security metrics dashboard
-
Advanced Traffic Control
- Fine-grained rate limiting
- Request frequency analysis
- Adaptive throttling based on traffic patterns
-
Alert Integration
- Webhook alert system
- Integration with popular messaging platforms
- Customizable alert templates
-
AI Security Analysis
- ML-based attack pattern detection
- AI-assisted rule generation
- Automated ModSecurity directive creation
- MCP (Model Control Plane) integration
-
Enhanced Rule Management
- OWASP Top 10 specific rule templates
- Rule effectiveness scoring
- One-click protection profiles
For detailed technical documentation on engine architecture and implementation, see the proposals in the /doc/proposal directory.
This project is licensed under the MIT License - see the LICENSE file for details.