# README
go-waf
go-waf is a web application firewall (WAF) developed in Go using the Gin framework. It provides robust security features to protect web applications from various threats while ensuring high performance and scalability.
Table of Contents
Features
- Rate Limiting: Manage and restrict the number of requests a client can make within a specified time frame to prevent abuse.
- SQL Injection Detection: Identify and block potential SQL injection attacks to safeguard your database.
- XSS Injection Detection: Detect and mitigate cross-site scripting (XSS) attacks to protect user data and maintain application integrity.
- Caching: Improve response times and reduce backend load by caching frequently accessed data.
- Reverse Proxy: Seamlessly forward requests to backend services, handling SSL termination and other proxy-related tasks.
Getting Started
Prerequisites
- Go 1.23 or later for development
- Docker for containerized deployment
Installation
-
Clone the repository:
git clone https://github.com/jahrulnr/go-waf.git cd go-waf -
Install dependencies:
go mod tidy -
Copy the example environment file:
cp .env-example .envUpdate the values in the
.envfile as needed. -
Build the application:
go build -o go-waf cmd/main.go
Running the Application
To run the application in development mode with live reloading:
make dev
To build and run the application using Docker:
make docker-dev
Configuration
The application can be configured using environment variables or a .env file. For a comprehensive list of available configuration options, refer to config/config.go.
Usage
Reverse Proxy
Configure the reverse proxy settings in your .env file:
ADDR=:8080: The port on which the service will listen.HOST=bangunsoft.com: The domain used for masking the destination.HOST_DESTINATION=http://my-app:3000: The actual backend service URL. The application will fetch data from the backend service and replace theHOST_DESTINATIONdomain with theHOSTdomain in the response. This is particularly useful for local development or docker hostname. For example:- If you set
HOST=bangunsoft.comandHOST_DESTINATION=http://my-app:3000, the application will replacehttp://my-app:3000withhttp://bangunsoft.comin the response.
Web Application Firewall (WAF)
Enable the WAF by setting USE_WAF=true in your .env file.
Configure the WAF settings:
WAF_CONFIG=config/keywords.yml: Specify the path to the WAF configuration file.WAF_PROTECT_HEADER=true: Enable protection for HTTP headers.WAF_PROTECT_BODY=true: Enable protection for the body of requests.
Rate Limiting
Enable rate limiting by setting USE_RATELIMIT=true in your .env file.
Configure the rate limiting settings:
RATELIMIT_SECOND=1: The time window for rate limiting, in seconds.RATELIMIT_MAX=50: The maximum number of requests allowed within the specified time window. For example, with the above settings, a client can make up to 50 requests per second.
Cache Configuration
USE_CACHE=true: Enable caching.CACHE_TTL=3600: Set the time-to-live for cached items (in seconds).CACHE_DRIVER=file: Specify the cache driver to use.CACHE_REMOVE_METHOD=ban: Method to remove cached items.CACHE_REMOVE_ALLOW_IP=127.0.0.1,::1,127.0.0.0/8: IP addresses allowed to remove cache items.
Clearing Cache
- To delete a specific cache entry, use the following command:
curl localhost:8080/blog -X BAN - To bulk delete cache entries that match a prefix, use:
This command will remove all cache entries that start withcurl localhost:8080/blog?is_prefix=true -X BAN/blog.
License
This project is licensed under the MIT License. See the LICENSE file for details.
Contributing
Contributions are welcome! Please open an issue or submit a pull request for any improvements or bug fixes.
Acknowledgments
- Gin Web Framework
- Logrus for logging
- Redis for caching
- gin-rate-limit for rate limiting
- gzip for Gzip compression
- libinjection-go for injection detection
- Etc.