⠀⠀⠀⠀⠀⢀⠤⠐⠒⠀⠀⠀⠒⠒⠤⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠀⡠⠊⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠑⢄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⡔⠁⠀⠀⠀⠀⠀⢰⠁⠀⠀⠀⠀⠀⠀⠈⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⢰⠀⠀⠀⠀⠀⠀⠀⣾⠀⠀⠔⠒⠢⠀⠀⠀⢼⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⡆⠀⠀⠀⠀⠀⠀⠀⠸⣆⠀⠀⠙⠀⠀⠠⠐⠚⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠇⠀⠀⠀⠀⠀⠀⠀⠀⢻⠀⠀⠀⠀⠀⠀⡄⢠⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡀⠀⠀
⠀⢸⠀⠀⠀⠀⠀⠀⠀⠀⢸⠀⠀⠀⠀⣀⣀⡠⡌⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡀⢄⣲⣬⣶⣿⣿⡇⡇⠀
⠀⠀⠆⠀⠀⠀⠀⠀⠀⠀⠘⡆⠀⠀⢀⣀⡀⢠⠃⠀⠀⠀⠀⠀⠀⠀⠀⠀⢴⣾⣶⣿⣿⣿⣿⣿⣿⣿⣿⡇⠀
⠀⠀⢸⠀⠀⠀⠀⠠⢄⠀⠀⢣⠀⠀⠑⠒⠂⡌⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠉⠛⢿⣿⣿⣿⣿⣿⣿⣿⡇⠀
⠀⠀⠀⠀⠀⠀⠀⠀⠀⠑⠤⡀⠑⠀⠀⠀⡘⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⡀⣡⣿⣿⣿⣿⣿⣿⣿⣇⠀
⠀⠀⢀⡄⠀⠀⠀⠀⠀⠀⠀⠈⢑⠖⠒⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠐⣴⣿⣿⣿⡟⠁⠈⠛⠿⣿⠀
⠀⣰⣿⣿⣄⠀⠀⠀⠀⠀⠀⠀⢸⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⢈⣾⣿⣿⣿⠏⠀⠀⠀⠀⠀⠈⠀
⠈⣿⣿⣿⣿⣷⡤⣀⡀⠀⠀⢀⠎⣦⣄⣀⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣢⣿⣿⣿⡿⠃⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠘⣿⣿⣿⣿⣿⣄⠈⢒⣤⡎⠀⢸⣿⣿⣿⣷⣶⣤⣄⣀⠀⠀⠀⢠⣽⣿⠿⠿⣿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀
⠀⠀⠹⣿⣿⣿⣿⣿⣾⠛⠉⣿⣦⣸⣿⣿⣿⣿⣿⣿⣿⣿⣿⡗⣰⣿⣿⣿⠀⠀⣿⠀⠀
safty
safty is a Rust application project to quickly build a tailor-made WAF reverse proxy.
🦀 🦀 🦀
- Clone the project
- Modify the WAF ruleset in main.rs:91
- Rebuild and run
Env variables to use:
# set log level
RUST_LOG=trace
# the application will accept incoming HTTP requests, and point them to the
# protocol + host + port
# indicated in this URL
DOWNSTREAM_URI=http://foo.bar:8080/Rules are all written into the codebase, no config file format exists right now.
Rules are evaluated from the top down, and combinators are available to chain together complex rules.
Examples are as follows:
This rule blocks access to the folder /admin.
Read like:
- All of the above conditions must match:
- If path is /admin: drop, else take the next rule
- If method is POST and URL matches ^/photos, drop. Else, take the next rule.
- allow
AllPassFilter::new(vec![
Box::new(ScopeRegexPathFilter::new("^/admin", DropFilter::new())),
Box::new(ScopeRegexMethodPathFilter::new("POST", "^/photos", DropFilter::new())),
Box::new(PassFilter::new())
])The filter drops requests that contain a single quote in the body, and passes other requests.
Read like:
- All of the above conditions must match:
- If single quote in request: drop
- allow
AllPassFilter::new(vec![
Box::new(SingleQuotesFilter::new()),
Box::new(PassFilter::new())
])A filter must return Pass, Drop or NotMyProblem given a HTTP request. If the filter returns Pass, the request is passed. If the filter returns Drop, the request is dropped (ignored). If the filter returns NotMyProblem, the next filter is consulted.
Returns Pass for all requests. Useful for combining with ScopeRegex etc.
Returns Drop for all requests. Useful for combining with ScopeRegex etc.
Accepts a Vec of rules. Evaluates them in order. The first rule that returns
Pass or Drop wins.
AllPassFilter::new(vec![
... rules,
// probably you want Pass or Drop as the last rule
Box::new(PassFilter::new())
])Accepts a single rule. Applies the inner rule only if the request's path matches a given regex.
ScopeRegexPathFilter::new("^/admin", PassFilter::new())Accepts a single rule. Applies the inner rule only if the request's path matches a given regex and the method matches the given method.
use hyper::http::Method;
ScopeRegexMethodPathFilter::new(Method::POST, "^/admin", PassFilter::new())Accepts a single rule. Inverts the inner rule's decision (Drop => Pass, Pass => Drop)
InvertFilter::new(PassFilter::new()) // same as DropFilterDrops if the HTTP request body contains a single quote (byte 0x27)
SingleQuotesFilter::new()