openprx/prx-waf
GitHub: openprx/prx-waf
A high-performance Web Application Firewall built on Pingora, combining multi-stage attack detection, OWASP CRS rules, CrowdSec threat intelligence and a visual management UI.
# PRX-WAF

PRX-WAF is a production-ready Web Application Firewall proxy built on [Pingora](https://github.com/cloudflare/pingora), Cloudflare's Rust HTTP proxy library. It combines multi-stage attack detection, a Rhai scripting engine, ModSecurity rule support, CrowdSec integration, WASM plugins and a Vue 3 management UI in a single deployable binary.
## Features
- **Pingora reverse proxy**: HTTP/1.1, HTTP/2 and HTTP/3 over QUIC (Quinn); weighted round-robin load balancing
- **10+ attack detectors**: SQL injection, XSS, RFI/LFI, SSRF, path traversal, command injection, scanner detection, protocol violations
- **CC/DDoS protection**: per-IP sliding-window rate limiting with configurable thresholds
- **Rhai scripting engine**: write custom detection rules in a sandboxed scripting language
- **OWASP CRS rule support**: load and manage the OWASP Core Rule Set in YAML format
- **ModSecurity rule parser**: import SecRule directives (basic subset: ARGS, REQUEST_HEADERS, REQUEST_URI, REQUEST_BODY)
- **Rule hot reload**: file watcher (notify) + SIGHUP handler; rules are reloaded atomically with no downtime
- **Sensitive-word detection**: Aho-Corasick multi-pattern matching for PII / credential-leak detection
- **Hotlink protection**: per-host Referer validation
- **CrowdSec integration**: Bouncer (decision cache from LAPI) + AppSec (remote HTTP inspection) + log pusher
- **WASM plugin system**: sandboxed wasmtime runtime for custom logic
- **SSL/TLS automation**: Let's Encrypt via instant-acme (ACME v2); automatic renewal
- **Tunnel / zero-trust access**: WebSocket-based reverse tunnel (Cloudflare Tunnel style)
- **Response cache**: in-memory moka LRU cache with TTL and size limits
- **PostgreSQL 16+ storage**: persists all configuration, rules, logs and statistics
- **Vue 3 management UI**: JWT + TOTP authentication; real-time WebSocket monitoring; embedded in the binary
- **Real-time WebSocket monitoring**: live traffic statistics and security event stream
- **Notification system**: email (SMTP), webhook and Telegram alerts
- **AES-256-GCM encryption at rest**: sensitive configuration values (API keys, passwords) are encrypted in PostgreSQL
- **Docker & systemd deployment**: Docker Compose file and systemd unit example included
## Quick start
### Docker Compose
```bash
git clone https://github.com/openprx/prx-waf
cd prx-waf
# Edit the environment variables in docker-compose.yml (database password, etc.)
docker compose up -d
# Management UI: http://localhost:9527
# Default credentials: admin / admin (change them immediately)
```
### Manual build
**Prerequisites:** Rust 1.82+, PostgreSQL 16+
```bash
# Clone
git clone https://github.com/openprx/prx-waf
cd prx-waf
# Build the release binary
cargo build --release
# Create the database
createdb prx_waf
createuser prx_waf
# Run migrations and seed the admin user
./target/release/prx-waf -c configs/default.toml migrate
./target/release/prx-waf -c configs/default.toml seed-admin
# Start the proxy + API server
./target/release/prx-waf -c configs/default.toml run
```
## CLI reference
```text
prx-waf [OPTIONS]
Options:
-c, --config Config file path [default: configs/default.toml]
Commands:
run Start proxy + management API (blocks forever)
migrate Run database migrations only
seed-admin Create default admin user (admin/admin)
crowdsec CrowdSec integration management
rules Rule management (list, load, validate, hot-reload)
sources Rule source management (add, remove, sync)
bot Bot detection management (list, add, test)
```
### CrowdSec commands
```bash
prx-waf crowdsec status # Show integration status
prx-waf crowdsec decisions # List active decisions from LAPI
prx-waf crowdsec test # Test LAPI connectivity
prx-waf crowdsec setup # Interactive setup wizard
```
### Rule management commands
```bash
# Rule operations
prx-waf rules list # List all loaded rules
prx-waf rules list --category sqli # Filter by category
prx-waf rules list --source owasp # Filter by source
prx-waf rules info # Show rule details
prx-waf rules enable # Enable a rule
prx-waf rules disable # Disable a rule
prx-waf rules reload # Hot-reload all rules from disk
prx-waf rules validate # Validate a rule file
prx-waf rules import # Import rules from file or URL
prx-waf rules export [--format yaml] # Export current rules
prx-waf rules update # Fetch latest from remote sources
prx-waf rules search # Search rules by name/description
prx-waf rules stats # Rule statistics
# Source management
prx-waf sources list # List configured rule sources
prx-waf sources add # Add a remote rule source
prx-waf sources remove # Remove a rule source
prx-waf sources update [name] # Fetch latest from source
prx-waf sources sync # Sync all sources
# Bot detection
prx-waf bot list # List known bot signatures
prx-waf bot add [--action block|captcha|log]
prx-waf bot remove
prx-waf bot test # Test a user-agent against bot rules
```
## Configuration
Configuration is loaded from a TOML file (default: `configs/default.toml`).
```toml
[proxy]
listen_addr = "0.0.0.0:80"
listen_addr_tls = "0.0.0.0:443"
worker_threads = 4 # optional, defaults to CPU count

[api]
listen_addr = "127.0.0.1:9527"

[storage]
database_url = "postgresql://prx_waf:prx_waf@127.0.0.1:5432/prx_waf"
max_connections = 20

[cache]
enabled = true
max_size_mb = 256
default_ttl_secs = 60
max_ttl_secs = 3600

[http3]
enabled = false
listen_addr = "0.0.0.0:443"
cert_pem = "/etc/ssl/certs/server.pem"
key_pem = "/etc/ssl/private/server.key"

[security]
admin_ip_allowlist = [] # empty = allow all
max_request_body_bytes = 10485760 # 10 MB
api_rate_limit_rps = 100
cors_origins = []

# --- Rule management ---
[rules]
dir = "rules/" # rules directory to watch
hot_reload = true # enable file watching
reload_debounce_ms = 500
enable_builtin_owasp = true # built-in OWASP CRS subset
enable_builtin_bot = true # built-in bot detection
enable_builtin_scanner = true # built-in scanner detection

# Remote rule sources
[[rules.sources]]
name = "custom"
path = "rules/custom/"
format = "yaml"

[[rules.sources]]
name = "owasp-crs"
url = "https://example.com/rules/owasp.yaml"
format = "yaml"
update_interval = 86400 # 24h in seconds

# --- CrowdSec integration ---
[crowdsec]
enabled = false
mode = "bouncer" # bouncer | appsec | both
lapi_url = "http://127.0.0.1:8080"
api_key = ""
update_frequency_secs = 10
fallback_action = "allow" # allow | block | log
# Optional: AppSec endpoint
# appsec_endpoint = "http://127.0.0.1:7422"
# appsec_key = ""

# --- Static hosts (can also be managed via the management UI / database) ---
# [[hosts]]
# host = "example.com"
# port = 80
# remote_host = "127.0.0.1"
# remote_port = 8080
# ssl = false
# guard_status = true
```
## Rule management
PRX-WAF supports multiple rule formats and sources. Rules are loaded at startup and can be hot-reloaded without downtime.
### Rule formats
| Format | Extension | Description |
|--------|-----------|-------------|
| YAML | `.yaml`, `.yml` | Native PRX-WAF format |
| ModSecurity | `.conf` | SecRule directives (basic subset) |
| JSON | `.json` | JSON array of rule objects |
### YAML rule format
```yaml
- id: "CUSTOM-001"
  name: "Block admin path"
  description: "Block access to /admin from untrusted IPs"
  category: "access-control"
  source: "custom"
  enabled: true
  action: "block"
  severity: "high"
  pattern: "^/admin"
  tags:
    - "admin"
    - "access-control"
```
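As an added, self-contained example (not code from the PRX-WAF project), the following Python evaluates rules in the two formats described here: native rules carrying the keys of the YAML example above, and the ModSecurity basic subset from the formats table (ARGS, REQUEST_HEADERS, REQUEST_URI, REQUEST_BODY with the `@rx` and `@contains` operators). The request object, all function names and the assumption that a native rule's `pattern` is matched against the request URI are mine, not the project's.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed request object: the four variables the README's ModSecurity
# basic subset supports (ARGS, REQUEST_HEADERS, REQUEST_URI, REQUEST_BODY).
def request_vars(uri, headers=None, body=""):
    args = parse_qsl(urlsplit(uri).query) + parse_qsl(body)
    return {"REQUEST_URI": [uri], "REQUEST_BODY": [body],
            "REQUEST_HEADERS": list((headers or {}).values()),
            "ARGS": [value for _, value in args]}

# The two operators the page shows: @rx is a regex search, @contains a substring test.
OPERATORS = {"@rx": lambda value, arg: re.search(arg, value) is not None,
             "@contains": lambda value, arg: arg in value}

SECRULE_RE = re.compile(r'^SecRule\s+(\w+)\s+"([^"]*)"\s+"([^"]*)"$')

def parse_secrule(text):
    """Parse one SecRule (backslash line continuations joined) into a dict.
    Actions are split on commas, so msg:'...' values must not contain commas."""
    line = " ".join(p.strip().rstrip("\\").strip() for p in text.strip().splitlines())
    match = SECRULE_RE.match(line)
    if not match:
        raise ValueError("unsupported SecRule syntax: " + line)
    var, op_spec, action_spec = match.groups()
    op, _, arg = op_spec.partition(" ")
    if op not in OPERATORS:
        raise ValueError("unsupported operator: " + op)
    actions = {}
    for item in action_spec.split(","):
        key, _, val = item.strip().partition(":")
        actions[key] = val.strip("'") if val else True
    return {"var": var, "op": op, "arg": arg, "actions": actions}

def evaluate_secrule(rule, vars_):
    """Return {'id', 'action', 'status'} on the first matching value, else None."""
    for value in vars_.get(rule["var"], []):
        if OPERATORS[rule["op"]](value, rule["arg"]):
            acts = rule["actions"]
            return {"id": acts.get("id"), "status": int(acts.get("status", 403)),
                    "action": "block" if "deny" in acts else "log"}
    return None

def evaluate_yaml_rule(rule, vars_):
    """Native-format rule as a dict with the YAML keys above. Assumption (not stated
    in the README): `pattern` is a regex tested against REQUEST_URI."""
    if rule.get("enabled", True) and re.search(rule["pattern"], vars_["REQUEST_URI"][0]):
        return {"id": rule["id"], "action": rule["action"], "status": 403}
    return None
```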
### ModSecurity rule format (basic subset)
```
SecRule REQUEST_URI "@rx /admin" \
"id:1001,phase:1,deny,status:403,msg:'Admin path blocked'"
SecRule ARGS "@contains