Document managed rules (OWASP Core Rule Set) on the Firewall page#68
Open
acoshift wants to merge 1 commit into
Open
Document managed rules (OWASP Core Rule Set) on the Firewall page#68acoshift wants to merge 1 commit into
acoshift wants to merge 1 commit into
Conversation
New section between Rate limiting and Metrics: what CRS covers, the evaluation order (your rules -> managed rules -> rate limits, a managed block never burns rate budget, and an allow rule skips only your own remaining rules -- managed rules and rate limits still evaluate), anomaly scoring, the managedRules knobs (enforce/detect, paranoia 1-4, threshold, excludedRules), the whole-replace warning (enabled:false keeps tuning, omitting clears it), the false-positive exclusion workflow, the v1 match-visibility caveat, and per-location availability via features.waf.managedRules. Screenshot is a TODO placeholder until the console card merges; the capture.mjs waf-managed-rules entry is committed commented-out so an interim refresh.sh run cannot write a card-less asset -- uncomment it and re-run the capture together with enabling the shot.
Preview
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Documents the WAF managed-rules feature (per SPEC-waf-managed-rules.md §7) on the Firewall page.
What's in the section
New "Managed rules (OWASP Core Rule Set)" section between Rate limiting and Metrics in
content/networking/waf.md:your rules → managed rules → rate limits, with both pipeline facts spelled out — a managed-rule block never consumes rate budget, and anallowrule skips only your remaining rules (managed rules and rate limits still evaluate — allow-listing a scanner does not exempt it from CRS;excludedRulesis the relief valve). Both verified against the engine:ActionAllowforwards to the next handler (parapet@v0.18.4 pkg/waf), andplugin.CorazaZone/plugin.RateLimitZoneare registered afterplugin.WAFZone(parapet-ingress-controller PR #181, branchcoraza-v1-fixes).managedRulesknobs table:enabled(required),modeenforce/detect,paranoiaLevel1–4 (default 1),anomalyThreshold1–100 (default 5),excludedRules(CRS ids 911100–948999, max 50) — matching spec §2.1/§2.2.managedRulesonwaf.setclears it;"enabled": falsepauses enforcement while keeping tuning (spec §2.1/§3.3).detectmatches are operator-visible only until the Phase-2 metrics fast-follow, spec §1.3/§5/§9b).location.getfeatures.waf.managedRules;waf.setwith managed rules enabled on an unflagged location is rejected (spec §2.3/§3.3).No SecLang/Include internals leak into tenant docs (spec §1.2).
Screenshot
The console managed-rules card (spec row 4) is not merged yet, so the
{{< shot >}}is a commented-out TODO and thewaf-managed-rulesentry inscripts/screenshots/capture.mjsis committed commented-out — an interimrefresh.shrun cannot write a card-less asset. Uncomment both together and re-run the capture once the console card ships; the TODO says exactly that.Test evidence
hugo --minifybuilds clean (59 pages).public/networking/waf/index.htmlinspected: 3 callouts render, no{{</{{%shortcode leakage, the TODO HTML comment is stripped by minify, the escaped{{</* shot */>}}does not execute or leak.node --check scripts/screenshots/capture.mjspasses.git merge-treerun against the three sibling WAF branches (see below).Rollout
Per spec §14, the rollout gates on a parapet release: moonrhythm/parapet-ingress-controller PR #181 (
coraza-v1-fixes— unconditional phase-2 evaluation,zonemetric label, theInclude @crs-setup.conf.example+Include @owasp_crs/*.confform, log-flag OnMatch) is still OPEN and must merge and be released first.Order: parapet release +
CORAZA_ENABLED=truein cluster-rcf2/cluster-lab → api → deployer binary (before apiserver) → apiserver migration, then binary → flip per-location feature flags → console + docs (this PR). The deploys CLI ships after an api re-pin (no PR CI there — verify locally). This docs page describes behavior that only exists once the apiserver is deployed and location flags are flipped, so merge this last (with console), after the flags are live.Expected conflicts with sibling WAF branches
Three sibling branches are open (
waf-test,waf-ip-lists,waf-events); all branch fromorigin/main.git merge-treeagainst each:waf-test— clean, no coordination needed.waf-ip-lists— conflicts incontent/networking/waf.md: both insert a new section at the same seam between Rate limiting and Metrics. Resolution: keep both sections; intended order is Named IP lists first (it extends the rule/expression story), Managed rules second (adjacent to Metrics, matching this page's pipeline narrative that ends at rate limits). Whichever branch merges second rebases and places its section per that order.waf-events— conflicts inscripts/screenshots/capture.mjs: adjacent-line inserts in thescreensarray. Resolution: keep both entries (this branch's entry stays commented-out until the console card merges).