Skip to content

Document managed rules (OWASP Core Rule Set) on the Firewall page#68

Open
acoshift wants to merge 1 commit into
mainfrom
waf-managed-rules
Open

Document managed rules (OWASP Core Rule Set) on the Firewall page#68
acoshift wants to merge 1 commit into
mainfrom
waf-managed-rules

Conversation

@acoshift

Copy link
Copy Markdown
Member

Documents the WAF managed-rules feature (per SPEC-waf-managed-rules.md §7) on the Firewall page.

What's in the section

New "Managed rules (OWASP Core Rule Set)" section between Rate limiting and Metrics in content/networking/waf.md:

  • What managed rules are and why they complement hand-written rules.
  • Evaluation order: your rules → managed rules → rate limits, with both pipeline facts spelled out — a managed-rule block never consumes rate budget, and an allow rule skips only your remaining rules (managed rules and rate limits still evaluate — allow-listing a scanner does not exempt it from CRS; excludedRules is the relief valve). Both verified against the engine: ActionAllow forwards to the next handler (parapet@v0.18.4 pkg/waf), and plugin.CorazaZone / plugin.RateLimitZone are registered after plugin.WAFZone (parapet-ingress-controller PR #181, branch coraza-v1-fixes).
  • Anomaly scoring model (critical match = 5, default threshold 5), body inspection up to the platform limit.
  • The managedRules knobs table: enabled (required), mode enforce/detect, paranoiaLevel 1–4 (default 1), anomalyThreshold 1–100 (default 5), excludedRules (CRS ids 911100–948999, max 50) — matching spec §2.1/§2.2.
  • Whole-replace warning: omitting managedRules on waf.set clears it; "enabled": false pauses enforcement while keeping tuning (spec §2.1/§3.3).
  • False-positive workflow routed through support, plus the v1 match-visibility honesty box (detect matches are operator-visible only until the Phase-2 metrics fast-follow, spec §1.3/§5/§9b).
  • Per-location availability via location.get features.waf.managedRules; waf.set with managed rules enabled on an unflagged location is rejected (spec §2.3/§3.3).

No SecLang/Include internals leak into tenant docs (spec §1.2).

Screenshot

The console managed-rules card (spec row 4) is not merged yet, so the {{< shot >}} is a commented-out TODO and the waf-managed-rules entry in scripts/screenshots/capture.mjs is committed commented-out — an interim refresh.sh run cannot write a card-less asset. Uncomment both together and re-run the capture once the console card ships; the TODO says exactly that.

Test evidence

  • hugo --minify builds clean (59 pages).
  • Rendered public/networking/waf/index.html inspected: 3 callouts render, no {{</{{% shortcode leakage, the TODO HTML comment is stripped by minify, the escaped {{</* shot */>}} does not execute or leak.
  • node --check scripts/screenshots/capture.mjs passes.
  • git merge-tree run against the three sibling WAF branches (see below).

Rollout

Per spec §14, the rollout gates on a parapet release: moonrhythm/parapet-ingress-controller PR #181 (coraza-v1-fixes — unconditional phase-2 evaluation, zone metric label, the Include @crs-setup.conf.example + Include @owasp_crs/*.conf form, log-flag OnMatch) is still OPEN and must merge and be released first.

Order: parapet release + CORAZA_ENABLED=true in cluster-rcf2/cluster-lab → api → deployer binary (before apiserver) → apiserver migration, then binary → flip per-location feature flags → console + docs (this PR). The deploys CLI ships after an api re-pin (no PR CI there — verify locally). This docs page describes behavior that only exists once the apiserver is deployed and location flags are flipped, so merge this last (with console), after the flags are live.

Expected conflicts with sibling WAF branches

Three sibling branches are open (waf-test, waf-ip-lists, waf-events); all branch from origin/main. git merge-tree against each:

  • waf-test — clean, no coordination needed.
  • waf-ip-lists — conflicts in content/networking/waf.md: both insert a new section at the same seam between Rate limiting and Metrics. Resolution: keep both sections; intended order is Named IP lists first (it extends the rule/expression story), Managed rules second (adjacent to Metrics, matching this page's pipeline narrative that ends at rate limits). Whichever branch merges second rebases and places its section per that order.
  • waf-events — conflicts in scripts/screenshots/capture.mjs: adjacent-line inserts in the screens array. Resolution: keep both entries (this branch's entry stays commented-out until the console card merges).

New section between Rate limiting and Metrics: what CRS covers, the
evaluation order (your rules -> managed rules -> rate limits, a managed
block never burns rate budget, and an allow rule skips only your own
remaining rules -- managed rules and rate limits still evaluate),
anomaly scoring, the managedRules knobs (enforce/detect, paranoia 1-4,
threshold, excludedRules), the whole-replace warning (enabled:false
keeps tuning, omitting clears it), the false-positive exclusion
workflow, the v1 match-visibility caveat, and per-location availability
via features.waf.managedRules.

Screenshot is a TODO placeholder until the console card merges; the
capture.mjs waf-managed-rules entry is committed commented-out so an
interim refresh.sh run cannot write a card-less asset -- uncomment it
and re-run the capture together with enabling the shot.
@deploys-app

deploys-app Bot commented Jul 11, 2026

Copy link
Copy Markdown

Preview docs-pr-68

URL: https://docs-pr-68-606515731026706458.rcf2.deploys.app

Site: 563534e5edebf57c440a6fce4044b3a494ee43636a7937d925cfc4fc34a391c2

Commit: e33c60d

updated 2026-07-11T02:09:29Z

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant