chaitin-waf
Description#
After enabling the chaitin-waf plugin, the traffic will be forwarded to the Chaitin WAF service for detection and prevention of various web application attacks, ensuring the security of the application and user data.
Response Headers#
Depending on the plugin configuration, it is optional to add additional response headers.
The response headers are listed below:
- X-APISIX-CHAITIN-WAF: Whether APISIX forwards the request to the WAF server.
- yes: forwarded
- no: not forwarded
- unhealthy: matches the match variables, but no WAF server is available.
- err: an error occurred during the execution of the plugin. Also includes the X-APISIX-CHAITIN-WAF-ERROR header.
- waf-err: error while interacting with the WAF server. Also includes the X-APISIX-CHAITIN-WAF-ERROR header.
- timeout: request to the WAF server timed out.
- X-APISIX-CHAITIN-WAF-ERROR: Debug header. Contains WAF error message.
- X-APISIX-CHAITIN-WAF-TIME: The time in milliseconds that APISIX spent interacting with WAF.
- X-APISIX-CHAITIN-WAF-STATUS: The status code returned to APISIX by the WAF server.
- X-APISIX-CHAITIN-WAF-ACTION: The action returned to APISIX by the WAF server.
- pass: request valid and passed.
- reject: request rejected by WAF service.
- X-APISIX-CHAITIN-WAF-SERVER: Debug header. Indicates which WAF server was selected.
Plugin Metadata#
| Name | Type | Required | Default value | Description |
|---|---|---|---|---|
| nodes | array(object) | true | A list of addresses for the Chaitin SafeLine WAF service. | |
| nodes[0].host | string | true | The address of Chaitin SafeLine WAF service. Supports IPv4, IPv6, Unix Socket, etc. | |
| nodes[0].port | integer | false | 80 | The port of the Chaitin SafeLine WAF service. |
| mode | string | false | block | The global default mode if a Route doesn't specify its own: off, monitor, or block. |
| config | object | false | WAF configuration defaults if none are specified on the Route. | |
| config.connect_timeout | integer | false | 1000 | Connect timeout, in milliseconds. |
| config.send_timeout | integer | false | 1000 | Send timeout, in milliseconds. |
| config.read_timeout | integer | false | 1000 | Read timeout, in milliseconds. |
| config.req_body_size | integer | false | 1024 | Request body size, in KB. |
| config.keepalive_size | integer | false | 256 | Maximum concurrent idle connections to the SafeLine WAF detection service. |
| config.keepalive_timeout | integer | false | 60000 | Idle connection timeout, in milliseconds. |
| config.real_client_ip | boolean | false | true | Specifies whether to use the X-Forwarded-For as the client IP (if present). If false, uses the direct client IP from the connection. |
note
You can fetch the admin_key from config.yaml and save to an environment variable with the following command:
admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')
curl http://127.0.0.1:9180/apisix/admin/plugin_metadata/chaitin-waf -H "X-API-KEY: $admin_key" -X PUT -d '
{
"nodes": [
{
"host": "unix:/path/to/safeline/resources/detector/snserver.sock",
"port": 8000
}
],
"mode": "block",
"config": {
"real_client_ip": true
}
}'
Attributes#
| Name | Type | Required | Default value | Description |
|---|---|---|---|---|
| mode | string | false | block | Determines how the plugin behaves for matched requests. Valid values are off, monitor, or block. When set to off, the plugin skips WAF checks. In monitor mode, the plugin logs potential blocks without actually blocking the request. In block mode, the plugin enforces blocks as determined by the WAF service. |
| match | array[object] | false | A list of matching rules. The plugin evaluates these rules to decide whether to perform the WAF check on a request. If empty, all requests are processed. | |
| match.vars | array[array] | false | List of variables used for matching requests. Each rule is specified as [variable, operator, value] (for example, ["http_waf", "==", "true"]). These variables refer to NGINX internal variables. For supported operators, see lua-resty-expr. | |
| append_waf_resp_header | bool | false | true | Determines whether the plugin adds WAF-related response headers (such as X-APISIX-CHAITIN-WAF, X-APISIX-CHAITIN-WAF-ACTION, etc.) to the response. |
| append_waf_debug_header | bool | false | false | Determines whether debugging headers (such as X-APISIX-CHAITIN-WAF-ERROR and X-APISIX-CHAITIN-WAF-SERVER) are added. Effective only when append_waf_resp_header is enabled. |
| config | object | false | Provides route-specific configuration for the Chaitin SafeLine WAF service. Settings here override the corresponding metadata defaults when specified. | |
| config.connect_timeout | integer | false | 1000 | The connect timeout for the WAF server, in milliseconds. |
| config.send_timeout | integer | false | 1000 | The send timeout for transmitting data to the WAF server, in milliseconds. |
| config.read_timeout | integer | false | 1000 | The read timeout for receiving data from the WAF server, in milliseconds. |
| config.req_body_size | integer | false | 1024 | The maximum allowed request body size, in KB. |
| config.keepalive_size | integer | false | 256 | The maximum number of idle connections to the WAF detection service that can be maintained concurrently. |
| config.keepalive_timeout | integer | false | 60000 | The idle connection timeout for the WAF service, in milliseconds. |
| config.real_client_ip | boolean | false | true | Specifies whether to determine the client IP from the X-Forwarded-For header. If set to false, the plugin uses the direct client IP from the connection. |
Below is a sample Route configuration that uses:
- httpbun.org as the upstream backend.
- mode set to monitor, so the plugin only logs potential blocks.
- A matching rule that triggers the plugin when the custom header waf: true is set.
- An override to disable the
real client IPlogic by setting config.real_client_ip to false.
curl http://127.0.0.1:9180/apisix/admin/routes/1 \
-H "X-API-KEY: $admin_key" \
-X PUT -d '
{
"uri": "/*",
"plugins": {
"chaitin-waf": {
"mode": "monitor",
"match": [
{
"vars": [
["http_waf", "==", "true"]
]
}
],
"config": {
"real_client_ip": false
},
"append_waf_resp_header": true,
"append_waf_debug_header": false
}
},
"upstream": {
"type": "roundrobin",
"nodes": {
"httpbun.org:80": 1
}
}
}'
Test Plugin#
With the sample configuration described above (including your chosen mode and real_client_ip settings), the plugin behaves as follows:
If the
matchcondition is not satisfied (for example,waf: trueis missing), the request proceeds normally without contacting the WAF. You can observe:curl -H "Host: httpbun.org" http://127.0.0.1:9080/get -i
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 408
Connection: keep-alive
X-APISIX-CHAITIN-WAF: no
Date: Wed, 19 Jul 2023 09:30:42 GMT
X-Powered-By: httpbun/3c0dc05883dd9212ac38b04705037d50b02f2596
Server: APISIX/3.3.0
{
"args": {},
"headers": {
"Accept": "*/*",
"Connection": "close",
"Host": "httpbun.org",
"User-Agent": "curl/8.1.2",
"X-Forwarded-For": "127.0.0.1",
"X-Forwarded-Host": "httpbun.org",
"X-Forwarded-Port": "9080",
"X-Forwarded-Proto": "http",
"X-Real-Ip": "127.0.0.1"
},
"method": "GET",
"origin": "127.0.0.1, 122.231.76.178",
"url": "http://httpbun.org/get"
}Potential injection requests (e.g., containing SQL snippets) are forwarded unmodified if they do not meet the plugin’s match rules, and might result in a
404 Not Foundor other response from the upstream:curl -H "Host: httpbun.org" http://127.0.0.1:9080/getid=1%20AND%201=1 -i
HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
Content-Length: 19
Connection: keep-alive
X-APISIX-CHAITIN-WAF: no
Date: Wed, 19 Jul 2023 09:30:28 GMT
X-Content-Type-Options: nosniff
X-Powered-By: httpbun/3c0dc05883dd9212ac38b04705037d50b02f2596
Server: APISIX/3.3.0
404 page not foundMatching safe requests (those that satisfy
match.vars, such as-H "waf: true") are checked by the WAF. If deemed harmless, you see:curl -H "Host: httpbun.org" -H "waf: true" http://127.0.0.1:9080/get -i
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 427
Connection: keep-alive
X-APISIX-CHAITIN-WAF-TIME: 2
X-APISIX-CHAITIN-WAF-STATUS: 200
X-APISIX-CHAITIN-WAF: yes
X-APISIX-CHAITIN-WAF-ACTION: pass
Date: Wed, 19 Jul 2023 09:29:58 GMT
X-Powered-By: httpbun/3c0dc05883dd9212ac38b04705037d50b02f2596
Server: APISIX/3.3.0
{
"args": {},
"headers": {
"Accept": "*/*",
"Connection": "close",
"Host": "httpbun.org",
"User-Agent": "curl/8.1.2",
"Waf": "true",
"X-Forwarded-For": "127.0.0.1",
"X-Forwarded-Host": "httpbun.org",
"X-Forwarded-Port": "9080",
"X-Forwarded-Proto": "http",
"X-Real-Ip": "127.0.0.1"
},
"method": "GET",
"origin": "127.0.0.1, 122.231.76.178",
"url": "http://httpbun.org/get"
}Suspicious requests that meet the plugin’s match rules and are flagged by the WAF are typically rejected with a 403 status, along with headers that include
X-APISIX-CHAITIN-WAF-ACTION: reject. For example:curl -H "Host: httpbun.org" -H "waf: true" http://127.0.0.1:9080/getid=1%20AND%201=1 -i
HTTP/1.1 403 Forbidden
Date: Wed, 19 Jul 2023 09:29:06 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-APISIX-CHAITIN-WAF: yes
X-APISIX-CHAITIN-WAF-TIME: 2
X-APISIX-CHAITIN-WAF-ACTION: reject
X-APISIX-CHAITIN-WAF-STATUS: 403
Server: APISIX/3.3.0
Set-Cookie: sl-session=UdywdGL+uGS7q8xMfnJlbQ==; Domain=; Path=/; Max-Age=86400
{"code": 403, "success":false, "message": "blocked by Chaitin SafeLine Web Application Firewall", "event_id": "51a268653f2c4189bfa3ec66afbcb26d"}
Delete Plugin#
To remove the chaitin-waf plugin, you can delete the corresponding JSON configuration from the Plugin configuration.
APISIX will automatically reload and you do not have to restart for this to take effect:
$ curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '
{
"uri": "/*",
"upstream": {
"type": "roundrobin",
"nodes": {
"httpbun.org:80": 1
}
}
}'