go-waf is a web application firewall (WAF) developed in Go using the Gin framework. It provides robust security features to protect web applications from various threats while ensuring high performance and scalability.
- Rate Limiting: Manage and restrict the number of requests a client can make within a specified time frame to prevent abuse.
- SQL Injection Detection: Identify and block potential SQL injection attacks to safeguard your database.
- XSS Injection Detection: Detect and mitigate cross-site scripting (XSS) attacks to protect user data and maintain application integrity.
- Caching: Improve response times and reduce backend load by caching frequently accessed data.
- Reverse Proxy: Seamlessly forward requests to backend services, handling SSL termination and other proxy-related tasks.
- Go 1.23 or later for development
- Docker for containerized deployment
- Clone the repository:
  git clone https://github.com/jahrulnr/go-waf.git
  cd go-waf
- Install dependencies:
  go mod tidy
- Copy the example environment file:
  cp .env-example .env
  Update the values in the .env file as needed.
- Build the application:
  go build -o go-waf cmd/main.go
To run the application in development mode with live reloading:
  make dev
To build and run the application using Docker:
  make docker-dev
The application can be configured using environment variables or a .env file. For a comprehensive list of available configuration options, refer to config/config.go.
Configure the reverse proxy settings in your .env file:
- ADDR=:8080: The address and port on which the service will listen.
- HOST=bangunsoft.com: The domain used for masking the destination.
- HOST_DESTINATION=http://my-app:3000: The actual backend service URL.
The application fetches data from the backend service and replaces the HOST_DESTINATION domain with the HOST domain in the response. This is particularly useful for local development, or when the backend is only reachable by its Docker hostname. For example, if you set HOST=bangunsoft.com and HOST_DESTINATION=http://my-app:3000, the application will replace http://my-app:3000 with http://bangunsoft.com in the response.
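The host-masking behaviour described above, written out as a standalone Go example (added here; this is not go-waf's own code). It assumes the public URL keeps the scheme of HOST_DESTINATION, and it uses the standard library's httputil.ReverseProxy rather than Gin so that it runs without any dependency. Two details a practitioner would want: the body is only rewritten for text-like, uncompressed responses (a gzip-encoded body would be corrupted by a byte-level replace), and Content-Length is recomputed because the replacement changes the body size.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strconv"
	"strings"
)

// hostRewrite holds the two values from the .env example: HOST_DESTINATION and HOST.
type hostRewrite struct {
	destination string // HOST_DESTINATION, e.g. http://my-app:3000
	public      string // HOST, e.g. bangunsoft.com (assumption: same scheme as destination)
}

// replacement builds the public URL from the destination's scheme and the public host.
func (h hostRewrite) replacement() (string, error) {
	u, err := url.Parse(h.destination)
	if err != nil {
		return "", err
	}
	return u.Scheme + "://" + h.public, nil
}

// RewriteBody replaces every occurrence of the destination URL with the public URL.
func (h hostRewrite) RewriteBody(body []byte) ([]byte, error) {
	repl, err := h.replacement()
	if err != nil {
		return nil, err
	}
	return bytes.ReplaceAll(body, []byte(h.destination), []byte(repl)), nil
}

// ModifyResponse is the httputil.ReverseProxy hook. Binary and compressed bodies are
// passed through untouched; text bodies are rewritten and Content-Length is fixed up.
func (h hostRewrite) ModifyResponse(resp *http.Response) error {
	ct := resp.Header.Get("Content-Type")
	if !strings.HasPrefix(ct, "text/") && !strings.Contains(ct, "json") {
		return nil
	}
	if resp.Header.Get("Content-Encoding") != "" {
		return nil // e.g. gzip: a byte replace here would corrupt the stream
	}
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return err
	}
	out, err := h.RewriteBody(body)
	if err != nil {
		return err
	}
	resp.Body = io.NopCloser(bytes.NewReader(out))
	resp.ContentLength = int64(len(out))
	resp.Header.Set("Content-Length", strconv.Itoa(len(out)))
	return nil
}

// newMaskingProxy wires the rewrite into a single-host reverse proxy for HOST_DESTINATION.
func newMaskingProxy(h hostRewrite) (*httputil.ReverseProxy, error) {
	target, err := url.Parse(h.destination)
	if err != nil {
		return nil, err
	}
	p := httputil.NewSingleHostReverseProxy(target)
	p.ModifyResponse = h.ModifyResponse
	return p, nil
}

func main() {
	h := hostRewrite{destination: "http://my-app:3000", public: "bangunsoft.com"}
	// Constructed sample backend body containing an internal link.
	out, _ := h.RewriteBody([]byte(`<a href="http://my-app:3000/blog">blog</a>`))
	fmt.Println(string(out))
	// To serve: proxy, _ := newMaskingProxy(h); http.ListenAndServe(":8080", proxy)
}
```

Because the replace is a plain byte substitution, it only matches the exact string configured in HOST_DESTINATION; a backend that emits the same host with a different scheme, port or casing would not be rewritten.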
Enable the WAF by setting USE_WAF=true in your .env file.
Configure the WAF settings:
- WAF_CONFIG=config/keywords.yml: Specify the path to the WAF configuration file.
- WAF_PROTECT_HEADER=true: Enable protection for HTTP headers.
- WAF_PROTECT_BODY=true: Enable protection for the body of requests.
Enable rate limiting by setting USE_RATELIMIT=true in your .env file.
Configure the rate limiting settings:
- RATELIMIT_SECOND=1: The time window for rate limiting, in seconds.
- RATELIMIT_MAX=50: The maximum number of requests allowed within the specified time window.
For example, with the above settings, a client can make up to 50 requests per second.
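A fixed-window limiter with the semantics of RATELIMIT_SECOND and RATELIMIT_MAX, as an added Go example (not go-waf's code, which uses gin-rate-limit). It is written against net/http so it runs without Gin; the clock is injectable so the window boundary can be tested deterministically. Clients are keyed on the TCP peer address on purpose: X-Forwarded-For is client-controlled and should only be trusted when a known proxy in front of the WAF sets it.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strconv"
	"sync"
	"time"
)

// fixedWindowLimiter allows at most `max` requests per key in each window of `window` length.
type fixedWindowLimiter struct {
	mu      sync.Mutex
	window  time.Duration // RATELIMIT_SECOND
	max     int           // RATELIMIT_MAX
	now     func() time.Time
	buckets map[string]*counter
}

type counter struct {
	start time.Time
	count int
}

func newFixedWindowLimiter(seconds, max int) *fixedWindowLimiter {
	return &fixedWindowLimiter{
		window:  time.Duration(seconds) * time.Second,
		max:     max,
		now:     time.Now,
		buckets: make(map[string]*counter),
	}
}

// Allow records one request for key and reports whether it is still within the limit.
func (l *fixedWindowLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	c, ok := l.buckets[key]
	if !ok || t.Sub(c.start) >= l.window {
		// First request of a new window; this also replaces a stale counter.
		l.buckets[key] = &counter{start: t, count: 1}
		return l.max >= 1
	}
	if c.count >= l.max {
		return false
	}
	c.count++
	return true
}

// clientKey uses the peer address, not X-Forwarded-For, which is attacker-controlled
// unless a trusted proxy sets it.
func clientKey(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// Middleware answers 429 once a client exceeds the limit and tells it when to retry.
func (l *fixedWindowLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.Allow(clientKey(r)) {
			w.Header().Set("Retry-After", strconv.Itoa(int(l.window/time.Second)))
			http.Error(w, "rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// RATELIMIT_SECOND=1, RATELIMIT_MAX=50: 60 requests from one constructed client address.
	l := newFixedWindowLimiter(1, 50)
	allowed := 0
	for i := 0; i < 60; i++ {
		if l.Allow("203.0.113.7") {
			allowed++
		}
	}
	fmt.Println("allowed in one window:", allowed) // 50
}
```

A fixed window admits up to 2×RATELIMIT_MAX requests across a window boundary (50 at the end of one second, 50 at the start of the next); if that burst matters, a sliding window or token bucket is the usual replacement. The map is never pruned here, so a production version would also evict stale keys.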
Configure caching in your .env file:
- USE_CACHE=true: Enable caching.
- CACHE_TTL=3600: Set the time-to-live for cached items (in seconds).
- CACHE_DRIVER=file: Specify the cache driver to use.
- CACHE_REMOVE_METHOD=ban: Method to remove cached items.
- CACHE_REMOVE_ALLOW_IP=127.0.0.1,::1,127.0.0.0/8: IP addresses allowed to remove cache items.
- To delete a specific cache entry, use the following command:
  curl localhost:8080/blog -X BAN
- To bulk delete cache entries that match a prefix, use:
  curl "localhost:8080/blog?is_prefix=true" -X BAN
  This command will remove all cache entries that start with /blog.
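The purge endpoint described above (CACHE_REMOVE_METHOD=ban together with CACHE_REMOVE_ALLOW_IP and the is_prefix query parameter), as an added Go example that is not go-waf's own implementation. The in-memory cache stands in for whatever CACHE_DRIVER is configured; the allow-list parser accepts the comma-separated mix of single addresses and CIDR ranges shown in the README. The security-relevant part is the authorisation check: purge requests are accepted only with the custom BAN method and only from a peer address on the list, judged by the TCP remote address rather than any forwarded header.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
)

// purgeAllowList is parsed from CACHE_REMOVE_ALLOW_IP: single IPs and CIDR ranges, comma-separated.
type purgeAllowList struct {
	ips  []net.IP
	nets []*net.IPNet
}

func parseAllowList(s string) (*purgeAllowList, error) {
	a := &purgeAllowList{}
	for _, f := range strings.Split(s, ",") {
		f = strings.TrimSpace(f)
		if f == "" {
			continue
		}
		if strings.Contains(f, "/") {
			_, n, err := net.ParseCIDR(f)
			if err != nil {
				return nil, fmt.Errorf("bad CIDR %q: %w", f, err)
			}
			a.nets = append(a.nets, n)
			continue
		}
		ip := net.ParseIP(f)
		if ip == nil {
			return nil, fmt.Errorf("bad IP %q", f)
		}
		a.ips = append(a.ips, ip)
	}
	return a, nil
}

// Allows reports whether ip matches a listed address or falls inside a listed range.
func (a *purgeAllowList) Allows(ip net.IP) bool {
	if ip == nil {
		return false
	}
	for _, x := range a.ips {
		if x.Equal(ip) {
			return true
		}
	}
	for _, n := range a.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// memoryCache is a stand-in for the configured cache driver; keys are request paths.
type memoryCache struct {
	mu    sync.Mutex
	items map[string][]byte
}

func newMemoryCache() *memoryCache { return &memoryCache{items: map[string][]byte{}} }

func (c *memoryCache) Set(path string, body []byte) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.items[path] = body
}

func (c *memoryCache) Len() int {
	c.mu.Lock()
	defer c.mu.Unlock()
	return len(c.items)
}

// Ban removes the exact path, or every path sharing the prefix when isPrefix is set,
// and returns the number of entries removed.
func (c *memoryCache) Ban(path string, isPrefix bool) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	n := 0
	for k := range c.items { // deleting during range is safe in Go
		if k == path || (isPrefix && strings.HasPrefix(k, path)) {
			delete(c.items, k)
			n++
		}
	}
	return n
}

// banHandler accepts only the BAN method and only from allow-listed peers; everything else
// is refused before the cache is touched.
func banHandler(c *memoryCache, allow *purgeAllowList) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != "BAN" {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil || !allow.Allows(net.ParseIP(host)) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		n := c.Ban(r.URL.Path, r.URL.Query().Get("is_prefix") == "true")
		fmt.Fprintf(w, "removed %d entries\n", n)
	})
}

func main() {
	allow, _ := parseAllowList("127.0.0.1,::1,127.0.0.0/8")
	fmt.Println(allow.Allows(net.ParseIP("127.0.0.5")), allow.Allows(net.ParseIP("10.0.0.1"))) // true false
	c := newMemoryCache() // constructed sample entries
	c.Set("/blog", []byte("x"))
	c.Set("/blog/1", []byte("x"))
	fmt.Println(c.Ban("/blog", true)) // 2
}
```

Note that a prefix ban on /blog also removes /blogroll; if that matters, compare against path + "/" in addition to the exact path. If the WAF itself sits behind another proxy, the remote address will be that proxy's, and the allow list then needs a trusted-proxy mechanism rather than a raw RemoteAddr check.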
This project is licensed under the MIT License. See the LICENSE file for details.
Contributions are welcome! Please open an issue or submit a pull request for any improvements or bug fixes.
- Gin Web Framework
- Logrus for logging
- Redis for caching
- gin-rate-limit for rate limiting
- gzip for Gzip compression
- libinjection-go for injection detection
- Etc.