MCPcopy Index your code
hub / github.com/acouvreur/traefik-modsecurity-plugin

github.com/acouvreur/traefik-modsecurity-plugin @v1.3.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.3.0 ↗ · + Follow
10 symbols 22 edges 3 files 4 documented · 40%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Traefik Modsecurity Plugin

Banner

Traefik plugin to proxy requests to owasp/modsecurity-crs:apache

Github Actions Go Report Go Version Latest Release

Demo

Demo with WAF intercepting relative access in query param.

Demo

Usage (docker-compose.yml)

See docker-compose.yml

  1. docker-compose up
  2. Go to http://localhost:8000/website, the request is received without warnings
  3. Go to http://localhost:8000/website?test=../etc, the request is intercepted and returned with 403 Forbidden by owasp/modsecurity

How it works

This is a very simple plugin that proxies the query to the owasp/modsecurity apache container.

The plugin checks that the response from the waf container hasn't an http code > 400 before forwarding the request to the real service.

If it is > 400, then the error page is returned instead.

The dummy service is created so the waf container forward the request to a service and respond with 200 OK all the time.

Configuration

This plugin supports these configuration:

  • modSecurityUrl: (mandatory) it's the URL for the owasp/modsecurity container.
  • timeoutMillis: (optional) timeout in milliseconds for the http client to talk with modsecurity container. (default 2 seconds)
  • maxBodySize: (optional) it's the maximum limit for requests body size. Requests exceeding this value will be rejected using HTTP 413 Request Entity Too Large. The default value for this parameter is 10MB. Zero means "use default value".

Note: body of every request will be buffered in memory while the request is in-flight (i.e.: during the security check and during the request processing by traefik and the backend), so you may want to tune maxBodySize depending on how much RAM you have.

Local development (docker-compose.local.yml)

See docker-compose.local.yml

docker-compose -f docker-compose.local.yml up to load the local plugin

Core symbols most depended-on inside this repo

forwardResponse
called by 3
modsecurity.go
ServeHTTP
called by 1
modsecurity.go
isWebsocket
called by 1
modsecurity.go
CreateConfig
called by 0
modsecurity.go
New
called by 0
modsecurity.go

Shape

Function 6
Struct 3
Method 1

Languages

Go100%

Modules by API surface

modsecurity.go7 symbols
modsecurity_test.go3 symbols

For agents

$ claude mcp add traefik-modsecurity-plugin \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact