From 26e17a6698c43d3d57d936d601cdacfdca203a63 Mon Sep 17 00:00:00 2001
From: Maya Baya
Date: Sun, 22 May 2022 08:56:40 +0200
Subject: [PATCH] fix: Fix WAF configuration - temporarily disable it until issue reported by external contributor - https://github.com/corazawaf/coraza-caddy/issues/10 will not be resolved
---
 .../templates/deployment.yaml | 18 +++++++++++++++
 .../wordpress-hardened/templates/ingress.yaml | 4 ++--
 .../templates/waf.configmap.yaml | 10 ++++++++
 helm/wordpress-hardened/values.yaml | 23 +++++++++++--------
 4 files changed, 43 insertions(+), 12 deletions(-)
 create mode 100644 helm/wordpress-hardened/templates/waf.configmap.yaml
diff --git a/helm/wordpress-hardened/templates/deployment.yaml b/helm/wordpress-hardened/templates/deployment.yaml
index 97f6ea6..38d4313 100644
--- a/helm/wordpress-hardened/templates/deployment.yaml
+++ b/helm/wordpress-hardened/templates/deployment.yaml
@@ -74,6 +74,12 @@ spec: {{- end }} {{- end }} + volumeMounts: # allows to add extra directives - name: waf-custom-config mountPath: /etc/caddy/rules/custom.conf subPath: custom.conf + ports: - name: http-waf containerPort: 8090
@@ -147,6 +153,13 @@ spec: scheme: HTTP port: http {{- end }} + startupProbe: httpGet: path: /liveness.php scheme: HTTP port: http failureThreshold: 10 periodSeconds: 5 resources: {{- toYaml .Values.resources | nindent 20 }} volumes:
@@ -160,3 +173,8 @@ spec: persistentVolumeClaim: claimName: {{ .Values.pv.wp_content.claimName }} {{- end }} + {{- if .Values.waf.enabled }} - name: waf-custom-config configMap: name: {{ include "wordpress-hardened.fullname" . }}-waf-custom-config + {{- end }}
diff --git a/helm/wordpress-hardened/templates/ingress.yaml b/helm/wordpress-hardened/templates/ingress.yaml
index f8c21ca..e0550bb 100644
--- a/helm/wordpress-hardened/templates/ingress.yaml
+++ b/helm/wordpress-hardened/templates/ingress.yaml
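Review bot: The new `volumeMounts` entry is rendered unconditionally, while the `waf-custom-config` volume it refers to is wrapped in `{{- if .Values.waf.enabled }}` later in this same file, so unless the container that owns this mount is itself gated on `waf.enabled` (its start is outside the hunk, so this cannot be confirmed here) a release with `waf.enabled=false` produces a Pod spec that references a volume that does not exist and is rejected by the API server. Gate the mount the same way: `{{- if .Values.waf.enabled }}` before `volumeMounts:` and `{{- end }}` after `subPath: custom.conf`. If the container already declares a `volumeMounts:` key somewhere outside the hunk, this addition would also produce a duplicate key — worth a glance at the full container definition.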
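Review bot: The added `startupProbe` is hard-coded and unconditional, unlike the probe directly above it, which is closed by the `{{- end }}` at the top of the hunk and is apparently driven by the `health.liveness.enabled` value that values.yaml exposes; that is an inconsistency in how the two probes are configured. With `failureThreshold: 10` and `periodSeconds: 5` the container is killed after roughly 50 s if `/liveness.php` has not answered yet, which on a slow cold start (a fresh PVC being populated, for instance) would put the pod in a restart loop before it is ever ready — this is inferred, as the WordPress container's startup path is not visible here. Expose the knobs under a `health.startup` key and template them, e.g. `failureThreshold: {{ .Values.health.startup.failureThreshold | default 10 }}` and `periodSeconds: {{ .Values.health.startup.periodSeconds | default 5 }}`, and gate the block with `{{- if .Values.health.startup.enabled }}` to match the probe above it.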
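Review bot: Nothing in the pod template ties a rollout to the contents of the `-waf-custom-config` ConfigMap this volume references, so changing `waf.directives` and running `helm upgrade` updates the ConfigMap but leaves running pods on the old rules — and because the mount in this file uses `subPath`, the kubelet never propagates ConfigMap updates into the running container either. The usual remedy is a checksum annotation on the pod template metadata, which sits above these hunks: `checksum/waf-config: {{ include (print $.Template.BasePath "/waf.configmap.yaml") . | sha256sum }}`, placed inside the same `{{- if .Values.waf.enabled }}` guard used for the volume here.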
@@ -8,7 +8,7 @@ {{ $_ := set $ingress.annotations "kubernetes.io/ingress.class" $ingress.className}} {{ end }} {{ end }} - {{ if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion -}} + {{ if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} apiVersion: networking.k8s.io/v1 {{- else if semverCompare ">=1.14-0" $.Capabilities.KubeVersion.GitVersion -}} apiVersion: networking.k8s.io/v1beta1
@@ -53,7 +53,7 @@ spec: backend: {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: - name: {{ if $.Values.waf.enabled }}{{ $fullName }}-waf-protected{{ else }}{ $fullName }}{{ end }} + name: {{ if $.Values.waf.enabled }}{{ $fullName }}-waf-protected{{ else }}{{ $fullName }}{{ end }} port: number: 80 {{- else }}
diff --git a/helm/wordpress-hardened/templates/waf.configmap.yaml b/helm/wordpress-hardened/templates/waf.configmap.yaml
new file mode 100644
index 0000000..f8bb833
--- /dev/null
+++ b/helm/wordpress-hardened/templates/waf.configmap.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.waf.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "wordpress-hardened.fullname" . }}-waf-custom-config
+data:
+ custom.conf: |
+ {{ .Values.waf.directives }}
+{{- end }}
diff --git a/helm/wordpress-hardened/values.yaml b/helm/wordpress-hardened/values.yaml
index 549a20e..952205c 100644
--- a/helm/wordpress-hardened/values.yaml
+++ b/helm/wordpress-hardened/values.yaml
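Review bot: The `{ $fullName }}` typo is fixed only in the `networking.k8s.io/v1` branch; the `{{- else }}` branch for the older `serviceName:` form begins at the end of this hunk and should be checked for the same mistake, since a defect there would only surface on clusters below 1.19. A malformed action like this is not a template error — it renders as the literal text `{ $fullName }}` in the Service name — so only a render of the non-WAF path would have caught it; a chart test that runs `helm template --set waf.enabled=false` and asserts on the backend service name would keep the less-exercised path honest.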
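Review bot: `{{ .Values.waf.directives }}` is substituted as raw text inside the `custom.conf: |` block scalar, so only the first line of the multi-line value receives the block's indentation and every following line is emitted at column 0. With the shipped default this goes unnoticed because a column-0 line starting with `#` is a YAML comment, which means directives two to five are silently dropped from the ConfigMap; the moment a user uncomments a `SecDefaultAction` the rendered manifest stops being valid YAML. Use the indent-aware form — `custom.conf: |` followed by `{{- .Values.waf.directives | nindent 4 }}` (prefixed with `default ""` if an empty value must be tolerated). A one-line comment such as `# rendered verbatim into /etc/caddy/rules/custom.conf inside the WAF container` would also help, since the mount path is only visible in deployment.yaml.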
@@ -114,20 +114,23 @@ waf: enabled: true image: repository: ghcr.io/riotkit-org/waf-proxy - tag: 2.5.1-coraza-v1.2.0-bv0.0.10 + tag: snapshot env: ENABLE_RULE_WORDPRESS: true - WP_CLIENT_IP: x-forwarded-for - WP_ENABLE_BRUTEFORCE_MITIGATION: true - WP_BRUTEFORCE_TIMESPAN: 300 - WP_BRUTEFORCE_THRESHOLD: 5 - WP_BRUTEFORCE_BAN_PERIOD: 300 - WP_ENABLE_XMLRPC: true - WP_ENABLE_USER_ENUMERATION: false - WP_ENABLE_DOS_PROTECTION: true - WP_HARDENED: true ENABLE_CRS: true + ENABLE_RATE_LIMITER: true + RATE_LIMIT_EVENTS: "30" + RATE_LIMIT_WINDOW: "5s" + # due to bug temporarily the CORAZA WAF is disabled, it will be enabled by default in future releases + ENABLE_CORAZA_WAF: false + + directives: | + #SecDefaultAction "phase:4,allow,log" + #SecAction "id:1,pass,log" + #SecAuditLog /dev/stdout + #SecDebugLog /dev/stdout + #SecDebugLogLevel 5 health: liveness: enabled: true
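Review bot: `tag: snapshot` replaces the pinned `2.5.1-coraza-v1.2.0-bv0.0.10` with a floating tag, so every pod restart may pull a different, unreviewed build of the proxy that sits in front of every request; for a security component, pin a versioned tag (or an `@sha256:` digest) and bump it when the upstream fix lands. The diff also silently drops the WordPress-specific protections (`WP_ENABLE_BRUTEFORCE_MITIGATION`, `WP_ENABLE_USER_ENUMERATION: false`, `WP_ENABLE_DOS_PROTECTION`, the XML-RPC switch) and leaves only a generic limiter of 30 events per 5 s, which the commit message does not mention; whether the `snapshot` image no longer understands those variables is not visible here, but the removal should be recorded next to the `ENABLE_CORAZA_WAF: false` comment. Since the ingress still routes to the `-waf-protected` service when `waf.enabled` is true, a user reads "hardened" and "WAF" while Coraza is actually off — consider a NOTES.txt warning when `.Values.waf.env.ENABLE_CORAZA_WAF` is false, and replace the comment with `# TODO: re-enable once https://github.com/corazawaf/coraza-caddy/issues/10 is fixed` so the temporary state has a trigger for reversal.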