-
-
Notifications
You must be signed in to change notification settings - Fork 13
219 lines (185 loc) · 7.39 KB
/
build-run-validate.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
name: Build, Run and Validate
permissions:
contents: read
pull-requests: write
on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_dispatch:
jobs:
build-run-validate:
name: Build and Test Caddy WAF
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v3
- name: Install Dependencies
run: |
sudo apt update
sudo apt install -y wget git build-essential curl python3 python3-pip
- name: Install Go 1.23.4
uses: actions/setup-go@v4
with:
go-version: '1.23.4'
- name: Validate Go Installation
run: |
go version
if ! go version | grep -q "go1.23.4"; then
echo "Go installation failed or incorrect version"
exit 1
fi
- name: Clone caddy-waf Repository
run: |
git clone https://github.com/fabriziosalmi/caddy-waf.git
cd caddy-waf
- name: Validate Repository Cloning
run: |
if [ ! -d "caddy-waf" ]; then
echo "Repository cloning failed"
exit 1
fi
- name: Install Go Dependencies
run: |
cd caddy-waf
go mod tidy
go get -v github.com/fabriziosalmi/caddy-waf github.com/caddyserver/caddy/v2 github.com/oschwald/maxminddb-golang
- name: Download GeoLite2 Country Database
run: |
cd caddy-waf
wget https://git.io/GeoLite2-Country.mmdb
- name: Validate GeoLite2 Download
run: |
cd caddy-waf
if [ ! -f "GeoLite2-Country.mmdb" ]; then
echo "GeoLite2 database download failed"
exit 1
fi
- name: Install Python Dependencies
run: |
python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip
pip install tqdm requests
- name: Cache Python Dependencies
id: cache-pip
uses: actions/cache@v3
with:
path: ~/.cache/pip
key: pip-${{ runner.os }}-${{ hashFiles('**/requirements.txt') }}
restore-keys: |
pip-${{ runner.os }}-
- name: Retrieve and Initialize IP and DNS Blacklists
run: |
cd caddy-waf
source ../venv/bin/activate # Activate the virtual environment
echo "Running get_blacklisted_ip.py..."
python3 get_blacklisted_ip.py
if [ $? -ne 0 ]; then
echo "Failed to retrieve or initialize IP blacklist"
exit 1
fi
echo "IP blacklist retrieved and initialized successfully."
echo "Running get_blacklisted_dns.py..."
python3 get_blacklisted_dns.py
if [ $? -ne 0 ]; then
echo "Failed to retrieve or initialize DNS blacklist"
exit 1
fi
echo "DNS blacklist retrieved and initialized successfully."
- name: Build Caddy with caddy-waf
run: |
cd caddy-waf
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
xcaddy build --with github.com/fabriziosalmi/caddy-waf=./
- name: Validate Build
run: |
cd caddy-waf
if [ ! -f "caddy" ]; then
echo "Caddy build failed"
exit 1
fi
- name: Create Dynamic Files
run: |
cd caddy-waf
# Create a valid JWT token for testing
echo "Creating valid.jwt..."
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" > valid.jwt
# Create a sample JSON file for testing
echo "Creating sample.json..."
echo '{"key": "value"}' > sample.json
echo "Dynamic files created successfully."
- name: Test Caddy Run and Validate WAF Provisioning
run: |
cd caddy-waf
chmod +x caddy
./caddy run > caddy_output.log 2>&1 &
sleep 5
if ! pgrep -f "caddy run"; then
echo "Caddy run failed"
cat caddy_output.log
exit 1
fi
if ! grep -q "WAF middleware provisioned successfully" caddy_output.log; then
echo "WAF provisioning log not found"
cat caddy_output.log
exit 1
fi
echo "Caddy WAF build and run successful with WAF middleware provisioned"
- name: Run Phase-Specific Curl Tests
run: |
cd caddy-waf
# Phase 1: Allow legitimate traffic (User-Agent)
echo "Testing Phase 1: Allow legitimate traffic..."
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -A "Mozilla/5.0" http://localhost:8080)
if [ "$RESPONSE" != "200" ]; then
echo "Failed: Legitimate request was blocked. Expected HTTP 200, got $RESPONSE"
exit 1
else
echo "Success: Legitimate request allowed (HTTP 200)."
fi
# Phase 1: Block known vulnerability scanners (User-Agent)
echo "Testing Phase 1: Block known vulnerability scanners..."
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -A "nikto" http://localhost:8080)
if [ "$RESPONSE" != "403" ]; then
echo "Failed: Vulnerability scanner request was not blocked. Expected HTTP 403, got $RESPONSE"
exit 1
else
echo "Success: Vulnerability scanner request blocked (HTTP 403)."
fi
# Phase 2: Block NoSQL injection in body
echo "Testing Phase 2: Block NoSQL injection..."
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -X POST -d '{"$gt": ""}' http://localhost:8080)
if [ "$RESPONSE" != "403" ]; then
echo "Failed: NoSQL injection request was not blocked. Expected HTTP 403, got $RESPONSE"
exit 1
else
echo "Success: NoSQL injection request blocked (HTTP 403)."
fi
# Phase 3: Block HTTP response splitting (Headers)
echo "Testing Phase 3: Block HTTP response splitting..."
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -H "X-Forwarded-For: 127.0.0.1\r\nInjected-Header: value" http://localhost:8080)
if [ "$RESPONSE" != "403" ]; then
echo "Failed: HTTP response splitting request was not blocked. Expected HTTP 403, got $RESPONSE"
exit 1
else
echo "Success: HTTP response splitting request blocked (HTTP 403)."
fi
# Phase 4: Block JWT tampering (Headers)
echo "Testing Phase 4: Block JWT tampering..."
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" http://localhost:8080)
if [ "$RESPONSE" != "403" ]; then
echo "Failed: JWT tampering request was not blocked. Expected HTTP 403, got $RESPONSE"
exit 1
else
echo "Success: JWT tampering request blocked (HTTP 403)."
fi
echo "All phase-specific WAF rule tests passed successfully!"
- name: Clean Up
if: always()
run: |
pkill -f "caddy run" || true
echo "Cleaned up running Caddy instances"