# Synapse WAF Configuration
# Copy to config.yaml and customize
# Server settings
server:
  # Socket the proxy listens on as host:port. "0.0.0.0" binds every
  # interface; a specific address limits where the listener is reachable.
  listen: "0.0.0.0:6190"
  # Size of the worker pool; 0 lets the proxy derive it from the CPU count.
  workers: 0
  # Backends that proxied requests are spread across (round-robin).
  upstreams:
    - host: "127.0.0.1"
      port: 8080
    # Additional entries join the rotation, e.g.:
    # - host: "127.0.0.1"
    #   port: 8081
# Rate limiting
rate_limit:
  # Master switch for the per-client limiter
  enabled: true
  # Requests per second allowed for each client IP. The sample value is
  # generous; tune it to the load a single legitimate client should produce.
  rps: 10000
# Logging
logging:
  # Verbosity threshold, one of: trace, debug, info, warn, error
  level: "info"
  # Output encoding, one of: text, json
  format: "text"
  # Whether every proxied request is recorded in the access log
  access_log: true
# Detection settings
detection:
  # Per-category switches for the request inspectors
  sqli: true
  xss: true
  path_traversal: true
  command_injection: true
  # Handling of a positive match, one of: block, log, challenge
  action: "block"
  # HTTP status sent to the client when a request is blocked
  block_status: 403
# TLS/HTTPS configuration (Phase 6)
tls:
  # Terminate TLS on the proxy listener
  enabled: false
  # Certificate/key pair served when no per-domain entry matches.
  # Keep the key file readable only by the account the proxy runs as.
  # cert_path: "/etc/synapse-pingora/certs/default.pem"
  # key_path: "/etc/synapse-pingora/keys/default.key"
  # Lowest protocol version accepted, "1.2" or "1.3" (quoted so the value
  # stays a string instead of becoming a float)
  min_version: "1.2"
  # Optional SNI-matched certificates, one entry per domain. Wildcard
  # domains must be quoted: a bare leading "*" is read as a YAML alias.
  # per_domain_certs:
  #   - domain: "example.com"
  #     cert_path: "/etc/synapse-pingora/certs/example.pem"
  #     key_path: "/etc/synapse-pingora/keys/example.key"
  #   - domain: "*.api.example.com"
  #     cert_path: "/etc/synapse-pingora/certs/api-wildcard.pem"
  #     key_path: "/etc/synapse-pingora/keys/api-wildcard.key"
# Health endpoint (/_sensor/status)
# - Returns 200 with health metrics when healthy
# - Returns 503 when unhealthy
# - Compatible with load balancer health checks
# - Access via: GET http://localhost:6190/_sensor/status
# DLP (Data Loss Prevention) scanning
# Scans request/response bodies for PII and sensitive data.
# Supports credit cards (Luhn), SSN, IBAN, API keys, and 22 pattern types.
dlp:
  # Master switch for body scanning
  enabled: false
  # Hard upper bound on body size the scanner will accept
  max_body_size_bytes: 1048576  # 1MB hard limit
  # Only this many leading bytes are inspected (truncate, not reject);
  # presumably the remainder passes through unscanned, so matches deeper
  # in a large body would go undetected — confirm against the scanner.
  max_body_inspection_bytes: 8192  # 8KB inspection cap
  # Skip bodies whose content type is binary
  scan_text_only: true
  # Default handling for a match, one of: mask, hash, block, log.
  # NOTE(review): each pattern also carries its own "action"; verify which
  # one takes precedence.
  action: "mask"
  patterns:
    # 16-digit card number in four groups, optionally separated by "-" or
    # " ". Double-quoted so that "\\b" reaches the regex engine as \b.
    - name: "credit_card"
      pattern: "\\b\\d{4}[- ]?\\d{4}[- ]?\\d{4}[- ]?\\d{4}\\b"
      action: "mask"
    # US SSN in NNN-NN-NNNN form
    - name: "ssn"
      pattern: "\\b\\d{3}-\\d{2}-\\d{4}\\b"
      action: "block"