waf-pipeline
The phased detection orchestrator for Light WAF — a fast, modular Layer-7 Web Application Firewall reverse proxy in Rust.
It runs the registered WafModules phase by phase, accumulates
a CRS-style cumulative anomaly score, and resolves the final verdict.
What it does
- Phased execution — modules declare a
Phase; the pipeline runs each phase in order and can short-circuit on a decisive verdict. - Cumulative anomaly scoring — every matched rule contributes points by
Severity(resolved via[waf.severity_scores]); when the running score reachesblock_thresholdthe request is blocked (403). Several low-severity matches can add up to a block, the CRS way. - Verdict — a
PipelineVerdict:Allow,Block { rule_id, reason }, orReject { status, retry_after }(e.g. 429 from rate limiting). - Panic isolation — each module runs under
catch_unwind; per the[resilience]policy a panicking module is either skipped (fail_open, the default — a bug of ours must not drop availability below the no-WAF baseline) or turned into a deny (fail_closed).
Part of Light WAF
| Crate | Role |
|---|---|
waf-core |
Base types: Config, Decision, RequestContext, the WafModule contract, the StateStore seam |
waf-normalizer |
Request normalization: decode + NFKC + body/query/cookie parsing + limits |
| waf-pipeline | Phased orchestrator + cumulative anomaly scoring |
waf-detection |
Detection modules (SQLi/XSS/RCE/…) + fast-path prefilter |
waf-wasm |
Proxy-Wasm runtime (wasmi) loading .wasm filters as modules |
waf-proxy |
The waf binary: hyper/tokio reverse proxy |
See the repository for the full architecture.