waf-proxy — Light WAF
Light WAF is a Web Application Firewall in Rust operating as a reverse proxy at Layer 7: it inspects every HTTP request, applies detection rules, accumulates a CRS-style anomaly score, and decides Allow / Block (403) / Reject (400 | 429) before forwarding to the backend.
Goals: light (few dependencies), fast (< 1 ms p99 on the common path; ~2 µs worst-case inspection latency), modular (every detection is a plugin toggled from config), observable (structured JSON logs + opt-in Prometheus), secure by design (explicit per-scenario fail-open / fail-closed).
This crate ships the waf binary (and a waf_proxy library). It is the top of the
workspace: the hyper/tokio reverse proxy, config loading, hot reload, TLS termination, and the
embedding seams.
Install
Run
Config path precedence: --config > env WAF_CONFIG > ./config.toml.
The default config listens on 0.0.0.0:8080, forwards to 127.0.0.1:3000, in
mode = "detection-only" (logs but does not block). Set mode = "blocking" to enforce.
Invalid or missing config → message on stderr + exit code 2 (fail-fast).
Quick check (with a backend on :3000):
Capabilities (summary)
- Detection — SQLi, XSS, RCE/cmd-injection (incl. in the URL path), LFI/RFI, SSRF, LDAP, NoSQL, Mail, SSTI, SSI, XXE, path traversal, CRLF header injection, request smuggling (CL/TE), GraphQL & gRPC structural caps, scanner/tool fingerprinting, L7 rate limiting.
- Anti-evasion — double-encoding-aware percent-decode + NFKC + overlong-collapse + a multi-transform derived channel (base64, HTML-entity, tag/control strip, VBScript-concat).
- TLS termination — rustls, cert-from-file; one port serves HTTP/1.1 and HTTP/2 via
ALPN/
auto; opt-in[tls], fail-closed (no cleartext downgrade). - Extensibility (default-off) — WASM plugins (
waf-wasm), OWASP CRS / ModSecurity import, and aProxy::builder()to inject your own modules,StateStore, orTlsCertSourcewithout forking the core. - Observability — structured JSON logs; opt-in Prometheus
/metricson a separate loopback listener ([metrics]).
Part of Light WAF
| Crate | Role |
|---|---|
waf-core |
Base types: Config, Decision, RequestContext, the WafModule contract, the StateStore seam |
waf-normalizer |
Request normalization: decode + NFKC + body/query/cookie parsing + limits |
waf-pipeline |
Phased orchestrator + cumulative anomaly scoring |
waf-detection |
Detection modules (SQLi/XSS/RCE/…) + fast-path prefilter |
waf-wasm |
Proxy-Wasm runtime (wasmi) loading .wasm filters as modules |
| waf-proxy | The waf binary: hyper/tokio reverse proxy |
Full architecture, configuration schema, and the open-source/enterprise boundary are in the
repository (ARCHITECTURE.md, BOUNDARY.md).