waf.proto
Package: envoy.config.filter.http.modsecurity.v2
Types:
AuditLogging
"action": .envoy.config.filter.http.modsecurity.v2.AuditLogging.AuditLogAction
"location": .envoy.config.filter.http.modsecurity.v2.AuditLogging.AuditLogLocation
AuditLogAction

| Name | Description |
| --- | --- |
| NEVER | Never generate audit logs. |
| RELEVANT_ONLY | When set to RELEVANT_ONLY, this will have similar behavior to SecAuditEngine RelevantOnly. |
| ALWAYS | Always generate an audit log entry (as long as the filter is not disabled). |

AuditLogLocation

| Name | Description |
| --- | --- |
| FILTER_STATE | Add the audit log to the filter state. It will be under the key "io.solo.modsecurity.audit_log". You can use this formatter in the access log: %FILTER_STATE(io.solo.modsecurity.audit_log)% |
| DYNAMIC_METADATA | Add the audit log to the dynamic metadata. It will be under the filter name "io.solo.filters.http.modsecurity", with "audit_log" as the key. You can use this formatter in the access log: %DYNAMIC_METADATA("io.solo.filters.http.modsecurity:audit_log")% |

ModSecurity
"disabled": bool
"ruleSets": [] envoy.config.filter.http.modsecurity.v2.RuleSet
"customInterventionMessage": string
"auditLogging": .envoy.config.filter.http.modsecurity.v2.AuditLogging
"requestHeadersOnly": bool
"responseHeadersOnly": bool
"regressionLogs": bool
"dlpTransformation": .envoy.config.filter.http.transformation_ee.v2.DlpTransformation

| Field | Type | Description |
| --- | --- | --- |
| disabled | bool | Disable all rules on the current route. |
| ruleSets | []envoy.config.filter.http.modsecurity.v2.RuleSet | Global rule sets for the current http connection manager. |
| customInterventionMessage | string | Custom message to display when an intervention occurs. |
| auditLogging | .envoy.config.filter.http.modsecurity.v2.AuditLogging | This instructs the filter what to do with the transaction's audit log. |
| requestHeadersOnly | bool | If set, the body will not be buffered and fed to ModSecurity; only the headers will. This can help improve performance. |
| responseHeadersOnly | bool | |
| regressionLogs | bool | Log in a format suited for the OWASP regression tests. This is a multiline log format, so it is disabled for regular use. Do not enable this in production! |
| dlpTransformation | .envoy.config.filter.http.transformation_ee.v2.DlpTransformation | |

RuleSet
"ruleStr": string
"files": [] string
"directory": string

| Field | Type | Description |
| --- | --- | --- |
| ruleStr | string | String of rules which are added directly. |
| files | []string | Array of files with rules to include. Any subsequent changes to the rules in these files are not automatically updated. To update rules from files, version and update the file name. If you want dynamically updated rules, use the configMapRuleSets option instead. |
| directory | string | A directory to include. All *.conf files in this directory will be included. Subdirectories will NOT be checked. |

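
The ModSecurity, RuleSet and AuditLogging messages above, written out as YAML in a weak variant followed by a tightened one. This is an added example, not configuration from this page or from the project: it uses only the field and enum names listed above, the rules inside ruleStr are constructed samples, and where the message is embedded in a larger resource is not shown here.

```yaml
# Constructed example. Rule ids and match strings are made up for illustration.

# Variant 1: settings that reduce inspection and visibility
ruleSets:
  - ruleStr: |
      SecRuleEngine On
      SecRequestBodyAccess On
      SecRule REQUEST_HEADERS:User-Agent "@contains blocked-agent" "id:1001,phase:1,deny,status:403"
      SecRule REQUEST_BODY "@contains blocked-token" "id:1002,phase:2,deny,status:403"
# Per the field description, the body is not buffered or fed to ModSecurity,
# so rule 1002 has no request body to match against.
requestHeadersOnly: true
# Multiline OWASP regression-test log format; the reference says not to enable it in production.
regressionLogs: true
auditLogging:
  action: NEVER        # no audit log is generated for any transaction
---
# Variant 2: the same rules, with the body inspected and audit logs recorded
ruleSets:
  - ruleStr: |
      SecRuleEngine On
      SecRequestBodyAccess On
      SecRule REQUEST_HEADERS:User-Agent "@contains blocked-agent" "id:1001,phase:1,deny,status:403"
      SecRule REQUEST_BODY "@contains blocked-token" "id:1002,phase:2,deny,status:403"
requestHeadersOnly: false
regressionLogs: false
customInterventionMessage: "Request blocked by policy"   # constructed text
auditLogging:
  action: RELEVANT_ONLY        # similar to SecAuditEngine RelevantOnly
  location: DYNAMIC_METADATA   # filter name io.solo.filters.http.modsecurity, key audit_log
```

With DYNAMIC_METADATA as the location, the audit log reaches the access log through the formatter given in the AuditLogLocation table.
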
ModSecurityPerRoute
"disabled": bool
"ruleSets": [] envoy.config.filter.http.modsecurity.v2.RuleSet
"customInterventionMessage": string
"auditLogging": .envoy.config.filter.http.modsecurity.v2.AuditLogging
"requestHeadersOnly": bool
"responseHeadersOnly": bool
"dlpTransformation": .envoy.config.filter.http.transformation_ee.v2.DlpTransformation