6 releases (breaking)
0.6.0 | Jun 27, 2024 |
---|---|
0.5.0 | Apr 7, 2024 |
0.4.0 | Nov 23, 2023 |
0.3.0 | Aug 3, 2023 |
0.1.0 | May 19, 2023 |
#1087 in WebAssembly
Used in bulwark-cli
10MB
169K
SLoC
Automated security decision-making under uncertainty.
🧩 Envoy External Processor
The bulwark-ext-processor
crate is responsible for exposing a service that implements the
Envoy external processing API.
It connects Envoy to Bulwark's WebAssembly host environment.
This crate is primarily a dependency of bulwark-cli
.
🏰 What is Bulwark?
Bulwark is a fast, modern, open-source web application firewall (WAF) and API security gateway. It simplifies the implementation of detective security controls while offering comprehensive visibility into your web services. Bulwark's detection-as-code approach to rule definition offers security teams higher confidence in their response to persistent and adaptive threats. Bulwark plugins offer a wide range of capabilities, enabling security teams to define and evolve detections rapidly, without making changes to the underlying application.
🚀 Quickstart
In a Bulwark deployment, there are several pieces working together. In the current version of Bulwark, Envoy handles the initial HTTP request processing. Bulwark uses Envoy's external processing API to hook that processing and perform security decision-making on the traffic. In most configurations, there will be an interior service that handles the actual business logic of the web application and Envoy will be configured to send the traffic onwards once Bulwark has made its decision.
An example Envoy configuration file is provided as a starting point for the typical deployment setup just described. The Envoy server would be launched with the following command:
envoy -c envoy.yaml
Bulwark's own configuration file is a TOML file that defines
which detection plugins should be used to process a request, as well as details like the listening port and the address
for the Redis server. The listening port in Bulwark's configuration must match the port number given for the
corresponding external processing filter section in Envoy's configuration. Bulwark is launched with the following
command (after installing the CLI with cargo install bulwark-cli
):
bulwark-cli ext-processor -c bulwark.toml
💪 Contributing
Check out the list of open issues. We actively maintain a list of issues suitable for new contributors to the project. Alternatively, detection plugins may be contributed to the community ruleset.
We do not require contributors to sign a license agreement (CLA) because we want users of Bulwark to be confident that the software will remain available under its current license.
🤝 License
This project is licensed under the Apache 2.0 license with the LLVM exception. See LICENSE for more details.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this project by you, as defined in the Apache 2.0 license, shall be licensed as above, without any additional terms or conditions.
🛟 Getting Help
To start, check if the answer to your question can be found in any of the guides or API documentation. If you aren't able to find an answer there, check the Bulwark project's discussion forum. We are happy to help answer your questions and provide guidance through our community forum.
Dependencies
~47–64MB
~1M SLoC