
bulwark-ext-processor

An Envoy external processor for the Bulwark security engine

6 releases (breaking)

0.6.0 Jun 27, 2024
0.5.0 Apr 7, 2024
0.4.0 Nov 23, 2023
0.3.0 Aug 3, 2023
0.1.0 May 19, 2023



Used in bulwark-cli

Apache-2.0 WITH LLVM-exception




Minimum supported Rust version: 1.76.0

Automated security decision-making under uncertainty.

🧩 Envoy External Processor

The bulwark-ext-processor crate is responsible for exposing a service that implements the Envoy external processing API. It connects Envoy to Bulwark's WebAssembly host environment.

This crate is primarily a dependency of bulwark-cli.

🏰 What is Bulwark?

Bulwark is a fast, modern, open-source web application firewall (WAF) and API security gateway. It simplifies the implementation of detective security controls while offering comprehensive visibility into your web services. Bulwark's detection-as-code approach to rule definition offers security teams higher confidence in their response to persistent and adaptive threats. Bulwark plugins offer a wide range of capabilities, enabling security teams to define and evolve detections rapidly, without making changes to the underlying application.

🚀 Quickstart

In a Bulwark deployment, there are several pieces working together. In the current version of Bulwark, Envoy handles the initial HTTP request processing. Bulwark uses Envoy's external processing API to hook that processing and perform security decision-making on the traffic. In most configurations, there will be an interior service that handles the actual business logic of the web application and Envoy will be configured to send the traffic onwards once Bulwark has made its decision.

An example Envoy configuration file is provided as a starting point for the typical deployment setup just described. The Envoy server would be launched with the following command:

envoy -c envoy.yaml

Bulwark's own configuration file is a TOML file that defines which detection plugins should be used to process a request, as well as details like the listening port and the address for the Redis server. The listening port in Bulwark's configuration must match the port number given for the corresponding external processing filter section in Envoy's configuration. Bulwark is launched with the following command (after installing the CLI with cargo install bulwark-cli):

bulwark-cli ext-processor -c bulwark.toml

💪 Contributing

Check out the list of open issues. We actively maintain a list of issues suitable for new contributors to the project. Alternatively, detection plugins may be contributed to the community ruleset.

We do not require contributors to sign a license agreement (CLA) because we want users of Bulwark to be confident that the software will remain available under its current license.

🤝 License

This project is licensed under the Apache 2.0 license with the LLVM exception. See LICENSE for more details.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this project by you, as defined in the Apache 2.0 license, shall be licensed as above, without any additional terms or conditions.

🛟 Getting Help

To start, check if the answer to your question can be found in any of the guides or API documentation. If you aren't able to find an answer there, check the Bulwark project's discussion forum. We are happy to help answer your questions and provide guidance through our community forum.
