{"id":48644075,"url":"https://github.com/corazawaf/coraza-apache","last_synced_at":"2026-04-17T00:02:03.863Z","repository":{"id":344817712,"uuid":"1182716752","full_name":"corazawaf/coraza-apache","owner":"corazawaf","description":"Coraza Apache experimental integration","archived":false,"fork":false,"pushed_at":"2026-04-09T22:32:27.000Z","size":70,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-10T00:26:45.525Z","etag":null,"topics":["coraza","nginx","owasp","waf"],"latest_commit_sha":null,"homepage":"https://www.coraza.io","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/corazawaf.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-15T21:57:56.000Z","updated_at":"2026-04-09T22:32:20.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/corazawaf/coraza-apache","commit_stats":null,"previous_names":["corazawaf/coraza-apache"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/corazawaf/coraza-apache","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza-apache","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza-apache/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza-apache/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza-apache/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/corazawaf","download_url":"https://codeload.github.com/corazawaf/coraza-apache/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/corazawaf%2Fcoraza-apache/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31909235,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-16T18:22:33.417Z","status":"ssl_error","status_checked_at":"2026-04-16T18:21:47.142Z","response_time":69,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["coraza","nginx","owasp","waf"],"created_at":"2026-04-10T00:18:13.228Z","updated_at":"2026-04-17T00:02:03.855Z","avatar_url":"https://github.com/corazawaf.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Coraza Apache Connector\n\n**Experimental** -- not production ready.\n\nApache HTTPD module for the Coraza WAF engine, using libcoraza (C bindings).\n\nSame dependency chain as coraza-nginx: coraza (Go) -\u003e libcoraza (C bindings) -\u003e this module.\n\n## Build\n\nRequires libcoraza \u003e= 1.4.0 headers at compile time and the shared library at runtime.\nThe module is not linked against libcoraza -- it loads it via dlopen()\nafter fork to avoid Go runtime deadlocks.\n\n```\nmake\nmake install\n```\n\nOr with a custom apxs path:\n\n```\nmake APXS=/path/to/apxs\n```\n\n## Docker\n\nBuilds everything from source (libcoraza + module):\n\n```\ndocker build --no-cache -t coraza-apache-test .\ndocker run --rm -d --name coraza-apache-test -p 8888:80 coraza-apache-test\n./test.sh http://localhost:8888\ndocker stop coraza-apache-test\n```\n\nTo test with a specific MPM (default is event):\n\n```\ndocker build --no-cache --build-arg MPM=prefork -t coraza-test-prefork .\ndocker run --rm -d --name coraza-test-prefork -p 8889:80 coraza-test-prefork\n./test.sh http://localhost:8889 --mpm=prefork\ndocker stop coraza-test-prefork\n```\n\nThe `--mpm` flag verifies the server is running the expected MPM via the\n`server-info` endpoint.\n\n## Configuration example\n\nAll standard modsecurity `Sec*` directives are registered natively, so existing\nmodsecurity configs (including CRS) can be used directly via Apache's `Include`:\n\n```apache\nLoadModule coraza_module modules/mod_coraza.so\n\nCoraza On\nSecRuleEngine On\nSecRequestBodyAccess On\nSecResponseBodyAccess Off\n\n# OWASP CRS — use CorazaRulesFile so that relative data file paths\n# (e.g. @pmFromFile scanners-user-agents.data) resolve correctly\nCorazaRulesFile /etc/coraza/coraza-waf.conf\n\n# Custom exclusions for a specific path\n\u003cLocation /api/upload\u003e\n    SecRuleRemoveById 920420\n    SecRequestBodyLimit 52428800\n\u003c/Location\u003e\n\n# Disable inspection entirely for health checks\n\u003cLocation /health\u003e\n    Coraza Off\n\u003c/Location\u003e\n\n# Directory-based custom rule\n\u003cDirectory /var/www/uploads\u003e\n    SecRule FILES_NAMES \"\\.php$\" \"id:10001,phase:2,deny,status:403\"\n\u003c/Directory\u003e\n\n# Disable via .htaccess (requires AllowOverride All)\n# In .htaccess: Coraza Off\n```\n\n### Directives\n\n**Sec\\*** -- all standard modsecurity directives (`SecRuleEngine`, `SecRule`,\n`SecAction`, `SecRequestBodyAccess`, `SecAuditEngine`, etc.) are registered\nnatively and can be used directly in Apache config files. Context: server config, `\u003cVirtualHost\u003e`, `\u003cLocation\u003e`, `\u003cDirectory\u003e`, `.htaccess`.\n\n**Coraza** On|Off -- enable or disable the module. Context: server config, `\u003cVirtualHost\u003e`, `\u003cLocation\u003e`, `\u003cDirectory\u003e`, `.htaccess`.\n\n**CorazaRules** \"...\" -- inline rule or directive. Context: server config, `\u003cVirtualHost\u003e`, `\u003cLocation\u003e`, `\u003cDirectory\u003e`, `.htaccess`.\n\n**CorazaRulesFile** /path -- load rules from file. Use this for CRS and other rule\nfiles that reference relative data file paths. Context: server config, `\u003cVirtualHost\u003e`, `\u003cLocation\u003e`, `\u003cDirectory\u003e`, `.htaccess`.\n\n**CorazaTransactionId** \"...\" -- custom transaction ID. Context: server config, `\u003cVirtualHost\u003e`, `\u003cLocation\u003e`, `\u003cDirectory\u003e`, `.htaccess`.\n\nRules defined at server level are inherited by `\u003cVirtualHost\u003e`, `\u003cLocation\u003e`, `\u003cDirectory\u003e`, and `.htaccess`.\nSetting `Coraza Off` in any context disables inspection for that scope.\n\n## How it works\n\nThe module hooks into Apache's request processing:\n\n- **Phase 1** (fixups hook): connection info, URI, request headers\n- **Phase 2** (fixups hook): request body -- read proactively via ap_get_client_block()\n- **Phase 3-4** (output filter): response headers and body, with header delay\n- **Phase 5** (log_transaction hook): audit logging\n\nRules are collected as strings during config parsing (master process)\nand replayed in each child process after dlopen. This is required because\nthe Go runtime inside libcoraza cannot be loaded before fork.\n\n## Limitations\n\n- Tested with prefork and event MPMs\n\n## License\n\nApache License 2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcorazawaf%2Fcoraza-apache","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcorazawaf%2Fcoraza-apache","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcorazawaf%2Fcoraza-apache/lists"}