Unexpected Rule Processing in Coraza Proxy WASM on APISIX

[azolfagharj]

Unexpected Rule Processing in Coraza Proxy WASM on APISIX

Hello team,

I am currently using Coraza Proxy WASM within Apache APISIX, and I've encountered an issue where a request from a specific IP is not being excluded from rule processing as expected.

🔧 Configuration Overview

Here is the relevant part of my configuration:

SecDebugLogLevel 9
SecRuleEngine On
SecDefaultAction "phase:2,log,deny,status:403"

# IP exclusion rule
SecRule REMOTE_ADDR "@contains X.X.X.X" "id:1236,phase:1,nolog,allow,ctl:ruleEngine=Off"
or
SecRule REMOTE_ADDR "@ipMatch X.X.X.X" "id:1236,phase:1,nolog,allow,ctl:ruleEngine=Off"

# Example blocking rule
SecRule REQUEST_URI "\.php\?.*=(https?|ftp)\:/.*(cmd|command)=" \
    "id:20508013,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    phase:2,msg:'(Access denied with code 403)',\
    logdata:Matched on: %{MATCHED_VAR}"

❗ Expected Behavior

I expect that any request coming from X.X.X.X would be:

• Allowed due to the allow,ctl:ruleEngine=Off directive.
• Skipped from further rule evaluation (e.g., the rule with ID 20508013 should not be executed).

🚨 Actual Behavior

Unfortunately, this is not happening. The rule 20508013 is still being evaluated for the IP X.X.X.X, and access is being denied.

Here’s a log excerpt:

Coraza: Access denied (phase 2). (Access denied with code 403) [file ""] [line "51"] [id "20508013"] [rev ""] [msg "(Access denied with code 403)"] [data "Matched on: /waf/ip.php?url=http://example.com/cmd=something"] [severity "emergency"] [ver ""] [maturity "0"] [accuracy "0"] [hostname ""] [uri "/waf/ip.php?url=http://example.com/cmd=something"] [unique_id "aWvKAemfFFQtuoQJBkl"], client: X.X.X.X, server: _, request: "GET /waf/ip.php?url=http://example.com/cmd=something HTTP/1.1"

🤔 Question

Is there something I’m missing about how ctl:ruleEngine=Off should behave within Coraza Proxy WASM in APISIX?

I would greatly appreciate any guidance or clarification on how to achieve this behavior properly.

Thank you very much in advance for your support!

Best regards,
[Your Name]

[azolfagharj]

Hey, ctl:ruleEngine=Off is indeed expected to work as you wrote. I see that you are currently running with the most verbose log level (SecDebugLogLevel 9). Could you please look for a log line similar to the following to investigate why rule 1236 is not matching?

Evaluating operator: NO MATCH tx_id="jAdyveACzjEWANKTAII" rule_id=1236 variable="REMOTE_ADDR" operator_function="@ipMatch" operator_data="X.X.X.X" arg="Y.Y.Y.Y"

Otherwise, you could temporarily also add a rule like the following to print the REMOTE_ADDR variable:

SecRule REMOTE_ADDR "@unconditionalMatch" "id:1237,phase:1,pass,log,msg:'%{MATCHED_VAR_NAME} %{MATCHED_VAR}'"

Thanks for your reply!

I added the following rule:

SecRule REMOTE_ADDR "@unconditionalMatch" "id:1200,phase:1,pass,log,msg:'%{MATCHED_VAR_NAME} %{MATCHED_VAR}'"

And this was the result:

Coraza: Warning. REMOTE_ADDR  [file ""] [line "4"] [id "1200"] [rev ""] [msg "REMOTE_ADDR "] [data ""]

It seems like REMOTE_ADDR is not being detected, even though this parameter works fine generally in APISIX.

To be sure, I disabled all other plugins — but the result remained the same.

What do you suggest as the next step?

Thanks again for your time!

[azolfagharj]

For further investigation,
I added the file-log plugin with the following parameter:

"remote_address": "$remote_addr"

The result was as follows:

"status":403,
"user_agent":"PostmanRuntime/7.43.3",
"remote_address":"xx.xx.xx.xx",
"@timestamp":"2025-05-19T06:19:53+00:00",
"route_id":"realwaf"

This confirms that remote_address indeed exists and contains the correct value.

[M4tteoP]

Here is the code we are using to retrieve the destination address https://github.com/corazawaf/coraza-proxy-wasm/blob/main/wasmplugin/plugin.go#L735-L771. I think that the property names are not exactly the same as the ones used in Envoy. We are retrieving the addresses as:

proxywasm.GetProperty([]string{destination, "address"})

But in the apisix repo, I see something as

proxywasm.GetProperty([]string{"remote_addr"})

Related to #217.

[azolfagharj]

i,
Thanks for your time.
What do you think I should do as a user?
Is there anything I can do, or should your response be addressed by the plugin team?

[azolfagharj]

As far as I know,
in Envoy, when enabling the WASM plugin in the main config, we can specify which items to import.
But for this plugin, there is no such option mentioned in the APISIX config.

[azolfagharj]

For now, I solved the issue using Lua.
I added the address to the request header in the rewrite phase,
and I wrote and handled the rule using SecRule REQUEST_HEADERS.
However, I think it should be properly and officially fixed so that the remote address can be directly recognized in the rules.