coraza-proxy-wasm-0.5.0 and 0.3.0 cannot run on istio 1.26.1

[erictarrence]

my steps are as follow:

1.wget https://github.com/corazawaf/coraza-proxy-wasm/releases/download/0.5.0/coraza-proxy-wasm-0.5.0.zip

2.cat Dockerfile

# Copyright 2022 The OWASP Coraza contributors
# SPDX-License-Identifier: Apache-2.0

ARG BASE_IMAGE
FROM ${BASE_IMAGE:-scratch}

COPY coraza-proxy-wasm.wasm /plugin.wasm

3.podman build -f Dockerfile . -t docker.io/erictarrence/universal:coraza-5.0

4.podman push docker.io/erictarrence/universal:coraza-5.0

5.kubectl create -f coraza-waf-WasmPlugin.yaml

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: coraza-waf
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  url: oci://docker.io/erictarrence/universal:coraza-5.0
  imagePullPolicy: IfNotPresent
  phase: AUTHN
  pluginConfig:
    rules:
      - "SecDebugLogLevel 3"
      - "SecRuleEngine On"
      - "SecAuditEngine On"
      - "SecAuditLogParts ABIJDEFHZ"
      - "SecAuditLogType Concurrent"
      - "SecDefaultAction \"phase:3,log,auditlog,deny,status:403\""
      - "SecDefaultAction \"phase:4,log,auditlog,deny,status:403\""
      - "SecDefaultAction \"phase:5,log,auditlog,deny,status:403\""
      - "SecAuditLogRelevantStatus ^(1[0-9]{2}|2[0-9]{2}|3[0-8][0-9]|39[0-9]|40[0-3]|405|5[0-9]{2})$"
      - "Include @crs-setup-demo-conf"
      - "Include crs/*.conf"

6.watched istiod and ingressgateway logs

there is no wasm log in ingressgateway pod

If coraza-proxy-wasm is working properly, then the ingressgateway pod should show the wasm logs

there are a few logs about coraza-waf in istiod pod

2025-06-27T10:48:24.206129Z	info	ads	Push debounce stable[42] 1 for config WasmPlugin/istio-system/coraza-waf: 100.251343ms since last change, 100.251192ms since last push, full=true
2025-06-27T10:48:24.206368Z	info	ads	XDS: Pushing Services:25 ConnectedEndpoints:2 Version:2025-06-27T10:48:24Z/25
2025-06-27T10:48:24.206533Z	info	delta	LDS: PUSH for node:istio-ingressgateway-6fcf48f7d4-n2snm.istio-system resources:0 removed:0 size:0B
2025-06-27T10:48:24.206767Z	info	delta	LDS: PUSH for node:gateway-istio-6bdc78d4d-ph75d.istio-ingress resources:2 removed:0 size:4.8kB

[M4tteoP]

Hi, by any chance could you try with the just released 0.6.0 version?

[erictarrence]

there is same error with 0.6.0 version

there is no wasm log in ingressgateway pod

there are a few logs about coraza-waf in istiod pod

2025-07-22T09:27:17.180759Z	info	ads	Push debounce stable[49] 1 for config WasmPlugin/istio-system/coraza-waf: 100.111576ms since last change, 100.111506ms since last push, full=true
2025-07-22T09:27:17.180987Z	info	ads	XDS: Pushing Services:25 ConnectedEndpoints:2 Version:2025-07-22T09:27:17Z/32
2025-07-22T09:27:17.181114Z	info	delta	LDS: PUSH for node:istio-ingressgateway-6fcf48f7d4-n2snm.istio-system resources:0 removed:0 size:0B
2025-07-22T09:27:17.181235Z	info	delta	LDS: PUSH for node:gateway-istio-6bdc78d4d-ph75d.istio-ingress resources:2 removed:0 size:4.6kB

kubectl  -n istio-system get pod -l istio=ingressgateway
NAME                                    READY   STATUS    RESTARTS   AGE
istio-ingressgateway-6fcf48f7d4-n2snm   1/1     Running   0          39d

cat coraza-waf-WasmPlugin.yaml

apiVersion: extensions.istio.io/v1alpha1
kind: WasmPlugin
metadata:
  name: coraza-waf
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  url: oci://docker.io/erictarrence/universal:coraza-6.0
  imagePullPolicy: IfNotPresent
  phase: AUTHN
  pluginConfig:
    rules:
      - "SecDebugLogLevel 3"
      - "SecRuleEngine On"
      - "SecAuditEngine On"
      - "SecAuditLogParts ABIJDEFHZ"
      - "SecAuditLogType Concurrent"
      - "SecDefaultAction \"phase:3,log,auditlog,deny,status:403\""
      - "SecDefaultAction \"phase:4,log,auditlog,deny,status:403\""
      - "SecDefaultAction \"phase:5,log,auditlog,deny,status:403\""
      - "SecAuditLogRelevantStatus ^(1[0-9]{2}|2[0-9]{2}|3[0-8][0-9]|39[0-9]|40[0-3]|405|5[0-9]{2})$"
      - "Include @crs-setup-demo-conf"
      - "Include crs/*.conf"

Hi, by any chance could you try with the just released 0.6.0 version?