Add config validate functionality without starting the server #110
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 4 commits
September 27, 2024 15:09
…arting the server
Added a flag to validate the configuration without restarting the server
# Conflicts: # cmd/coraza-spoa/main.go
fionera
requested changes
Nov 15, 2024
| @@ -61,6 +63,11 @@ func main() { | |||
| globalLogger.Fatal().Err(err).Msg("Failed creating applications") | |||
| } | |||
|
|
|||
| if validateConfig == true { | |||
| globalLogger.Info().Bool("valid", true).Msg("Configuration is valid") | |||
There was a problem hiding this comment.
Printing valid=true implies that a invalid config would print false. Instead it would return with exit 1 and another error message. We should probably rework this to return false and not fatal when in check mode.
There was a problem hiding this comment.
Also this should be added to the CI/E2E test
| @@ -28,6 +28,13 @@ coraza-spoa -f /etc/coraza-spoa/coraza-spoa.yaml | |||
|
|
|||
| You will also want to download & extract the [OWASP Core Ruleset]( https://github.com/coreruleset/coreruleset/releases) (version 4+ supported) to the `/etc/coraza-spoa` directory. | |||
|
|
|||
| ### Validate Configuration | |||
| To validate the configuration, you can pass the `-validate` flag, which just loads the configuration and exits. | |||
There was a problem hiding this comment.
I really don't like our current flag names but because renaming would be a breaking change I left them as they are. I would really like to use haproxy like flags e.g. -c for check mode and supplying the config file as first argument to the process. What do you think about this?
fionera
reviewed
Nov 15, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New CLI-Flag
I have added the CLI flag
-validatewhich checks the configuration and exits before starting the SPOA server.Example call:
Why?
When modifying rules, there can happen errors like wrong syntax or duplicate ids.
If they are unnoticed and you restart the
coraza-spoait will crash and the WAF isn't handling any requests anymore.This flag enables you to check the configuration before running into such troubles.
This feature isn't solving the restart without downtime as in #19, but it minimizes the risk of bigger downtimes.
Other fixes
I fixed the systemd unit file with the wrong syntax
InaccessiblePaths=-/bin/findFixes #102