The WAF provides a REST API for managing and monitoring the firewall. This document covers API configuration (not the endpoints themselves - see API Endpoints).
The API allows you to:
- Check WAF health
- View banned IPs
- Manually unban IPs
- Monitor jail status
```yaml
api:
  enabled: true
  auth:
    enabled: true
    username: "admin"
    password: "your-secure-password"
```

- enabled: Enable/disable the API
- auth.enabled: Enable/disable authentication
- auth.username: Username for Basic Auth
- auth.password: Password for Basic Auth
Important: These settings cannot be configured via environment variables (YAML only).
To enable the API:
```yaml
api:
  enabled: true
  auth:
    enabled: false # Not recommended for production
```

Access without auth:

```bash
curl http://localhost:3000/waf/healthz
curl http://localhost:3000/waf/jail-manager/baned-users
```

Always enable authentication in production:
```yaml
api:
  enabled: true
  auth:
    enabled: true
    username: "admin"
    password: "MySecurePassword123!"
```

Access with auth:

```bash
curl -u admin:MySecurePassword123! http://localhost:3000/waf/healthz
curl -u admin:MySecurePassword123! http://localhost:3000/waf/jail-manager/baned-users
```

The API uses HTTP Basic Authentication:

```
Authorization: Basic base64(username:password)
```

Basic Auth only base64-encodes the credentials; it does not encrypt them, so the API should only be reached over HTTPS (see the reverse-proxy and best-practice sections below).
When auth.enabled: true, authentication is required for:

- GET /waf/jail-manager/baned-users
- DELETE /waf/jail-manager/baned-users

These endpoints never require authentication:

- GET /waf/healthz
Important security considerations:
Use strong, unique passwords:

Bad:

```yaml
api:
  auth:
    password: "admin"    # Never use!
    password: "password" # Never use!
    password: "12345"    # Never use!
```

Good:

```yaml
api:
  auth:
    password: "X7#mK9$pL2@nQ4vB" # Strong, random
```

Generate secure passwords:
```bash
# Linux/Mac
openssl rand -base64 32
# Or
pwgen -s 32 1
# Or
head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32
```

Don't commit passwords to git:

```yaml
# Bad - password in git
api:
  auth:
    password: "MyPassword123"
```

Better - use environment variable:
While the config itself can't use env vars for API auth, you can generate the config file dynamically:
```bash
# generate-config.sh
cat > config.yaml <<EOF
api:
  enabled: true
  auth:
    enabled: true
    username: "${API_USERNAME}"
    password: "${API_PASSWORD}"
# ... rest of config
EOF
```

Best - use secrets management:
Use tools like:
- HashiCorp Vault
- AWS Secrets Manager
- Kubernetes Secrets
- Docker Secrets
```yaml
api:
  enabled: true
  auth:
    enabled: false
```

Use for: Local development only. Never use in production.

```yaml
api:
  enabled: true
  auth:
    enabled: true
    username: "waf-admin"
    password: "X7#mK9$pL2@nQ4vB"
```

Use for: Production environments.

```yaml
api:
  enabled: false
```

Use for: When API is not needed. Slightly more secure (smaller attack surface).
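A small audit script that checks a parsed config.yaml against the rules above (auth enabled whenever the API is, no known-weak or placeholder passwords, at least 16 characters, mixed character classes). This is an added example, not part of the WAF project; `audit_api_config` takes the dict that `yaml.safe_load()` returns, and the weak-password list is constructed from the page's own "Never use!" values and placeholders.

```python
"""Audit the WAF `api:` block against the hardening rules on this page.

Added example (not part of the WAF project). `config` is the dict that
yaml.safe_load() returns for config.yaml; the weak-password list and the
16-character / mixed-character-class rules are taken from the page's
Bad/Good examples and best-practice list. It checks the file only, not
what the running server actually enforces.
"""
import string

# Constructed blocklist: the page's "Never use!" values plus its placeholders.
WEAK_PASSWORDS = {"admin", "password", "12345", "your-secure-password", "MyPassword123"}
MIN_LENGTH = 16  # "Use strong passwords - At least 16 characters, random"
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def password_findings(password: str) -> list[str]:
    """Findings for a single password value; an empty list means it passes."""
    findings = []
    if not password:
        # Also what the generate-config.sh heredoc produces when API_PASSWORD is unset.
        return ["api.auth.password is empty"]
    if password in WEAK_PASSWORDS:
        findings.append("api.auth.password is a known default/weak value")
    if len(password) < MIN_LENGTH:
        findings.append(f"api.auth.password is shorter than {MIN_LENGTH} characters")
    classes = sum(any(c in cls for c in password) for cls in CHAR_CLASSES)
    if classes < 3:
        findings.append("api.auth.password uses fewer than 3 character classes")
    return findings


def audit_api_config(config: dict) -> list[str]:
    """Return findings for the `api:` block; an empty list means production-ready."""
    api = config.get("api") or {}
    if not api.get("enabled", False):
        return []  # API disabled: nothing exposed, smallest attack surface
    auth = api.get("auth") or {}
    if not auth.get("enabled", False):
        return ["api.auth.enabled is false: API is reachable without credentials (local dev only)"]
    findings = []
    if not auth.get("username"):
        findings.append("api.auth.username is empty")
    findings.extend(password_findings(str(auth.get("password") or "")))
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's production config from above.
    sample = {"api": {"enabled": True, "auth": {"enabled": True,
              "username": "waf-admin", "password": "X7#mK9$pL2@nQ4vB"}}}
    for finding in audit_api_config(sample) or ["OK: no findings"]:
        print(finding)
```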
Best practice: Restrict API access at network level (firewall, security groups).
iptables example:

```bash
# Allow API access only from admin network
iptables -A INPUT -p tcp --dport 3000 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
```

AWS Security Group example:

```
Type: Custom TCP
Port: 3000
Source: 10.0.1.0/24 (admin VPC)
```
Run WAF behind a reverse proxy that adds additional auth/restrictions:
```nginx
# Nginx example
location /waf/ {
    # Additional auth layer
    auth_basic "WAF Admin";
    auth_basic_user_file /etc/nginx/.htpasswd;
    # IP whitelist
    allow 192.168.1.0/24;
    deny all;
    proxy_pass http://waf:3000/waf/;
}
```

Note that Nginx forwards the client's Authorization header upstream by default, so if the WAF's own auth.enabled is also true, the .htpasswd credentials must match the WAF's, or the proxy must set its own Authorization header for the upstream.

Check the health endpoint:

```bash
curl http://localhost:3000/waf/healthz
```

Expected response:

```
Hello from WAF server!
```
```bash
# Without auth (should fail if auth enabled)
curl http://localhost:3000/waf/jail-manager/baned-users
# Response: 401 Unauthorized
# With auth (should succeed)
curl -u admin:password http://localhost:3000/waf/jail-manager/baned-users
# Response: [ ... list of banned users ... ]
```

curl:

```bash
curl -u admin:password http://localhost:3000/waf/jail-manager/baned-users
```

HTTPie:

```bash
http -a admin:password localhost:3000/waf/jail-manager/baned-users
```

Python:

```python
import requests

auth = ('admin', 'password')
response = requests.get('http://localhost:3000/waf/jail-manager/baned-users', auth=auth)
print(response.json())
```

Node.js:

```javascript
const fetch = require('node-fetch');

const auth = Buffer.from('admin:password').toString('base64');
fetch('http://localhost:3000/waf/jail-manager/baned-users', {
  headers: {
    'Authorization': `Basic ${auth}`
  }
})
  .then(res => res.json())
  .then(data => console.log(data));
```

Postman:

- Create new request
- Set URL: `http://localhost:3000/waf/jail-manager/baned-users`
- Go to Authorization tab
- Type: Basic Auth
- Username: `admin`
- Password: `your-password`
Enable logging to monitor API access:
Symptom: `curl http://localhost:3000/waf/healthz` fails

Causes:
- API disabled: Check `api.enabled: true`
- WAF not running: Check `ps aux | grep waf`
- Wrong port: Check `port` in config
- Firewall blocking: Check firewall rules
Symptom: Requests return 401
Causes:
- Wrong username/password
- Auth enabled but not providing credentials
- Incorrect Basic Auth format
Solution:

```bash
# Verify credentials in config
grep -A5 "api:" config.yaml
# Test with correct creds
curl -u admin:correct-password http://localhost:3000/waf/jail-manager/baned-users
```

Cause: Firewall blocking external access

Solution:
- Check firewall rules
- Check Docker port mapping: `-p 3000:3000`
- Check cloud security groups
- Always enable authentication in production
- Use strong passwords - At least 16 characters, random
- Don't commit passwords to version control
- Restrict network access - Firewall rules
- Use HTTPS - Run WAF behind TLS-terminating reverse proxy
- Monitor API usage - Log and alert on suspicious activity
- Rotate passwords - Periodically change API password
- Principle of least privilege - Only give API access to those who need it
- API Overview - Introduction to the API
- API Endpoints - Available endpoints
- API Examples - Usage examples
- Security Best Practices - Security hardening