Next topic is from Zofan; he is from Indonesia. His topic is still web application firewall, with Wasm and Coraza. Okay, cool.

Okay, thank you everyone for joining the session. Thank you for inviting me to Shanghai. It's a very beautiful city. Anyway, let's not waste time. So I want to introduce web application firewall with WebAssembly and Coraza.

So just to give you context, right? There are actually a few open source solutions related to WAF, or web application firewall, in the market, for example, ModSecurity. But when you take a look into the solution, integration is very hard. For example, you need to build your own proxy image rather than using the vanilla one from Istio, right? And if you decide not to use open source, probably using an enterprise WAF, I mean, not all companies are actually able to pay for an enterprise WAF. And if you already use ModSecurity, just be aware that ModSecurity will be end-of-life or deprecated on 1 July 2024.

So I want to introduce you to Coraza. It's an open source project. It's from OWASP, and it's actually a drop-in alternative replacement for ModSecurity. And it supports all SecLang from... Anyway, you can directly check, but it supports the SecLang from ModSecurity. And it's actually compatible, 100% compatible, with the Core Rule Set from OWASP. Coraza is actually a library at its core. It's a Golang library. So you can try to integrate this library with your web server and anything else. So you can try to... It's extensible by default.

And in Coraza, there are projects where it's integrated with Istio. It's actually seamless. Let me show you. Okay, Coraza has a WebAssembly integration. You can open it, which is coraza-proxy-wasm. And in Istio, integration is pretty seamless. You can just create this one object, which is the WebAssembly plugin. You put it on the gateway, and then you have a firewall. You have a web... web application firewall. So this is the one that you need to create. So... Oops.
Anyway. So the specification, selector, URL, image policy, is actually default from the WebAssembly plugin. And you need only two things, which is plugin config. So first, you define the directives map, which is iCrit, which is Core Rule Set. And it's enabling Core Rule Set, and you can set the default directive. So Istio public gateway, which is a deployment, which is the gateway deployment, all traffic that goes via this gateway will be protected by WebAssembly. I mean by WAF.

But how to roll it out seamlessly? For example, a gateway has multiple domains, right? This gateway can host multiple domains. So the easiest way is to create two rules. The first is actually detection only. The second is actually to enforce the Core Rule Set. You put the default directive, which is, okay, I want all traffic to be detected, if there is any attack. And if I want to enforce it, I will put the domains in per-authoritative domain. So I can roll out the firewall seamlessly for each domain that flows to the gateway.

In our test, we tried to test this setup with 15,000 requests per second. And with full Core Rule Set, it increased the latency around 57 milliseconds, which is anyway awesome.

Cool. Let's have a demo. So in here, I create the WebAssembly plugin. Same thing, right? I try to curl. It returns 200, and I try to curl it again. When we check the logs, it shows the detail. But it still returns 200, because it's still blocking only. So I try to create a Core Rule Set and implement this domain, which is WAF demo 0.2, and enforce to block it. When I try to apply the code, and let's see. And curl again, it returns 403, which is already blocked by the WebAssembly plugin itself. Yep. I think that's all. Where is that? Okay. Yep. I think that's all. Thank you very much. Oh, is there any Q&A? Yes, please.

Thank you for the presentation. So I got one question. So the rule, I mean the WAF rule, is built inside the Wasm, or can it take a file and be loaded into the Wasm?
Actually, the rule itself should stay under the WebAssembly plugin. So you can just modify the rules in there. Let me...

You can modify the rule on the fly.

You can. You can try to modify the WebAssembly plugin and it will try to update the...

It makes sense, it makes sense. I'm just wondering.

So yeah, something like this. You can just, if you want to apply something, update the rules, you can just update the plugin config, which is specific rules related to Core Rule Set, right? For example, adding Core Rule Set.

So like the... there are configuration include, blah, blah, blah, so that's a file somewhere?

Yes, yes. I think... This one is a little bit hard because it's actually hard coded, the file.

Okay.

But if you go to the Core Rule Set documentation, there is a way to actually... Okay, this Core Rule Set is actually... we have a lot of rules, right? Like security rules in Core Rule Set. We can actually select, for example, only HTTP, only Java attack things. We can actually select that, rather than including all of the Core Rule Set rules. So you can create a lot of directive maps, depending on the application. For example, Java. And okay, because this, for example, foo.gotofinancial.com is actually a Java app, you can enable... enable the subset of the Core Rule Set itself.

So, for example, maybe the... I have a simple rule, like I want to restrict the range of the client IP. And the IP might change, you know?

Yes, okay.

So I should compile the Wasm or I should just change some file?

To block an IP, I think...

Just a sample, just an example.

Yeah, for example, to block an IP, you can just use the ModSecurity rules. I think it's already available. You can try to go to the, where is that, ModSecurity configuration. Put it inside this, because this is actually inside this create another directive and put the rule in here, in that and enable it.

Okay, thank you.

Cool. Anything else? Yeah.
So, for example, if you want to include other rules, you can just clone it, build it by yourself. It's four megabytes and put it in here. So you can custom it. You can customize it.

Thank you.

Cool. Okay. Okay. Okay. Thank you. Cool. Do we still have time? Okay.

Hi there. I got a question about the Coraza Wasm module. I want to know if this respects the Proxy-Wasm standards in Envoy proxy. If it is respect this room. I mean, if I want to know if this can be used in other if I could way build a world proxy other than this too.

Okay. That's quite interesting. So, basically, this coraza-proxy-wasm is actually built with... it's Golang and it's built with the Coraza implementation and you can follow the Proxy-Wasm specifications. So I think you can try to integrate this with another, for example nginx or something. I think there are discussions on the Coraza Slack that some nginx contributors, they want to integrate this product with nginx because nginx is a very complicated solution, so they are actually searching for an alternative solution.

So, it can natively run in Envoy proxy, right?

Yes. As long as the proxy, for example nginx, I mean, supports the proxy specification. It should run.

Okay. Thank you everyone. Have a nice day. Bye-bye.