Add built-in WAF and OpenTelemetry tracing #9

Closed
Copilot wants to merge 1 commit into waf from copilot/sub-pr-6-another-one

Copilot AI commented Dec 27, 2025

Adds lock-free Web Application Firewall with rate limiting, burst detection, and request validation. Integrates OpenTelemetry for distributed tracing with Jaeger.

WAF Implementation

  • Lock-free rate limiting — Token bucket with atomic CAS operations (TigerBeetle-inspired)
  • Burst detection — EMA-based anomaly detection for traffic spikes (configurable threshold)
  • Request validation — URI length, body size, JSON depth limits with per-endpoint overrides
  • Slowloris protection — Per-IP connection tracking
  • Shadow mode — Test rules without blocking (log_only mode)
  • Shared memory state — 4MB WafState with cache-line aligned structures, multi-process safe

// src/waf/mod.zig - Zero allocation on hot path
var engine = waf.WafEngine.init(&state, &config);
const result = engine.check(&request);  // allow | block | log_only

OpenTelemetry Integration

  • Batched span export — OTLP/HTTP protobuf to Jaeger (512 spans/batch, 5s interval)
  • WAF decision tracking — Every request gets span with waf.decision, waf.reason, waf.rule
  • Backend latency — backend.host, backend.latency_ms attributes

./load_balancer -b api:8001 --waf-config waf.json --otel-endpoint localhost:4318

Key Design Decisions

  • Fail-open — CAS exhaustion allows request (availability over security)
  • Fixed-size structures — No allocation, predictable memory (~4MB)
  • Open addressing — Linear probing for bucket collisions (16 probe limit)
  • 64-byte alignment — Prevents false sharing between worker processes

Configuration

{
  "rate_limits": [{
    "name": "login_bruteforce",
    "path": "/api/auth/login",
    "limit": {"requests": 10, "period_sec": 60},
    "burst": 3,
    "action": "block"
  }],
  "burst_detection_enabled": true,
  "burst_threshold": 10
}

Testing

  • 129 unit tests (atomic ops, EMA, JSON streaming validation)
  • Integration tests with mock OTLP collector
  • waf_test.json config for manual testing

Files

  • src/waf/*.zig — 6 modules (~5,600 lines)
  • src/telemetry/mod.zig — OTLP exporter enhancements
  • src/proxy/handler.zig — WAF check + span attributes
  • docs/WAF_ARCHITECTURE.md — Request flow diagrams, memory layout
  • tests/suites/{waf,otel}.zig — Integration tests


ejpir closed this Dec 27, 2025
ejpir deleted the copilot/sub-pr-6-another-one branch December 27, 2025 00:47
Copilot AI changed the title from "[WIP] Fix build issues in Waf integration" to "Add built-in WAF and OpenTelemetry tracing" Dec 27, 2025
Copilot AI requested a review from ejpir December 27, 2025 00:47
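
The lock-free token bucket and the fail-open choice from the PR description, sketched in C11 as an added example; this is not the project's Zig code. The function names, the packed 64-bit word layout, the retry bound and the way the sample limit (10 requests per 60 s, from the configuration above) maps onto a capacity passed in directly are all assumptions.

```c
/* Added example, not the project's code. Names, word layout and retry bound are assumptions. */
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

#define MILLI 1000u /* tokens are stored as milli-tokens so slow refill rates keep precision */

typedef enum { RL_ALLOW, RL_BLOCK, RL_FAIL_OPEN } rl_result;

/* One bucket is one 64-bit word: high 32 bits = milli-tokens, low 32 bits = last update (s).
 * 64-byte alignment keeps neighbouring buckets on separate cache lines. */
typedef struct { _Alignas(64) _Atomic uint64_t state; } bucket;

static uint64_t pack(uint32_t mtok, uint32_t ts) { return ((uint64_t)mtok << 32) | ts; }

void bucket_init(bucket *b, uint32_t capacity, uint32_t now) {
    atomic_store(&b->state, pack(capacity * MILLI, now));
}

/* Refill and take one token in a single CAS; give up after max_attempts lost races.
 * period_sec must be nonzero. */
rl_result bucket_take(bucket *b, uint32_t capacity, uint32_t requests,
                      uint32_t period_sec, uint32_t now, int max_attempts) {
    uint64_t old = atomic_load_explicit(&b->state, memory_order_acquire);
    for (int i = 0; i < max_attempts; i++) {
        uint32_t mtok = (uint32_t)(old >> 32), ts = (uint32_t)old;
        uint64_t elapsed = now > ts ? now - ts : 0;
        uint64_t avail = mtok + elapsed * requests * MILLI / period_sec;
        uint64_t cap = (uint64_t)capacity * MILLI;
        if (avail > cap) avail = cap;
        if (avail < MILLI) return RL_BLOCK;   /* no write: unspent time keeps accruing */
        uint64_t next = pack((uint32_t)(avail - MILLI), now > ts ? now : ts);
        /* On failure `old` is reloaded with the winner's value and the loop recomputes. */
        if (atomic_compare_exchange_strong_explicit(&b->state, &old, next,
                memory_order_acq_rel, memory_order_acquire))
            return RL_ALLOW;
    }
    return RL_FAIL_OPEN; /* contention exhausted the budget: request passes unmetered */
}

int main(void) {
    bucket b;
    bucket_init(&b, 10, 1000);            /* constructed input: 10 requests / 60 s */
    int allowed = 0;
    for (int i = 0; i < 12; i++)
        allowed += bucket_take(&b, 10, 10, 60, 1000, 8) == RL_ALLOW;
    printf("allowed %d of 12 in the same second\n", allowed);
    return 0;
}
```

Returning a distinct RL_FAIL_OPEN value lets the caller count how often requests pass unmetered under contention, for instance by recording it in the waf.reason span attribute.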