Skip to content

Comments

Add built-in WAF and OpenTelemetry tracing#9

Closed
Copilot wants to merge 1 commit intowaffrom
copilot/sub-pr-6-another-one
Closed

Add built-in WAF and OpenTelemetry tracing#9
Copilot wants to merge 1 commit intowaffrom
copilot/sub-pr-6-another-one

Conversation

Copy link

Copilot AI commented Dec 27, 2025
edited
Loading

Adds lock-free Web Application Firewall with rate limiting, burst detection, and request validation. Integrates OpenTelemetry for distributed tracing with Jaeger.

WAF Implementation

  • Lock-free rate limiting — Token bucket with atomic CAS operations (TigerBeetle-inspired)
  • Burst detection — EMA-based anomaly detection for traffic spikes (configurable threshold)
  • Request validation — URI length, body size, JSON depth limits with per-endpoint overrides
  • Slowloris protection — Per-IP connection tracking
  • Shadow mode — Test rules without blocking (log_only mode)
  • Shared memory state — 4MB WafState with cache-line aligned structures, multi-process safe
// src/waf/mod.zig - Zero allocation on hot path
var engine = waf.WafEngine.init(&state, &config);
const result = engine.check(&request);  // allow | block | log_only

OpenTelemetry Integration

  • Batched span export — OTLP/HTTP protobuf to Jaeger (512 spans/batch, 5s interval)
  • WAF decision tracking — Every request gets span with waf.decision, waf.reason, waf.rule
  • Backend latencybackend.host, backend.latency_ms attributes
./load_balancer -b api:8001 --waf-config waf.json --otel-endpoint localhost:4318

Key Design Decisions

  • Fail-open — CAS exhaustion allows request (availability over security)
  • Fixed-size structures — No allocation, predictable memory (~4MB)
  • Open addressing — Linear probing for bucket collisions (16 probe limit)
  • 64-byte alignment — Prevents false sharing between worker processes

Configuration

{
  "rate_limits": [{
    "name": "login_bruteforce",
    "path": "/api/auth/login",
    "limit": {"requests": 10, "period_sec": 60},
    "burst": 3,
    "action": "block"
  }],
  "burst_detection_enabled": true,
  "burst_threshold": 10
}

Testing

  • 129 unit tests (atomic ops, EMA, JSON streaming validation)
  • Integration tests with mock OTLP collector
  • waf_test.json config for manual testing

Files

  • src/waf/*.zig — 6 modules (~5,600 lines)
  • src/telemetry/mod.zig — OTLP exporter enhancements
  • src/proxy/handler.zig — WAF check + span attributes
  • docs/WAF_ARCHITECTURE.md — Request flow diagrams, memory layout
  • tests/suites/{waf,otel}.zig — Integration tests

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI mentioned this pull request Dec 27, 2025
Open
@ejpir ejpir closed this Dec 27, 2025
@ejpir ejpir deleted the copilot/sub-pr-6-another-one branch December 27, 2025 00:47
Copilot AI changed the title [WIP] Fix build issues in Waf integration Add built-in WAF and OpenTelemetry tracing Dec 27, 2025
Copilot AI requested a review from ejpir December 27, 2025 00:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ejpir ejpir Awaiting requested review from ejpir

Assignees

@ejpir ejpir

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ejpir