# Frequently Asked Questions

If you don't find your answer here, feel free to use the DevSecOps Community forum.

# Is there a way to enable a debug mode to help understand what is happening?

Yes! You can configure the log_level of your applications. The container logs will then be much more verbose.

Possible values are: debug, info, warn, error

apiVersion: core/v1beta
kind: App
metadata:
  name: my-web
spec:
  name: myweb.com
  log_level: debug

If you are defining your own workflow as code, you can set up debug traces with the following call.

ActionUserLog(Args{"log_message": "MY  CUSTOM MESSAGE", "log_level": "NOTICE", "expend_newline": "true", "log_attributes": "true"})

# Why does TAF image stop after one hour of uptime?

This might be related to your license. The TAF can be used without license but it will stop itself after one hour.

If you have purchased a license, verify that your container is correctly configured.

# I'm having trouble managing my yaml file because it's getting too big

Yes, you can split your YAML configuration into several files. When you push/apply the configuration, you can make several calls or one single call with multiple files (use -f for each YAML file).

# I get the error bind: address already in use when running TAF container

ERROR: for devsecops_waf_1 Cannot start service waf: driver failed programming external connectivity on endpoint devsecops_waf_1 (890d1e0ecec6b5fdf2539734710b4416bc0d6c622d54b74b236d18d05c5f80cc): Error starting userland proxy: listen tcp4 0.0.0.0:80: bind: address already in use

Be sure you have no service/web application/website running on port 80. You can either:

  1. Stop the service

    OR

  2. Change port mapping in your TAF's docker-compose yaml configuration file:

    ports:
      - "81:8080" # for example 81

# As a WAF user, I would like to transform a TAF workflow into an XML workflow usable in the WAF.

You can use the wkf function of the appsecctl command with the -P option: it displays the XML workflow on standard output.

appsecctl -f ./mywkf.yml -k -H TAF_IP -P

# My CI pipeline keeps failing and returning a security event which is a false positive. How can I get rid of the log and make the pipeline pass?

If you are sure the event is a false positive, add the --hints option to the "logs" command you run at the end of the tests:

appsecctl -h appsec logs --hints

This will generate a suggested exception rule next time the pipeline fails. You can then add this exception in the securityException part of your yaml configuration:

---
apiVersion: core/v1beta
kind: SecurityException
metadata:
  name: my-exception-configuration
spec:
  rules:
    - name: "Exception for ICX Engine: Cross-Site Scripting (XSS) in Var_GET 'content'"
      filters:
        - uri == "/webmail/message"
        - token.matchingParts.Contains(token.part == "Var_GET" && token.partKey == "content" && token.partValuePatternName == "Html Injection")

# Can I protect more than one application with TAF? How?

For each application you want to protect, you must have a section in your YAML configuration:

---
apiVersion: core/v1beta
kind: App
metadata:
  name: my-application
spec:
  name: my-application.com
  alias: my-application.com:8080
  workflow: Default
  workflow_params:
    exceptions: my-exceptions
  backend: mybackend.com
  log_level: info

Note that you can use a different workflow for each application.

# How can I manipulate HTTP elements of the request like cookies, headers, etc?

With workflow-as-code, dedicated functions manipulate cookies and request headers. Here are some examples:

ActionCookieAdd(Args : {"cookie-name" : "myCookie", "cookie-value" : "myValue"})
ActionCookieSet(Args : {"cookie-name" : "myCookie", "cookie-value" : "myValue"})

ActionRequestHeaderSet(Args : {"key" : "myKey", "value" : "myValue"})
ActionRequestHeaderUnset(Args:{"key" : "myKey"})
ActionRequestHeaderSet(Args:{"key" : "myKey", "value":"myValue"})

# Can I manipulate the HTTP response returned by the backend before returning it to the client?

Yes. Any instruction following an "ActionProxyRequest" instruction will be executed after the response is received from the backend. Some response attributes are then provided:

  • http.response.body: Character string type. Contains the body of the server’s response or a response supplied by the i-Box in case of error.
  • http.response.cookies: Table of cookies returned by the server
  • http.response.headers: Table of headers returned by the server.
  • http.response.host: IP address or the name of the server
  • http.response.port: Listening port of the server for the HTTP protocol. Example: 80 (the standard port)
  • http.response.protocol: The version of the HTTP protocol used in the response. Example: HTTP/1.1
  • http.response.status: Server return code; indicates the status of the request or service. Example: 404 not found, 200 OK.
  • proxy.response.failed: Set to True if the response does not come from the backend.
  • proxy.response.failed.body: Contains the server’s response, if available.
  • proxy.response.failed.headers: Contains all or part of the table of cookies returned by the server, if available.
  • proxy.response.failed.host: Contains all or part of the table of headers returned by the server, if available.
  • proxy.response.failed.port: The server listening port for the HTTP protocol, if available.
  • proxy.response.failed.protocol: The version of the HTTP protocol used in the response.
  • proxy.response.failed.status: Server return code; indicates the type of failure. Example: 503

# I'm getting this error while applying my configuration, why?

2021/03/09 15:27:48 Unmarshal: error converting YAML to JSON: yaml: line 15: found character that cannot start any token
Failure: Unable to decode object (error converting YAML to JSON: yaml: line 15: found character that cannot start any token)
CRITICAL: apply process interrupted
appsecclt: error: error converting YAML to JSON: yaml: line 15: found character that cannot start any token

One of your YAML files contains tab characters. They are not allowed in YAML indentation; use spaces instead.
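A pre-apply check for this error, as an added example (not part of the product or its documentation): it scans YAML text for tab characters in indentation and reports the line, the column, and the `kind` of the document that contains them. The function names and the sample configuration are constructed for illustration.

```python
import re
import sys

KIND_RE = re.compile(r"^kind:\s*(\S+)")

def find_tab_indents(text, filename="<config>"):
    """Return one dict per line whose indentation contains a tab character."""
    findings, kinds = [], {}
    doc, seen_content = 1, False
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.rstrip() == "---":
            # A separator only starts a new document once the current one has content.
            if seen_content:
                doc, seen_content = doc + 1, False
            continue
        if not line.strip():
            continue  # blank lines carry no indentation that matters
        seen_content = True
        kind = KIND_RE.match(line)
        if kind:
            kinds.setdefault(doc, kind.group(1))
        indent = re.match(r"[ \t]+", line)
        if indent and "\t" in indent.group():
            findings.append({"file": filename, "line": line_no, "doc": doc,
                             "column": indent.group().index("\t") + 1})
    # Resolve kinds afterwards so a tab above the "kind:" line is still attributed.
    for finding in findings:
        finding["kind"] = kinds.get(finding["doc"], "unknown")
    return findings

# Constructed sample: two documents, with a tab indenting log_level in the first.
SAMPLE = ("---\napiVersion: core/v1beta\nkind: App\nspec:\n  name: myweb.com\n"
          "\tlog_level: debug\n---\napiVersion: core/v1beta\nkind: SecurityException\n")

def main(paths):
    """Check each file; return 1 if any tab indentation was found, else 0."""
    found = []
    for path in paths:
        with open(path, encoding="utf-8") as handle:
            found += find_tab_indents(handle.read(), path)
    for f in found:
        print("{file}:{line}:{column}: tab in indentation "
              "(document {doc}, kind {kind})".format(**f))
    return 1 if found else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it in the pipeline on the same files you pass with -f, before the apply step; a non-zero exit code means at least one file would be rejected.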

# How can I get every access log written on stdout? What will be the format?

Set the APP_LOG_DEST environment variable: APP_LOG_DEST=stdout. Two formats are available: CLF (Common Log Format) or JSON (RS®WAF JSON format). Select the format with the APP_LOG_FORMAT environment variable.

# How can I enable "block unknown hostname" feature?

Set the APP_BLOCK_UNKNOWN_HOST environment variable: APP_BLOCK_UNKNOWN_HOST=true enables the "block unknown hostname" feature.

Last Updated: 3/14/2022, 1:40:36 PM