:sparkles: Add ability to customize WAF ruleset configuration (!14) · Merge requests · DIGIT-C4 / rps / waf · GitLab

Code development platform for open source projects from the European Union institutions 🔵 EU Login authentication by SMS has been phased out. To see alternatives please check here

🎄 Happy Holidays! Our team is taking a Christmas break between 24.12.2025-04.01.2026. We’ll catch up on requests when we return.

Decision record

We need to be able to customize the WAF ruleset configuration for a specific Docker instance at runtime.

To do so, we add a few environment variables:

EC_RPS_WAF_USE_CRS:
- if true (the default), the behavior will be the same as before: we include only the CoreRuleSet included in the Docker image
- if false, we check for the following environment variables:
  - EC_RPS_WAF_USE_CRS_*: include a specific .conf file from the CoreRuleSet
  - EC_RPS_WAF_USE_CUSTOM_*: include a specific .conf file from our custom ruleset
  - EC_RPS_WAF_USE_RULE_*: the value of this variable is a ModSecurity directive (ie: SecRule ...)

Changes

✨ Configure WAF ruleset via environment variables at startup
🔧 🚧 Add (empty) custom ruleset for Docker Registry
🔖 v0.18.0

For further information about the platform and support, please see https://code.europa.eu/info/about