From 9319d75c49bbeeae439c00bae5ad229c3035149d Mon Sep 17 00:00:00 2001
From: shaun-nx <s.odonovan@f5.com>
Date: Wed, 19 Jun 2024 09:43:14 +0100
Subject: [PATCH 1/2] Add examples for app protect waf v5

---
 .../app-protect-waf-v5/README.md              | 109 ++++++++++++++++++
 .../app-protect-waf-v5/syslog.yaml            |  32 +++++
 .../app-protect-waf-v5/virtual-server.yaml    |  16 +++
 .../app-protect-waf-v5/waf.yaml               |  12 ++
 .../app-protect-waf-v5/webapp.yaml            |  32 +++++
 5 files changed, 201 insertions(+)
 create mode 100644 examples/custom-resources/app-protect-waf-v5/README.md
 create mode 100644 examples/custom-resources/app-protect-waf-v5/syslog.yaml
 create mode 100644 examples/custom-resources/app-protect-waf-v5/virtual-server.yaml
 create mode 100644 examples/custom-resources/app-protect-waf-v5/waf.yaml
 create mode 100644 examples/custom-resources/app-protect-waf-v5/webapp.yaml

diff --git a/examples/custom-resources/app-protect-waf-v5/README.md b/examples/custom-resources/app-protect-waf-v5/README.md
new file mode 100644
index 0000000000..d1e4004dcc
--- /dev/null
+++ b/examples/custom-resources/app-protect-waf-v5/README.md
@@ -0,0 +1,109 @@
+# WAF
+
+In this example we deploy the NGINX Plus Ingress Controller with [NGINX App
+Protect WAF version 5](https://www.nginx.com/products/nginx-app-protect/), a simple web application and then configure load balancing
+and WAF protection for that application using the VirtualServer resource.
+
+Before applying a policy, a WAF v5 policy bundle must be created, then copied to a volume mounted to `/etc/app_protect/bundles`.
+
+## Prerequisites
+
+1. Follow the installation [instructions](https://docs.nginx.com/nginx-ingress-controller/installation) to deploy the
+   Ingress Controller with NGINX App Protect version 5.
+
+1. Save the public IP address of the Ingress Controller into a shell variable:
+
+    ```console
+    IC_IP=XXX.YYY.ZZZ.III
+    ```
+
+1. Save the HTTP port of the Ingress Controller into a shell variable:
+
+    ```console
+    IC_HTTP_PORT=<port number>
+    ```
+
+## Step 1. Deploy a Web Application
+
+Create the application deployment and service:
+
+```console
+kubectl apply -f webapp.yaml
+```
+
+## Step 2 - Create and Deploy the WAF Policy Bundle
+
+1. Create a WAF v5 policy bundle (`<your_policy_bundle.tgz>`) and copy the bundle to a volume mounted to `/etc/app_protect/bundles`.
+
+## Step 3 - Create and Deploy the WAF Policy
+
+1. Create the syslog service and pod for the App Protect security logs:
+
+    ```console
+    kubectl apply -f syslog.yaml
+    ```
+
+1. Create the WAF policy
+
+    ```console
+    kubectl apply -f waf.yaml
+    ```
+
+## Step 4 - Configure Load Balancing
+
+1. Create the VirtualServer Resource:
+
+    ```console
+    kubectl apply -f virtual-server.yaml
+    ```
+
+Note that the VirtualServer references the policy `waf-policy` created in Step 3.
+
+## Step 5 - Test the Application
+
+To access the application, curl the coffee and the tea services. We'll use the --resolve option to set the Host header
+of a request with `webapp.example.com`
+
+1. Send a request to the application:
+
+    ```console
+    curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT/
+    ```
+
+    ```text
+    Server address: 10.12.0.18:80
+    Server name: webapp-7586895968-r26zn
+    ...
+    ```
+
+1. Now, let's try to send a request with a suspicious URL:
+
+    ```console
+    curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP "http://webapp.example.com:$IC_HTTP_PORT/<script>"
+    ```
+
+    ```text
+    <html><head><title>Request Rejected</title></head><body>
+    ...
+    ```
+
+1. Lastly, let's try to send some suspicious data that matches the user defined signature.
+
+    ```console
+    curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP -X POST -d "apple" http://webapp.example.com:$IC_HTTP_PORT/
+    ```
+
+    ```text
+    <html><head><title>Request Rejected</title></head><body>
+    ...
+    ```
+
+    As you can see, the suspicious requests were blocked by App Protect
+
+1. To check the security logs in the syslog pod:
+
+    Note that this step applies only if the `syslog.yaml` was created (Step 2).
+
+    ```console
+    kubectl exec -it <SYSLOG_POD> -- cat /var/log/messages
+    ```
diff --git a/examples/custom-resources/app-protect-waf-v5/syslog.yaml b/examples/custom-resources/app-protect-waf-v5/syslog.yaml
new file mode 100644
index 0000000000..99bb4dc558
--- /dev/null
+++ b/examples/custom-resources/app-protect-waf-v5/syslog.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: syslog
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: syslog
+  template:
+    metadata:
+      labels:
+        app: syslog
+    spec:
+      containers:
+        - name: syslog
+          image: balabit/syslog-ng:4.3.0
+          ports:
+            - containerPort: 514
+            - containerPort: 601
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: syslog-svc
+spec:
+  ports:
+    - port: 514
+      targetPort: 514
+      protocol: TCP
+  selector:
+    app: syslog
diff --git a/examples/custom-resources/app-protect-waf-v5/virtual-server.yaml b/examples/custom-resources/app-protect-waf-v5/virtual-server.yaml
new file mode 100644
index 0000000000..787eb3b9bf
--- /dev/null
+++ b/examples/custom-resources/app-protect-waf-v5/virtual-server.yaml
@@ -0,0 +1,16 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: webapp
+spec:
+  host: webapp.example.com
+  policies:
+  - name: waf-policy
+  upstreams:
+  - name: webapp
+    service: webapp-svc
+    port: 80
+  routes:
+  - path: /
+    action:
+      pass: webapp
diff --git a/examples/custom-resources/app-protect-waf-v5/waf.yaml b/examples/custom-resources/app-protect-waf-v5/waf.yaml
new file mode 100644
index 0000000000..a52a1adac2
--- /dev/null
+++ b/examples/custom-resources/app-protect-waf-v5/waf.yaml
@@ -0,0 +1,12 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+  name: waf-policy
+spec:
+  waf:
+    enable: true
+    apPolicy: "<your_policy_bundle_name.tgz>"
+    securityLogs:
+    - enable: true
+      apLogConf: "<your_bundle_name>.tgz"
+      logDest: "syslog:server=syslog-svc.default:514"
diff --git a/examples/custom-resources/app-protect-waf-v5/webapp.yaml b/examples/custom-resources/app-protect-waf-v5/webapp.yaml
new file mode 100644
index 0000000000..31fde92a6e
--- /dev/null
+++ b/examples/custom-resources/app-protect-waf-v5/webapp.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: webapp
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: webapp
+  template:
+    metadata:
+      labels:
+        app: webapp
+    spec:
+      containers:
+      - name: webapp
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: webapp-svc
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: webapp

From 3e1b470fe3fa978bdfd4b6cc0472306738caac77 Mon Sep 17 00:00:00 2001
From: shaun-nx <s.odonovan@f5.com>
Date: Wed, 19 Jun 2024 10:05:32 +0100
Subject: [PATCH 2/2] Review updates

---
 .../custom-resources/app-protect-waf-v5/README.md | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/examples/custom-resources/app-protect-waf-v5/README.md b/examples/custom-resources/app-protect-waf-v5/README.md
index d1e4004dcc..1fc6a3dc5e 100644
--- a/examples/custom-resources/app-protect-waf-v5/README.md
+++ b/examples/custom-resources/app-protect-waf-v5/README.md
@@ -4,7 +4,7 @@ In this example we deploy the NGINX Plus Ingress Controller with [NGINX App
 Protect WAF version 5](https://www.nginx.com/products/nginx-app-protect/), a simple web application and then configure load balancing
 and WAF protection for that application using the VirtualServer resource.
 
-Before applying a policy, a WAF v5 policy bundle must be created, then copied to a volume mounted to `/etc/app_protect/bundles`.
+Before applying a policy and security log configuration, a WAF v5 policy and logconf bundle must be created, then copied to a volume mounted to `/etc/app_protect/bundles`.
 
 ## Prerequisites
 
@@ -87,19 +87,6 @@ of a request with `webapp.example.com`
     ...
     ```
 
-1. Lastly, let's try to send some suspicious data that matches the user defined signature.
-
-    ```console
-    curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP -X POST -d "apple" http://webapp.example.com:$IC_HTTP_PORT/
-    ```
-
-    ```text
-    <html><head><title>Request Rejected</title></head><body>
-    ...
-    ```
-
-    As you can see, the suspicious requests were blocked by App Protect
-
 1. To check the security logs in the syslog pod:
 
     Note that this step applies only if the `syslog.yaml` was created (Step 2).