nginx · shaun-nx · Jun 19, 2024 · Jun 19, 2024 · Jun 19, 2024 · Jun 19, 2024
@@ -0,0 +1,109 @@
+# WAF
+
+In this example we deploy the NGINX Plus Ingress Controller with [NGINX App
+Protect WAF version 5](https://www.nginx.com/products/nginx-app-protect/), a simple web application and then configure load balancing
+and WAF protection for that application using the VirtualServer resource.
+
+Before applying a policy, a WAF v5 policy bundle must be created, then copied to a volume mounted to `/etc/app_protect/bundles`.
+
+## Prerequisites
+
+1. Follow the installation [instructions](https://docs.nginx.com/nginx-ingress-controller/installation) to deploy the
+   Ingress Controller with NGINX App Protect version 5.
+
+1. Save the public IP address of the Ingress Controller into a shell variable:
+
+    ```console
+    IC_IP=XXX.YYY.ZZZ.III
+    ```
+
+1. Save the HTTP port of the Ingress Controller into a shell variable:
+
+    ```console
+    IC_HTTP_PORT=<port number>
+    ```
+
+## Step 1. Deploy a Web Application
+
+Create the application deployment and service:
+
+```console
+kubectl apply -f webapp.yaml
+```
+
+## Step 2 - Create and Deploy the WAF Policy Bundle
+
+1. Create a WAF v5 policy bundle (`<your_policy_bundle.tgz>`) and copy the bundle to a volume mounted to `/etc/app_protect/bundles`.
+
+## Step 3 - Create and Deploy the WAF Policy
+
+1. Create the syslog service and pod for the App Protect security logs:
+
+    ```console
+    kubectl apply -f syslog.yaml
+    ```
+
+1. Create the WAF policy
+
+    ```console
+    kubectl apply -f waf.yaml
+    ```
+
+## Step 4 - Configure Load Balancing
+
+1. Create the VirtualServer Resource:
+
+    ```console
+    kubectl apply -f virtual-server.yaml
+    ```
+
+Note that the VirtualServer references the policy `waf-policy` created in Step 3.
+
+## Step 5 - Test the Application
+
+To access the application, curl the coffee and the tea services. We'll use the --resolve option to set the Host header
+of a request with `webapp.example.com`
+
+1. Send a request to the application:
+
+    ```console
+    curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT/
+    ```
+
+    ```text
+    Server address: 10.12.0.18:80
+    Server name: webapp-7586895968-r26zn
+    ...
+    ```
+
+1. Now, let's try to send a request with a suspicious URL:
+
+    ```console
+    curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP "http://webapp.example.com:$IC_HTTP_PORT/<script>"
+    ```
+
+    ```text
+    <html><head><title>Request Rejected</title></head><body>
+    ...
+    ```
+
+1. Lastly, let's try to send some suspicious data that matches the user defined signature.
+
+    ```console
+    curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP -X POST -d "apple" http://webapp.example.com:$IC_HTTP_PORT/
+    ```
+
+    ```text
+    <html><head><title>Request Rejected</title></head><body>
+    ...
+    ```
+
+    As you can see, the suspicious requests were blocked by App Protect
+
+1. To check the security logs in the syslog pod:
+
+    Note that this step applies only if the `syslog.yaml` was created (Step 2).
+
+    ```console
+    kubectl exec -it <SYSLOG_POD> -- cat /var/log/messages
+    ```
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: syslog
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: syslog
+  template:
+    metadata:
+      labels:
+        app: syslog
+    spec:
+      containers:
+        - name: syslog
+          image: balabit/syslog-ng:4.3.0
+          ports:
+            - containerPort: 514
+            - containerPort: 601
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: syslog-svc
+spec:
+  ports:
+    - port: 514
+      targetPort: 514
+      protocol: TCP
+  selector:
+    app: syslog
@@ -0,0 +1,16 @@
+apiVersion: k8s.nginx.org/v1
+kind: VirtualServer
+metadata:
+  name: webapp
+spec:
+  host: webapp.example.com
+  policies:
+  - name: waf-policy
+  upstreams:
+  - name: webapp
+    service: webapp-svc
+    port: 80
+  routes:
+  - path: /
+    action:
+      pass: webapp
@@ -0,0 +1,12 @@
+apiVersion: k8s.nginx.org/v1
+kind: Policy
+metadata:
+  name: waf-policy
+spec:
+  waf:
+    enable: true
+    apPolicy: "<your_policy_bundle_name.tgz>"
+    securityLogs:
+    - enable: true
+      apLogConf: "<your_bundle_name>.tgz"
+      logDest: "syslog:server=syslog-svc.default:514"
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: webapp
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: webapp
+  template:
+    metadata:
+      labels:
+        app: webapp
+    spec:
+      containers:
+      - name: webapp
+        image: nginxdemos/nginx-hello:plain-text
+        ports:
+        - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: webapp-svc
+spec:
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+    name: http
+  selector:
+    app: webapp