forked from nginx/kubernetes-ingress
Add examples for app protect waf v5 (nginx#5784)
Showing 5 changed files with 188 additions and 0 deletions.
@@ -0,0 +1,96 @@ | ||
# WAF | ||
|
||
In this example we deploy the NGINX Plus Ingress Controller with [NGINX App | ||
Protect WAF version 5](https://www.nginx.com/products/nginx-app-protect/), a simple web application and then configure load balancing | ||
and WAF protection for that application using the VirtualServer resource. | ||
|
||
Before applying a policy and security log configuration, a WAF v5 policy and logconf bundle must be created, then copied to a volume mounted to `/etc/app_protect/bundles`. | ||
|
||
## Prerequisites | ||
|
||
1. Follow the installation [instructions](https://docs.nginx.com/nginx-ingress-controller/installation) to deploy the | ||
Ingress Controller with NGINX App Protect version 5. | ||
|
||
1. Save the public IP address of the Ingress Controller into a shell variable: | ||
|
||
```console | ||
IC_IP=XXX.YYY.ZZZ.III | ||
``` | ||
|
||
1. Save the HTTP port of the Ingress Controller into a shell variable: | ||
|
||
```console | ||
IC_HTTP_PORT=<port number> | ||
``` | ||
|
||
## Step 1. Deploy a Web Application | ||
|
||
Create the application deployment and service: | ||
|
||
```console | ||
kubectl apply -f webapp.yaml | ||
``` | ||
|
||
## Step 2 - Create and Deploy the WAF Policy Bundle | ||
|
||
1. Create a WAF v5 policy bundle (`<your_policy_bundle.tgz>`) and copy the bundle to a volume mounted to `/etc/app_protect/bundles`. | ||
|
||
## Step 3 - Create and Deploy the WAF Policy | ||
|
||
1. Create the syslog service and pod for the App Protect security logs: | ||
|
||
```console | ||
kubectl apply -f syslog.yaml | ||
``` | ||
|
||
1. Create the WAF policy | ||
|
||
```console | ||
kubectl apply -f waf.yaml | ||
``` | ||
|
||
## Step 4 - Configure Load Balancing | ||
|
||
1. Create the VirtualServer Resource: | ||
|
||
```console | ||
kubectl apply -f virtual-server.yaml | ||
``` | ||
|
||
Note that the VirtualServer references the policy `waf-policy` created in Step 3. | ||
|
||
## Step 5 - Test the Application | ||
|
||
To access the application, curl the coffee and the tea services. We'll use the --resolve option to set the Host header | ||
of a request with `webapp.example.com` | ||
|
||
1. Send a request to the application: | ||
|
||
```console | ||
curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT/ | ||
``` | ||
|
||
```text | ||
Server address: 10.12.0.18:80 | ||
Server name: webapp-7586895968-r26zn | ||
... | ||
``` | ||
|
||
1. Now, let's try to send a request with a suspicious URL: | ||
|
||
```console | ||
curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP "http://webapp.example.com:$IC_HTTP_PORT/<script>" | ||
``` | ||
|
||
```text | ||
<html><head><title>Request Rejected</title></head><body> | ||
... | ||
``` | ||
|
||
1. To check the security logs in the syslog pod: | ||
|
||
Note that this step applies only if the `syslog.yaml` was created (Step 2). | ||
|
||
```console | ||
kubectl exec -it <SYSLOG_POD> -- cat /var/log/messages | ||
``` |
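Review bot: the cross-reference in the last step of Step 5 is wrong: `syslog.yaml` is applied in Step 3, not Step 2, so "applies only if the `syslog.yaml` was created (Step 2)" should read Step 3. Related to that, the intro says both a policy bundle and a logconf bundle must be created, but Step 2 only mentions the policy bundle, while `waf.yaml` in this same commit expects an `apLogConf` bundle too; suggest extending Step 2 to "Create a WAF v5 policy bundle and a log configuration bundle and copy both to a volume mounted to `/etc/app_protect/bundles`". Minor: the headings mix `Step 1.` and `Step 2 -` styles, and the sentence about `--resolve` is slightly off, since `--resolve` maps the hostname to `$IC_IP` while the Host header comes from the URL itself.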
@@ -0,0 +1,32 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: syslog | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: syslog | ||
template: | ||
metadata: | ||
labels: | ||
app: syslog | ||
spec: | ||
containers: | ||
- name: syslog | ||
image: balabit/syslog-ng:4.3.0 | ||
ports: | ||
- containerPort: 514 | ||
- containerPort: 601 | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: syslog-svc | ||
spec: | ||
ports: | ||
- port: 514 | ||
targetPort: 514 | ||
protocol: TCP | ||
selector: | ||
app: syslog |
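Review bot: the Deployment declares `containerPort: 601` but the Service only maps 514/TCP, so port 601 is dead configuration; either drop it from the container spec or add a matching Service port. It is also worth a comment in this file that the example relies on the default configuration of `balabit/syslog-ng:4.3.0` to listen on 514 and write incoming messages to `/var/log/messages`, because the README's last step runs `cat /var/log/messages` in this pod and nothing in the manifest mounts or sets a syslog-ng configuration.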
examples/custom-resources/app-protect-waf-v5/virtual-server.yaml (16 additions & 0 deletions)
@@ -0,0 +1,16 @@ | ||
apiVersion: k8s.nginx.org/v1 | ||
kind: VirtualServer | ||
metadata: | ||
name: webapp | ||
spec: | ||
host: webapp.example.com | ||
policies: | ||
- name: waf-policy | ||
upstreams: | ||
- name: webapp | ||
service: webapp-svc | ||
port: 80 | ||
routes: | ||
- path: / | ||
action: | ||
pass: webapp |
@@ -0,0 +1,12 @@ | ||
apiVersion: k8s.nginx.org/v1 | ||
kind: Policy | ||
metadata: | ||
name: waf-policy | ||
spec: | ||
waf: | ||
enable: true | ||
apPolicy: "<your_policy_bundle_name.tgz>" | ||
securityLogs: | ||
- enable: true | ||
apLogConf: "<your_bundle_name>.tgz" | ||
logDest: "syslog:server=syslog-svc.default:514" |
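Review bot: `logDest: "syslog:server=syslog-svc.default:514"` hard-codes the `default` namespace, so security logging silently stops working if the example is applied in any other namespace; suggest either documenting that in the README or adding a comment that the namespace part must be adjusted. The placeholders are also inconsistent: `apPolicy` uses `<your_policy_bundle_name.tgz>`, `apLogConf` uses `<your_bundle_name>.tgz`, and the README's Step 2 uses `<your_policy_bundle.tgz>`; pick one form for each (for example `<your_policy_bundle>.tgz` and `<your_logconf_bundle>.tgz`) so it is clear that two distinct bundles are expected.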
@@ -0,0 +1,32 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: webapp | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: webapp | ||
template: | ||
metadata: | ||
labels: | ||
app: webapp | ||
spec: | ||
containers: | ||
- name: webapp | ||
image: nginxdemos/nginx-hello:plain-text | ||
ports: | ||
- containerPort: 8080 | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: webapp-svc | ||
spec: | ||
ports: | ||
- port: 80 | ||
targetPort: 8080 | ||
protocol: TCP | ||
name: http | ||
selector: | ||
app: webapp |