Add examples for app protect waf v5 (nginx#5784)
shaun-nx authored and ssrahul96 committed Jun 20, 2024
1 parent b39c033 commit 49762f8
Showing 5 changed files with 188 additions and 0 deletions.
96 changes: 96 additions & 0 deletions examples/custom-resources/app-protect-waf-v5/README.md
@@ -0,0 +1,96 @@
# WAF

In this example we deploy the NGINX Plus Ingress Controller with [NGINX App
Protect WAF version 5](https://www.nginx.com/products/nginx-app-protect/), a simple web application and then configure load balancing
and WAF protection for that application using the VirtualServer resource.

Before applying a policy and security log configuration, a WAF v5 policy and logconf bundle must be created, then copied to a volume mounted to `/etc/app_protect/bundles`.

## Prerequisites

1. Follow the installation [instructions](https://docs.nginx.com/nginx-ingress-controller/installation) to deploy the
Ingress Controller with NGINX App Protect version 5.

1. Save the public IP address of the Ingress Controller into a shell variable:

```console
IC_IP=XXX.YYY.ZZZ.III
```

1. Save the HTTP port of the Ingress Controller into a shell variable:

```console
IC_HTTP_PORT=<port number>
```

## Step 1. Deploy a Web Application

Create the application deployment and service:

```console
kubectl apply -f webapp.yaml
```

## Step 2 - Create and Deploy the WAF Policy Bundle

1. Create a WAF v5 policy bundle (`<your_policy_bundle.tgz>`) and copy the bundle to a volume mounted to `/etc/app_protect/bundles`.

## Step 3 - Create and Deploy the WAF Policy

1. Create the syslog service and pod for the App Protect security logs:

```console
kubectl apply -f syslog.yaml
```

1. Create the WAF policy

```console
kubectl apply -f waf.yaml
```

## Step 4 - Configure Load Balancing

1. Create the VirtualServer Resource:

```console
kubectl apply -f virtual-server.yaml
```

Note that the VirtualServer references the policy `waf-policy` created in Step 3.

## Step 5 - Test the Application

To access the application, curl the coffee and the tea services. We'll use the --resolve option to set the Host header
of a request with `webapp.example.com`

1. Send a request to the application:

```console
curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT/
```

```text
Server address: 10.12.0.18:80
Server name: webapp-7586895968-r26zn
...
```

1. Now, let's try to send a request with a suspicious URL:

```console
curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP "http://webapp.example.com:$IC_HTTP_PORT/<script>"
```

```text
<html><head><title>Request Rejected</title></head><body>
...
```

1. To check the security logs in the syslog pod:

Note that this step applies only if the `syslog.yaml` was created (Step 2).

```console
kubectl exec -it <SYSLOG_POD> -- cat /var/log/messages
```
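Review bot: Step 5 still tells the reader to "curl the coffee and the tea services", but this example deploys a single `webapp` Deployment and Service and the VirtualServer has one `/` route, so that sentence looks copied from the cafe example and should describe the webapp instead. Smaller points in the same file: the last item of Step 5 says the syslog check applies "only if the `syslog.yaml` was created (Step 2)", but `syslog.yaml` is applied in Step 3 and Step 2 is the bundle step; Step 2 says to copy the bundle "to a volume mounted to `/etc/app_protect/bundles`" without saying which pod that volume belongs to, and never says that `apPolicy` in `waf.yaml` must be edited to the bundle's file name before Step 3; the intro mentions a "policy and logconf bundle" but no later step creates a logconf bundle; and the headings mix `## Step 1.` with `## Step 2 -`. Suggest also replacing the `<SYSLOG_POD>` placeholder with something the reader can run as-is, e.g. `kubectl exec -it $(kubectl get pod -l app=syslog -o jsonpath='{.items[0].metadata.name}') -- cat /var/log/messages`.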
32 changes: 32 additions & 0 deletions examples/custom-resources/app-protect-waf-v5/syslog.yaml
@@ -0,0 +1,32 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: syslog
spec:
replicas: 1
selector:
matchLabels:
app: syslog
template:
metadata:
labels:
app: syslog
spec:
containers:
- name: syslog
image: balabit/syslog-ng:4.3.0
ports:
- containerPort: 514
- containerPort: 601
---
apiVersion: v1
kind: Service
metadata:
name: syslog-svc
spec:
ports:
- port: 514
targetPort: 514
protocol: TCP
selector:
app: syslog
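Review bot: the Service exposes only `port: 514` over TCP, while the container declares both `containerPort: 514` and `containerPort: 601`; `waf.yaml` in this commit targets `syslog-svc.default:514`, so the 601 entry is dead configuration and should either be dropped or exposed on the Service so the two manifests agree. Also, the pod mounts no volume, so the `/var/log/messages` the README tells the reader to `cat` lives on the container's writable layer and is gone as soon as the pod restarts or is rescheduled; acceptable for an example, but a one-line comment that this log sink is ephemeral would stop readers treating it as a durable security log.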
16 changes: 16 additions & 0 deletions examples/custom-resources/app-protect-waf-v5/virtual-server.yaml
@@ -0,0 +1,16 @@
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
name: webapp
spec:
host: webapp.example.com
policies:
- name: waf-policy
upstreams:
- name: webapp
service: webapp-svc
port: 80
routes:
- path: /
action:
pass: webapp
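Review bot: the `policies:` entry `- name: waf-policy` sets no `namespace`, so the Policy is looked up in the VirtualServer's own namespace, while `waf.yaml` in this commit hardcodes `logDest: "syslog:server=syslog-svc.default:514"`; as written the example only works when all four manifests are applied to `default`, which the README never states. Either add `namespace: default` here (and to the other manifests) or have the README say the `default` namespace is assumed.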
12 changes: 12 additions & 0 deletions examples/custom-resources/app-protect-waf-v5/waf.yaml
@@ -0,0 +1,12 @@
apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
name: waf-policy
spec:
waf:
enable: true
apPolicy: "<your_policy_bundle_name.tgz>"
securityLogs:
- enable: true
apLogConf: "<your_bundle_name>.tgz"
logDest: "syslog:server=syslog-svc.default:514"
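Review bot: the two placeholders use different conventions, `apPolicy: "<your_policy_bundle_name.tgz>"` versus `apLogConf: "<your_bundle_name>.tgz"`, and because the README's Step 2 mentions only the policy bundle, a reader is left to guess that a separately built logconf bundle must also be placed in `/etc/app_protect/bundles`. Pick one convention (e.g. `<your_policy_bundle>.tgz` and `<your_logconf_bundle>.tgz`) and have the README name both files. `logDest` also pins the sink to the `default` namespace (`syslog-svc.default:514`); either state that assumption or parameterise it. Finally, the security log goes over plain TCP to an in-cluster pod with no transport protection; fine for an example, but a comment saying so, and that a real deployment would point at a hardened collector, would be worth the line.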
32 changes: 32 additions & 0 deletions examples/custom-resources/app-protect-waf-v5/webapp.yaml
@@ -0,0 +1,32 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: webapp
spec:
replicas: 1
selector:
matchLabels:
app: webapp
template:
metadata:
labels:
app: webapp
spec:
containers:
- name: webapp
image: nginxdemos/nginx-hello:plain-text
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: webapp-svc
spec:
ports:
- port: 80
targetPort: 8080
protocol: TCP
name: http
selector:
app: webapp
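Review bot: nothing blocking in this manifest; `targetPort: 8080` matches `containerPort: 8080` of `nginxdemos/nginx-hello:plain-text`, and the Service name `webapp-svc` matches the `upstreams` entry in `virtual-server.yaml`. One consistency point: because the pod listens on 8080, the README's sample output `Server address: 10.12.0.18:80` cannot come from this app (the server reports its own listening port), so that line should be updated to end in `:8080` or replaced with output captured from this example.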

0 comments on commit 49762f8