Deploy GitHub Pages

aledbf 2020-04-22 21:43:01 +00:00
parent ffee701d0e
commit bc47db072c
3 changed files with 1 additions and 80 deletions

File diff suppressed because one or more lines are too long

Binary file not shown.


@ -881,13 +881,6 @@
X-Forwarded-Prefix Header X-Forwarded-Prefix Header
</a> </a>
</li>
<li class="md-nav__item">
<a href="#lua-resty-waf" class="md-nav__link">
Lua Resty WAF
</a>
</li> </li>
<li class="md-nav__item"> <li class="md-nav__item">
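Review bot: the commit message "Deploy GitHub Pages" gives no reason for dropping the `#lua-resty-waf` nav entry removed here, and the same `<li>` is removed again in the hunk at -1876. The entry points at a Web Application Firewall feature that readers may have enabled, so the message should say that the WAF documentation is being removed, or reference the change that removed the feature, so the page history explains why the entry is gone.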
@ -1876,13 +1869,6 @@
X-Forwarded-Prefix Header X-Forwarded-Prefix Header
</a> </a>
</li>
<li class="md-nav__item">
<a href="#lua-resty-waf" class="md-nav__link">
Lua Resty WAF
</a>
</li> </li>
<li class="md-nav__item"> <li class="md-nav__item">
@ -2323,34 +2309,6 @@ table below.</p>
<td>"true" or "false"</td> <td>"true" or "false"</td>
</tr> </tr>
<tr> <tr>
<td><a href="#lua-resty-waf">nginx.ingress.kubernetes.io/lua-resty-waf</a></td>
<td>string</td>
</tr>
<tr>
<td><a href="#lua-resty-waf">nginx.ingress.kubernetes.io/lua-resty-waf-debug</a></td>
<td>"true" or "false"</td>
</tr>
<tr>
<td><a href="#lua-resty-waf">nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets</a></td>
<td>string</td>
</tr>
<tr>
<td><a href="#lua-resty-waf">nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules</a></td>
<td>string</td>
</tr>
<tr>
<td><a href="#lua-resty-waf">nginx.ingress.kubernetes.io/lua-resty-waf-allow-unknown-content-types</a></td>
<td>"true" or "false"</td>
</tr>
<tr>
<td><a href="#lua-resty-waf">nginx.ingress.kubernetes.io/lua-resty-waf-score-threshold</a></td>
<td>number</td>
</tr>
<tr>
<td><a href="#lua-resty-waf">nginx.ingress.kubernetes.io/lua-resty-waf-process-multipart-body</a></td>
<td>"true" or "false"</td>
</tr>
<tr>
<td><a href="#influxdb">nginx.ingress.kubernetes.io/enable-influxdb</a></td> <td><a href="#influxdb">nginx.ingress.kubernetes.io/enable-influxdb</a></td>
<td>"true" or "false"</td> <td>"true" or "false"</td>
</tr> </tr>
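Review bot: all seven `nginx.ingress.kubernetes.io/lua-resty-waf*` rows are deleted from the annotation table with no removal notice or replacement row. An operator whose Ingress still carries `lua-resty-waf: "active"` cannot tell from this table whether the annotation still has any effect. Suggest keeping one row marked as removed that links to `#modsecurity`, so the table itself tells readers the annotation is no longer supported.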
@ -2869,43 +2827,6 @@ to enable it or disable it for a specific ingress (e.g. to turn off tracing of e
<div class="highlight"><pre><span></span><code><span class="nt">nginx.ingress.kubernetes.io/x-forwarded-prefix</span><span class="p">:</span> <span class="s">&quot;/path&quot;</span> <div class="highlight"><pre><span></span><code><span class="nt">nginx.ingress.kubernetes.io/x-forwarded-prefix</span><span class="p">:</span> <span class="s">&quot;/path&quot;</span>
</code></pre></div> </code></pre></div>
<h3 id="lua-resty-waf">Lua Resty WAF<a class="headerlink" href="#lua-resty-waf" title="Permanent link"></a></h3>
<p>Using <code>lua-resty-waf-*</code> annotations we can enable and control the <a href="https://github.com/p0pr0ck5/lua-resty-waf">lua-resty-waf</a>
Web Application Firewall per location.</p>
<p>Following configuration will enable the WAF for the paths defined in the corresponding ingress:</p>
<div class="highlight"><pre><span></span><code><span class="nt">nginx.ingress.kubernetes.io/lua-resty-waf</span><span class="p">:</span> <span class="s">&quot;active&quot;</span>
</code></pre></div>
<p>In order to run it in debugging mode you can set <code>nginx.ingress.kubernetes.io/lua-resty-waf-debug</code> to <code>"true"</code> in addition to the above configuration.
The other possible values for <code>nginx.ingress.kubernetes.io/lua-resty-waf</code> are <code>inactive</code> and <code>simulate</code>.
In <code>inactive</code> mode WAF won't do anything, whereas in <code>simulate</code> mode it will log a warning message if there's a matching WAF rule for given request. This is useful to debug a rule and eliminate possible false positives before fully deploying it.</p>
<p><code>lua-resty-waf</code> comes with predefined set of rules <a href="https://github.com/p0pr0ck5/lua-resty-waf/tree/84b4f40362500dd0cb98b9e71b5875cb1a40f1ad/rules">https://github.com/p0pr0ck5/lua-resty-waf/tree/84b4f40362500dd0cb98b9e71b5875cb1a40f1ad/rules</a> that covers ModSecurity CRS.
You can use <code>nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets</code> to ignore a subset of those rulesets. For an example:</p>
<div class="highlight"><pre><span></span><code><span class="nt">nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets</span><span class="p">:</span> <span class="s">&quot;41000_sqli,</span><span class="nv"> </span><span class="s">42000_xss&quot;</span>
</code></pre></div>
<p>will ignore the two mentioned rulesets.</p>
<p>It is also possible to configure custom WAF rules per ingress using the <code>nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules</code> annotation. For an example the following snippet will configure a WAF rule to deny requests with query string value that contains word <code>foo</code>:</p>
<div class="highlight"><pre><span></span><code><span class="nt">nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules</span><span class="p">:</span> <span class="s">&#39;[=[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;access&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;actions&quot;:</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;disrupt&quot;</span><span class="nv"> </span><span class="s">:</span><span class="nv"> </span><span class="s">&quot;DENY&quot;</span><span class="nv"> </span><span class="s">},</span><span class="nv"> </span><span class="s">&quot;id&quot;:</span><span class="nv"> </span><span class="s">10001,</span><span class="nv"> </span><span class="s">&quot;msg&quot;:</span><span class="nv"> </span><span class="s">&quot;my</span><span class="nv"> </span><span class="s">custom</span><span class="nv"> </span><span class="s">rule&quot;,</span><span class="nv"> </span><span class="s">&quot;operator&quot;:</span><span class="nv"> </span><span class="s">&quot;STR_CONTAINS&quot;,</span><span class="nv"> </span><span class="s">&quot;pattern&quot;:</span><span class="nv"> </span><span class="s">&quot;foo&quot;,</span><span class="nv"> </span><span class="s">&quot;vars&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">{</span><span class="nv"> </span><span class="s">&quot;parse&quot;:</span><span class="nv"> </span><span class="s">[</span><span class="nv"> </span><span class="s">&quot;values&quot;,</span><span class="nv"> </span><span class="s">1</span><span class="nv"> </span><span class="s">],</span><span class="nv"> </span><span class="s">&quot;type&quot;:</span><span class="nv"> </span><span class="s">&quot;REQUEST_ARGS&quot;</span><span class="nv"> </span><span 
class="s">}</span><span class="nv"> </span><span class="s">]</span><span class="nv"> </span><span class="s">}</span><span class="nv"> </span><span class="s">],</span><span class="nv"> </span><span class="s">&quot;body_filter&quot;:</span><span class="nv"> </span><span class="s">[],</span><span class="nv"> </span><span class="s">&quot;header_filter&quot;:[]</span><span class="nv"> </span><span class="s">}</span><span class="nv"> </span><span class="s">]=]&#39;</span>
</code></pre></div>
<p>Since the default allowed contents were <code>"text/html", "text/json", "application/json"</code>
We can enable the following annotation for allow all contents type:</p>
<div class="highlight"><pre><span></span><code><span class="nt">nginx.ingress.kubernetes.io/lua-resty-waf-allow-unknown-content-types</span><span class="p">:</span> <span class="s">&quot;true&quot;</span>
</code></pre></div>
<p>The default score of lua-resty-waf is 5, which usually triggered if hitting 2 default rules, you can modify the score threshold with following annotation:</p>
<div class="highlight"><pre><span></span><code><span class="nt">nginx.ingress.kubernetes.io/lua-resty-waf-score-threshold</span><span class="p">:</span> <span class="s">&quot;10&quot;</span>
</code></pre></div>
<p>When you enabled HTTPS in the endpoint and since resty-lua will return 500 error when processing "multipart" contents
Reference for this <a href="https://github.com/p0pr0ck5/lua-resty-waf/issues/166">issue</a></p>
<p>By default, it will be "true"</p>
<p>You may enable the following annotation for work around:</p>
<div class="highlight"><pre><span></span><code><span class="nt">nginx.ingress.kubernetes.io/lua-resty-waf-process-multipart-body</span><span class="p">:</span> <span class="s">&quot;false&quot;</span>
</code></pre></div>
<p>For details on how to write WAF rules, please refer to <a href="https://github.com/p0pr0ck5/lua-resty-waf">https://github.com/p0pr0ck5/lua-resty-waf</a>.</p>
<h3 id="modsecurity">ModSecurity<a class="headerlink" href="#modsecurity" title="Permanent link"></a></h3> <h3 id="modsecurity">ModSecurity<a class="headerlink" href="#modsecurity" title="Permanent link"></a></h3>
<p><a href="http://modsecurity.org/">ModSecurity</a> is an OpenSource Web Application firewall. It can be enabled for a particular set <p><a href="http://modsecurity.org/">ModSecurity</a> is an OpenSource Web Application firewall. It can be enabled for a particular set
of ingress locations. The ModSecurity module must first be enabled by enabling ModSecurity in the of ingress locations. The ModSecurity module must first be enabled by enabling ModSecurity in the
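Review bot: deleting `<h3 id="lua-resty-waf">` removes the fragment target along with the text, so existing links to `#lua-resty-waf` will land at the top of the page with no explanation. Suggest leaving a short stub under that id stating that the `lua-resty-waf-*` annotations were removed and pointing to the ModSecurity section that follows. The deleted text also described `simulate` mode for checking rules for false positives before enforcing them, plus `lua-resty-waf-ignore-rulesets` and `lua-resty-waf-score-threshold` for tuning; if the remaining WAF documentation has equivalents, the stub should name them so a migration does not silently lose that tuning.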