DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ingress-nginx-helm/user-guide/third-party-addons/modsecurity/index.html
Gacko c1fc43640e Deploy GitHub Pages
2024-09-15 15:04:08 +00:00

79 lines
No EOL
34 KiB
HTML
Raw Permalink Blame History

<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><link href=https://kubernetes.github.io/ingress-nginx/user-guide/third-party-addons/modsecurity/ rel=canonical><link href=../../tls/ rel=prev><link href=../opentelemetry/ rel=next><link rel=icon href=../../../assets/images/favicon.png><meta name=generator content="mkdocs-1.5.3, mkdocs-material-9.4.5"><title>ModSecurity Web Application Firewall - Ingress-Nginx Controller</title><link rel=stylesheet href=../../../assets/stylesheets/main.6a10b989.min.css><link rel=stylesheet href=../../../assets/stylesheets/palette.356b1318.min.css><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback"><style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style><link rel=stylesheet href=../../../extra.css><script>__md_scope=new URL("../../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script></head> <body dir=ltr data-md-color-scheme=default data-md-color-primary=teal data-md-color-accent=green> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#modsecurity-web-application-firewall class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <header class="md-header md-header--shadow md-header--lifted" data-md-component=header> <nav class="md-header__inner md-grid" aria-label=Header> <a href=../../.. title="Ingress-Nginx Controller" class="md-header__button md-logo" aria-label="Ingress-Nginx Controller" data-md-component=logo> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> <label class="md-header__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg> </label> <div class=md-header__title data-md-component=header-title> <div class=md-header__ellipsis> <div class=md-header__topic> <span class=md-ellipsis> Ingress-Nginx Controller </span> </div> <div class=md-header__topic data-md-component=header-topic> <span class=md-ellipsis> ModSecurity Web Application Firewall </span> </div> </div> </div> <label class="md-header__button md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> </label> <div class=md-search data-md-component=search role=dialog> <label class=md-search__overlay for=__search></label> <div class=md-search__inner role=search> <form class=md-search__form name=search> <input type=text class=md-search__input name=query aria-label=Search placeholder=Search autocapitalize=off autocorrect=off autocomplete=off spellcheck=false data-md-component=search-query required> <label class="md-search__icon md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </label> <nav class=md-search__options aria-label=Search> <button type=reset class="md-search__icon md-icon" title=Clear aria-label=Clear tabindex=-1> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg> </button> </nav> </form> <div class=md-search__output> <div class=md-search__scrollwrap data-md-scrollfix> <div class=md-search-result data-md-component=search-result> <div class=md-search-result__meta> Initializing search </div> <ol class=md-search-result__list role=presentation></ol> </div> </div> </div> </div> </div> <div class=md-header__source> <a href=https://github.com/kubernetes/ingress-nginx title="Go to repository" class=md-source data-md-component=source> <div class="md-source__icon md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 448 512"><!-- Font Awesome Free 6.4.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class=md-source__repository> kubernetes/ingress-nginx </div> </a> </div> </nav> <nav class=md-tabs aria-label=Tabs data-md-component=tabs> <div class=md-grid> <ul class=md-tabs__list> <li class=md-tabs__item> <a href=../../.. class=md-tabs__link> Welcome </a> </li> <li class=md-tabs__item> <a href=../../../deploy/ class=md-tabs__link> Deployment </a> </li> <li class="md-tabs__item md-tabs__item--active"> <a href=../../nginx-configuration/ class=md-tabs__link> User Guide </a> </li> <li class=md-tabs__item> <a href=../../../examples/ class=md-tabs__link> Examples </a> </li> <li class=md-tabs__item> <a href=../../../developer-guide/getting-started/ class=md-tabs__link> Developer Guide </a> </li> <li class=md-tabs__item> <a href=../../../faq/ class=md-tabs__link> FAQ </a> </li> </ul> </div> </nav> </header> <div class=md-container data-md-component=container> <main class=md-main data-md-component=main> <div class="md-main__inner md-grid"> <div class="md-sidebar md-sidebar--primary" data-md-component=sidebar data-md-type=navigation> <div class=md-sidebar__scrollwrap> <div class=md-sidebar__inner> <nav class="md-nav md-nav--primary md-nav--lifted" aria-label=Navigation data-md-level=0> <label class=md-nav__title for=__drawer> <a href=../../.. title="Ingress-Nginx Controller" class="md-nav__button md-logo" aria-label="Ingress-Nginx Controller" data-md-component=logo> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> Ingress-Nginx Controller </label> <div class=md-nav__source> <a href=https://github.com/kubernetes/ingress-nginx title="Go to repository" class=md-source data-md-component=source> <div class="md-source__icon md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 448 512"><!-- Font Awesome Free 6.4.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class=md-source__repository> kubernetes/ingress-nginx </div> </a> </div> <ul class=md-nav__list data-md-scrollfix> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_1> <label class=md-nav__link for=__nav_1 id=__nav_1_label tabindex> <span class=md-ellipsis> Welcome </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_1_label aria-expanded=false> <label class=md-nav__title for=__nav_1> <span class="md-nav__icon md-icon"></span> Welcome </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../.. class=md-nav__link> <span class=md-ellipsis> Welcome </span> </a> </li> <li class=md-nav__item> <a href=../../../how-it-works/ class=md-nav__link> <span class=md-ellipsis> How it works </span> </a> </li> <li class=md-nav__item> <a href=../../../troubleshooting/ class=md-nav__link> <span class=md-ellipsis> Troubleshooting </span> </a> </li> <li class=md-nav__item> <a href=../../../kubectl-plugin/ class=md-nav__link> <span class=md-ellipsis> kubectl plugin </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_2> <label class=md-nav__link for=__nav_2 id=__nav_2_label tabindex> <span class=md-ellipsis> Deployment </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_2_label aria-expanded=false> <label class=md-nav__title for=__nav_2> <span class="md-nav__icon md-icon"></span> Deployment </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../../deploy/ class=md-nav__link> <span class=md-ellipsis> Installation Guide </span> </a> </li> <li class=md-nav__item> <a href=../../../deploy/baremetal/ class=md-nav__link> <span class=md-ellipsis> Bare-metal considerations </span> </a> </li> <li class=md-nav__item> <a href=../../../deploy/rbac/ class=md-nav__link> <span class=md-ellipsis> Role Based Access Control (RBAC) </span> </a> </li> <li class=md-nav__item> <a href=../../../deploy/upgrade/ class=md-nav__link> <span class=md-ellipsis> Upgrade </span> </a> </li> <li class=md-nav__item> <a href=../../../deploy/hardening-guide/ class=md-nav__link> <span class=md-ellipsis> Hardening guide </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_3 checked> <label class=md-nav__link for=__nav_3 id=__nav_3_label tabindex> <span class=md-ellipsis> User Guide </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_3_label aria-expanded=true> <label class=md-nav__title for=__nav_3> <span class="md-nav__icon md-icon"></span> User Guide </label> <ul class=md-nav__list data-md-scrollfix> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_3_1> <label class=md-nav__link for=__nav_3_1 id=__nav_3_1_label tabindex> <span class=md-ellipsis> NGINX Configuration </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_3_1_label aria-expanded=false> <label class=md-nav__title for=__nav_3_1> <span class="md-nav__icon md-icon"></span> NGINX Configuration </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../nginx-configuration/ class=md-nav__link> <span class=md-ellipsis> Introduction </span> </a> </li> <li class=md-nav__item> <a href=../../basic-usage/ class=md-nav__link> <span class=md-ellipsis> Basic usage </span> </a> </li> <li class=md-nav__item> <a href=../../nginx-configuration/annotations/ class=md-nav__link> <span class=md-ellipsis> Annotations </span> </a> </li> <li class=md-nav__item> <a href=../../nginx-configuration/annotations-risk/ class=md-nav__link> <span class=md-ellipsis> Annotations Risks </span> </a> </li> <li class=md-nav__item> <a href=../../nginx-configuration/configmap/ class=md-nav__link> <span class=md-ellipsis> ConfigMap </span> </a> </li> <li class=md-nav__item> <a href=../../nginx-configuration/custom-template/ class=md-nav__link> <span class=md-ellipsis> Custom NGINX template </span> </a> </li> <li class=md-nav__item> <a href=../../nginx-configuration/log-format/ class=md-nav__link> <span class=md-ellipsis> Log format </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=../../cli-arguments/ class=md-nav__link> <span class=md-ellipsis> Command line arguments </span> </a> </li> <li class=md-nav__item> <a href=../../custom-errors/ class=md-nav__link> <span class=md-ellipsis> Custom errors </span> </a> </li> <li class=md-nav__item> <a href=../../default-backend/ class=md-nav__link> <span class=md-ellipsis> Default backend </span> </a> </li> <li class=md-nav__item> <a href=../../exposing-tcp-udp-services/ class=md-nav__link> <span class=md-ellipsis> Exposing TCP and UDP services </span> </a> </li> <li class=md-nav__item> <a href=../../fcgi-services/ class=md-nav__link> <span class=md-ellipsis> Exposing FCGI services </span> </a> </li> <li class=md-nav__item> <a href=../../ingress-path-matching/ class=md-nav__link> <span class=md-ellipsis> Regular expressions in paths </span> </a> </li> <li class=md-nav__item> <a href=../../external-articles/ class=md-nav__link> <span class=md-ellipsis> External Articles </span> </a> </li> <li class=md-nav__item> <a href=../../miscellaneous/ class=md-nav__link> <span class=md-ellipsis> Miscellaneous </span> </a> </li> <li class=md-nav__item> <a href=../../monitoring/ class=md-nav__link> <span class=md-ellipsis> Prometheus and Grafana installation </span> </a> </li> <li class=md-nav__item> <a href=../../multiple-ingress/ class=md-nav__link> <span class=md-ellipsis> Multiple Ingress controllers </span> </a> </li> <li class=md-nav__item> <a href=../../tls/ class=md-nav__link> <span class=md-ellipsis> TLS/HTTPS </span> </a> </li> <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_3_13 checked> <label class=md-nav__link for=__nav_3_13 id=__nav_3_13_label tabindex> <span class=md-ellipsis> Third party addons </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_3_13_label aria-expanded=true> <label class=md-nav__title for=__nav_3_13> <span class="md-nav__icon md-icon"></span> Third party addons </label> <ul class=md-nav__list data-md-scrollfix> <li class="md-nav__item md-nav__item--active"> <input class="md-nav__toggle md-toggle" type=checkbox id=__toc> <label class="md-nav__link md-nav__link--active" for=__toc> <span class=md-ellipsis> ModSecurity Web Application Firewall </span> <span class="md-nav__icon md-icon"></span> </label> <a href=./ class="md-nav__link md-nav__link--active"> <span class=md-ellipsis> ModSecurity Web Application Firewall </span> </a> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class=md-nav__title for=__toc> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class=md-nav__list data-md-component=toc data-md-scrollfix> <li class=md-nav__item> <a href=#supported-annotations class=md-nav__link> Supported annotations </a> </li> <li class=md-nav__item> <a href=#example-of-using-modsecurity-with-plugins-via-the-helm-chart class=md-nav__link> Example of using ModSecurity with plugins via the helm chart </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=../opentelemetry/ class=md-nav__link> <span class=md-ellipsis> OpenTelemetry </span> </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_4> <label class=md-nav__link for=__nav_4 id=__nav_4_label tabindex> <span class=md-ellipsis> Examples </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_4_label aria-expanded=false> <label class=md-nav__title for=__nav_4> <span class="md-nav__icon md-icon"></span> Examples </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../../examples/ class=md-nav__link> <span class=md-ellipsis> Introduction </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/PREREQUISITES/ class=md-nav__link> <span class=md-ellipsis> Prerequisites </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/affinity/cookie/ class=md-nav__link> <span class=md-ellipsis> Sticky Sessions </span> </a> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_4_4> <label class=md-nav__link for=__nav_4_4 id=__nav_4_4_label tabindex> <span class=md-ellipsis> Auth </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_4_4_label aria-expanded=false> <label class=md-nav__title for=__nav_4_4> <span class="md-nav__icon md-icon"></span> Auth </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../../examples/auth/basic/ class=md-nav__link> <span class=md-ellipsis> Basic Authentication </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/auth/client-certs/ class=md-nav__link> <span class=md-ellipsis> Client Certificate Authentication </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/auth/external-auth/ class=md-nav__link> <span class=md-ellipsis> External Basic Authentication </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/auth/oauth-external-auth/ class=md-nav__link> <span class=md-ellipsis> External OAUTH Authentication </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_4_5> <label class=md-nav__link for=__nav_4_5 id=__nav_4_5_label tabindex> <span class=md-ellipsis> Customization </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_4_5_label aria-expanded=false> <label class=md-nav__title for=__nav_4_5> <span class="md-nav__icon md-icon"></span> Customization </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../../examples/customization/configuration-snippets/ class=md-nav__link> <span class=md-ellipsis> Configuration Snippets </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/customization/custom-configuration/ class=md-nav__link> <span class=md-ellipsis> Custom Configuration </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/customization/custom-errors/ class=md-nav__link> <span class=md-ellipsis> Custom Errors </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/customization/custom-headers/ class=md-nav__link> <span class=md-ellipsis> Custom Headers </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/customization/external-auth-headers/ class=md-nav__link> <span class=md-ellipsis> External authentication </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/customization/ssl-dh-param/ class=md-nav__link> <span class=md-ellipsis> Custom DH parameters for perfect forward secrecy </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/customization/sysctl/ class=md-nav__link> <span class=md-ellipsis> Sysctl tuning </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=../../../examples/docker-registry/ class=md-nav__link> <span class=md-ellipsis> Docker registry </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/grpc/ class=md-nav__link> <span class=md-ellipsis> gRPC </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/multi-tls/ class=md-nav__link> <span class=md-ellipsis> Multi TLS certificate termination </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/rewrite/ class=md-nav__link> <span class=md-ellipsis> Rewrite </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/static-ip/ class=md-nav__link> <span class=md-ellipsis> Static IPs </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/tls-termination/ class=md-nav__link> <span class=md-ellipsis> TLS termination </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/openpolicyagent/ class=md-nav__link> <span class=md-ellipsis> Open Policy Agent rules </span> </a> </li> <li class=md-nav__item> <a href=../../../examples/canary/ class=md-nav__link> <span class=md-ellipsis> Canary Deployments </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_5> <label class=md-nav__link for=__nav_5 id=__nav_5_label tabindex> <span class=md-ellipsis> Developer Guide </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_5_label aria-expanded=false> <label class=md-nav__title for=__nav_5> <span class="md-nav__icon md-icon"></span> Developer Guide </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../../developer-guide/getting-started/ class=md-nav__link> <span class=md-ellipsis> Getting Started </span> </a> </li> <li class=md-nav__item> <a href=../../../developer-guide/code-overview/ class=md-nav__link> <span class=md-ellipsis> Code Overview </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=../../../faq/ class=md-nav__link> <span class=md-ellipsis> FAQ </span> </a> </li> </ul> </nav> </div> </div> </div> <div class="md-sidebar md-sidebar--secondary" data-md-component=sidebar data-md-type=toc> <div class=md-sidebar__scrollwrap> <div class=md-sidebar__inner> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class=md-nav__title for=__toc> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class=md-nav__list data-md-component=toc data-md-scrollfix> <li class=md-nav__item> <a href=#supported-annotations class=md-nav__link> Supported annotations </a> </li> <li class=md-nav__item> <a href=#example-of-using-modsecurity-with-plugins-via-the-helm-chart class=md-nav__link> Example of using ModSecurity with plugins via the helm chart </a> </li> </ul> </nav> </div> </div> </div> <div class=md-content data-md-component=content> <article class="md-content__inner md-typeset"> <h1 id=modsecurity-web-application-firewall>ModSecurity Web Application Firewall<a class=headerlink href=#modsecurity-web-application-firewall title="Permanent link"></a></h1> <p>ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis - <a href=https://www.modsecurity.org>https://www.modsecurity.org</a></p> <p>The <a href=https://github.com/SpiderLabs/ModSecurity-nginx>ModSecurity-nginx</a> connector is the connection point between NGINX and libmodsecurity (ModSecurity v3).</p> <p>The default ModSecurity configuration file is located in <code>/etc/nginx/modsecurity/modsecurity.conf</code>. This is the only file located in this directory and contains the default recommended configuration. Using a volume we can replace this file with the desired configuration. To enable the ModSecurity feature we need to specify <code>enable-modsecurity: "true"</code> in the configuration configmap.</p> <blockquote> <p><strong>Note:</strong> the default configuration use detection only, because that minimizes the chances of post-installation disruption. Due to the value of the setting <a href=https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secauditlogtype>SecAuditLogType=Concurrent</a> the ModSecurity log is stored in multiple files inside the directory <code>/var/log/audit</code>. The default <code>Serial</code> value in SecAuditLogType can impact performance.</p> </blockquote> <p>The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts. The directory <code>/etc/nginx/owasp-modsecurity-crs</code> contains the <a href=https://github.com/coreruleset/coreruleset>OWASP ModSecurity Core Rule Set repository</a>. Using <code>enable-owasp-modsecurity-crs: "true"</code> we enable the use of the rules.</p> <h2 id=supported-annotations>Supported annotations<a class=headerlink href=#supported-annotations title="Permanent link"></a></h2> <p>For more info on supported annotations, please see <a href=https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity>annotations/#modsecurity</a></p> <h2 id=example-of-using-modsecurity-with-plugins-via-the-helm-chart>Example of using ModSecurity with plugins via the helm chart<a class=headerlink href=#example-of-using-modsecurity-with-plugins-via-the-helm-chart title="Permanent link"></a></h2> <p>Suppose you have a ConfigMap that contains the contents of the <a href=https://github.com/coreruleset/nextcloud-rule-exclusions-plugin/blob/main/plugins/nextcloud-rule-exclusions-before.conf>nextcloud-rule-exclusions plugin</a> like this:</p> <div class=highlight><pre><span></span><code><span class=nt>apiVersion</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class=nt>kind</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">ConfigMap</span>
<span class=nt>metadata</span><span class=p>:</span>
<span class=w> </span><span class=nt>name</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">modsecurity-plugins</span>
<span class=nt>data</span><span class=p>:</span>
<span class=w> </span><span class=nt>empty-after.conf</span><span class=p>:</span><span class=w> </span><span class="p p-Indicator">|</span>
<span class=w> </span><span class=no># no data</span>
<span class=w> </span><span class=nt>empty-before.conf</span><span class=p>:</span><span class=w> </span><span class="p p-Indicator">|</span>
<span class=w> </span><span class=no># no data</span>
<span class=w> </span><span class=nt>empty-config.conf</span><span class=p>:</span><span class=w> </span><span class="p p-Indicator">|</span>
<span class=w> </span><span class=no># no data</span>
<span class=w> </span><span class=nt>nextcloud-rule-exclusions-before.conf</span><span class=p>:</span>
<span class=w> </span><span class=c1># this is just a snippet</span>
<span class=w> </span><span class=c1># find the full file at https://github.com/coreruleset/nextcloud-rule-exclusions-plugin</span>
<span class=w> </span><span class=c1>#</span>
<span class=w> </span><span class=c1># [ File Manager ]</span>
<span class=w> </span><span class=c1># The web interface uploads files, and interacts with the user.</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">SecRule REQUEST_FILENAME &quot;@contains /remote.php/webdav&quot; \</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">&quot;id:9508102,\</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">phase:1,\</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">pass,\</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">t:none,\</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">nolog,\</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">ver:&#39;nextcloud-rule-exclusions-plugin/1.2.0&#39;,\</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">ctl:ruleRemoveById=920420,\</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">ctl:ruleRemoveById=920440,\</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">ctl:ruleRemoveById=941000-942999,\</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">ctl:ruleRemoveById=951000-951999,\</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">ctl:ruleRemoveById=953100-953130,\</span>
<span class=w> </span><span class="l l-Scalar l-Scalar-Plain">ctl:ruleRemoveByTag=attack-injection-php&quot;</span>
</code></pre></div> <p>If you're using the helm chart, you can pass in the following parameters in your <code>values.yaml</code>:</p> <div class=highlight><pre><span></span><code><span class=nt>controller</span><span class=p>:</span>
<span class=w> </span><span class=nt>config</span><span class=p>:</span>
<span class=w> </span><span class=c1># Enables Modsecurity</span>
<span class=w> </span><span class=nt>enable-modsecurity</span><span class=p>:</span><span class=w> </span><span class=s>&quot;true&quot;</span>
<span class=w> </span><span class=c1># Update ModSecurity config and rules</span>
<span class=w> </span><span class=nt>modsecurity-snippet</span><span class=p>:</span><span class=w> </span><span class="p p-Indicator">|</span>
<span class=w> </span><span class=no># this enables the mod security nextcloud plugin</span>
<span class=w> </span><span class=no>Include /etc/nginx/owasp-modsecurity-crs/plugins/nextcloud-rule-exclusions-before.conf</span>
<span class=w> </span><span class=no># this enables the default OWASP Core Rule Set</span>
<span class=w> </span><span class=no>Include /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf</span>
<span class=w> </span><span class=no># Enable prevention mode. Options: DetectionOnly,On,Off (default is DetectionOnly)</span>
<span class=w> </span><span class=no>SecRuleEngine On</span>
<span class=w> </span><span class=no># Enable scanning of the request body</span>
<span class=w> </span><span class=no>SecRequestBodyAccess On</span>
<span class=w> </span><span class=no># Enable XML and JSON parsing</span>
<span class=w> </span><span class=no>SecRule REQUEST_HEADERS:Content-Type &quot;(?:text|application(?:/soap\+|/)|application/xml)/&quot; \</span>
<span class=w> </span><span class=no>&quot;id:200000,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML&quot;</span>
<span class=w> </span><span class=no>SecRule REQUEST_HEADERS:Content-Type &quot;application/json&quot; \</span>
<span class=w> </span><span class=no>&quot;id:200001,phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON&quot;</span>
<span class=w> </span><span class=no># Reject if larger (we could also let it pass with ProcessPartial)</span>
<span class=w> </span><span class=no>SecRequestBodyLimitAction Reject</span>
<span class=w> </span><span class=no># Send ModSecurity audit logs to the stdout (only for rejected requests)</span>
<span class=w> </span><span class=no>SecAuditLog /dev/stdout</span>
<span class=w> </span><span class=no># format the logs in JSON</span>
<span class=w> </span><span class=no>SecAuditLogFormat JSON</span>
<span class=w> </span><span class=no># could be On/Off/RelevantOnly</span>
<span class=w> </span><span class=no>SecAuditEngine RelevantOnly</span>
<span class=w> </span><span class=c1># Add a volume for the plugins directory</span>
<span class=w> </span><span class=nt>extraVolumes</span><span class=p>:</span>
<span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class=nt>name</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">plugins</span>
<span class=w> </span><span class=nt>configMap</span><span class=p>:</span>
<span class=w> </span><span class=nt>name</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">modsecurity-plugins</span>
<span class=w> </span><span class=c1># override the /etc/nginx/enable-owasp-modsecurity-crs/plugins with your ConfigMap</span>
<span class=w> </span><span class=nt>extraVolumeMounts</span><span class=p>:</span>
<span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class=nt>name</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">plugins</span>
<span class=w> </span><span class=nt>mountPath</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">/etc/nginx/owasp-modsecurity-crs/plugins</span>
</code></pre></div> </article> </div> </div> </main> <footer class=md-footer> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-copyright> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> </div> </div> </footer> </div> <div class=md-dialog data-md-component=dialog> <div class="md-dialog__inner md-typeset"></div> </div> <script id=__config type=application/json>{"base": "../../..", "features": ["navigation.tabs", "navigation.tabs.sticky", "navigation.instant", "navigation.sections"], "search": "../../../assets/javascripts/workers/search.f886a092.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script> <script src=../../../assets/javascripts/bundle.aecac24b.min.js></script> </body> </html>
Reference in a new issue View git blame Copy permalink