This is the source code of the modsecurity-wasm-filter for Istio/Envoy Mesh Http Filter.
We offer a Envoy WASM Plugin integrated with ModSecurity to implement the WAF functionality in the http filter chain. We containerd the WASM binary so users can easily deploy the filter in their istio/envoy mesh.
The plugin is the basic version and the modsecurity rule inside the plugin can be updated by the istio CR WasmPlugin
. And we support dynamic update of the wasm binary and modsecurity rules based on istio > 1.13. The rule server for OWASP rules and customer rules will be delivered in the future.
First, clone the repository and open into wasmplugin
folder :
git clone https://github.com/intel/modsecurity-wasm-filter.git
cd modsecurity-wasm-filter/wasmplugin
Run docker build
to build modsecurity wasm plugin. This will generate a docker image containing a single wasm binary.
docker build -t ${HUB}/${IMAGE_NAME}:${TAG} -f Dockerfile .
Run docker push
to push the binary to remote repository:
docker push ${HUB}/${IMAGE_NAME}:${TAG}
make sure istioctl
verison > 1.13
istioctl install --set meshConfig.defaultConfig.proxyMetadata.WASM_INSECURE_REGISTRIES=* -y
kubectl label namespace default istio-injection=enabled
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.14/samples/httpbin/httpbin.yaml
kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.14/samples/httpbin/httpbin-gateway.yaml
Build ruleserver docker image:
cd modsecurity-wasm-filter/ruleserver
make docker-build IMG=ruleserver:crd
Deploy controller on kubernetes:
make deploy IMG=ruleserver:crd
Install CRD on kubernetes:
make install
kubectl apply -f config/samples/
In another terminal, forward port 80 of istio ingressgateway to port 8080 of local machine
kubectl port-forward -n istio-system svc/istio-ingressgateway 8080:80
Send http request to see if the service is working as expected:
curl -X POST -i http://localhost:8080/post?param1=test
will return HTTP 200 response
curl -X POST -i http://localhost:8080/post?param1=attack
will return HTTP 400 response