Skip to content

Commit

Permalink
Enable modsecurity feature
Browse files Browse the repository at this point in the history
  • Loading branch information
aledbf committed Oct 10, 2017
1 parent 63155ee commit 7632465
Show file tree
Hide file tree
Showing 5 changed files with 45 additions and 5 deletions.
2 changes: 1 addition & 1 deletion Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ IMAGE = $(REGISTRY)/$(IMGNAME)
MULTI_ARCH_IMG = $(IMAGE)-$(ARCH)

# Set default base image dynamically for each arch
BASEIMAGE?=gcr.io/google_containers/nginx-slim-$(ARCH):0.25
BASEIMAGE?=gcr.io/google_containers/nginx-slim-$(ARCH):0.26

ifeq ($(ARCH),arm)
QEMUARCH=arm
Expand Down
16 changes: 15 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ An Ingress Controller is a daemon, deployed as a Kubernetes Pod, that watches th
* [TCP Services](#exposing-tcp-services)
* [UDP Services](#exposing-udp-services)
* [Proxy Protocol](#proxy-protocol)
* [ModSecurity Web Application Firewall](#modsecurity-web-application-firewall)
* [Opentracing](#opentracing)
* [NGINX customization](configuration.md)
* [Custom errors](#custom-errors)
Expand Down Expand Up @@ -403,7 +404,20 @@ Amongst others [ELBs in AWS](http://docs.aws.amazon.com/ElasticLoadBalancing/lat

Please check the [proxy-protocol](examples/proxy-protocol/) example

### Opentracing
## ModSecurity Web Application Firewall

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analys… https://www.modsecurity.org

The [ModSecurity-nginx](https://github.com/SpiderLabs/ModSecurity-nginx) connector is the connection point between NGINX and libmodsecurity (ModSecurity v3).

The default modsecurity configuration file is located in `/etc/nginx/modsecurity/modsecurity.conf`. This is the only file located in this directory and it contains the default recommended configuration. Using a volume we can replace this file with the desired configuration.
To enable the modsecurity feature we need to specify `enable-modsecurity: "true"` in the configuration configmap.
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
The directory `/etc/nginx/owasp-modsecurity-crs` contains the https://github.com/SpiderLabs/owasp-modsecurity-crs repository.
Using `enable-owasp-modsecurity-crs: "true"` we enable the use of the this rules.
## Opentracing
Using the third party module [rnburn/nginx-opentracing](https://github.com/rnburn/nginx-opentracing) the NGINX ingress controller can configure NGINX to enable [OpenTracing](http://opentracing.io) instrumentation.
By default this feature is disabled.
Expand Down
6 changes: 6 additions & 0 deletions configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -384,6 +384,12 @@ Example usage: `custom-http-errors: 404,415`

**error-log-path:** Error log path. Goes to '/var/log/nginx/error.log' by default. http://nginx.org/en/docs/ngx_core_module.html#error_log

**enable-modsecurity:** enables the modsecurity module for NGINX
By default this is disabled

**enable-owasp-modsecurity-crs:** enables the OWASP ModSecurity Core Rule Set (CRS)
By default this is disabled

**disable-ipv6:** Disable listening on IPV6. This is 'false' by default.

**enable-dynamic-tls-records:** Enables dynamically sized TLS records to improve time-to-first-byte. Enabled by default. See [CloudFlare's blog](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency) for more information.
Expand Down
8 changes: 8 additions & 0 deletions pkg/nginx/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,14 @@ type Configuration struct {
// By default this is enabled
EnableDynamicTLSRecords bool `json:"enable-dynamic-tls-records"`

// EnableModsecurity enables the modsecurity module for NGINX
// By default this is disabled
EnableModsecurity bool `json:"enable-modsecurity"`

// EnableModsecurity enables the OWASP ModSecurity Core Rule Set (CRS)
// By default this is disabled
EnableOWASPCoreRules bool `json:"enable-owasp-modsecurity-crs"`

// ClientHeaderBufferSize allows to configure a custom buffer
// size for reading client request header
// http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
Expand Down
18 changes: 15 additions & 3 deletions rootfs/etc/nginx/template/nginx.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,11 @@
{{ $backends := .Backends }}
{{ $proxyHeaders := .ProxySetHeaders }}
{{ $addHeaders := .AddHeaders }}

{{ if $cfg.EnableModsecurity }}
load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
{{ end }}

daemon off;

worker_processes {{ $cfg.WorkerProcesses }};
Expand Down Expand Up @@ -655,10 +660,7 @@ stream {
set $target {{ $location.ExternalAuth.URL }};
proxy_pass $target;
}

{{ end }}


location {{ $path }} {
{{ if $all.Cfg.EnableVtsStatus }}{{ if $location.VtsFilterKey }} vhost_traffic_status_filter_by_set_key {{ $location.VtsFilterKey }};{{ end }}{{ end }}

Expand All @@ -677,6 +679,15 @@ stream {
}
{{ end }}

{{ if $all.Cfg.EnableModsecurity }}
modsecurity on;

modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
{{ if $all.Cfg.EnableOWASPCoreRules }}
modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
{{ end }}
{{ end }}

{{ if isLocationAllowed $location }}
{{ if gt (len $location.Whitelist.CIDR) 0 }}
if ({{ buildDenyVariable (print $server.Hostname "_" $path) }}) {
Expand Down Expand Up @@ -821,6 +832,7 @@ stream {
return 503;
{{ end }}
}

{{ end }}

{{ if eq $server.Hostname "_" }}
Expand Down

0 comments on commit 7632465

Please sign in to comment.