From 7632465ce3bddf86e97217c2451ae082970c413f Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Sun, 8 Oct 2017 11:52:02 -0300
Subject: [PATCH] Enable modsecurity feature

---
 Makefile | 2 +-
 README.md | 16 +++++++++++++++-
 configuration.md | 6 ++++++
 pkg/nginx/config/config.go | 8 ++++++++
 rootfs/etc/nginx/template/nginx.tmpl | 18 +++++++++++++++---
 5 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/Makefile b/Makefile
index fc29c88859..c26e488d6e 100644
--- a/Makefile
+++ b/Makefile
@@ -35,7 +35,7 @@ IMAGE = $(REGISTRY)/$(IMGNAME)
 MULTI_ARCH_IMG = $(IMAGE)-$(ARCH)
 
 # Set default base image dynamically for each arch
-BASEIMAGE?=gcr.io/google_containers/nginx-slim-$(ARCH):0.25
+BASEIMAGE?=gcr.io/google_containers/nginx-slim-$(ARCH):0.26
 
 ifeq ($(ARCH),arm)
 QEMUARCH=arm
diff --git a/README.md b/README.md
index b36e469fb2..afc8ca919c 100644
--- a/README.md
+++ b/README.md
@@ -40,6 +40,7 @@ An Ingress Controller is a daemon, deployed as a Kubernetes Pod, that watches th
 * [TCP Services](#exposing-tcp-services)
 * [UDP Services](#exposing-udp-services)
 * [Proxy Protocol](#proxy-protocol)
+* [ModSecurity Web Application Firewall](#modsecurity-web-application-firewall)
 * [Opentracing](#opentracing)
 * [NGINX customization](configuration.md)
 * [Custom errors](#custom-errors)
@@ -403,7 +404,20 @@ Amongst others [ELBs in AWS](http://docs.aws.amazon.com/ElasticLoadBalancing/lat
 
 Please check the [proxy-protocol](examples/proxy-protocol/) example
 
-### Opentracing
+## ModSecurity Web Application Firewall
+
+ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analys… https://www.modsecurity.org
+
+The [ModSecurity-nginx](https://github.com/SpiderLabs/ModSecurity-nginx) connector is the connection point between NGINX and libmodsecurity (ModSecurity v3).
+
+The default modsecurity configuration file is located in `/etc/nginx/modsecurity/modsecurity.conf`. This is the only file located in this directory and it contains the default recommended configuration. Using a volume we can replace this file with the desired configuration.
+To enable the modsecurity feature we need to specify `enable-modsecurity: "true"` in the configuration configmap.
+
+The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls. The CRS aims to protect web applications from a wide range of attacks, including the OWASP Top Ten, with a minimum of false alerts.
+The directory `/etc/nginx/owasp-modsecurity-crs` contains the https://github.com/SpiderLabs/owasp-modsecurity-crs repository.
+Using `enable-owasp-modsecurity-crs: "true"` we enable the use of the this rules.
+
+## Opentracing
 
 Using the third party module [rnburn/nginx-opentracing](https://github.com/rnburn/nginx-opentracing) the NGINX ingress controller can configure NGINX to enable [OpenTracing](http://opentracing.io) instrumentation.
 By default this feature is disabled.
diff --git a/configuration.md b/configuration.md
index fd0edaa78c..caf718ec6d 100644
--- a/configuration.md
+++ b/configuration.md
@@ -384,6 +384,12 @@ Example usage: `custom-http-errors: 404,415`
 **error-log-path:** Error log path. Goes to '/var/log/nginx/error.log' by default.
 http://nginx.org/en/docs/ngx_core_module.html#error_log
 
+**enable-modsecurity:** enables the modsecurity module for NGINX
+By default this is disabled
+
+**enable-owasp-modsecurity-crs:** enables the OWASP ModSecurity Core Rule Set (CRS)
+By default this is disabled
+
 **disable-ipv6:** Disable listening on IPV6. This is 'false' by default.
 
 **enable-dynamic-tls-records:** Enables dynamically sized TLS records to improve time-to-first-byte. Enabled by default. See [CloudFlare's blog](https://blog.cloudflare.com/optimizing-tls-over-tcp-to-reduce-latency) for more information.
diff --git a/pkg/nginx/config/config.go b/pkg/nginx/config/config.go
index 0d9a6f165d..7fc777e06d 100644
--- a/pkg/nginx/config/config.go
+++ b/pkg/nginx/config/config.go
@@ -109,6 +109,14 @@ type Configuration struct {
 	// By default this is enabled
 	EnableDynamicTLSRecords bool `json:"enable-dynamic-tls-records"`
 
+	// EnableModsecurity enables the modsecurity module for NGINX
+	// By default this is disabled
+	EnableModsecurity bool `json:"enable-modsecurity"`
+
+	// EnableModsecurity enables the OWASP ModSecurity Core Rule Set (CRS)
+	// By default this is disabled
+	EnableOWASPCoreRules bool `json:"enable-owasp-modsecurity-crs"`
+
 	// ClientHeaderBufferSize allows to configure a custom buffer
 	// size for reading client request header
 	// http://nginx.org/en/docs/http/ngx_http_core_module.html#client_header_buffer_size
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 02b85a0596..6f101aa842 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
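Review bot: The doc comment on `EnableOWASPCoreRules` names the wrong field (`// EnableModsecurity enables the OWASP ModSecurity Core Rule Set (CRS)`), so godoc will not attach it to the field, and the copy-paste also hides a real dependency: the template only emits the CRS rules file inside the `EnableModsecurity` branch, so `enable-owasp-modsecurity-crs: "true"` on its own is silently ignored. I would write `// EnableOWASPCoreRules enables the OWASP ModSecurity Core Rule Set (CRS).` followed by `// Has no effect unless EnableModsecurity is also true. By default this is disabled.`, and consider logging a warning when the CRS flag is set without the module flag so the operator learns the WAF is not actually active. The `Configuration` struct starts and ends outside the hunk.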
@@ -6,6 +6,11 @@
 {{ $backends := .Backends }}
 {{ $proxyHeaders := .ProxySetHeaders }}
 {{ $addHeaders := .AddHeaders }}
+
+{{ if $cfg.EnableModsecurity }}
+load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;
+{{ end }}
+
 daemon off;
 
 worker_processes {{ $cfg.WorkerProcesses }};
@@ -655,10 +660,7 @@ stream {
 set $target {{ $location.ExternalAuth.URL }};
 proxy_pass $target;
 }
- {{ end }}
-
- location {{ $path }} {
 {{ if $all.Cfg.EnableVtsStatus }}{{ if $location.VtsFilterKey }} vhost_traffic_status_filter_by_set_key {{ $location.VtsFilterKey }};{{ end }}{{ end }}
@@ -677,6 +679,15 @@ stream {
 }
 {{ end }}
 
+ {{ if $all.Cfg.EnableModsecurity }}
+ modsecurity on;
+
+ modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;
+ {{ if $all.Cfg.EnableOWASPCoreRules }}
+ modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf;
+ {{ end }}
+ {{ end }}
+
 {{ if isLocationAllowed $location }}
 {{ if gt (len $location.Whitelist.CIDR) 0 }}
 if ({{ buildDenyVariable (print $server.Hostname "_" $path) }}) {
@@ -821,6 +832,7 @@ stream {
 return 503;
 {{ end }}
 }
+ {{ end }}
 
 {{ if eq $server.Hostname "_" }}
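Review bot: `location {{ $path }} {` is deleted in this hunk and nothing in the patch adds it back, while the `{{ end }}` deleted next to it reappears after the location's closing `}` in the last hunk; the diffstat's 15 insertions and 3 deletions for this file are all visible, so no other hunk re-opens the block. As excerpted, the VTS, modsecurity and allow/deny directives that used to live inside the per-path location would be rendered at `server` scope and the `}` preceding the new `{{ end }}` would close the server block early, so `nginx -t` on a rendered config should fail; if this is only a collapse artefact of the page rather than the commit, disregard. The `range` over the server's locations and the conditional that the removed `{{ end }}` closes both start outside the hunk. I would restore `location {{ $path }} {` right after the removed `{{ end }}` and leave that `{{ end }}` where it was.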
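Review bot: `modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf;` will most likely run the engine in detection-only mode: if that file is ModSecurity's shipped `modsecurity.conf-recommended` (the README calls it the default recommended configuration) it sets `SecRuleEngine DetectionOnly`, so both flags together only audit-log and block nothing until an operator mounts a config with `SecRuleEngine On`, and the template or the docs should say so, e.g. `# the stock modsecurity.conf is DetectionOnly; mount one with SecRuleEngine On to block`. The directives are also emitted inside every location, so each ingress path re-parses the whole CRS (ModSecurity-nginx compiles rules per `modsecurity_rules_file` occurrence as far as I know), which multiplies reload time and memory with the number of paths; emitting `modsecurity on;` and the rules files once at the `http` level and `modsecurity off;` in locations that opt out would be cheaper. Lastly, `/etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf` is not a file the upstream CRS repository ships (it provides `crs-setup.conf.example` and `rules/`), so this relies on the nginx-slim 0.26 image generating it and deserves a comment naming that origin. The enclosing location block starts and ends outside the hunk.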