Proposal: integrate nginx ingress controller with Modsecurity #116
Comments
@mqliang I've been following the new modsecurity for a while. Once they release v3.0 I will add the option.
@mqliang I was thinking about NAXSI (https://github.com/nbs-system/naxsi), as this is much simpler than mod_security. I think the bigger issue with mod_security would be the false positives, as mod_security doesn't even have a pretty way to visualize threats and so on. Anyway, this is a great idea. I would also add a --modsecurity-rule-exclude to specify an array of excluded rules (that cause false positives and so on), and an operation mode, so that, as with SELinux, we can put mod_security in enforcing, reporting-only or disabled :)
mod_security added JSON logging a while ago, so visualizing these logs is much easier using a SIEM or an ELK stack nowadays. Edited to add: if we add this, we should take care not to introduce a false sense of safety, as most of these WAF products don't play well with HTTP/2 yet (notably naxsi, but I'd bet the same goes for mod_security).
Hmm, this is new to me :) I will take a look then :)
@rikatz naxsi does not support HTTP/2. Edit: I missed @pieterlange's comment about it.
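The two comments above suggest the workflow a practitioner actually follows: run ModSecurity in detection-only mode, ship the JSON audit log to a SIEM, and use the hit counts to decide which rules to exclude. The script below is an added example (not code from this thread or the ingress-nginx project) that does the triage step offline. Its sample lines are constructed to follow the libmodsecurity v3 JSON audit-log layout (`SecAuditLogFormat JSON`); the field names `transaction.producer.secrules_engine` and `transaction.messages[].details.ruleId` are assumptions taken from that layout and should be checked against a real log. Rather than proposing a global `SecRuleRemoveById`, it emits a `ctl:ruleRemoveById` rule scoped to the path where the rule keeps firing, so the rule stays active everywhere else.

```python
"""Triage a libmodsecurity v3 JSON audit log to find rules worth excluding.

Added example; not code from the ingress-nginx project or this thread.
The sample lines are constructed to follow the libmodsecurity v3 JSON
audit-log layout (SecAuditLogFormat JSON): one JSON object per transaction,
with "transaction.producer.secrules_engine" recording the engine mode and
"transaction.messages[].details.ruleId" naming each matched rule. Those
field names are assumed from that layout; check them against a real log.
"""
import json
from collections import Counter, defaultdict


def _tx(client, method, uri, rule_id, message, mode="DetectionOnly"):
    """Build one constructed audit-log entry (helper for the sample only)."""
    return json.dumps({"transaction": {
        "client_ip": client, "unique_id": f"{client}-{uri}",
        "request": {"method": method, "uri": uri},
        "response": {"http_code": 200},
        "producer": {"secrules_engine": mode},
        "messages": [{"message": message,
                      "details": {"ruleId": rule_id, "severity": "2"}}],
    }})


# Constructed sample: one real-looking injection attempt plus a rule that
# fires on every legitimate POST to one endpoint (the false-positive pattern).
SAMPLE_AUDIT_LOG = "\n".join([
    _tx("203.0.113.10", "GET", "/search?q=1'%20OR%201=1--", "942100",
        "SQL Injection Attack Detected via libinjection"),
    _tx("203.0.113.11", "POST", "/api/profile", "920420",
        "Request content type is not allowed by policy"),
    _tx("203.0.113.12", "POST", "/api/profile", "920420",
        "Request content type is not allowed by policy"),
])


def parse_audit_log(text):
    """Return (transactions, skipped_lines); a bad line never aborts triage."""
    transactions, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            transactions.append(json.loads(line)["transaction"])
        except (ValueError, KeyError, TypeError):
            skipped += 1
    return transactions, skipped


def engine_modes(transactions):
    """Count engine modes seen, so you know whether hits were blocks or only alerts."""
    return Counter(tx.get("producer", {}).get("secrules_engine", "unknown")
                   for tx in transactions)


def rule_hits(transactions):
    """Map rule id -> Counter of request paths (query string dropped) it fired on."""
    hits = defaultdict(Counter)
    for tx in transactions:
        path = tx.get("request", {}).get("uri", "").split("?", 1)[0]
        for msg in tx.get("messages", []):
            rule_id = msg.get("details", {}).get("ruleId")
            if rule_id:
                hits[rule_id][path] += 1
    return hits


def suggest_exclusions(transactions, min_hits=2, start_id=10000):
    """Propose per-path exclusions for rules that keep firing on one path.

    A scoped ctl:ruleRemoveById keeps the rule active on every other path,
    unlike a global SecRuleRemoveById. The ids handed out from start_id are
    arbitrary local ids (an assumption); pick a range that does not collide
    with your rule set. Returns [(rule_id, path, count, directive), ...].
    """
    out, next_id = [], start_id
    for rule_id, paths in sorted(rule_hits(transactions).items()):
        for path, count in paths.most_common():
            if count < min_hits:
                continue
            directive = (f'SecRule REQUEST_URI "@beginsWith {path}" '
                         f'"id:{next_id},phase:1,pass,nolog,'
                         f'ctl:ruleRemoveById={rule_id}"')
            out.append((rule_id, path, count, directive))
            next_id += 1
    return out


if __name__ == "__main__":
    txs, bad = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(f"{len(txs)} transactions, {bad} unparseable lines")
    print("engine modes:", dict(engine_modes(txs)))
    for rule_id, path, count, directive in suggest_exclusions(txs):
        print(f"rule {rule_id} hit {path} {count}x ->\n  {directive}")
```

On the sample, only rule 920420 on `/api/profile` crosses the threshold; the single 942100 hit on `/search` is left alone, which is the right outcome since that one looks like a genuine attack. The generated `ctl:` rule must be loaded before the rules it targets (with the OWASP CRS that means the "before CRS" exclusion file), and `engine_modes` is there to stop you reading detection-only alerts as if they had been blocks, the false sense of safety the comment warns about.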
3.0 has been out since November? Or am I missing something? |
cc @kdada |
+1 following |
@tomazzaman I think this is the Core Rule Set, not mod_security 3 itself. The code of this version is here: https://github.com/SpiderLabs/ModSecurity/tree/v3/master but it hasn't been released yet.
3.0.0 rc1 is now released. |
Any update about this? It would be really nice if ModSecurity finally got implemented.
This is a no-go for now. Just adding the library and module to nginx increases the image size by 220MB and also impacts nginx throughput: https://github.com/defanator/modsecurity-performance/wiki#2017-08-28
@aledbf For this feature, I'm thinking about this:
This will create the libs only, and the libraries necessary for mod_security to work are ngx_http_modsecurity_module.so (215kb) and libmodsecurity.so.3.0.0 (30M). So we're going to have an 'init' container with a shared volume containing only those libraries. This could allow us to make a different deployment file: one with mod_security (a Pod with an initContainer and the ingress controller itself) and one without it (nginx-ingress-controller only).
Also, this boolean could be used later in the feature implementation itself, like enabling mod_security per ingress/location and also in directives that disable ModSecurity rules.
Is that a good approach? I was doing some experiments here (using CentOS, not Alpine) and this works fine. If this is OK I'll start a PoC with Alpine and a different deployment, not changing anything in the Ingress Controller code, only the deployment itself. And then we can start thinking about nice features we could have in the ingress controller. Thanks
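The init-container layout proposed in the comment above, written out as a Deployment. This is an added example, not a manifest from the ingress-nginx project; the two image names, the `/build` and `/libs` paths and the Pod labels are assumptions. The only facts taken from the thread are the two library file names and the idea of copying them over a shared volume.

```yaml
# Added example (not from the ingress-nginx project): the init-container
# layout proposed above. Image names and paths are assumptions. The dynamic
# module must be built against the exact nginx version the controller image
# ships, otherwise nginx refuses to load it at startup.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller-modsecurity
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-ingress-controller-modsecurity
  template:
    metadata:
      labels:
        app: nginx-ingress-controller-modsecurity
    spec:
      volumes:
        - name: modsecurity-libs
          emptyDir: {}            # shared only between the containers of this Pod
      initContainers:
        - name: copy-modsecurity-libs
          # hypothetical image holding just the two build artefacts
          image: example.invalid/modsecurity-libs:3.0.0
          command:
            - sh
            - -c
            # the module links against the soname libmodsecurity.so.3, so
            # create that symlink next to the versioned file
            - >
              cp /build/libmodsecurity.so.3.0.0 /build/ngx_http_modsecurity_module.so /libs/ &&
              ln -s libmodsecurity.so.3.0.0 /libs/libmodsecurity.so.3
          volumeMounts:
            - name: modsecurity-libs
              mountPath: /libs
      containers:
        - name: nginx-ingress-controller
          image: example.invalid/nginx-ingress-controller:latest   # hypothetical
          env:
            # lets ngx_http_modsecurity_module.so resolve libmodsecurity at load time
            - name: LD_LIBRARY_PATH
              value: /libs
          volumeMounts:
            - name: modsecurity-libs
              mountPath: /libs
              readOnly: true
```

Two things the manifest alone does not give you: nginx still needs a `load_module /libs/ngx_http_modsecurity_module.so;` line, which with this controller means a custom nginx template since the controller generates nginx.conf itself, and an emptyDir is recreated on every Pod restart, so the init container has to run each time (which is exactly what initContainers do).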
This should be re-opened pending owasp-modsecurity/ModSecurity#1590 |
Any update on this? Would be nice to see waf functionality in the nginx controller. |
@bramvdklinkenberg the modsecurity module is available. Please check https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/modsecurity.md
Hi @aledbf, I saw. I realized I need to ask the question at the kubernetes helm project :).
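What the shipped feature looks like in practice, as an added example rather than the project's own manifests: the two ConfigMap keys and the per-Ingress annotations documented in the user guide linked above. The ConfigMap name and namespace, the hostname, the backend Service and the rule id in the snippet are assumptions; verify the keys against the guide for the controller version you run. The guide states that ModSecurity starts in detection-only mode, which is why the snippet flips the engine to `On` for a single Ingress, the per-location enable/disable the earlier comments asked for.

```yaml
# Added example (not the ingress-nginx project's own manifests). ConfigMap
# name/namespace, hostname, service and the excluded rule id are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration        # must match the controller's --configmap flag
  namespace: ingress-nginx
data:
  enable-modsecurity: "true"            # load the module; engine stays DetectionOnly
  enable-owasp-modsecurity-crs: "true"  # load the bundled OWASP Core Rule Set
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    # Per-location rules: enforce on this Ingress only and drop one rule that
    # false-positives here. The rest of the cluster keeps the global defaults.
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecRuleRemoveById 920420
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 80
```

Roll this out the way the earlier comments describe: leave the ConfigMap defaults (detection-only) cluster-wide, watch the audit log for a while, add exclusions for the rules that fire on legitimate traffic, and only then switch individual Ingresses to `SecRuleEngine On`. The annotation snippet applies at the location level, so a false positive on one application never needs a cluster-wide `SecRuleRemoveById`.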
It would be wonderful if the nginx ingress controller could integrate ModSecurity to provide web application firewall (WAF) functionality; the repository owasp-modsecurity-crs contains a collection of rules that work out of the box.
We could add two knobs to nginx-ingress controller:
@aledbf @bprashanth