NGINX WAF
1 TopicExample NGINX App Protect deployed on Kubernetes Ingress Controller
Problem this snippet solves: This code offers a couple of examples of deploying NGINX App Protect on Kubernetes Ingress Controller, showing one instance protecting traditional Web applications and one protecting API applications. How to use this snippet: The code can be applied manually through kubectl commands or as a part of a CI/CD pipeline. Code : #### Deploy NGINX Plus Ingress for WebApp from Gitlab.com ##### --- apiVersion: apps/v1 kind: Deployment metadata: name: webapp-nginx-ingress namespace: nginx-ingress spec: replicas: 1 selector: matchLabels: app: webapp-nginx-ingress template: metadata: labels: app: webapp-nginx-ingress #annotations: #prometheus.io/scrape: "true" #prometheus.io/port: "9113" spec: serviceAccountName: nginx-ingress imagePullSecrets: - name: containers: - image: name: webapp-nginx-plus-ingress imagePullPolicy: IfNotPresent ports: - name: http containerPort: 80 - name: https containerPort: 443 #- name: prometheus #containerPort: 9113 securityContext: allowPrivilegeEscalation: true runAsUser: 101 #nginx capabilities: drop: - ALL add: - NET_BIND_SERVICE env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name args: - -nginx-plus - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret - -enable-app-protect - -ingress-class=webapp-arcadia-ingress-class #- -v=3 # Enables extensive logging. Useful for troubleshooting. #- -report-ingress-status #- -external-service=nginx-ingress #- -enable-leader-election #- -enable-prometheus-metrics #### WebApp Protect Policy ### --- apiVersion: appprotect.f5.com/v1beta1 kind: APPolicy metadata: name: webapp-dataguard-blocking spec: policy: name: webapp-dataguard-blocking template: name: POLICY_TEMPLATE_NGINX_BASE applicationLanguage: utf-8 enforcementMode: blocking blocking-settings: violations: - name: VIOL_DATA_GUARD alarm: true block: true data-guard: enabled: true maskData: true creditCardNumbers: true usSocialSecurityNumbers: true enforcementMode: ignore-urls-in-list enforcementUrls: [] ### App Protect Logs ### --- apiVersion: appprotect.f5.com/v1beta1 kind: APLogConf metadata: name: logconf spec: filter: request_type: all content: format: default max_request_size: any max_message_size: 5k ### Create Ingress Service #### --- apiVersion: v1 kind: Service metadata: name: webapp-nginx-ingress namespace: nginx-ingress spec: type: NodePort ports: - port: 80 targetPort: 80 nodePort: 30274 protocol: TCP name: http - port: 443 targetPort: 443 nodePort: 30275 protocol: TCP name: https selector: app: webapp-nginx-ingress ### Deploy Arcadia Ingress Service ##### --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: webapp-arcadia-ingress annotations: kubernetes.io/ingress.class: "webapp-arcadia-ingress-class" appprotect.f5.com/app-protect-policy: "default/webapp-dataguard-blocking" appprotect.f5.com/app-protect-enable: "True" appprotect.f5.com/app-protect-security-log-enable: "True" appprotect.f5.com/app-protect-security-log: "default/logconf" appprotect.f5.com/app-protect-security-log-destination: "syslog:server=10.1.20.6:5144" spec: rules: - host: k8s.arcadia-finance.io http: paths: - path: / backend: serviceName: main servicePort: 80 - path: /files backend: serviceName: backend servicePort: 80 - path: /api backend: serviceName: app2 servicePort: 80 - path: /app3 backend: serviceName: app3 servicePort: 80 #### Deploy WebAPI NGINX Plus Ingress for WebAPI from Gitlab.com ##### --- apiVersion: apps/v1 kind: Deployment metadata: name: webapi-nginx-ingress namespace: nginx-ingress spec: replicas: 1 selector: matchLabels: app: webapi-nginx-ingress template: metadata: labels: app: webapi-nginx-ingress #annotations: #prometheus.io/scrape: "true" #prometheus.io/port: "9113" spec: serviceAccountName: nginx-ingress imagePullSecrets: - name: containers: - image: name: webapi-nginx-plus-ingress imagePullPolicy: IfNotPresent ports: - name: http containerPort: 80 - name: https containerPort: 443 #- name: prometheus #containerPort: 9113 securityContext: allowPrivilegeEscalation: true runAsUser: 101 #nginx capabilities: drop: - ALL add: - NET_BIND_SERVICE env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name args: - -nginx-plus - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret - -enable-app-protect - -ingress-class=webapi-arcadia-ingress-class #- -v=3 # Enables extensive logging. Useful for troubleshooting. #- -report-ingress-status #- -external-service=nginx-ingress #- -enable-leader-election #- -enable-prometheus-metrics #### App Protect Policy ### --- apiVersion: appprotect.f5.com/v1beta1 kind: APPolicy metadata: name: webapi-blocking spec: policy: name: webapi-blocking template: name: POLICY_TEMPLATE_NGINX_BASE open-api-files: - link: "http://10.1.20.4/root/nap_kic_openapi/-/raw/master/App/openapi3-arcadia-kic.json" applicationLanguage: utf-8 enforcementMode: blocking blocking-settings: violations: - name: VIOL_MANDATORY_REQUEST_BODY alarm: true block: true - name: VIOL_PARAMETER_LOCATION alarm: true block: true - name: VIOL_MANDATORY_PARAMETER alarm: true block: true - name: VIOL_JSON_SCHEMA alarm: true block: true - name: VIOL_PARAMETER_ARRAY_VALUE alarm: true block: true - name: VIOL_PARAMETER_VALUE_BASE64 alarm: true block: true - name: VIOL_FILE_UPLOAD alarm: true block: true - name: VIOL_URL_CONTENT_TYPE alarm: true block: true - name: VIOL_PARAMETER_STATIC_VALUE alarm: true block: true - name: VIOL_PARAMETER_VALUE_LENGTH alarm: true block: true - name: VIOL_PARAMETER_DATA_TYPE alarm: true block: true - name: VIOL_PARAMETER_NUMERIC_VALUE alarm: true block: true - name: VIOL_PARAMETER_VALUE_REGEXP alarm: true block: true - name: VIOL_URL alarm: true block: true - name: VIOL_PARAMETER alarm: true block: true - name: VIOL_PARAMETER_EMPTY_VALUE alarm: true block: true - name: VIOL_PARAMETER_REPEATED alarm: true block: true ### Create Ingress Service #### --- apiVersion: v1 kind: Service metadata: name: webapi-nginx-ingress namespace: nginx-ingress spec: type: NodePort ports: - port: 80 targetPort: 80 nodePort: 30276 protocol: TCP name: http - port: 443 targetPort: 443 nodePort: 30277 protocol: TCP name: https selector: app: webapi-nginx-ingress ### Deploy Arcadia Ingress Service ##### --- apiVersion: extensions/v1beta1 kind: Ingress metadata: name: webapi-arcadia-ingress annotations: kubernetes.io/ingress.class: "webapi-arcadia-ingress-class" appprotect.f5.com/app-protect-policy: "default/webapi-blocking" appprotect.f5.com/app-protect-enable: "True" appprotect.f5.com/app-protect-security-log-enable: "True" appprotect.f5.com/app-protect-security-log: "default/logconf" appprotect.f5.com/app-protect-security-log-destination: "syslog:server=10.1.20.25:5144" spec: rules: - host: k8s.arcadia-finance.io http: paths: - path: /trading backend: serviceName: main servicePort: 80 - path: /api backend: serviceName: app2 servicePort: 80 Tested this on version: No Version Found904Views1like0Comments