github.com/nginxinc/kubernetes-ingress@v1.12.5/examples-of-custom-resources/waf/README.md

github.com/nginxinc/kubernetes-ingress@v1.12.5/examples-of-custom-resources/waf/README.md (about)

     1  # WAF
     2  
     3  In this example we deploy the NGINX Plus Ingress controller with [NGINX App Protect](https://www.nginx.com/products/nginx-app-protect/), a simple web application and then configure load balancing and WAF protection for that application using the VirtualServer resource.
     4  
     5  ## Prerequisites
     6  
     7  1. Follow the installation [instructions](../../docs/installation.md) to deploy the Ingress controller with NGINX App Protect.
     8  1. Save the public IP address of the Ingress Controller into a shell variable:
     9      ```
    10      $ IC_IP=XXX.YYY.ZZZ.III
    11      ```
    12  1. Save the HTTP port of the Ingress Controller into a shell variable:
    13      ```
    14      $ IC_HTTP_PORT=<port number>
    15      ```
    16  
    17  ## Step 1. Deploy a Web Application
    18  
    19  Create the application deployment and service:
    20  ```
    21  $ kubectl apply -f webapp.yaml
    22  ```
    23  
    24  ## Step 2 - Deploy the AP Policy
    25  
    26  1. Create the syslog service and pod for the App Protect security logs:
    27      ```
    28      $ kubectl apply -f syslog.yaml
    29      ```
    30  1. Create the User Defined Signature, App Protect policy and log configuration:
    31      ```
    32      $ kubectl apply -f ap-apple-uds.yaml
    33      $ kubectl apply -f ap-dataguard-alarm-policy.yaml
    34      $ kubectl apply -f ap-logconf.yaml
    35      ```
    36  
    37  ## Step 3 - Deploy the WAF Policy
    38  
    39  1. Update the `logDest` field from `waf.yaml` with the ClusterIP of the syslog service. For example, if the IP is `10.101.21.110`:
    40      ```yaml
    41      waf:
    42          ...
    43          logDest: "syslog:server=10.101.21.110:514"
    44      ```
    45  
    46  1. Create the WAF policy
    47      ```
    48      $ kubectl apply -f waf.yaml
    49      ```
    50  
    51  Note the App Protect configuration settings in the Policy resource. They enable WAF protection by configuring App Protect with the policy and log configuration created in the previous step.
    52  
    53  ## Step 4 - Configure Load Balancing
    54  
    55  1. Create the VirtualServer Resource:
    56      ```
    57      $ kubectl apply -f virtual-server.yaml
    58      ```
    59  
    60  Note that the VirtualServer references the policy `waf-policy` created in Step 3.
    61  
    62  ## Step 5 - Test the Application
    63  
    64  To access the application, curl the coffee and the tea services. We'll use the --resolve option to set the Host header of a request with `webapp.example.com`
    65  
    66  1. Send a request to the application:
    67      ```
    68      $ curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP http://webapp.example.com:$IC_HTTP_PORT/
    69      Server address: 10.12.0.18:80
    70      Server name: webapp-7586895968-r26zn
    71      ...
    72      ```
    73  
    74  1. Now, let's try to send a request with a suspicious URL:
    75      ```
    76      $ curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP "http://webapp.example.com:$IC_HTTP_PORT/<script>"
    77      <html><head><title>Request Rejected</title></head><body>
    78      ...
    79      ```
    80  1. Lastly, let's try to send some suspicious data that matches the user defined signature.
    81      ```
    82      $ curl --resolve webapp.example.com:$IC_HTTP_PORT:$IC_IP -X POST -d "apple" http://webapp.example.com:$IC_HTTP_PORT/
    83      <html><head><title>Request Rejected</title></head><body>
    84      ...
    85      ```
    86      As you can see, the suspicious requests were blocked by App Protect
    87  
    88  1. To check the security logs in the syslog pod:
    89      ```
    90      $ kubectl exec -it <SYSLOG_POD> -- cat /var/log/messages
    91      ```