github.com/nginxinc/kubernetes-ingress@v1.12.5/examples/appprotect/README.md

# NGINX App Protect Support

In this example we deploy the NGINX Plus Ingress controller with [NGINX App Protect](https://www.nginx.com/products/nginx-app-protect/), a simple web application and then configure load balancing and WAF protection for that application using the Ingress resource.

## Running the Example

## 1. Deploy the Ingress Controller

1. Follow the installation [instructions](../../docs/installation.md) to deploy the Ingress controller with NGINX App Protect.

2. Save the public IP address of the Ingress controller into a shell variable:
```
$ IC_IP=XXX.YYY.ZZZ.III
```
3. Save the HTTPS port of the Ingress controller into a shell variable:
```
$ IC_HTTPS_PORT=<port number>
```

## 2. Deploy the Cafe Application

Create the coffee and the tea deployments and services:
```
$ kubectl create -f cafe.yaml
```

## 3. Configure Load Balancing

1. Create the syslog service and pod for the App Protect security logs:
```
$ kubectl create -f syslog.yaml
```
2. Create a secret with an SSL certificate and a key:
```
$ kubectl create -f cafe-secret.yaml
```
3. Create the App Protect policy, log configuration and user defined signature:
```
$ kubectl create -f ap-dataguard-alarm-policy.yaml
$ kubectl create -f ap-logconf.yaml
$ kubectl create -f ap-apple-uds.yaml
```
4. Create an Ingress Resource:

Update the `appprotect.f5.com/app-protect-security-log-destination` annotation in `cafe-ingress.yaml` with the ClusterIP of the syslog service. For example, if the IP is `10.101.21.110`:
```yaml
. . .
appprotect.f5.com/app-protect-security-log-destination: "syslog:server=10.101.21.110:514"
```
Create the Ingress Resource:
```
$ kubectl create -f cafe-ingress.yaml
```
Note the App Protect annotations in the Ingress resource. They enable WAF protection by configuring App Protect with the policy and log configuration created in the previous step.

## 4. Test the Application

1. To access the application, curl the coffee and the tea services. We'll use `curl`'s `--insecure` option to turn off certificate verification of our self-signed certificate and the `--resolve` option to make `cafe.example.com` resolve to the Ingress controller's IP, so that the Host header of the request is `cafe.example.com`.

To get coffee:
```
$ curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/coffee --insecure
Server address: 10.12.0.18:80
Server name: coffee-7586895968-r26zn
...
```
If you prefer tea:
```
$ curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP https://cafe.example.com:$IC_HTTPS_PORT/tea --insecure
Server address: 10.12.0.19:80
Server name: tea-7cd44fcb4d-xfw2x
...
```
Now, let's try to send a request with a suspicious URL:
```
$ curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP "https://cafe.example.com:$IC_HTTPS_PORT/tea/<script>" --insecure
<html><head><title>Request Rejected</title></head><body>
...
```
Lastly, let's try to send some suspicious data that matches the user defined signature:
```
$ curl --resolve cafe.example.com:$IC_HTTPS_PORT:$IC_IP -X POST -d "apple" "https://cafe.example.com:$IC_HTTPS_PORT/tea/" --insecure
<html><head><title>Request Rejected</title></head><body>
...
```
As you can see, the suspicious requests were blocked by App Protect.

2. To check the security logs in the syslog pod:
```
$ kubectl exec -it <SYSLOG_POD> -- cat /var/log/messages
```
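The four requests in step 4 are easy to turn into a repeatable smoke test that confirms the policy is actually enforced after every change to the Ingress or policy resources. The script below is an added example, not part of the kubernetes-ingress repository; it assumes `IC_IP` and `IC_HTTPS_PORT` are set as in step 1 and classifies each response by the markers shown in the README output (the `Request Rejected` page from App Protect versus the `Server address:` line from the cafe backend).

```shell
# Added example (not from the kubernetes-ingress repo): smoke test for step 4.
# Sends the README's four requests and checks that App Protect blocks the two
# suspicious ones and lets the two benign ones reach the cafe backend.
# Assumes IC_IP and IC_HTTPS_PORT are set as in step 1 of the README.
# Classify a response body: "blocked" if App Protect served its Request Rejected
# page, "allowed" if the cafe backend answered, "unknown" otherwise (e.g. empty).
classify_response() {
  body="$1"
  if printf '%s\n' "$body" | grep -qF '<title>Request Rejected</title>'; then
    echo blocked
  elif printf '%s\n' "$body" | grep -q '^Server address:'; then
    echo allowed
  else
    echo unknown
  fi
}
# Send one request through the Ingress with the same curl options the README
# uses. $1 = path (e.g. /tea), $2 = optional POST body.
send_request() {
  url="https://cafe.example.com:${IC_HTTPS_PORT}$1"
  if [ -n "${2-}" ]; then
    curl -s --resolve "cafe.example.com:${IC_HTTPS_PORT}:${IC_IP}" \
      -X POST -d "$2" "$url" --insecure
  else
    curl -s --resolve "cafe.example.com:${IC_HTTPS_PORT}:${IC_IP}" "$url" --insecure
  fi
}
# Compare the live classification with the expected one ($1); prints PASS/FAIL.
expect() {
  got=$(classify_response "$(send_request "$2" "${3-}")")
  if [ "$got" = "$1" ]; then
    echo "PASS $1 $2"
  else
    echo "FAIL $2: expected $1, got $got"
    return 1
  fi
}
# Run the README's four requests; exit status is non-zero if any check fails.
run_smoke_test() {
  rc=0
  expect allowed /coffee || rc=1
  expect allowed /tea || rc=1
  expect blocked '/tea/<script>' || rc=1   # suspicious URL from the README
  expect blocked /tea/ apple || rc=1       # data matching the user defined signature
  return $rc
}
# Only hit the cluster when the README's shell variables are set.
if [ -n "${IC_IP-}" ] && [ -n "${IC_HTTPS_PORT-}" ]; then run_smoke_test; fi
```

Run it after applying `cafe-ingress.yaml`; a `FAIL` on one of the `blocked` lines usually means the Ingress annotations or the policy and user defined signature objects were not picked up.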