Skip to content

Commit

Permalink
feat(router): adding modsecurity module with OWASP core rule set as s…
Browse files Browse the repository at this point in the history
…ec option
  • Loading branch information
Cryptophobia committed May 22, 2018
1 parent 7c8636d commit 59d5441
Show file tree
Hide file tree
Showing 5 changed files with 40 additions and 2 deletions.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -250,6 +250,7 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`. A
| <a name="enable-regex-domains"></a>deis-router | deployment | [router.deis.io/nginx.enableRegexDomains](#enable-regex-domains) | `"false"` | Whether to _enable_ application-level regex domain that can be explicitly defined for specific applications. With this option enabled, each app can have its own regex domain in server_name blocks of the nginx config. This allows for useful domains like `store-number-\d*.example.com`. |
| <a name="load-tcell-module"></a>deis-router | deployment | [router.deis.io/nginx.loadTcellModule](#load-tcell-module) | `"false"` | Whether to _enable_ the dynamic security nginx module provided by [Tcell](https://tcell.io/) as a [WAF](https://en.wikipedia.org/wiki/Web_application_firewall) on the router. Note this requires that you purchase a Tcell account and have application configured in the Tcell UI. The tcell_agent.config is passed through a configMap object through k8s. Example of the configMap can be found in this [gist](https://gist.github.com/Cryptophobia/648b23f234eeb9538c87b478de401a53). The open source alternative for this is Modsecurity dynamic module. |
| <a name="global-tcell-app-id"></a>deis-router | deployment | [router.deis.io/nginx.globalTcellAppID](#global-tcell-app-id) | N/A | This is the global app id to insert for the Tcell module in the top-most http{} block of the nginx config. To configure an individual app id for each application, you need to use the application annotation below. The application specific app id will take precedence over the global one. |
| <a name="load-modsecurity-module"></a>deis-router | deployment | [router.deis.io/nginx.loadModsecurityModule](#load-modsecurity-module) | `"false"` | Whether to _enable_ the open source dynamic security nginx module [Modsecurity](https://github.com/SpiderLabs/ModSecurity/tree/v3/master) globally for all apps as a [WAF](https://en.wikipedia.org/wiki/Web_application_firewall) on the router. The rule set that Modsecurity will use by default is the [OWASP ModSecurity Core Rule Set (CRS)](https://github.com/SpiderLabs/owasp-modsecurity-crs) and Modsecurity will be turned on to block malicious traffic on all apps if this annotation is enabled. This core rule set can be overwritten by configMap like in the example above for the Tcell module. |
| <a name="default-whitelist"></a>deis-router | deployment | [router.deis.io/nginx.defaultWhitelist](#default-whitelist) | N/A | A default (router-wide) whitelist expressed as a comma-delimited list of addresses (using IP or CIDR notation). Application-specific whitelists can either extend or override this default. |
| <a name="whitelist-mode"></a>deis-router | deployment | [router.deis.io/nginx.whitelistMode](#whitelist-mode) | `"extend"` | Whether application-specific whitelists should extend or override the router-wide default whitelist (if defined). Valid values are `"extend"` and `"override"`. |
| <a name="default-service-enabled"></a>deis-router | deployment | [router.deis.io/nginx.defaultServiceEnabled](#default-service-enabled) | `"false"` | Enables default back-end service for traffic hitting /. In order to work correctly both `defaultServiceIP` and `DefaultAppName` MUST also be set. |
Expand Down
2 changes: 2 additions & 0 deletions model/model.go
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@ type RouterConfig struct {
EnableRegexDomains bool `key:"enableRegexDomains" constraint:"(?i)^(true|false)$"`
LoadTcellModule bool `key:"loadTcellModule" constraint:"(?i)^(true|false)$"`
GlobalTcellAppID string `key:"globalTcellAppID" constraint:"(?i)^([a-z0-9]+(-[a-z0-9]+)*)+[a-z0-9]+$"`
LoadModsecurityModule bool `key:"loadModsecurityModule" constraint:"(?i)^(true|false)$"`
DefaultServiceIP string `key:"defaultServiceIP"`
DefaultAppName string `key:"defaultAppName"`
DefaultServiceEnabled bool `key:"defaultServiceEnabled" constraint:"(?i)^(true|false)$"`
Expand Down Expand Up @@ -96,6 +97,7 @@ func newRouterConfig() (*RouterConfig, error) {
WhitelistMode: "extend",
EnableRegexDomains: false,
LoadTcellModule: false,
LoadModsecurityModule: false,
RequestIDs: false,
SSLConfig: newSSLConfig(),
DefaultServiceEnabled: false,
Expand Down
11 changes: 11 additions & 0 deletions nginx/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,11 @@ worker_processes {{ $routerConfig.WorkerProcesses }};
load_module modules/ngx_http_tcell_agent_module.so;
{{- end }}
{{ if $routerConfig.LoadModsecurityModule -}}
# Loading the Modsecurity connector nginx dynamic module
load_module modules/ngx_http_modsecurity_module.so;
{{- end }}
events {
worker_connections {{ $routerConfig.MaxWorkerConnections }};
# multi_accept on;
Expand Down Expand Up @@ -237,6 +242,12 @@ http {
tcell_app_id {{ $appConfig.TcellAppID }};
{{- end }}
{{ if $routerConfig.LoadModsecurityModule -}}
# Turning on modsecurity if modsecurity module loaded
modsecurity on;
modsecurity_rules_file /opt/router/conf/modsecurity.conf;
{{- end }}
{{ if index $appConfig.Certificates $domain }}
listen 6443 ssl {{ if $routerConfig.HTTP2Enabled }}http2{{ end }} {{ if $routerConfig.UseProxyProtocol }}proxy_protocol{{ end }};
ssl_protocols {{ $sslConfig.Protocols }};
Expand Down
20 changes: 18 additions & 2 deletions rootfs/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ RUN adduser --system \

COPY /bin /bin

RUN buildDeps='gcc make libgeoip-dev libssl-dev libpcre3-dev'; \
RUN buildDeps='gcc make apt-utils libgeoip-dev libssl-dev libpcre3-dev'; \
apt-get update && \
apt-get install -y --no-install-recommends \
$buildDeps \
Expand Down Expand Up @@ -51,6 +51,22 @@ RUN buildDeps='gcc make libgeoip-dev libssl-dev libpcre3-dev'; \
get_src 8c535a2e526a9684afca6c227dc2115eb06681c48103541b97c73716da9f0cf5 "https://s3.amazonaws.com/hephy-artifacts/hephy-router/nginx_tcellagent-1.0.7-agentonly-zuora-linux-x86_64.tar.gz" && \
mv "$PREFIX/modules/nginx_tcellagent-1.0.7-agentonly-zuora-linux-x86_64/ubuntu/xenial/nginx-1.13.7-custom_flags_ssl_1.0.2g/ngx_http_tcell_agent_module.so" . && \
rm -rf "$PREFIX/modules/nginx_tcellagent-1.0.7-agentonly-zuora-linux-x86_64" && \
# include libmodsecurity3 and modsecurity connector dynamic module
modsecurityDeps='apt-utils git libcurl4-openssl-dev libyajl-dev libxml2 libxml2-dev' && \
apt-get install -y --no-install-recommends \
$modsecurityDeps && \
cd "$PREFIX/modules" && \
get_src 2dd0d6dc258da729a42a94ea5118a3b16b2f3f7f91c198342a67f19378656366 "https://s3.amazonaws.com/hephy-artifacts/hephy-router/modsecurity-v3-ubuntu-16.04.tar.gz" && \
mv usr/local/modsecurity /usr/local/modsecurity && \
rm -rf usr && \
get_src_file c9fd4ddb69ba1ce0a3118e529c43f87c3ab216e20900e25863e58537399d2d19 "https://s3.amazonaws.com/hephy-artifacts/hephy-router/ngx_http_modsecurity_module.so" && \
# setup the modsecurity config and OWASP rules
cd "$PREFIX/conf" && \
get_src_file 905d47245003204b338eb1760933ab48a12c6b1a29c6f7080860b6c5d9ad337b "https://s3.amazonaws.com/hephy-artifacts/hephy-router/modsecurity.conf" && \
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git && \
cp -R owasp-modsecurity-crs/rules/ $PREFIX/conf/ && \
cp $PREFIX/conf/owasp-modsecurity-crs/crs-setup.conf.example $PREFIX/conf/crs-setup.conf && \
rm -rf owasp-modsecurity-crs && \
# cleanup
apt-get purge -y --auto-remove $buildDeps && \
apt-get autoremove -y && \
Expand All @@ -76,7 +92,7 @@ RUN buildDeps='gcc make libgeoip-dev libssl-dev libpcre3-dev'; \
COPY . /

# Fix some permissions since we'll be running as a non-root user
RUN chown -R router:router /opt/router
RUN chown -R router:router /opt/router /var/log

USER router

Expand Down
8 changes: 8 additions & 0 deletions rootfs/bin/get_src_file
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/usr/bin/env bash

hash="$1"
url="$2"
f=$(basename "$url")

curl -sSL "$url" -o "$f"
echo "$hash $f" | sha256sum -c - || exit 10

0 comments on commit 59d5441

Please sign in to comment.