From 322a0a81e5b0a4e6cba8eae502bdf21facad985a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Piotr=20Domaga=C5=82a?=
Date: Wed, 4 Sep 2019 20:34:53 +0200
Subject: [PATCH 1/2] chore(nginx): upgrading nginx to latest stable release v1.16.1

---
 rootfs/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile
index 9aeafa6..0204596 100644
--- a/rootfs/Dockerfile
+++ b/rootfs/Dockerfile
@@ -52,7 +52,7 @@ RUN set -x && \
 apt-get install -y --no-install-recommends \
 $buildDeps \
 $runtimeDeps && \
- export NGINX_VERSION=1.14.2 SIGNING_KEY=A1C052F8 \
+ export NGINX_VERSION=1.16.1 SIGNING_KEY=A1C052F8 \
 VTS_VERSION=0.1.18 GEOIP2_VERSION=3.2 \
 MOD_SECURITY_NGINX_VERSION=d7101e13685efd7e7c9f808871b202656a969f4b \
 OWASP_MOD_SECURITY_CRS_VERSION=46171c0ef335f92b26787ce269e397c480286155 \

From d253929ac61764cb1f02b843355b23c565ffe0b0 Mon Sep 17 00:00:00 2001
From: Cryptophobia
Date: Tue, 10 Sep 2019 17:57:46 -0400
Subject: [PATCH 2/2] ref(tcell): DEPRECATION - removing Tcell module security option in nginx

We no longer have access to pre-compiled nginx Tcell.io modules so we are deprecating this feature. Modsecurity open source module is the default suported option now for WAF security on the router.

---
 README.md | 5 +----
 model/model.go | 4 ----
 nginx/config.go | 18 ++----------------
 3 files changed, 3 insertions(+), 24 deletions(-)

diff --git a/README.md b/README.md
index 1a4eca9..62c8e40 100644
--- a/README.md
+++ b/README.md
@@ -248,9 +248,7 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`. A
 | deis-router | deployment | [router.deis.io/nginx.disableServerTokens](#disable-server-tokens) | `"false"` | Enables or disables emitting nginx version in error messages and in the “Server” response header field. |
 | deis-router | deployment | [router.deis.io/nginx.enforceWhitelists](#enforce-whitelists) | `"false"` | Whether to _require_ application-level whitelists that explicitly enumerate allowed clients by IP / CIDR range. With this enabled, each app will drop _all_ requests unless a whitelist has been defined. |
 | deis-router | deployment | [router.deis.io/nginx.enableRegexDomains](#enable-regex-domains) | `"false"` | Whether to _enable_ application-level regex domain that can be explicitly defined for specific applications. With this option enabled, each app can have its own regex domain in server_name blocks of the nginx config. This allows for useful domains like `store-number-\d*.example.com`. |
-| deis-router | deployment | [router.deis.io/nginx.loadTcellModule](#load-tcell-module) | `"false"` | Whether to _enable_ the dynamic security nginx module provided by [Tcell](https://tcell.io/) as a [WAF](https://en.wikipedia.org/wiki/Web_application_firewall) on the router. Note this requires that you purchase a Tcell account and have application configured in the Tcell UI. The tcell_agent.config is passed through a configMap object through k8s. Example of the configMap can be found in this [gist](https://gist.github.com/Cryptophobia/648b23f234eeb9538c87b478de401a53). The open source alternative for this is Modsecurity dynamic module. |
-| deis-router | deployment | [router.deis.io/nginx.globalTcellAppID](#global-tcell-app-id) | N/A | This is the global app id to insert for the Tcell module in the top-most http{} block of the nginx config. To configure an individual app id for each application, you need to use the application annotation below. 
The application specific app id will take precedence over the global one. |
-| deis-router | deployment | [router.deis.io/nginx.loadModsecurityModule](#load-modsecurity-module) | `"false"` | Whether to _enable_ the open source dynamic security nginx module [Modsecurity](https://github.com/SpiderLabs/ModSecurity/tree/v3/master) globally for all apps as a [WAF](https://en.wikipedia.org/wiki/Web_application_firewall) on the router. The rule set that Modsecurity will use by default is the [OWASP ModSecurity Core Rule Set (CRS)](https://github.com/SpiderLabs/owasp-modsecurity-crs) and Modsecurity will be turned on to block malicious traffic on all apps if this annotation is enabled. This core rule set can be overwritten by configMap like in the example above for the Tcell module. |
+| deis-router | deployment | [router.deis.io/nginx.loadModsecurityModule](#load-modsecurity-module) | `"false"` | Whether to _enable_ the open source dynamic security nginx module [Modsecurity](https://github.com/SpiderLabs/ModSecurity/tree/v3/master) globally for all apps as a [WAF](https://en.wikipedia.org/wiki/Web_application_firewall) on the router. The rule set that Modsecurity will use by default is the [OWASP ModSecurity Core Rule Set (CRS)](https://github.com/SpiderLabs/owasp-modsecurity-crs) and Modsecurity will be turned on to block malicious traffic on all apps if this annotation is enabled. This core rule set can be overwritten by configMap and mounted as a volumeMount. |
 | deis-router | deployment | [router.deis.io/nginx.defaultWhitelist](#default-whitelist) | N/A | A default (router-wide) whitelist expressed as a comma-delimited list of addresses (using IP or CIDR notation). Application-specific whitelists can either extend or override this default. |
 | deis-router | deployment | [router.deis.io/nginx.whitelistMode](#whitelist-mode) | `"extend"` | Whether application-specific whitelists should extend or override the router-wide default whitelist (if defined). 
Valid values are `"extend"` and `"override"`. |
 | deis-router | deployment | [router.deis.io/nginx.defaultServiceEnabled](#default-service-enabled) | `"false"` | Enables default back-end service for traffic hitting /. In order to work correctly both `defaultServiceIP` and `DefaultAppName` MUST also be set. |
@@ -280,7 +278,6 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`. A
 | deis-builder | service | [router.deis.io/nginx.tcpTimeout](#builder-tcp-timeout) | `"1200s"` | nginx `proxy_timeout` setting expressed in units `ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `y`. |
 | routable application | service | [router.deis.io/domains](#app-domains) | N/A | Comma-delimited list of domains for which traffic should be routed to the application. These may be fully qualified (e.g. `foo.example.com`) or, if not containing any `.` character, will be considered subdomains of the router's domain, if that is defined. |
 | routable application | service | [router.deis.io/regexDomain](#app-regex-domain) | N/A | A string that represents the regex domain for which traffic should be routed to the application. This is the regex domain (e.g. `foo-store-\d*`) if not containing any `.` character and will be considered a subdomain of the router's domain, if that is defined. The regex domain cannot be a fully qualified name (e.g. `foo-store-\d*.example.com`) for safety and security right now. This feature must be enabled on the router via enable-regex-domain annotation above. |
-| routable application | service | [router.deis.io/tcellAppID](#app-tcell-app-id) | N/A | This is the individual app id to insert for the Tcell module in the server{} block of the nginx config for each app. The application specific app id will take precedence over the global one if defined. |
 | routable application | service | [router.deis.io/certificates](#app-certificates) | N/A | Comma delimited list of mappings between domain names (see `router.deis.io/domains`) and the certificate to be used for each. The domain name and certificate name must be separated by a colon. See the [SSL section](#ssl) below for further details. 
|
 | routable application | service | [router.deis.io/whitelist](#app-whitelist) | N/A | Comma-delimited list of addresses permitted to access the application (using IP or CIDR notation). These may either extend or override the router-wide default whitelist (if defined). Requests from all other addresses are denied. |
 | routable application | service | [router.deis.io/connectTimeout](#app-connect-timeout) | `"30s"` | nginx `proxy_connect_timeout` setting expressed in units `ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `y`. |
diff --git a/model/model.go b/model/model.go
index 671294b..ffbd0bf 100644
--- a/model/model.go
+++ b/model/model.go
@@ -57,8 +57,6 @@ type RouterConfig struct {
 DefaultWhitelist []string `key:"defaultWhitelist" constraint:"^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))?(\\s*,\\s*)?)+$"`
 WhitelistMode string `key:"whitelistMode" constraint:"^(extend|override)$"`
 EnableRegexDomains bool `key:"enableRegexDomains" constraint:"(?i)^(true|false)$"`
- LoadTcellModule bool `key:"loadTcellModule" constraint:"(?i)^(true|false)$"`
- GlobalTcellAppID string `key:"globalTcellAppID" constraint:"(?i)^([a-z0-9]+(-[a-z0-9]+)*)+[a-z0-9]+$"`
 LoadModsecurityModule bool `key:"loadModsecurityModule" constraint:"(?i)^(true|false)$"`
 DefaultServiceIP string `key:"defaultServiceIP"`
 DefaultAppName string `key:"defaultAppName"`
@@ -99,7 +97,6 @@ func newRouterConfig() (*RouterConfig, error) {
 EnforceWhitelists: false,
 WhitelistMode: "extend",
 EnableRegexDomains: false,
- LoadTcellModule: false,
 LoadModsecurityModule: false,
 RequestIDs: false,
 SSLConfig: newSSLConfig(),
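Review bot: Removing `LoadTcellModule` and `GlobalTcellAppID` from RouterConfig means a deployment that still carries the `router.deis.io/nginx.loadTcellModule` annotation set to `"true"` will, depending on how the annotation loader treats keys with no matching struct field (not visible in this hunk), be either rejected or silently ignored; the silent case is the one to worry about, since an operator who relied on that module as their WAF loses it with no signal, and `LoadModsecurityModule` still defaults to false in the newRouterConfig hunk below. Consider emitting a deprecation warning when the removed key is present on the deployment and carrying the same caveat in a comment on the struct, e.g. `// loadTcellModule and globalTcellAppID were removed; the annotation is no longer honored, so enable loadModsecurityModule for WAF coverage.` The RouterConfig definition and newRouterConfig both continue outside their hunks.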
@@ -145,7 +142,6 @@ type AppConfig struct {
 Name string
 Domains []string `key:"domains" constraint:"(?i)^((([a-z0-9]+(-*[a-z0-9]+)*)|((\\*\\.)?[a-z0-9]+(-*[a-z0-9]+)*\\.)+[a-z0-9]+(-*[a-z0-9]+)+)(\\s*,\\s*)?)+$"`
 RegexDomain string `key:"regexDomain"`
- TcellAppID string `key:"tcellAppID" constraint:"(?i)^([a-z0-9]+(-[a-z0-9]+)*)+[a-z0-9]+$"`
 Whitelist []string `key:"whitelist" constraint:"^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))?(\\s*,\\s*)?)+$"`
 ConnectTimeout string `key:"connectTimeout" constraint:"^[1-9]\\d*(ms|[smhdwMy])?$"`
 TCPTimeout string `key:"tcpTimeout" constraint:"^[1-9]\\d*(ms|[smhdwMy])?$"`
diff --git a/nginx/config.go b/nginx/config.go
index a4f3626..fba0deb 100644
--- a/nginx/config.go
+++ b/nginx/config.go
@@ -16,11 +16,6 @@ const (
 pid /tmp/nginx.pid;
 worker_processes {{ $routerConfig.WorkerProcesses }};
 
-{{ if $routerConfig.LoadTcellModule -}}
-# Loading the Tcell nginx dynamic module
-load_module modules/ngx_http_tcell_agent_module.so;
-{{- end }}
-
 {{ if $routerConfig.LoadModsecurityModule -}}
 # Loading the Modsecurity connector nginx dynamic module
 load_module modules/ngx_http_modsecurity_module.so;
@@ -39,11 +34,6 @@ http {
 vhost_traffic_status_zone shared:vhost_traffic_status:{{ $routerConfig.TrafficStatusZoneSize }};
 
- {{ if and $routerConfig.LoadTcellModule $routerConfig.GlobalTcellAppID -}}
- # Including the global Tcell AppID
- tcell_app_id {{ $routerConfig.GlobalTcellAppID }};
- {{- end }}
-
 # The timeout value must be greater than the front facing load balancers timeout value.
 # Default is the deis recommended timeout value for ELB - 1200 seconds + 100s extra.
 keepalive_timeout {{ $routerConfig.DefaultTimeout }};
@@ -191,7 +181,7 @@ http {
 # set header size limits
 {{ if $routerConfig.HTTP2Enabled }} http2_max_header_size {{ $routerConfig.HTTP2MaxHeaderSize }}; {{ end }}
 {{ if $routerConfig.HTTP2Enabled }} http2_max_field_size {{ $routerConfig.HTTP2MaxFieldSize }}; {{ end }}
-
+
 set $app_name "router-default-vhost";
 ssl_protocols {{ $sslConfig.Protocols }};
 {{ if ne $sslConfig.Ciphers "" }}ssl_ciphers {{ $sslConfig.Ciphers }};{{ end }}
@@ -256,10 +246,6 @@ http {
 port_in_redirect off;
 set $app_name "{{ $appConfig.Name }}";
 
- {{ if and $routerConfig.LoadTcellModule $appConfig.TcellAppID -}}
- tcell_app_id {{ $appConfig.TcellAppID }};
- {{- end }}
-
 {{ if $routerConfig.LoadModsecurityModule -}}
 # Turning on modsecurity if modsecurity module loaded
 modsecurity on;
@@ -269,7 +255,7 @@ http {
 # set header size limits
 {{ if $routerConfig.HTTP2Enabled }} http2_max_header_size {{ $routerConfig.HTTP2MaxHeaderSize }}; {{ end }}
 {{ if $routerConfig.HTTP2Enabled }} http2_max_field_size {{ $routerConfig.HTTP2MaxFieldSize }}; {{ end }}
-
+
 {{ if index $appConfig.Certificates $domain }}
 listen 6443 ssl {{ if $routerConfig.HTTP2Enabled }}http2{{ end }} {{ if $routerConfig.UseProxyProtocol }}proxy_protocol{{ end }};
 ssl_protocols {{ $sslConfig.Protocols }};