I enabled modsecurity: "true" and enable-owasp-modsecurity-crs: "true" via the configmap of the nginx ingress controller according to this link. In the annotation of the ingress I set SecRuleEngine On.
When I use nikto to do some scans and try to trigger the OWASP rules, I only see 400 responses in the ingress logging. I would expect 403 responses. Does anyone have any idea what I am doing wrong or what to check?
Followed the instructions on:
https://karlstoney.com/2018/02/23/nginx-ingress-modsecurity-and-secchatops/
The only thing I had to change was "SecAuditLog /var/log/modsec/audit.log". I changed it to SecAuditLog /var/log/modsec_audit.log
I'm trying to change an existing external HTTPS LBS configuration to apply advanced custom-header-based routing rules on GCloud, but I get the following error when updating the url-map:
HTTPError 400: Invalid value for field 'resource.defaultService': ... Advanced routing rules are not supported for scheme EXTERNAL
The current setup is a Kubernetes workload (deployment) exposed as a service and has path-based ingress rules. FYI, path-based LBS works.
Sample url-map:
    kind: compute#urlMap
    name: k8s-um-development-lbs-test
    defaultService: https://www.googleapis.com/compute/v1/projects/beans-cloud/global/backendServices/backend-1
    hostRules:
    - hosts:
      - '*'
      pathMatcher: user-agent-matcher
    pathMatchers:
    - name: user-agent-matcher
      routeRules:
      - matchRules:
        - prefixMatch: /
          headerMatches:
          - headerName: User-Agent
            regexMatch: "*Pattern-1*"
        priority: 0
        service: https://www.googleapis.com/compute/v1/projects/beans-cloud/global/backendServices/backend-1
      - matchRules:
        - prefixMatch: /
          headerMatches:
          - headerName: User-Agent
            regexMatch: "*Pattern-2*"
        priority: 1
        service: https://www.googleapis.com/compute/v1/projects/beans-cloud/global/backendServices/backend-2
      defaultService: https://www.googleapis.com/compute/v1/projects/beans-cloud/global/backendServices/backend-1
    selfLink: https://www.googleapis.com/compute/v1/projects/beans-cloud/global/urlMaps/k8s-um-development-lbs-test
I want to confirm that it is only possible to use it with the HTTP(S) Load Balancer. So, if you want to rewrite or modify the URL, please review how to do so here.
Just to have more references, here is another reference, but please consider that this one is only for the Internal Load Balancer (also HTTP(S)).
And as a last thing, I add the information that it is currently not possible to customize the headers for external HTTP(S) Load Balancers; please put a comment here in order to be informed about any update on it.
Regards and Happy New Year.
I want to read the request URI (excluding hostname and request params) and forward it in a custom header to an upstream server. I have been through several blogs where they have mentioned using $request_uri, but it's not working.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header RequestURI $request_uri;
May I know which language is used to write scripts in annotation snippets? And is there any list of variables which are provided by default by the ingress controller that we can use inside annotations?
Thanks
which language is used to write scripts in annotation snippets?
There is no special language; the format is the Nginx configuration format.
Everything you put there will be added to the location section related to your Ingress route in the Nginx configuration generated by the Ingress controller.
is there is any list of variables which are by-default provided by ingress controller that we can use inside annotations?
Here is a list of embedded Nginx variables.
I am working on a Kubernetes cluster and the problem I face is:
From the UI/browser, I can see it is sending a request header called "request_id"; please refer to the image:
But while checking on the backend it is unavailable. While searching the internet, I could see that people are talking about adding the following entry to the Ingress object:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_set_header request_id "$req_id";
But it is generating a new value for this and not passing the value submitted by the browser.
Any ideas, what might be missing here?
If you want to pass a custom header to your backend, you need to use this kind of annotation:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "Request-Id: $request_id";
In your configuration you are using the variable $req_id, but you need to pass the variable sent by the UI/browser.
Basically, ingress-nginx-controller drops any request headers that contain "_" in them. You can find various threads which discuss this issue, like:
Why HTTP servers forbid underscores in HTTP header names
So, I just enabled the ingress controller to pass such request headers. This can be done by adding the following entry to the configmap "nginx-configuration":
    data:
      enable-underscores-in-headers: "true"
IMO, this is a much cleaner solution, as there could be many applications that might use "_" in request headers.
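As an added illustration (not part of either answer), this Python model shows which request headers reach the backend with and without enable-underscores-in-headers, and why enabling it lets "request_id" and "Request-Id" both feed the same $http_request_id variable. The header names and values are constructed samples.

```python
def nginx_variable_name(header_name):
    """Name of the $http_* variable nginx derives from a request header:
    the field name lower-cased, with dashes replaced by underscores."""
    return "$http_" + header_name.lower().replace("-", "_")


def headers_seen_by_upstream(request_headers, underscores_in_headers=False):
    """Model nginx's default treatment of header names containing '_': they are
    silently dropped unless underscores_in_headers is on (the ingress ConfigMap
    key enable-underscores-in-headers). Returns the forwarded headers and, per
    $http_* variable, the list of incoming header names that would feed it.
    More than one name per variable means the variable's value is ambiguous."""
    forwarded = {}
    feeds = {}
    for name, value in request_headers:
        if "_" in name and not underscores_in_headers:
            continue  # nginx marks the header invalid and never forwards it
        forwarded[name] = value
        feeds.setdefault(nginx_variable_name(name), []).append(name)
    return forwarded, feeds


def ambiguous_variables(request_headers, underscores_in_headers=False):
    """Variables that would be fed by two or more differently spelled headers."""
    _, feeds = headers_seen_by_upstream(request_headers, underscores_in_headers)
    return sorted(var for var, names in feeds.items() if len(names) > 1)


# Constructed sample: the header the browser sends in the question.
BROWSER_HEADERS = [("Host", "app.example.internal"), ("request_id", "abc-123")]
# Constructed sample: the same request with a dashed sibling header added.
AMBIGUOUS_HEADERS = BROWSER_HEADERS + [("Request-Id", "xyz-789")]
```

Once underscores are enabled, a backend that reads the id through the $http_request_id variable should treat a collision like the second sample as untrusted rather than picking whichever header nginx happens to expose.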
I'm trying to achieve the redirect configuration of Traefik on one of the containers in the docker-compose file. I found a similar configuration called merge_slashes in the Nginx service configuration. This is exactly the behavior I want to achieve.
Tried the regex alternative approach for Nginx described here: https://www.ctrl.blog/entry/relative-double-slashes-url.html
    rewrite ^(.*)//(.*)$ $1/$2;
    rewrite ^ $uri permanent;
But this approach does not work for Traefik.
    labels:
      traefik.merge_slashes.frontend.rule: 'Host:${PROJECT_BASE_URL}'
      traefik.merge_slashes.frontend.redirect.regex: '(.*)\\/\\/+(.*)'
      traefik.merge_slashes.frontend.redirect.replacement: '$${1}/$${2}'
      traefik.merge_slashes.frontend.redirect.permanent: 'true'
Something close to what I expected is achieved by using the following configuration:
    labels:
      traefik.merge_slashes.frontend.rule: 'Host:${PROJECT_BASE_URL}'
      traefik.merge_slashes.frontend.redirect.regex: '(.*\\:\\/\\/.*)\\/\\/+(.*)'
      traefik.merge_slashes.frontend.redirect.replacement: '$${1}/$${2}'
      traefik.merge_slashes.frontend.redirect.permanent: 'true'
But this can lead to a too-many-redirects issue with a URL like:
http://localhost/some/////////////////////////////////////////////example///url
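To see why the second rule set runs into the redirect limit, here is an added Python simulation (not part of the question or of Traefik) that applies a redirect regex once per hop, which I assume is how Traefik's redirect.regex/replacement pair behaves, and counts the hops. The greedy `(.*://.*)//+(.*)` removes exactly one surplus slash per redirect, so a URL with more surplus slashes than the client's redirect limit never converges; the alternative pattern shown is my suggestion, collapses every run in one hop, and avoids lookaround so it stays valid for Go's RE2 engine. The sample URLs are constructed, and `\1/\2` is the Python spelling of the compose-escaped `$${1}/$${2}`.

```python
import re

# Constructed sample URL with two runs of repeated slashes (5 and 3 slashes).
SAMPLE_URL = "http://localhost/some/////example///url"
# Constructed long variant in the spirit of the URL from the question.
LONG_URL = "http://localhost/some/" + "/" * 40 + "example///url"

# Second rule set from the question, in Python replacement syntax.
GREEDY_PATTERN = r"(.*://.*)//+(.*)"
GREEDY_REPL = r"\1/\2"

# Suggested alternative: a character that is neither ':' nor '/' followed by two
# or more slashes. '[^:/]' keeps the '://' after the scheme intact, and every
# run of slashes is a separate match, so one substitution pass fixes them all.
SINGLE_PASS_PATTERN = r"([^:/])/{2,}"
SINGLE_PASS_REPL = r"\1/"


def redirect_chain(url, pattern, repl, limit=20):
    """Simulate a client following permanent redirects produced by a regex
    redirect rule. Each hop applies one substitution pass over the whole URL
    (assumed Traefik behaviour). Returns the URLs visited, starting with `url`,
    and stops when the URL no longer changes or `limit` hops have been followed
    (20 is a typical browser limit before it reports too many redirects)."""
    regex = re.compile(pattern)
    chain = [url]
    for _ in range(limit):
        nxt = regex.sub(repl, chain[-1])
        if nxt == chain[-1]:
            break
        chain.append(nxt)
    return chain


def hops(url, pattern, repl, limit=20):
    """Redirects followed before the URL stabilises or the limit is reached."""
    return len(redirect_chain(url, pattern, repl, limit)) - 1


def converges(url, pattern, repl, limit=20):
    """True if the last URL of the chain has no repeated slashes after the scheme."""
    final_path = redirect_chain(url, pattern, repl, limit)[-1].split("://", 1)[1]
    return "//" not in final_path


def excess_slashes(url):
    """Slashes merge_slashes would remove: every slash beyond the first of each run."""
    path = url.split("://", 1)[1]
    return sum(len(m.group(0)) - 1 for m in re.finditer(r"/{2,}", path))
```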
Is there a way to tell Traefik not to overwrite the response body when the response code is > 400?
The goal is to keep the body of a 404 or a 401 response.
The goal is not to have a custom error page but the real error page from the backend.
The environment is a Kubernetes cluster where Traefik is the ingress provider; the storage used by Traefik is Consul.
This answers my question: https://github.com/containous/traefik/issues/4114
This is not possible, since the net/http golang lib is implementing RFC 7230 sec. 3.1.2 hardly, and does not plan to change it.