Enable ModSec WAF On RKE2 Ingress

ModSec / ModSecurity is an open-source web application firewall (WAF) engine. On its own it provides the rule language and the hooks to inspect requests and responses; the detection logic comes from a rule set, most commonly the OWASP Core Rule Set (CRS), which is what the ingress-nginx image bundled with RKE2 ships.

Placed on the ingress, the WAF inspects every request headed for the applications behind it, logs what matched which rule and, once the rule engine is set to On rather than the default DetectionOnly, blocks the request.

A WAF in front of the web tier lowers the exposure to common attack classes such as cross-site scripting, SQL injection, local/remote file inclusion, protocol violations and brute-force or scanner traffic. It is a compensating control, not a substitute for fixing the application, and its value depends on the rule set being loaded and the engine actually being in blocking mode.

Steps

This assumes an existing Kubernetes cluster provisioned by RKE2 with the bundled rke2-ingress-nginx controller enabled (it runs in kube-system).

  • Create a HelmChartConfig for the bundled rke2-ingress-nginx chart with the values below. RKE2 merges valuesContent over the chart's own defaults, so only the keys being overridden are listed. The ConfigMap named in extraVolumes must exist in kube-system before the controller pods restart, otherwise they sit in ContainerCreating waiting for the volume.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        use-forwarded-headers: "true"
        enable-modsecurity: "true"
        enable-owasp-modsecurity-crs: "true"
        modsecurity-snippet: |
          Include /etc/nginx/owasp-modsecurity-crs/custom/custom-modsecurity.conf
      extraVolumeMounts:
        - name: modsecurity-config
          mountPath: /etc/nginx/owasp-modsecurity-crs/custom/
      extraVolumes:
        - name: modsecurity-config
          configMap:
            name: modsecurity-config

Explanation (the controller.config keys end up in the ingress-nginx ConfigMap, whose values must be strings, hence the quoted "true"):

    controller:
      config:

# honour X-Forwarded-* headers from the load balancer in front of the ingress, so rules and audit logs see the real client address; only enable this when a trusted proxy sets those headers, otherwise clients can spoof them
        use-forwarded-headers: "true"

# load the ModSecurity nginx module and the OWASP Core Rule Set shipped in the controller image
        enable-modsecurity: "true"
        enable-owasp-modsecurity-crs: "true"

# ModSecurity directives added to the global configuration; here just an Include of the custom rule file mounted below
        modsecurity-snippet: |
          Include /etc/nginx/owasp-modsecurity-crs/custom/custom-modsecurity.conf

# mount the modsecurity-config ConfigMap at the directory the Include points to; each ConfigMap key becomes a file in that directory, so the key must be custom-modsecurity.conf
      extraVolumeMounts:
        - name: modsecurity-config
          mountPath: /etc/nginx/owasp-modsecurity-crs/custom/
      extraVolumes:
        - name: modsecurity-config
          configMap:
            name: modsecurity-config

Apply the HelmChartConfig with kubectl. The RKE2 helm controller then re-runs the chart install job with the merged values and rolls the ingress controller pods:

kubectl apply -f /path/to/the/helmchartconfig.yaml

  • Create the custom ModSecurity rule file. Name it custom-modsecurity.conf: the Include line in the snippet expects that file under the mount path, and a ConfigMap key becomes the file name, so the file must be stored under exactly that key in the modsecurity-config ConfigMap in kube-system.

# ingress-nginx's base modsecurity.conf leaves this at DetectionOnly (log only).
# Can be any of: DetectionOnly, On, Off. On is what actually blocks.
SecRuleEngine On

# Do not advertise the ModSecurity version in response headers
SecStatusEngine Off

# Audit log as JSON on stdout, so it lands in the controller pod's log.
# RelevantOnly records transactions that triggered a rule or returned a status
# matching SecAuditLogRelevantStatus (4xx/5xx except 404 in the default
# modsecurity.conf); On records every request and is expensive.
SecAuditLog /dev/stdout
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly # could be On/Off/RelevantOnly

# Max request body sizes in bytes (with/without file uploads). Keep these in
# step with ingress-nginx's own limit (proxy-body-size in the controller
# ConfigMap, or the nginx.ingress.kubernetes.io/proxy-body-size annotation),
# otherwise one of the two layers rejects uploads the other would allow.
SecRequestBodyLimit 20971520 # 20Mb (default is 12.5Mb)
SecRequestBodyNoFilesLimit 262144 # 250Kb (default is 128Kb)
SecRequestBodyLimitAction Reject # Reject if larger (ProcessPartial would inspect only the first bytes and let the rest through)

# Recommended limits for PCRE matching, to bound regex backtracking. See https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/656#issuecomment-262780221
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000

# Add PUT/PATCH/DELETE to the allowed methods, otherwise CRS rule 911100
# rejects them. Both this action and 911100 run in phase 1, and phase order is
# load order, so this only takes effect if this file is loaded before the CRS
# rule files: check the order of the modsecurity_rules_file / modsecurity_rules
# entries in the rendered nginx.conf inside the controller pod.
SecAction "id:900200,phase:1,nolog,pass,t:none,\
   setvar:tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE"
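As an added example (not code from the original post, nor from RKE2 or ingress-nginx), the helper below fills in the step the procedure leaves implicit and gives a way to check the result: it packages the rule file as the modsecurity-config ConfigMap in kube-system under the key custom-modsecurity.conf so the file name matches the Include line, lints the directives for the two traps that matter most (engine left in DetectionOnly, body limit out of step with proxy-body-size), summarises the JSON audit records the controller prints to its log, and can probe an ingress host with one benign and one SQL-injection request. CONFIGMAP_NAME, NAMESPACE and RULES_KEY mirror the HelmChartConfig above; the audit-record layout (transaction.request, transaction.response, transaction.messages[].details.ruleId) is assumed from ModSecurity v3's JSON format; the embedded rule file and audit record are constructed samples.

```python
"""Added example, not code from the original post nor from RKE2/ingress-nginx.
Builds the ConfigMap the HelmChartConfig mounts, lints the custom rule file,
summarises ModSecurity v3 JSON audit records and optionally probes an ingress."""
import json
import re
import shlex
import sys
import urllib.error
import urllib.request

CONFIGMAP_NAME = "modsecurity-config"  # extraVolumes[].configMap.name in the chart values
NAMESPACE = "kube-system"              # where rke2-ingress-nginx runs
RULES_KEY = "custom-modsecurity.conf"  # file name used in the snippet's Include line
PROXY_BODY_SIZE = 20 * 1024 * 1024     # assumed ingress-nginx proxy-body-size to stay in sync with

# The rule file from the post, embedded so the checks run offline.
SAMPLE_RULES = """\
SecRuleEngine On
SecStatusEngine Off
SecAuditLog /dev/stdout
SecAuditLogFormat JSON
SecAuditEngine RelevantOnly # could be On/Off/RelevantOnly
SecRequestBodyLimit 20971520 # 20Mb
SecRequestBodyNoFilesLimit 262144 # 250Kb
SecRequestBodyLimitAction Reject
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
SecAction "id:900200,phase:1,nolog,pass,t:none,\\
   setvar:tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE"
"""

# Constructed audit record in the v3 JSON shape, trimmed to the fields read below.
SAMPLE_AUDIT = json.dumps({"transaction": {
    "client_ip": "10.42.0.1",
    "request": {"method": "GET", "uri": "/?id=1%27%20OR%201%3D1--", "headers": {}},
    "response": {"http_code": 403, "headers": {}},
    "messages": [
        {"message": "SQL Injection Attack Detected via libinjection",
         "details": {"ruleId": "942100", "severity": "2"}},
        {"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
         "details": {"ruleId": "949110", "severity": "2"}}]}})


def parse_directives(text):
    """Map directive -> list of argument lists. Folds backslash-continued lines and
    drops '#' comments, trailing ones included, but leaves '#' inside quotes alone."""
    folded = re.sub(r"\\\n\s*", " ", text)
    out = {}
    for line in folded.splitlines():
        try:
            toks = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote inside a regex: keep the raw words
            toks = line.split()
        if toks:
            out.setdefault(toks[0], []).append(toks[1:])
    return out


def lint_rules(text, proxy_body_size=PROXY_BODY_SIZE):
    """Return (engine_mode, body_limit, warnings) for a custom rule file."""
    d = parse_directives(text)

    def last(name, default):  # last occurrence wins, as in ModSecurity itself
        return d.get(name, [[default]])[-1][0]

    engine = last("SecRuleEngine", "DetectionOnly")       # ingress-nginx base conf default
    limit = int(last("SecRequestBodyLimit", "13107200"))  # ModSecurity default, 12.5 MB
    warnings = []
    if engine != "On":
        warnings.append(f"SecRuleEngine {engine}: matches are logged but not blocked")
    if limit != proxy_body_size:
        warnings.append(f"SecRequestBodyLimit {limit} != proxy-body-size {proxy_body_size}")
    if last("SecAuditEngine", "RelevantOnly") == "On":
        warnings.append("SecAuditEngine On writes an audit record for every request")
    return engine, limit, warnings


def configmap_manifest(rules_text):
    """The ConfigMap the chart values mount; kubectl apply accepts JSON manifests."""
    return {"apiVersion": "v1", "kind": "ConfigMap",
            "metadata": {"name": CONFIGMAP_NAME, "namespace": NAMESPACE},
            "data": {RULES_KEY: rules_text}}


def summarize_audit(line):
    """Reduce one JSON audit record to client, request, status and matched rules."""
    tx = json.loads(line)["transaction"]
    return {"client": tx["client_ip"], "method": tx["request"]["method"],
            "uri": tx["request"]["uri"], "status": tx["response"]["http_code"],
            "rules": [(m["details"]["ruleId"], m["message"]) for m in tx.get("messages", [])]}


def probe(base_url, path, timeout=5):
    """GET base_url+path and return the HTTP status, 4xx/5xx included."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    cmd = sys.argv[1] if len(sys.argv) > 1 else "lint"
    if cmd == "manifest":      # modsec_check.py manifest custom-modsecurity.conf | kubectl apply -f -
        print(json.dumps(configmap_manifest(open(sys.argv[2]).read()), indent=2))
    elif cmd == "audit":       # kubectl -n kube-system logs ds/<controller> | modsec_check.py audit
        for raw in sys.stdin:
            if raw.startswith("{"):
                print(summarize_audit(raw))
    elif cmd == "probe":       # modsec_check.py probe https://app.example.com
        for path, want in {"/": 200, "/?id=1%27%20OR%201%3D1--": 403}.items():
            got = probe(sys.argv[2], path)
            print(f"{path}: {got} ({'ok' if got == want else f'expected {want}'})")
    else:
        print(lint_rules(SAMPLE_RULES))
```

Run the manifest mode and apply its output before the HelmChartConfig, so the volume exists when the controller pods restart. The audit mode takes the controller pod log (in a default RKE2 install the DaemonSet is rke2-ingress-nginx-controller in kube-system; adjust if yours differs) and prints one line per blocked or flagged transaction with the CRS rule ids. The probe mode is the end-to-end check: with SecRuleEngine On the injected query should come back 403 via CRS rule 942100 and the anomaly-score rule 949110, while with DetectionOnly it returns 200 and the match only shows up in the audit log.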

Result

(Screenshots in the original post: the Helm chart config job log, and OWASP CRS audit log lines from the ingress controller pod.)
