feat(setup-waf): [INFRA-1167] create WAF for firefox-api-proxy#42
feat(setup-waf): [INFRA-1167] create WAF for firefox-api-proxy#42hyperparabolic merged 3 commits intomainfrom
Conversation
Going with a relatively permissive initial setup here. Traffic originating from the CDN is all permitted, and a fairly loose rate limit is in place for direct requests. This change requires a newer version of @pocket-tools/terraform-modules, so updated that to the latest version. The loosely coupled version of cdktf dependencies are also updated with that change. This includes breaking changes to this package around imports. Changing all imports to use deep imports as the index files have been deprecated. I think we should also consider replicating some of the dotcom gateway rules that are provided by AWS here as well (these rules include blocks for well known abuse), but I'd like to export those from terraform-modules rather than copy pasting them all over the place.
| - `x-source`: `mozilla` | ||
| - `x-forwarded-for`: <end client IP address> | ||
|
|
||
| For now, allow all traffic with `x-source`: `mozilla` to bypass the WAF. |
There was a problem hiding this comment.
hi, making sure i understand the intent right
we want only mozilla client to use this firefox proxy and any unknown client would be rejected and not served
There was a problem hiding this comment.
This PR is really just getting the WAF in place so we can start iterating with smaller changes if and when they are needed.
As of right now, this first rule allows any traffic coming from the CDN (identified by the x-source header) to bypass rate limiting entirely. We could add another condition to this rule to apply rate limiting to this rather than allowing bypass. We could also change this value to be a shared secret instead if we find that sources other than the VPN start setting this header. Plenty of options to move forward if we need it.
| action: { block: {} }, | ||
| statement: { | ||
| rateBasedStatement: { | ||
| limit: 1000, |
There was a problem hiding this comment.
is this 1000 req per hour from the same IP?
There was a problem hiding this comment.
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
Per 5 minutes it seems actually. This could definitely be pretty aggressively throttled down.
sri-kirsh
left a comment
sri-kirsh
left a comment
There was a problem hiding this comment.
how do we usually test/QA waf rules?
This is entirely unclear to me, and this is also the primary reason I'm going with relatively loose limits for this first pass. I think we could test in the dev environment, but I don't think we have a corresponding dev CDN in GCP. |
efixler
left a comment
efixler
left a comment
There was a problem hiding this comment.
lgtm.
It would be good to add some comments in the file, or in the README noting the thinking around the WAF settings; you mention that these are starting points and we'll look to home them (which is totally reasonable) and it'd be good to put a little bit of that along with the how-to-check info in case the person who is checking is not you :)
Also I'm sure that this was discussed with SRE, but it'd be good to have SRE 👀 specifically on the PR too.
|
Also, just want to mention, newtab is how the largest number of people interact with Pocket and now we make most of our money! Thanks for taking good care with this! |
I tried to already leave some next steps hints. I should probably just also say that I expect this to need some iteration as we move into stable and get data on reasonable limits. I'm going to follow up with some info on the WAF on the service page once this is deployed and I know where the metrics live. I've got a few TODOs waiting for me there.
Yeah, I've been talking with Brett through all of this, but good call. I'll give them an explicit heads up after updating the top level comment. |
|
Couple notes here:
|
|
Thanks for the feedback @bkochendorfer
I kind of got lost in the weeds here and forgot this change was made 😅. Done.
Good call. |
| const globalRateLimitRule = <Wafv2WebAclRule>{ | ||
| name: 'GlobalRateLimit', | ||
| priority: 1, | ||
| action: { block: {} }, |
There was a problem hiding this comment.
I think you probably meant to change this one to count and the other one to allow?
There was a problem hiding this comment.
I might have misunderstood your intent, but this is what I intended.
Nobody should be using this service directly other than for cache debugging imo. This limit is sky high for that requirement.
I turned on a count for the other rule so we could get visibility into the request volume from the CDN, and potentially enable rate limiting based on x-forwarded-for.
4 participants
Goal
Set up a preliminary WAF implementation for firefox-api-proxy.
Going with a relatively permissive initial setup here. Traffic originating from the CDN is all permitted, and a fairly loose rate limit is in place for direct requests.
This change requires a newer version of @pocket-tools/terraform-modules, so updated that to the latest version. The loosely coupled version of cdktf dependencies are also updated with that change. This includes breaking changes to this package around imports. Changing all imports to use deep imports as the index files have been deprecated.
I think we should also consider replicating some of the dotcom gateway rules that are provided by AWS here as well (these rules include blocks for well known abuse), but I'd like to export those from terraform-modules rather than copy pasting them all over the place.
I'd love feedback/perspectives on:
Implementation Decisions
Deployment steps
References
JIRA ticket:
https://getpocket.atlassian.net/browse/INFRA-1167