lukekalbfleisch/ironclad

 
 

Ironclad: WAF on Kubernetes

This is a reference configuration for running a web application firewall (WAF) on Kubernetes. It is a container build of ModSecurity+Nginx running the ModSecurity Core Rule Set along with a Go helper.

The Ironclad container runs as a sidecar for your application. It proxies inbound requests to your application over localhost within the confines of a single Kubernetes Pod.

The Go helper helps the process integrate more nicely in a Kubernetes environment:

Proof of Concept

This code is a work in progress and is meant as a simple proof of concept. File an issue or talk to @mattmoyer if you have ideas or want to help.

Configuration Format

```yaml
# If true, ModSecurity will not block requests it thinks are malicious.
detectionOnly: false

# The TCP port on which Nginx should listen for requests.
listenPort: 80

# The TCP port to which Nginx should forward requests.
# Your application should be configured to listen on 127.0.0.1:8080.
backendPort: 8080

# Emit logs in JSON format (default is a text-based format)
logFormat: json

# Log at INFO level (includes alerts).
logLevel: info

# Prepend zero or more rules to the ModSecurity Core Rule Set.
prependRules: []

# Append zero or more rules to the ModSecurity Core Rule Set.
appendRules:
  # For example, change the default "block" action to a redirect:
  - SecDefaultAction "phase:1,nolog,auditlog,redirect:https://bit.ly/2GtuuDZ"
  - SecDefaultAction "phase:2,nolog,auditlog,redirect:https://bit.ly/2GtuuDZ"
```
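The sidecar only protects the application if every request passes through it, so a pre-deployment check of the configuration above and of the application's bind address is worth having. The following is an added example, not code from the Ironclad repository: the `Config` struct, the `Audit` function and the `appBind` parameter are hypothetical names, and the sample values in `main` are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Config mirrors the keys of the configuration format above; the struct itself is hypothetical.
type Config struct {
	DetectionOnly           bool
	ListenPort, BackendPort int
	PrependRules            []string
	AppendRules             []string
}

// Audit lists settings that would let traffic reach the backend unfiltered.
// appBind is the host:port the application container listens on (assumed input).
func Audit(c Config, appBind string) []string {
	var out []string
	if c.DetectionOnly {
		out = append(out, "detectionOnly: malicious requests are logged, not blocked")
	}
	if c.ListenPort == c.BackendPort {
		out = append(out, "port clash: sidecar and app share the Pod network namespace")
	}
	host, port, err := net.SplitHostPort(appBind)
	ip := net.ParseIP(host)
	if err != nil || (host != "localhost" && (ip == nil || !ip.IsLoopback())) {
		out = append(out, "bind: app not loopback-only, reachable without passing the WAF")
	} else if port != strconv.Itoa(c.BackendPort) {
		out = append(out, "bind: app port differs from backendPort")
	}
	for _, r := range append(append([]string{}, c.PrependRules...), c.AppendRules...) {
		f := strings.Fields(r)
		if len(f) >= 2 && strings.EqualFold(f[0], "SecRuleEngine") &&
			!strings.EqualFold(strings.Trim(f[1], `"`), "On") {
			out = append(out, "rule: engine set to a non-blocking mode: "+r)
		}
	}
	return out
}

func main() {
	// Constructed sample: the page's ports, plus three deliberate mistakes.
	c := Config{DetectionOnly: true, ListenPort: 80, BackendPort: 8080,
		AppendRules: []string{"SecRuleEngine DetectionOnly"}}
	for _, finding := range Audit(c, "0.0.0.0:8080") {
		fmt.Println(finding)
	}
}
```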

Notes

This product includes GeoLite2 data created by MaxMind, available from https://maxmind.com.
