fake-waf-on-ec2-forwarding-https.md

title	description	chapter	created	last_modified	tags
fake-waf-on-ec2-forwarding-https	使用 NGINX 模拟 WAF 转发 HTTPS 请求	true	2023-07-17 09:02:12 -0700	2023-10-21 04:54:26 -0700	aws/security/waf aws/serverless/api-gateway nginx

title: This is a github note

fake-waf-on-ec2-forwarding-https

• Diagram
• Layer 7 forwarding with NGINX (prefer)
• Layer 4 forwarding with iptables

Diagram

In blog's diagram, we mentioned when you expose private API, need using ALB + WAF to keep it security. But we do not include this part in lab, we added API gateway endpoint's IP addresses to ALB directly.

If you try to simulate WAF component in this scenario, follow one of next two chapters to create fake WAF (the "Layer 7 forwarding with NGINX" is prefer) and then add fake WAF's IP address to ALB instead of endpoint's IP addresses.

Layer 7 forwarding with NGINX (prefer)

• amazon linux 2
• download nginx (link)

wget http://nginx.org/download/nginx-1.23.4.tar.gz

• get http_connect patch based on your nginx version (link)

yum install -y git pcre2 pcre2-devel openssl-devel
git clone https://github.com/chobits/ngx_http_proxy_connect_module.git

• re-compile

yum groupinstall -y 'Development Tools'
tar xf nginx-1.23.4.tar.gz
cd nginx-1.23.4
patch -p1 < ../ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_102101.patch
./configure \
--user=www \
--group=www \
--prefix=/usr/local/nginx \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-http_realip_module \
--with-threads \
--add-module=../ngx_http_proxy_connect_module
make && make install

• create cerntificate in /usr/local/nginx/conf ([[../git-ghpages/eks/eks-infra/network/self-signed-certificates#2. no certificate chain]] or link)

mkdir ~/cert
cd ~/cert
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
###
# setup Common name to *.panlm.xyz
###
openssl rsa -in privateKey.key -check
openssl x509 -in certificate.crt -text -noout
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in certificate.crt > public.pem

ln -sf ~/cert/public.pem /usr/local/nginx/conf/cert.pem
ln -sf ~/cert/private.pem /usr/local/nginx/conf/cert.key

• edit /usr/local/nginx/conf/nginx.conf

...
  server {
    listen  443 ssl;

    ssl_certificate    cert.pem;
    ssl_certificate_key  cert.key;

    ssl_session_cache  shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    # dns resolver used by forward proxying
    # resolver  172.31.80.2;

    # forward proxy for CONNECT request
    proxy_connect;
    proxy_connect_allow      443;
    proxy_connect_connect_timeout  10s;
    proxy_connect_read_timeout   10s;
    proxy_connect_send_timeout   10s;

    # forward proxy for non-CONNECT request
    location / {
      proxy_pass "https://vpce-xxx-xxx.execute-api.us-east-1.vpce.amazonaws.com";
      proxy_set_header Host "poc.api0413.aws.panlm.xyz";
    }
  }
...

• start nginx

groupadd www
useradd -g www www
/usr/local/nginx/sbin/nginx

• check access log for alb health check

172.31.3.235 - - [17/Jul/2023:08:39:45 +0000] "GET / HTTP/1.1" 403 23 "-" "ELB-HealthChecker/2.0"
172.31.46.247 - - [17/Jul/2023:08:39:46 +0000] "GET / HTTP/1.1" 403 23 "-" "ELB-HealthChecker/2.0"

• put the fake WAF in the AZ in which your ALB enabled if your ALB not enabled in every AZ

Layer 4 forwarding with iptables

• if you have multiple endpoint ip addresses to forward, using random or round robin balancing (refer link)

• need ip_forward=1 in OS

# Enable IP Forwarding and persist across reboot:
# sysctl -w net.ipv4.ip_forward=1;
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.d/00-defaults.conf
sysctl -p /etc/sysctl.d/00-defaults.conf 

• need stop source/dest check in EC2
• install and flush iptables

yum install -y iptables-services
systemctl enable iptables;
systemctl start iptables;

# Configuration below allows allows all traffic:
# Set the default policies for each of the built-in chains to ACCEPT:
iptables -P INPUT ACCEPT;
iptables -P FORWARD ACCEPT;
iptables -P OUTPUT ACCEPT;

# Flush the nat and mangle tables, flush all chains (-F), and delete all non-default chains (-X):
iptables -t nat -F;
iptables -t mangle -F;
iptables -F;
iptables -X;

• configure

instance_ip=172.31.17.223 # instance internal ip address
next_ip=3.15.136.123 # one ip address of vpce domain name

# get alb/nlb internal ip addresses
for i in 172.31.20.112 172.31.33.21; do
  iptables -t nat -A PREROUTING -p tcp -s $i -d $instance_ip -i eth0 -j DNAT --to-destination $next_ip:443;
done

iptables -t nat -A POSTROUTING -p tcp --dport 443 -s 172.31.0.0/16 -d $next_ip -o eth0 -j MASQUERADE;

refer

• https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
• https://www.alibabacloud.com/blog/how-to-use-nginx-as-an-https-forward-proxy-server_595799
• https://scalingo.com/blog/iptables