HAProxy Kubernetes Ingress Controller Documentation 1.4

ModSecurity WAF

ModSecurity is a popular, open-source web application firewall. In this section, you will learn how to manage ModSecurity in HAProxy Enterprise Kubernetes Ingress Controller to protect your container-based apps.

Enable ModSecurity for all Ingress routes

To enable ModSecurity with the Core Rule Set for all routes handled by the ingress controller:

  1. Download the latest version of the source code from the ModSecurity Core Rule Set GitHub page. The Core Rule Set contains a broad set of rules for detecting suspicious HTTP requests and is a good starting point for populating ModSecurity with sensible defaults. Later, you can customize these rules.

    The source code comes archived as a zip file or a gzipped tar file. After downloading the archive, extract the files.

  2. Inside the extracted folder, rename the file crs-setup.conf.example to crs-setup.conf.

  3. Download two files from the SpiderLabs ModSecurity GitHub page:

    • unicode.mapping
    • modsecurity.conf-recommended (rename it to modsecurity.conf)

    You can use the following wget commands:

    $ wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping \
        -O unicode.mapping
    
    $ wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended \
        -O modsecurity.conf

    Note that the output-file option is an uppercase -O; lowercase -o would write wget's log to the named file and leave you with no configuration.
  4. Copy crs-setup.conf, unicode.mapping, and modsecurity.conf to the rules folder inside the Core Rule Set folder.

  5. From inside the rules folder, use the command kubectl create secret generic to add all of the files in the folder to your Kubernetes cluster as a Secret object. The Secret will be named modsecuritycrs.

    $ kubectl create secret generic modsecuritycrs --namespace haproxy-controller --from-file .
  6. Edit the ingress controller’s ConfigMap:

    $ kubectl edit configmap haproxy-kubernetes-ingress --namespace haproxy-controller

    Add the modsecurity key under the data section, setting it to the namespace and name of the secret you just created. After making your changes, save and close the file.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      annotations:
        ...
    data:
      modsecurity: haproxy-controller/modsecuritycrs

    This will enable ModSecurity for all applications behind the ingress controller.

    Important: By default, ModSecurity is in detection-only mode and will not block threats. See the section Enable blocking mode.

Enable blocking mode

By default, ModSecurity is in detection-only mode and will log, but not block, suspicious requests. To enable blocking of suspicious requests:

  1. Edit the file modsecurity.conf.

  2. Change the line SecRuleEngine DetectionOnly to SecRuleEngine On.

  3. Delete and recreate the modsecuritycrs Secret.

    $ kubectl delete secret modsecuritycrs --namespace haproxy-controller
    $ kubectl create secret generic modsecuritycrs --namespace haproxy-controller --from-file .
  4. Test that the rules are working: make a request that violates a rule and verify that the response is HTTP 403 Forbidden. In this example, the NodePort of the ingress controller service is 30000.

    $ curl http://localhost:30000/?load=../../../../etc/passwd
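As an added example (not code from the HAProxy documentation), the POSIX shell helpers below check the rules folder before it is packaged into the modsecuritycrs Secret (step 5 of the first procedure) and perform the SecRuleEngine edit from step 2 of this procedure; the function names and the checks they apply are this example's own assumptions about a correctly prepared folder.

```shell
#!/bin/sh
# Added example (not part of the HAProxy documentation): preflight checks on the
# rules folder before it becomes the modsecuritycrs Secret, plus the edit that
# switches SecRuleEngine to blocking mode. Assumes the layout built above:
# crs-setup.conf, unicode.mapping and modsecurity.conf inside the CRS rules folder.

# crs_rules_check DIR: return 0 when DIR holds everything the Secret needs.
crs_rules_check() {
    dir=$1
    rc=0
    for f in crs-setup.conf unicode.mapping modsecurity.conf; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            rc=1
        fi
    done
    # A leftover .example file means the rename step was skipped.
    if [ -e "$dir/crs-setup.conf.example" ]; then
        echo "crs-setup.conf.example still present; rename it to crs-setup.conf" >&2
        rc=1
    fi
    # modsecurity.conf must be the real config, not an empty file or a download log.
    if [ -s "$dir/modsecurity.conf" ] && ! grep -q '^SecRuleEngine' "$dir/modsecurity.conf"; then
        echo "modsecurity.conf has no SecRuleEngine directive" >&2
        rc=1
    fi
    # The Core Rule Set itself ships as REQUEST-*.conf / RESPONSE-*.conf files.
    if ! ls "$dir"/REQUEST-*.conf >/dev/null 2>&1; then
        echo "no REQUEST-*.conf rule files in $dir" >&2
        rc=1
    fi
    return $rc
}

# crs_engine_mode FILE: print the active SecRuleEngine value (DetectionOnly, On or Off).
crs_engine_mode() {
    awk '$1 == "SecRuleEngine" { print $2 }' "$1" | tail -n 1
}

# crs_enable_blocking FILE: change DetectionOnly to On in place. The Secret must
# be deleted and recreated afterwards for the ingress controller to pick it up.
crs_enable_blocking() {
    sed -i.bak 's/^SecRuleEngine[[:space:]][[:space:]]*DetectionOnly/SecRuleEngine On/' "$1" \
        && rm -f "$1.bak"
    [ "$(crs_engine_mode "$1")" = "On" ]
}
```

Run crs_rules_check on the rules folder before each kubectl create secret; a non-zero exit names the file that would otherwise ship broken inside the Secret.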
