ModSecurity WAF
ModSecurity is a popular, open-source web application firewall. In this section, you will learn how to manage ModSecurity in HAProxy Enterprise Kubernetes Ingress Controller to protect your container-based apps.
Enable ModSecurity for all Ingress routes
To enable ModSecurity with the Core Rule Set for all routes handled by the ingress controller:
- Download the latest version of the source code from the ModSecurity Core Rule Set GitHub page. The Core Rule Set contains a broad set of rules for detecting suspicious HTTP requests and is a good starting point for populating ModSecurity with sensible defaults. Later, you can customize these rules.
  The source code comes archived as a zip file or a gzipped tar file. After downloading the archive, extract the files.
- Inside the extracted folder, rename the file crs-setup.conf.example to crs-setup.conf.
- Download two files from the SpiderLabs ModSecurity GitHub page: unicode.mapping and modsecurity.conf-recommended (rename it to modsecurity.conf). You can use the following wget commands (note the uppercase -O, which sets the output file name; lowercase -o would write wget's log to that file instead):
  $ wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/unicode.mapping \
      -O unicode.mapping
  $ wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended \
      -O modsecurity.conf
- Copy crs-setup.conf, unicode.mapping, and modsecurity.conf to the rules folder inside the Core Rule Set folder.
- From inside the rules folder, use the command kubectl create secret generic to add all of the files in the folder to your Kubernetes cluster as a Secret object. The Secret will be named modsecuritycrs.
  $ kubectl create secret generic modsecuritycrs --namespace haproxy-controller --from-file .
- Edit the ingress controller's ConfigMap:
  $ kubectl edit configmap haproxy-kubernetes-ingress --namespace haproxy-controller
  Add the modsecurity key under the data section, setting it to the namespace and name of the Secret you just created, in the form namespace/name. After making your changes, save and close the file.
  apiVersion: v1
  kind: ConfigMap
  metadata:
    annotations:
      ...
  data:
    modsecurity: haproxy-controller/modsecuritycrs
This will enable ModSecurity for all applications behind the ingress controller.
Important: By default, ModSecurity is in detection-only mode and will not block threats. See the section Enable blocking mode.
Enable blocking mode
By default, ModSecurity is in detection-only mode and will log, but not block, suspicious requests. To enable blocking of suspicious requests:
- Edit the file modsecurity.conf.
- Change the line SecRuleEngine DetectionOnly to SecRuleEngine On.
- Delete and recreate the modsecuritycrs Secret from inside the rules folder:
  $ kubectl delete secret modsecuritycrs --namespace haproxy-controller
  $ kubectl create secret generic modsecuritycrs --namespace haproxy-controller --from-file .
- Test to see if the rules are working. Make a request that violates a rule and verify that the response is 403 Forbidden. In this example, the NodePort for the ingress controller service is 30000:
  $ curl -i "http://localhost:30000/?load=../../../../etc/passwd"
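The following is an added example, not part of the HAProxy documentation: a small POSIX shell helper that reports which SecRuleEngine mode a modsecurity.conf is in and writes a copy switched to On, so you can confirm the file is in blocking mode before recreating the Secret. The modsecurity.conf excerpt it operates on is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the HAProxy docs: check and switch the
# SecRuleEngine mode of a modsecurity.conf before it goes into the Secret.
set -eu

# Print the effective SecRuleEngine mode ("DetectionOnly", "On", "Off")
# or "unset". Commented-out directives are ignored; if the directive
# appears more than once the last one is reported, since a later
# directive overrides an earlier one in a ModSecurity configuration.
modsec_engine_mode() {
    mode=$(grep -E '^[[:space:]]*SecRuleEngine[[:space:]]+' "$1" \
        | sed -E 's/^[[:space:]]*SecRuleEngine[[:space:]]+//; s/[[:space:]].*$//' \
        | tail -n 1)
    printf '%s\n' "${mode:-unset}"
}

# Write a copy of $1 to $2 with every active SecRuleEngine DetectionOnly
# (or Off) directive changed to On. No other line is touched.
modsec_enable_blocking() {
    sed -E 's/^([[:space:]]*SecRuleEngine[[:space:]]+)(DetectionOnly|Off)([[:space:]]|$)/\1On\3/' \
        "$1" > "$2"
}

# Constructed excerpt standing in for modsecurity.conf-recommended.
DEMO_CONF=$(mktemp)
DEMO_BLOCKING=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
# -- Rule engine initialization -------------------------------
# SecRuleEngine On
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
EOF

echo "before: $(modsec_engine_mode "$DEMO_CONF")"       # DetectionOnly
modsec_enable_blocking "$DEMO_CONF" "$DEMO_BLOCKING"
echo "after:  $(modsec_engine_mode "$DEMO_BLOCKING")"   # On
```

Run it against the modsecurity.conf in your rules folder, then recreate the Secret with the On copy as described above.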