Enable WAF with Modsecurity from Ingress Nginx

Export modsecurity.conf from ingress nginx controller

POD_NAME=$(kubectl get pods --namespace ingress-nginx -l "app.kubernetes.io/component=controller,app.kubernetes.io/name=ingress-nginx" -o jsonpath="{.items[0].metadata.name}")

kubectl exec -it $POD_NAME -n ingress-nginx -- cat /etc/nginx/modsecurity/modsecurity.conf > modsecurity.conf

Change configuration to support JSON and serial log

# SecAuditLogType Concurrent
# SecAuditLog /var/log/modsec_audit.log

SecAuditLogType Serial
SecAuditLog /dev/stdout
SecAuditLogFormat JSON

Create a configmap to use customized modsecurity.conf settings

kubectl create configmap modsecurity --from-file=modsecurity.conf=modsecurity.conf -n=ingress-nginx

Update ingress nginx helm values

  extraVolumeMounts:
  ## Additional volumeMounts to the controller main container.
    - name: modsecurity
      mountPath: /etc/nginx/modsecurity/modsecurity.conf
      subPath: modsecurity.conf
      readOnly: true

  extraVolumes:
  ## Additional volumes to the controller pod.
    - name: modsecurity
      configMap:
        name: modsecurity

helm upgrade <name> ingress-nginx/ingress-nginx -n ingress-nginx -f nginx_values.yaml

Create nginx ingress object and annotate it in below

    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      # SecRuleEngine DetectionOnly
      SecRuleEngine Off
      SecRuleRemoveById 920350

Share Tweet Send
0 Comments
Loading...
You've successfully subscribed to Unofficial Azure Club
Great! Next, complete checkout for full access to Unofficial Azure Club
Welcome back! You've successfully signed in
Success! Your account is fully activated, you now have access to all content.