Hello world protected by a WAF
Prerequisites
To run this onboarding tutorial, we should first have:
- a k8saas cluster deployed
To ask and set up your own cluster, look at the section Getting Started.
And downloaded the following file:
Tutorial
This tutorial is about deploying simple website application and simulate an attack to it.
Get your credentials
The cluster name and the resource group name are the same within k8saas.
az aks get-credentials --name "$K8SAAS_RESOURCE_NAME" --resource-group "$K8SAAS_RESOURCE_NAME"
kubelogin convert-kubeconfig -l azurecli
Update DNS zone
You will need to update the file pomerium-ingress.yaml with the right DNS zone and at the same time we will change the host to be sure it's unique and not interfering with another project.
Look and replace:
spec:
ingressClassName: pomerium
rules:
- host: <VALUE_TO_CHANGE>.demo-waf.<DNS_ZONE>
...
tls:
- hosts:
- <VALUE_TO_CHANGE>.demo-waf.<DNS_ZONE>
With the DNS zone information that was in the onboarding email sent to you. If you do not have this information you can always run this:
kubectl get ingress -n monitoring
It should return something like this:
NAME CLASS HOSTS ADDRESS PORTS AGE
prometheus-operator-grafana nginx grafana.k8saas-rbo-sandbox.eu.k8saas.thalesdigital.io 20.50.218.145 80, 443 389d
Now with the information from the previous command, update pomerium-ingress.yaml with the right information. Here we've replaced hello-world-ingress with rbo-sandbox-hw to be unique like suggested earlier.
spec:
ingressClassName: pomerium
rules:
- host: rbo-sandbox-hw.demo-pomerium.eu.k8saas.thalesdigital.io
...
tls:
- hosts:
- rbo-sandbox-hw.demo-pomerium.eu.k8saas.thalesdigital.io
Deploy the application
Deploy the application, composed of :
- a kubernetes Deployment object: which spin up the application pod (container) and make sure it's up and running at all time;
- a kubernetes Service object: which exposes the pod internally;
- a kubernetes Ingress object: which exposes the pod to the internet.
Using the following commands:
# this start a hello world pod and service
kubectl apply -f aks-helloworld-one.yaml --namespace customer-namespaces
# this exposes the port to the internet
kubectl apply -f hello-world-ingress.yaml --namespace customer-namespaces
The application is now available online at:
curl -k https://<VALUE_TO_CHANGE>.demo-waf.<DNS_ZONE>
Simulate an attack
Now, to simulate an attack, you're to use the user agent of nikto:
curl -H "User-Agent: Nikto" -k https://<VALUE_TO_CHANGE>.demo-waf.<DNS_ZONE>
You should have:
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
Then, check the logs.
If it's the first time you access to log analytics, follow the onboarding doc.
Run the following query:
ingress_CL
| where kubernetes_labels_app_kubernetes_io_name_s contains "ingress-nginx"
| where log_s contains "ModSecurity"
| project TimeGenerated, log_s
You should see this message:
2021-02-11T01:15:07.52754143Z stderr F 2021/02/11 01:15:07 [error] 855#855: *666244 [client 192.168.0.35] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.0.10"] [uri "/"] [unique_id "161300610710.914637"] [ref ""], client: 192.168.0.35, server: hello-world-ingress.demo.kaas.thalesdigital.io, request: "GET / HTTP/2.0", host: "hello-world-ingress.demo.kaas.thalesdigital.io"
The WAF successfully detected the malicious user-agent and blocked it.
Using "SecRuleEngine DetectionOnly" does not generate any log.
Next steps
Disable or add custom rules following this documentation.
Remove your test
$ kubectl delete -f aks-helloworld-one.yaml --namespace customer-namespaces
$ kubectl delete -f hello-world-ingress.yaml --namespace customer-namespaces