Configuring ModSecurity

ModSecurity is an open-source Web Application Firewall (WAF) designed to protect web applications from malicious attacks. It is maintained by the open-source community and supports various programming languages and web servers. The platform Load Balancer (ALB) supports configuring ModSecurity, allowing for individual configurations at the Ingress level.

Terminology

Term	Explanation
owasp-core-rules	The OWASP Core Rule Set is an open-source ruleset used to detect and prevent common web application attacks.

Steps to Operate

Configure ModSecurity by adding annotations to the corresponding resource's YAML file or by configuring CR.

Method One: Add Annotations

Add the following annotations to the metadata.annotations field of the corresponding YAML file to configure ModSecurity.

Ingress-Nginx Compatible Annotations

Annotation	Type	Applicable Object	Explanation
nginx.ingress.kubernetes.io/enable-modsecurity	bool	Ingress	Enable ModSecurity.
nginx.ingress.kubernetes.io/enable-owasp-core-rules	bool	Ingress	Enable the OWASP Core Rule Set.
nginx.ingress.kubernetes.io/modsecurity-transaction-id	string	Ingress	Used to identify unique transaction IDs for each request, aiding in logging and debugging.
nginx.ingress.kubernetes.io/modsecurity-snippet	string	Ingress, ALB, FT, Rule	Allows users to insert custom ModSecurity configurations to meet specific security requirements.

ALB Special Annotations

Annotation	Type	Applicable Object	Explanation
alb.modsecurity.cpaas.io/use-recommend	bool	Ingress	Enable or disable recommended ModSecurity rules; set to `true` to apply a predefined set of security rules.
alb.modsecurity.cpaas.io/cmref	string	Ingress	Reference specific configurations, e.g., custom security configurations can be loaded by specifying the ConfigMap's reference path (`$ns/$name#$section`).

Method Two: Configure CR

Open the ALB, FT, or Rule configuration file that needs to be configured.

Add the following fields under spec.config as required.

{ 
 "modsecurity": {
   "enable": true,   # Enable or disable ModSecurity
   "transactionId": "$xx", # Use ID from Nginx
   "useCoreRules": true,   # Add modsecurity_rules_file /etc/nginx/owasp-modsecurity-crs/nginx-modsecurity.conf
   "useRecommend": true,    # Add modsecurity_rules_file /etc/nginx/modsecurity/modsecurity.conf
   "cmRef": "$ns/$name#$section"  # Add configuration from ConfigMap
 }
}

Save and apply the configuration file.

Override

If ModSecurity is not configured in the Rule, it will attempt to find the configuration in FT; if there is no configuration in FT, it will use the configuration from ALB.

Configuration Example

The following example deploys an ALB named waf-alb and a demo backend application named hello. Additionally, an Ingress named ing-waf-enable is deployed, which defines the /waf-enable route and configures ModSecurity rules. Any request containing the query parameter test, where the value includes the string test, will be blocked.

apiVersion: crd.alauda.io/v2
kind: ALB2
metadata:
  name: waf-alb
  namespace: cpaas-system
spec:
  config:
    loadbalancerName: waf-alb
    projects:
    - ALL_ALL
    replicas: 1
  type: nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/modsecurity-transaction-id: "$request_id"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
        SecRuleEngine On
        SecRule ARGS:test "@contains test" "id:1234,deny,log"
  name: ing-waf-enable
spec:
  ingressClassName: waf-alb
  rules:
  - http:
      paths:
      - backend:
          service:
            name: hello
            port:
              number: 80
        path: /waf-enable
        pathType: ImplementationSpecific
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-waf-normal
spec:
  ingressClassName: waf-alb
  rules:
  - http:
      paths:
      - backend:
          service:
            name: hello
            port:
              number: 80
        path: /waf-not-enable
        pathType: ImplementationSpecific
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello
spec:
  replicas: 1
  selector:
    matchLabels:
      service.cpaas.io/name: hello
      service_name: hello
  template:
    metadata:
      labels:
        service.cpaas.io/name: hello
        service_name: hello
    spec:
      containers:
      - name: hello-world
        image: docker.io/hashicorp/http-echo
        imagePullPolicy: IfNotPresent
---
apiVersion: v1
kind: Service
metadata:
  name: hello
spec:
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 5678
  selector:
    service_name: hello
  sessionAffinity: None
  type: ClusterIP

ON THIS PAGE

How to

Architecture

Concepts

Guides

How To

Trouble Shooting

Concepts

Guides

How To

Troubleshooting

Install

Concepts

Guides

How To

Disaster Recovery

Concepts

Guides

How To

Guides

Compliance

Install

API Refiner

User

Guides

Group

Guides

Role

Guides

IDP

Guides

Troubleshooting

User Policy

Guides

Overview

Images

Guides

How To

Virtual Machine

Guides

How To

Troubleshooting

Network

Guides

How To

Storage

Guides

Backup and Recovery

Guides

Concepts

Guides

Pre-Application Creation Preparation

Creating Applications

Creating Workloads

Actions You Can Take After Creating an Application

Configuring Network

Using Services

Using Ingresses

Using Gateways and Route Rules

Using LoadBalancers

Operation and Maintenance

Catalog

Pod and Container

Pod

Container

How To

Concepts

Guides

How To

Install

Guides

How To

Concepts

Guides

Argo CD Concept

Alauda Container Platform GitOps Concepts

Creating GitOps Application

GitOps Observability

Architecture

Guides

How To