OpenAppSec K8S Ingress NGINX Agent configuration
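# Ingress for the application, served through the open-appsec-enabled
# ingress-nginx class. Values shown as [REDACTED] were removed by the author.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-namespace: redcap-externe-qual
    # The backend Service speaks TLS; nginx re-encrypts towards it.
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    # One-hour client timeouts: a slow or idle client holds its connection
    # for up to 3600 s, so the controller's connection limits are the only
    # bound on slow-client resource exhaustion. Confirm the application
    # really needs this for body/header reads.
    nginx.ingress.kubernetes.io/client-body-timeout: "3600"
    nginx.ingress.kubernetes.io/client-header-timeout: "3600"
    # NOTE(review): client_max_body_size is the nginx directive name, not an
    # ingress-nginx annotation; this key is most likely ignored and
    # proxy-body-size below is the effective limit. Confirm and drop it.
    nginx.ingress.kubernetes.io/client_max_body_size: 5000m
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # nginx accepts request bodies up to 5000m (~5 GB), while the attached
    # open-appsec Practice inspects at most max-body-size-kb (50000 KB);
    # how the agent treats the remainder of a large body should be confirmed.
    nginx.ingress.kubernetes.io/proxy-body-size: 5000m
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    # NOTE(review): session-cookie-* settings only take effect together with
    # an affinity annotation, which is not set here — presumably no-ops.
    nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
    nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
    # Binds this Ingress to the open-appsec Policy CR of that name.
    openappsec.io/policy: open-appsec-aphp-eds-ovh-policy
  name: [REDACTED]
  namespace: [REDACTED]
spec:
  ingressClassName: appsec-nginx
  rules:
    - host: [REDACTED]
      http:
        paths:
          - backend:
              service:
                name: [REDACTED]
                port:
                  number: [REDACTED]
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - [REDACTED]
      secretName: [REDACTED]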
{ | |
"accessControlV2": { | |
"rulebase": { | |
"accessControl": [], | |
"traditionalFirewall": [], | |
"l4firewall": [], | |
"rateLimit": [] | |
} | |
}, | |
"waap": { | |
"WAAP": { | |
"WebAPISecurity": [], | |
"WebApplicationSecurity": [ | |
{ | |
"context": "All()", | |
"webAttackMitigation": true, | |
"webAttackMitigationSeverity": "high", | |
"webAttackMitigationAction": "balanced", | |
"webAttackMitigationMode": "Prevent", | |
"practiceAdvancedConfig": { | |
"httpHeaderMaxSize": 32768, | |
"httpIllegalMethodsAllowed": 0, | |
"httpRequestBodyMaxSize": 50000, | |
"jsonMaxObjectDepth": 40, | |
"urlMaxSize": 32768 | |
}, | |
"csrfProtection": "Disabled", | |
"openRedirect": "Disabled", | |
"errorDisclosure": "Disabled", | |
"practiceId": "24617f1c-b3e4-4d50-8c65-22d8d122641a", | |
"practiceName": "open-appsec-aphp-eds-ovh-policy/open-appsec-aphp-eds-ovh-practice", | |
"assetId": "Any", | |
"assetName": "Any", | |
"ruleId": "Any", | |
"ruleName": "Any", | |
"schemaValidation": false, | |
"schemaValidation_v2": "Disabled", | |
"oas": [], | |
"triggers": [ | |
{ | |
"$triggerType": "log", | |
"id": "52f53d60-cc7d-4ad5-bed2-bf0645b0698a", | |
"name": "open-appsec-aphp-eds-ovh-policy/open-appsec-aphp-eds-ovh-log-trigger", | |
"log": { | |
"context": "triggerId(52f53d60-cc7d-4ad5-bed2-bf0645b0698a)", | |
"triggerName": "open-appsec-aphp-eds-ovh-policy/open-appsec-aphp-eds-ovh-log-trigger", | |
"triggerType": "log", | |
"verbosity": "Standard", | |
"acAllow": false, | |
"acDrop": false, | |
"complianceViolations": false, | |
"complianceWarnings": false, | |
"extendloggingMinSeverity": "high", | |
"extendlogging": true, | |
"logToAgent": true, | |
"logToCef": false, | |
"logToCloud": false, | |
"logToK8sService": true, | |
"logToSyslog": false, | |
"responseBody": true, | |
"responseCode": false, | |
"tpDetect": true, | |
"tpPrevent": true, | |
"webBody": true, | |
"webHeaders": true, | |
"webRequests": true, | |
"webUrlPath": true, | |
"webUrlQuery": true, | |
"urlForSyslog": ":514", | |
"urlForCef": ":0", | |
"formatLoggingOutput": true | |
} | |
} | |
], | |
"applicationUrls": "", | |
"overrides": [], | |
"trustedSources": [ | |
{ | |
"id": "20fd1b2f-6732-42c3-94b8-2ec6cc104bd4", | |
"name": "", | |
"numOfSources": 0, | |
"sourcesIdentifiers": [], | |
"parameterType": "TrustedSource" | |
} | |
], | |
"waapParameters": [], | |
"botProtection": false, | |
"antiBot": { | |
"injected": [], | |
"validated": [] | |
}, | |
"botProtection_v2": "Detect" | |
}, | |
{ | |
"context": "Any(All(Any(EqualHost([REDACTED])),EqualListeningPort(80)),All(Any(EqualHost([REDACTED])),EqualListeningPort(443)))", | |
"webAttackMitigation": true, | |
"webAttackMitigationSeverity": "high", | |
"webAttackMitigationAction": "balanced", | |
"webAttackMitigationMode": "Prevent", | |
"practiceAdvancedConfig": { | |
"httpHeaderMaxSize": 32768, | |
"httpIllegalMethodsAllowed": 0, | |
"httpRequestBodyMaxSize": 50000, | |
"jsonMaxObjectDepth": 40, | |
"urlMaxSize": 32768 | |
}, | |
"csrfProtection": "Disabled", | |
"openRedirect": "Disabled", | |
"errorDisclosure": "Disabled", | |
"practiceId": "1c89cbce-345d-4563-afe6-5692ee2ea194", | |
"practiceName": "open-appsec-aphp-eds-ovh-policy/open-appsec-aphp-eds-ovh-practice", | |
"assetId": "[REDACTED]/", | |
"assetName": "[REDACTED]/", | |
"ruleId": "[REDACTED]/", | |
"ruleName": "[REDACTED]/", | |
"schemaValidation": false, | |
"schemaValidation_v2": "Disabled", | |
"oas": [], | |
"triggers": [ | |
{ | |
"$triggerType": "log", | |
"id": "52f53d60-cc7d-4ad5-bed2-bf0645b0698a", | |
"name": "open-appsec-aphp-eds-ovh-policy/open-appsec-aphp-eds-ovh-log-trigger", | |
"log": { | |
"context": "triggerId(52f53d60-cc7d-4ad5-bed2-bf0645b0698a)", | |
"triggerName": "open-appsec-aphp-eds-ovh-policy/open-appsec-aphp-eds-ovh-log-trigger", | |
"triggerType": "log", | |
"verbosity": "Standard", | |
"acAllow": false, | |
"acDrop": false, | |
"complianceViolations": false, | |
"complianceWarnings": false, | |
"extendloggingMinSeverity": "high", | |
"extendlogging": true, | |
"logToAgent": true, | |
"logToCef": false, | |
"logToCloud": false, | |
"logToK8sService": true, | |
"logToSyslog": false, | |
"responseBody": true, | |
"responseCode": false, | |
"tpDetect": true, | |
"tpPrevent": true, | |
"webBody": true, | |
"webHeaders": true, | |
"webRequests": true, | |
"webUrlPath": true, | |
"webUrlQuery": true, | |
"urlForSyslog": ":514", | |
"urlForCef": ":0", | |
"formatLoggingOutput": true | |
} | |
} | |
], | |
"applicationUrls": "[REDACTED]/", | |
"overrides": [], | |
"trustedSources": [ | |
{ | |
"id": "a6af9d97-b373-4510-b3cd-7959f2f6e4b9", | |
"name": "", | |
"numOfSources": 0, | |
"sourcesIdentifiers": [], | |
"parameterType": "TrustedSource" | |
} | |
], | |
"waapParameters": [], | |
"botProtection": false, | |
"antiBot": { | |
"injected": [], | |
"validated": [] | |
}, | |
"botProtection_v2": "Detect" | |
} | |
] | |
} | |
}, | |
"triggers": { | |
"rulebase": { | |
"log": [ | |
{ | |
"context": "triggerId(52f53d60-cc7d-4ad5-bed2-bf0645b0698a)", | |
"triggerName": "open-appsec-aphp-eds-ovh-policy/open-appsec-aphp-eds-ovh-log-trigger", | |
"triggerType": "log", | |
"verbosity": "Standard", | |
"acAllow": false, | |
"acDrop": false, | |
"complianceViolations": false, | |
"complianceWarnings": false, | |
"extendloggingMinSeverity": "high", | |
"extendlogging": true, | |
"logToAgent": true, | |
"logToCef": false, | |
"logToCloud": false, | |
"logToK8sService": true, | |
"logToSyslog": false, | |
"responseBody": true, | |
"responseCode": false, | |
"tpDetect": true, | |
"tpPrevent": true, | |
"webBody": true, | |
"webHeaders": true, | |
"webRequests": true, | |
"webUrlPath": true, | |
"webUrlQuery": true, | |
"urlForSyslog": ":514", | |
"urlForCef": ":0", | |
"formatLoggingOutput": true | |
} | |
], | |
"webUserResponse": [ | |
{ | |
"context": "triggerId(71108ff4-c30a-4287-b8f9-97588e9dc782)", | |
"triggerName": "open-appsec-aphp-eds-ovh-policy/403-forbidden", | |
"details level": "response-code-only", | |
"response body": "", | |
"response code": 403, | |
"response title": "" | |
} | |
] | |
} | |
}, | |
"rules": { | |
"rulebase": { | |
"rulesConfig": [ | |
{ | |
"assetId": "[REDACTED]/", | |
"assetName": "[REDACTED]/", | |
"ruleId": "[REDACTED]/", | |
"ruleName": "[REDACTED]/", | |
"context": "Any(All(Any(EqualHost([REDACTED])),EqualListeningPort(80)),All(Any(EqualHost([REDACTED])),EqualListeningPort(443)))", | |
"priority": 1, | |
"isCleanup": false, | |
"parameters": [ | |
{ | |
"parameterId": "", | |
"parameterName": "", | |
"parameterType": "Exception" | |
} | |
], | |
"practices": [ | |
{ | |
"practiceId": "1c89cbce-345d-4563-afe6-5692ee2ea194", | |
"practiceName": "open-appsec-aphp-eds-ovh-policy/open-appsec-aphp-eds-ovh-practice", | |
"practiceType": "WebApplication" | |
} | |
], | |
"triggers": [ | |
{ | |
"triggerId": "52f53d60-cc7d-4ad5-bed2-bf0645b0698a", | |
"triggerName": "open-appsec-aphp-eds-ovh-policy/open-appsec-aphp-eds-ovh-log-trigger", | |
"triggerType": "log" | |
}, | |
{ | |
"triggerId": "71108ff4-c30a-4287-b8f9-97588e9dc782", | |
"triggerName": "open-appsec-aphp-eds-ovh-policy/403-forbidden", | |
"triggerType": "WebUserResponse" | |
} | |
], | |
"zoneId": "", | |
"zoneName": "" | |
}, | |
{ | |
"assetId": "Any", | |
"assetName": "Any", | |
"ruleId": "Any", | |
"ruleName": "Any", | |
"context": "All()", | |
"priority": 1, | |
"isCleanup": false, | |
"parameters": [ | |
{ | |
"parameterId": "", | |
"parameterName": "", | |
"parameterType": "Exception" | |
} | |
], | |
"practices": [ | |
{ | |
"practiceId": "24617f1c-b3e4-4d50-8c65-22d8d122641a", | |
"practiceName": "open-appsec-aphp-eds-ovh-policy/open-appsec-aphp-eds-ovh-practice", | |
"practiceType": "WebApplication" | |
} | |
], | |
"triggers": [ | |
{ | |
"triggerId": "52f53d60-cc7d-4ad5-bed2-bf0645b0698a", | |
"triggerName": "open-appsec-aphp-eds-ovh-policy/open-appsec-aphp-eds-ovh-log-trigger", | |
"triggerType": "log" | |
}, | |
{ | |
"triggerId": "71108ff4-c30a-4287-b8f9-97588e9dc782", | |
"triggerName": "open-appsec-aphp-eds-ovh-policy/403-forbidden", | |
"triggerType": "WebUserResponse" | |
} | |
], | |
"zoneId": "", | |
"zoneName": "" | |
} | |
], | |
"usersIdentifiers": [] | |
} | |
}, | |
"ips": { | |
"IPS": { | |
"IpsProtections": [] | |
} | |
}, | |
"exceptions": { | |
"rulebase": { | |
"exception": [ | |
{ | |
"context": "Any()", | |
"exceptions": [] | |
} | |
] | |
} | |
}, | |
"fileSecurity": { | |
"FileSecurity": { | |
"FileSecurityProtections": [] | |
} | |
}, | |
"version": "Tue Sep 12 13:40:48 UTC 2023" | |
} |
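apiVersion: openappsec.io/v1beta1
kind: Exception
metadata:
  name: open-appsec-aphp-eds-ovh-exceptions
  namespace: ingress-nginx-openappsec
spec:
  # Allow-list for the ingress-nginx controller's own status probes so they
  # are not inspected as application traffic. The rule is scoped by source
  # IP, Host header and URL — presumably all three must match (confirm).
  # Keep all three: dropping sourceIp alone would exempt any external
  # request that merely sets the same Host header and path.
  # NOTE(review): the Policy CR on this page lists `exceptions: []`; if an
  # Exception must be referenced from the Policy to be active, this object
  # is currently inert — confirm.
  - action: accept
    comment: "K8S probes for the NGinx Ingress Controller"
    sourceIp:
      - 127.0.0.1
    hostName:
      - "127.0.0.1:10246"
    url:
      - "/configuration/backends"
      - "/is-dynamic-lb-initialized"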
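apiVersion: openappsec.io/v1beta1
kind: LogTrigger
metadata:
  name: open-appsec-aphp-eds-ovh-log-trigger
  namespace: ingress-nginx-openappsec
spec:
  appsec-logging:
    detect-events: true
    prevent-events: true
    # Every request is logged, not only security events; expect high volume.
    all-web-requests: true
  additional-suspicious-events-logging:
    enabled: true
    minimum-severity: high # {high|critical}
    # Response bodies are written to the log for suspicious events as well.
    response-body: true
    response-code: true
  extended-logging:
    # Headers and bodies carry credentials and personal data (Authorization,
    # Cookie, form fields). With stdout as the sink they flow into the
    # container log pipeline — restrict read access to those logs and set a
    # retention period that matches the data's sensitivity.
    url-path: true
    url-query: true
    http-headers: true
    request-body: true
  log-destination:
    stdout:
      format: json-formatted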
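apiVersion: openappsec.io/v1beta1
kind: Policy
metadata:
  name: open-appsec-aphp-eds-ovh-policy
  namespace: ingress-nginx-openappsec
spec:
  default:
    # Response returned to blocked clients (the 403-forbidden trigger).
    custom-response: 403-forbidden
    # NOTE(review): `detect` is not the effective mode — the referenced
    # Practice sets `override-mode: prevent-learn`, and the generated policy
    # on this page shows webAttackMitigationMode "Prevent". Make the two
    # agree explicitly so a reader of this file is not misled about whether
    # traffic is blocked.
    mode: detect
    practices:
      - open-appsec-aphp-eds-ovh-practice
    triggers:
      - open-appsec-aphp-eds-ovh-log-trigger
    # NOTE(review): empty, although an Exception CR
    # (open-appsec-aphp-eds-ovh-exceptions) is defined on this page —
    # presumably it must be listed here to apply; confirm.
    exceptions: []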
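# NOTE(review): the original listing started at `kind:`; the apiVersion line
# below was added to match the sibling CRs on this page, since a manifest
# without it is rejected on apply.
apiVersion: openappsec.io/v1beta1
kind: Practice
metadata:
  name: open-appsec-aphp-eds-ovh-practice
  namespace: ingress-nginx-openappsec
spec:
  web-attacks:
    # 50000 KB (~49 MB) of body is inspected; the Ingress accepts 5000m
    # uploads, so most of a very large body lies outside these limits.
    max-body-size-kb: 50000
    max-header-size-bytes: 32768
    max-object-depth: 40
    max-url-size-bytes: 32768
    # Takes precedence over the Policy's `mode: detect` (the generated
    # policy on this page shows Prevent), i.e. this practice blocks.
    override-mode: prevent-learn
    # Only high-confidence findings are acted on — fewer false positives,
    # at the cost of not acting on low/medium-confidence detections.
    minimum-confidence: high
    protections:
      # NOTE(review): the generated policy on this page shows csrfProtection,
      # openRedirect and errorDisclosure as "Disabled" although they are
      # prevent-learn here. Verify the running configuration reflects this
      # CR — the JSON may predate it (version stamp Tue Sep 12 2023) or the
      # deployed agent may not support these protections.
      csrf-enabled: prevent-learn
      error-disclosure-enabled: prevent-learn
      non-valid-http-methods: true
      open-redirect-enabled: prevent-learn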