From d7a7ef4bd0a344e27ff3c35c70f594c233389d96 Mon Sep 17 00:00:00 2001
From: Lucas Charles
Date: Tue, 10 Sep 2019 14:37:51 -0700
Subject: Enable modsecurity in nginx-ingress deployments

Update the default ingress chart to enable modsecurity along with the default Core Rule Set. This functionality uses the default settings of "detection-only" mode to log requests to the audit log but blocks no traffic by default

Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/65192
---
 app/models/clusters/applications/ingress.rb | 18 ++++++++++++++++++
 .../65192-enable-modsecurity-in-ingress-ce.yml | 5 +++++
 doc/user/clusters/applications.md | 21 +++++++++++++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 changelogs/unreleased/65192-enable-modsecurity-in-ingress-ce.yml

diff --git a/app/models/clusters/applications/ingress.rb b/app/models/clusters/applications/ingress.rb
index 50def3ba38c..8654393dc95 100644
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
@@ -35,6 +35,10 @@ module Clusters
         'stable/nginx-ingress'
       end
 
+      def values
+        content_values.to_yaml
+      end
+
       def allowed_to_uninstall?
         external_ip_or_hostname? && application_jupyter_nil_or_installable?
       end
@@ -67,6 +71,20 @@ module Clusters
 
       private
 
+      def specification
+        return {} unless Feature.enabled?(:ingrees_modsecurity, cluster.project)
+
+        {
+          "controller" => {
+            "config" => { "enable-modsecurity" => "true", "enable-owasp-modsecurity-crs" => "true" }
+          }
+        }
+      end
+
+      def content_values
+        YAML.load_file(chart_values_file).deep_merge!(specification)
+      end
+
       def application_jupyter_nil_or_installable?
         cluster.application_jupyter.nil? || cluster.application_jupyter&.installable?
       end
diff --git a/changelogs/unreleased/65192-enable-modsecurity-in-ingress-ce.yml b/changelogs/unreleased/65192-enable-modsecurity-in-ingress-ce.yml
new file mode 100644
index 00000000000..8a2e9fae1c1
--- /dev/null
+++ b/changelogs/unreleased/65192-enable-modsecurity-in-ingress-ce.yml
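Review bot: The feature-flag name in `specification` is misspelled — `Feature.enabled?(:ingrees_modsecurity, cluster.project)` — while the documentation added in the same commit tells operators to run `Feature.disable(:ingress_modsecurity)`, so the documented switch does not control this code. Depending on how an unknown flag resolves in `Feature.enabled?`, either ModSecurity is never merged into the chart values despite the commit claiming it is on by default, or it cannot be turned off through the documented command; either way the two names must agree, e.g. `return {} unless Feature.enabled?(:ingress_modsecurity, cluster.project)`. The hunk also relies on ingress-nginx's own default rule-engine mode for the "detection-only, blocks nothing" behaviour the commit message promises — nothing here sets `SecRuleEngine` — so a comment on `specification` such as `# Detection-only is the chart/ingress-nginx default; nothing here sets SecRuleEngine, re-check on chart upgrades` would warn the next reader that a chart upgrade could change that default. The enclosing `Ingress` class starts and ends outside the hunk.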
@@ -0,0 +1,5 @@
+---
+title: Enable modsecurity in nginx-ingress apps
+merge_request: 32905
+author:
+type: added
diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md
index e43b1ca6826..518094d2cc9 100644
--- a/doc/user/clusters/applications.md
+++ b/doc/user/clusters/applications.md
@@ -117,6 +117,27 @@ balancing, SSL termination, and name-based virtual hosting. It acts as a web
 proxy for your applications and is useful if you want to use
 [Auto DevOps](../../topics/autodevops/index.md) or deploy your own web apps.
 
+#### Modsecurity Application Firewall
+
+By default we enable
+[`modsecurity`](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#modsecurity)
+to check requests against [OWASP's Core Rule Set](https://www.modsecurity.org/CRS/Documentation/).
+This feature runs in "Detection-only mode" unless configured and is viewable by
+checking your ingress controller's modsec log for rule violations.
+This can be done by tailing the audit log on your ingress-controller pod:
+
+```
+kubectl -n gitlab-managed-apps exec -it ingress-nginx-ingress-controller-8675309-bz5n4 -- tail -f /var/log/modsec_audit.log
+```
+
+There is a small performance overhead by enabling modsecurity, however,
+if this is considered significant for your application you can disable this
+using a feature flag by running the following command within the rails console:
+
+```ruby
+Feature.disable(:ingress_modsecurity)
+```
+
 NOTE: **Note:**
 The [stable/nginx-ingress](https://github.com/helm/charts/tree/master/stable/nginx-ingress)
-- 
cgit v1.2.1