DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

extra waf rules per ingress (#2315)

Browse source 
* extra waf rules per ingress

* document annotation nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules

* regenerate internal/file/bindata.go
This commit is contained in:
Elvin Efendi 2018-04-09 06:14:30 -04:00 committed by Manuel Alejandro de Brito Fontes
parent 16faf309ca
commit bad8295a42
5 changed files with 67 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

11
docs/user-guide/annotations.md
View file

@ -69,6 +69,7 @@ The following annotations are supported:
|[nginx.ingress.kubernetes.io/lua-resty-waf](#lua-resty-waf)|"true" or "false"|
|[nginx.ingress.kubernetes.io/lua-resty-waf-debug](#lua-resty-waf)|"true" or "false"|
|[nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets](#lua-resty-waf)|string|
|[nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules](#lua-resty-waf)|string|
**Note:** all the values must be a string. In case of booleans or number it must be quoted.
@ -486,3 +487,13 @@ nginx.ingress.kubernetes.io/lua-resty-waf-ignore-rulesets: "41000_sqli, 42000_xs
```
will ignore the two mentioned rulesets.
It is also possible to configure custom WAF rules per ingress using `nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules` annotation. For an example the following snippet will
configure a WAF rule to deny requests with query string value that contains word `foo`:
```yaml
nginx.ingress.kubernetes.io/lua-resty-waf-extra-rules: '[=[ { "access": [ { "actions": { "disrupt" : "DENY" }, "id": 10001, "msg": "my custom rule", "operator": "STR_CONTAINS", "pattern": "foo", "vars": [ { "parse": [ "values", 1 ], "type": "REQUEST_ARGS" } ] } ], "body_filter": [], "header_filter":[] } ]=]'
```
For details on how to write WAF rules, please refer to https://github.com/p0pr0ck5/lua-resty-waf.