You may already know what and how NGINX work, but your application can still be improved by using NGINX Plus with App Protect feature to enhance security of your application by embed it with Ingress Controller. App Protect is a lightweight WAF module in NGINX Plus which suitable for DevOps environment.
Why we need WAF for web application? Many hackers can add some malicious script or parameter to do a cyber-attack. WAF can filter and block traffic based on your configuration. For example, hacker try to pass specific parameter or run script from URL, WAF will detect those URL and block it automatically. In this case, I use App Protect from NGINX Plus as a WAF for my test application.
This is only basic guide to see the overview how to setup App Protect and configure it in Kubernetes and show some result before and after using
NGINX Plus App Protect
Requirement
· Kubernetes
· NGINX Ingress Operator
· NGINX Plus with App Protect image
Getting start
Note: I won’t go through detail for each step but only major one that you need to make it done before making WAF ready to use.
1. Deploy NGINX Ingress controller with App Protect
2. Deploy application
3. Apply config to Kubernetes (policy ingress, logconf, etc.)
With these three steps, your web application will be ready to operate with WAF. We need 3 main config for Kubernetes kind which are
· Ingress
For redirect service to NGINX Ingress Controller, which policy will be used, which location will be used to store log
· APPolicy
For setting alarm and block policy (WAF)
· APLogConf
For define log type and size to be stored, so you can track and block specific IPs or signatures
Note: Log from App Protect can be use with other visualization tools to make it easier for monitor and track.
Example
APPolicy has many options that can be set to detect violation and decide to alarm or block such as IP is in the deny list, Bot Client Detected, Evasion technique detected, and others illegal method to attack web application. For more detectable violation, you can visit this link “Violation List” to check which violation can be detected.
For example, without App Protect hacker may see any information that should not see by outsider as shown in the picture.
With App Protect, you can force return page to any malicious URL or parameter to see as shown in the picture which use HTML language to create this response of your choice. In this case, hacker try to pass null parameter, so he will see only 403 Forbidden although actual response code is not 403 Forbidden.
If APPolicy is not set the response page it will return default response which will look like this picture. You can use support ID to track each incident in log server.
Reference
2. https://github.com/NGINXinc/kubernetes-ingress/tree/v1.11.0