Hello world protected by a WAF

Prerequisites

To run this onboarding tutorial, you first need:

  • a k8saas cluster deployed
info

To request and set up your own cluster, see the Getting Started section.

You also need to have downloaded the following file:

Tutorial

This tutorial deploys a simple website application and then simulates an attack against it.

Get your credentials

note

The cluster name and the resource group name are the same within k8saas.

az aks get-credentials  --name "$K8SAAS_RESOURCE_NAME"  --resource-group "$K8SAAS_RESOURCE_NAME"
kubelogin convert-kubeconfig -l azurecli

Update DNS zone

You will need to update the file pomerium-ingress.yaml with the right DNS zone. At the same time, change the host so that it is unique and does not interfere with another project.

Look for and replace:

spec:
  ingressClassName: pomerium
  rules:
  - host: <VALUE_TO_CHANGE>.demo-waf.<DNS_ZONE>
  ...
  tls:
  - hosts:
    - <VALUE_TO_CHANGE>.demo-waf.<DNS_ZONE>

Use the DNS zone given in the onboarding email sent to you. If you do not have this information, you can always retrieve it by running:

kubectl get ingress -n monitoring

It should return something like this:

NAME                         CLASS   HOSTS                                                   ADDRESS         PORTS     AGE
prometheus-operator-grafana  nginx   grafana.k8saas-rbo-sandbox.eu.k8saas.thalesdigital.io   20.50.218.145   80, 443   389d

Now, using the information from the previous command, update pomerium-ingress.yaml with the right values. Here we have replaced hello-world-ingress with rbo-sandbox-hw to keep the host unique, as suggested earlier.

spec:
  ingressClassName: pomerium
  rules:
  - host: rbo-sandbox-hw.demo-pomerium.eu.k8saas.thalesdigital.io
  ...
  tls:
  - hosts:
    - rbo-sandbox-hw.demo-pomerium.eu.k8saas.thalesdigital.io

Deploy the application

Deploy the application, which is composed of:

  • a Kubernetes Deployment object, which spins up the application pod (container) and keeps it running at all times;
  • a Kubernetes Service object, which exposes the pod inside the cluster;
  • a Kubernetes Ingress object, which exposes the pod to the internet.

Using the following commands:

# this starts a hello world pod and its service
kubectl apply -f aks-helloworld-one.yaml --namespace customer-namespaces
# this exposes the application to the internet through the ingress
kubectl apply -f hello-world-ingress.yaml --namespace customer-namespaces

The application is now available online; check it with:

curl -k https://<VALUE_TO_CHANGE>.demo-waf.<DNS_ZONE>

Simulate an attack

Now, to simulate an attack, send a request carrying the user agent of the Nikto scanner:

curl -H "User-Agent: Nikto" -k https://<VALUE_TO_CHANGE>.demo-waf.<DNS_ZONE>

You should get:

<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
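As an added example (not part of the k8saas tutorial), the following shell functions turn the two curl calls above into a repeatable check: a benign request must come back with 200 and the Nikto user agent must be answered with 403. The WAF_URL variable and the benign user-agent string are assumptions of this example; the host is whatever you set in your ingress.

```shell
#!/bin/sh
# Added example, not code from the k8saas documentation: a small WAF smoke test
# built on the same curl invocation the tutorial uses (-k accepts the test
# certificate). WAF_URL is an assumed variable name for the ingress host.

# http_status URL USER_AGENT -> prints only the HTTP status code of the response
http_status() {
    url=$1
    ua=$2
    # -o /dev/null discards the body, -w prints the status code and nothing else
    curl -s -k -o /dev/null -w '%{http_code}' -H "User-Agent: $ua" "$url"
}

# waf_smoke_test URL -> prints PASS (exit 0) when the WAF lets a benign
# request through and blocks the scanner user agent, FAIL (exit 1) otherwise
waf_smoke_test() {
    url=$1
    benign=$(http_status "$url" "waf-smoke-test/1.0")
    scanner=$(http_status "$url" "Nikto")
    if [ "$benign" = "200" ] && [ "$scanner" = "403" ]; then
        echo "PASS"
        return 0
    fi
    # 000 means curl could not connect at all; any other combination means
    # the WAF is either not in front of the service or not blocking
    echo "FAIL (benign=$benign scanner=$scanner)"
    return 1
}

# Usage: WAF_URL="https://<VALUE_TO_CHANGE>.demo-waf.<DNS_ZONE>" sh waf-smoke.sh
if [ -n "${WAF_URL:-}" ]; then
    waf_smoke_test "$WAF_URL"
fi
```

Run it after every ingress or rule change: a PASS confirms both that the application still answers and that the blocking rule set is still active in front of it.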

Then, check the logs.

tip

If this is the first time you are accessing Log Analytics, follow the onboarding doc.

Run the following query:

ingress_CL
| where kubernetes_labels_app_kubernetes_io_name_s contains "ingress-nginx"
| where log_s contains "ModSecurity"
| project TimeGenerated, log_s

You should see a message like this:

2021-02-11T01:15:07.52754143Z stderr F 2021/02/11 01:15:07 [error] 855#855: *666244 [client 192.168.0.35] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.0.10"] [uri "/"] [unique_id "161300610710.914637"] [ref ""], client: 192.168.0.35, server: hello-world-ingress.demo.kaas.thalesdigital.io, request: "GET / HTTP/2.0", host: "hello-world-ingress.demo.kaas.thalesdigital.io"

info

The WAF successfully detected the malicious user-agent and blocked it.
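To make a log line like the one above easier to act on, here is an added example (not from the k8saas documentation) of small shell helpers that extract the rule id, anomaly score, client address, virtual host and URI from ModSecurity error-log lines and tell blocked requests apart from other entries. The sample line is constructed for the demo to mirror the shape of the query result above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the k8saas documentation: helpers for
# ModSecurity (nginx connector) error-log lines. SAMPLE_BLOCK is a constructed
# line shaped like the Log Analytics result in the tutorial.

SAMPLE_BLOCK=$(cat <<'EOF'
2021-02-11T01:15:07.52754143Z stderr F 2021/02/11 01:15:07 [error] 855#855: *666244 [client 192.168.0.35] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/owasp-modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "2"] [tag "attack-generic"] [hostname "192.168.0.10"] [uri "/"] [unique_id "161300610710.914637"], client: 192.168.0.35, server: hello-world-ingress.demo.kaas.thalesdigital.io, request: "GET / HTTP/2.0", host: "hello-world-ingress.demo.kaas.thalesdigital.io"
EOF
)

# modsec_field LINE KEY -> value of the bracketed field [KEY "value"]
# (for repeated keys such as "tag", the last occurrence wins)
modsec_field() {
    printf '%s\n' "$1" | sed -n 's/.*\['"$2"' "\([^"]*\)"\].*/\1/p'
}

# modsec_client LINE -> the address in [client 1.2.3.4], which carries no quotes
modsec_client() {
    printf '%s\n' "$1" | sed -n 's/.*\[client \([^]]*\)\].*/\1/p'
}

# modsec_vhost LINE -> the virtual host nginx served, from the trailing host: "..."
modsec_vhost() {
    printf '%s\n' "$1" | sed -n 's/.*host: "\([^"]*\)".*/\1/p'
}

# modsec_score LINE -> the total inbound anomaly score reported in the msg field
modsec_score() {
    printf '%s\n' "$1" | sed -n 's/.*Total Score: \([0-9]*\)).*/\1/p'
}

# modsec_is_block LINE -> exit 0 only when the engine actually denied the request
modsec_is_block() {
    case "$1" in
        *"ModSecurity: Access denied with code 403"*) return 0 ;;
        *) return 1 ;;
    esac
}

# modsec_summary LINE -> one line suitable for an alert or a ticket
modsec_summary() {
    line=$1
    if modsec_is_block "$line"; then action=BLOCKED; else action=NOT_BLOCKED; fi
    score=$(modsec_score "$line")
    printf '%s id=%s score=%s client=%s vhost=%s uri=%s\n' \
        "$action" "$(modsec_field "$line" id)" "${score:-?}" \
        "$(modsec_client "$line")" "$(modsec_vhost "$line")" \
        "$(modsec_field "$line" uri)"
}

# modsec_summarize_stream -> summarise every line read on stdin, e.g. lines
# exported from the Log Analytics query and piped in
modsec_summarize_stream() {
    while IFS= read -r l; do
        modsec_summary "$l"
    done
}

modsec_summary "$SAMPLE_BLOCK"
```

Feeding exported query results through modsec_summarize_stream gives one compact line per event, which is enough to spot a burst of blocks from a single client or a rule id that keeps firing against legitimate traffic and therefore needs tuning.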

warning

Using "SecRuleEngine DetectionOnly" does not generate any logs.

Next steps

Disable or add custom rules by following this documentation.

Remove your test

$ kubectl delete -f aks-helloworld-one.yaml --namespace customer-namespaces
$ kubectl delete -f hello-world-ingress.yaml --namespace customer-namespaces