This is a reference configuration for running a web application firewall (WAF) on Kubernetes. It is a container build of ModSecurity+Nginx running the ModSecurity Core Rule Set along with a Go helper.
The Ironclad container runs as a sidecar for your application. It proxies inbound requests to your application over localhost within the confines of a single Kubernetes Pod.
The Go helper helps the process integrate more nicely in a Kubernetes environment:
Supports live-reload of rule configuration from a ConfigMap.
Has useful liveness and readiness hooks to enable safe deploys.
Emits JSON-formatted logs.
Emits Prometheus metrics.
This code is a work in progress and is meant as a simple proof of concept. File an issue or talk to @mattmoyer if you have ideas or want to help.
# If true, ModSecurity will not block requests it thinks are malicious. detectionOnly: false # The TCP port on which Nginx should listen for requests. listenPort: 80 # The TCP port to which Nginx should forward requests. # Your application should be configured to listen on 127.0.0.1:8080. backendPort: 8080 # Emit logs in JSON format (default is a text-based format) logFormat: json # Log at INFO level (includes alerts). logLevel: info # Prepend zero or more rules to the ModSecurity Core Rule Set. prependRules:  # Append zero or more rules to the ModSecurity Core Rule Set. appendRules: # For example, change the default "block" action to a redirect: - SecDefaultAction "phase:1,nolog,auditlog,redirect:https://bit.ly/2GtuuDZ" - SecDefaultAction "phase:2,nolog,auditlog,redirect:https://bit.ly/2GtuuDZ"
This product includes GeoLite2 data created by MaxMind, available from https://maxmind.com.