Initial test data for ingress NAP and VS DOS templates (#5922)
oseoin authored Jul 2, 2024
1 parent 99ad023 commit 4c5c9a7
Showing 5 changed files with 217 additions and 57 deletions.
98 changes: 89 additions & 9 deletions internal/configs/version1/__snapshots__/template_test.snap
Expand Up @@ -130,6 +130,8 @@ daemon off;
error_log stderr ;
pid /var/lib/nginx/nginx.pid;
load_module modules/ngx_http_app_protect_module.so;
load_module modules/ngx_http_app_protect_dos_module.so;
load_module modules/ngx_fips_check_module.so;
load_module modules/ngx_http_js_module.so;
Expand All @@ -156,7 +158,20 @@ http {
default $upstream_trailer_grpc_status;
'' $sent_http_grpc_status;
}
log_format log_dos escape=json
'$remote_addr - $remote_user [$time_local]'
' "$request" $status $body_bytes_sent '
' "$http_referer" "$http_user_agent"'
;
app_protect_dos_arb_fqdn arb.test.server.com;
access_log /dev/stdout main;
app_protect_failure_mode_action pass;
app_protect_compressed_requests_action pass;
app_protect_cookie_seed ABCDEFGHIJKLMNOP;
app_protect_cpu_thresholds high=low=100;
app_protect_physical_memory_util_thresholds high=low=100;
app_protect_reconnect_period_seconds 10;
include /etc/nginx/waf/nac-usersigs/index.conf;
sendfile on;
#tcp_nopush on;
Expand Down Expand Up @@ -251,9 +266,6 @@ stream {
include /etc/nginx/stream-conf.d/*.conf;
}
mgmt {
usage_report interval=0s;
}
---
Expand Down Expand Up @@ -293,6 +305,7 @@ http {
default $upstream_trailer_grpc_status;
'' $sent_http_grpc_status;
}
app_protect_enforcer_address enforcer.svc.local;
access_log /dev/stdout main;
sendfile on;
Expand Down Expand Up @@ -530,6 +543,21 @@ server {
set $resource_type "ingress";
set $resource_name "cafe-ingress";
set $resource_namespace "default";
app_protect_enable on;
app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm;
app_protect_security_log_enable on;
app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf syslog:server=127.0.0.1:514;
app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf2;
app_protect_dos_enable on;
app_protect_dos_policy_file /test/policy.json;
app_protect_dos_security_log_enable on;
app_protect_dos_security_log /test/logConf.json;
set $loggable '0';
# app-protect-dos module will set it to '1' if a request doesn't pass the rate limit
access_log /var/log/dos log_dos if=$loggable;
app_protect_dos_monitor uri=/path/to/monitor protocol=http1 timeout=30;
app_protect_dos_name "testdos";
if ($scheme = http) {
Expand Down Expand Up @@ -610,6 +638,21 @@ server {
set $resource_type "ingress";
set $resource_name "cafe-ingress";
set $resource_namespace "default";
app_protect_enable on;
app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm;
app_protect_security_log_enable on;
app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf syslog:server=127.0.0.1:514;
app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf2;
app_protect_dos_enable on;
app_protect_dos_policy_file /test/policy.json;
app_protect_dos_security_log_enable on;
app_protect_dos_security_log /test/logConf.json;
set $loggable '0';
# app-protect-dos module will set it to '1' if a request doesn't pass the rate limit
access_log /var/log/dos log_dos if=$loggable;
app_protect_dos_monitor uri=/path/to/monitor protocol=http1 timeout=30;
app_protect_dos_name "testdos";
if ($scheme = http) {
Expand Down Expand Up @@ -2343,6 +2386,8 @@ daemon off;
error_log stderr ;
pid /var/lib/nginx/nginx.pid;
load_module modules/ngx_http_app_protect_module.so;
load_module modules/ngx_http_app_protect_dos_module.so;
load_module modules/ngx_fips_check_module.so;
load_module modules/ngx_http_js_module.so;
Expand All @@ -2369,7 +2414,20 @@ http {
default $upstream_trailer_grpc_status;
'' $sent_http_grpc_status;
}
log_format log_dos escape=json
'$remote_addr - $remote_user [$time_local]'
' "$request" $status $body_bytes_sent '
' "$http_referer" "$http_user_agent"'
;
app_protect_dos_arb_fqdn arb.test.server.com;
access_log /dev/stdout main;
app_protect_failure_mode_action pass;
app_protect_compressed_requests_action pass;
app_protect_cookie_seed ABCDEFGHIJKLMNOP;
app_protect_cpu_thresholds high=low=100;
app_protect_physical_memory_util_thresholds high=low=100;
app_protect_reconnect_period_seconds 10;
include /etc/nginx/waf/nac-usersigs/index.conf;
sendfile on;
#tcp_nopush on;
Expand Down Expand Up @@ -2464,9 +2522,6 @@ stream {
include /etc/nginx/stream-conf.d/*.conf;
}
mgmt {
usage_report interval=0s;
}
---
Expand All @@ -2480,6 +2535,8 @@ daemon off;
error_log stderr ;
pid /var/lib/nginx/nginx.pid;
load_module modules/ngx_http_app_protect_module.so;
load_module modules/ngx_http_app_protect_dos_module.so;
load_module modules/ngx_fips_check_module.so;
load_module modules/ngx_http_js_module.so;
Expand All @@ -2506,7 +2563,18 @@ http {
default $upstream_trailer_grpc_status;
'' $sent_http_grpc_status;
}
log_format log_dos ', vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, '
'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, '
'ip_tls=$remote_addr:$app_protect_dos_tls_fp, ';
app_protect_dos_arb_fqdn arb.test.server.com;
access_log /dev/stdout main;
app_protect_failure_mode_action pass;
app_protect_compressed_requests_action pass;
app_protect_cookie_seed ABCDEFGHIJKLMNOP;
app_protect_cpu_thresholds high=low=100;
app_protect_physical_memory_util_thresholds high=low=100;
app_protect_reconnect_period_seconds 10;
include /etc/nginx/waf/nac-usersigs/index.conf;
sendfile on;
#tcp_nopush on;
Expand Down Expand Up @@ -2618,6 +2686,8 @@ daemon off;
error_log stderr ;
pid /var/lib/nginx/nginx.pid;
load_module modules/ngx_http_app_protect_module.so;
load_module modules/ngx_http_app_protect_dos_module.so;
load_module modules/ngx_fips_check_module.so;
load_module modules/ngx_http_js_module.so;
Expand All @@ -2644,7 +2714,20 @@ http {
default $upstream_trailer_grpc_status;
'' $sent_http_grpc_status;
}
log_format log_dos escape=json
'$remote_addr - $remote_user [$time_local]'
' "$request" $status $body_bytes_sent '
' "$http_referer" "$http_user_agent"'
;
app_protect_dos_arb_fqdn arb.test.server.com;
access_log /dev/stdout main;
app_protect_failure_mode_action pass;
app_protect_compressed_requests_action pass;
app_protect_cookie_seed ABCDEFGHIJKLMNOP;
app_protect_cpu_thresholds high=low=100;
app_protect_physical_memory_util_thresholds high=low=100;
app_protect_reconnect_period_seconds 10;
include /etc/nginx/waf/nac-usersigs/index.conf;
sendfile on;
#tcp_nopush on;
Expand Down Expand Up @@ -2739,9 +2822,6 @@ stream {
include /etc/nginx/stream-conf.d/*.conf;
}
mgmt {
usage_report interval=0s;
}
---
2 changes: 1 addition & 1 deletion internal/configs/version1/nginx-plus.tmpl
Expand Up @@ -75,7 +75,7 @@ http {
{{range $i, $value := .AppProtectDosLogFormat -}}
{{with $value}}'{{if $i}} {{end}}{{$value}}'
{{end}}{{end}};
{{- else -}}
{{- else }}
log_format log_dos ', vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, '
'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, '
'ip_tls=$remote_addr:$app_protect_dos_tls_fp, ';
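--- a/internal/configs/version1/template_test.go
+++ b/internal/configs/version1/template_test.go
@@ -1751,6 +1751,22 @@ var (
 LoginURL: "https://test.example.com/login",
 },
 },
+AppProtectEnable: "on",
+AppProtectPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm",
+AppProtectLogConfs: []string{
+"/etc/nginx/waf/nac-logconfs/test_logconf syslog:server=127.0.0.1:514",
+"/etc/nginx/waf/nac-logconfs/test_logconf2",
+},
+AppProtectLogEnable: "on",
+AppProtectDosEnable: "on",
+AppProtectDosPolicyFile: "/test/policy.json",
+AppProtectDosLogConfFile: "/test/logConf.json",
+AppProtectDosLogEnable: true,
+AppProtectDosMonitorURI: "/path/to/monitor",
+AppProtectDosMonitorProtocol: "http1",
+AppProtectDosMonitorTimeout: 30,
+AppProtectDosName: "testdos",
+AppProtectDosAccessLogDst: "/var/log/dos",
 },
 },
 Upstreams: []Upstream{testUpstream},
@@ -1982,29 +1998,46 @@ var (
 }
 
 mainCfg = MainConfig{
-DefaultHTTPListenerPort: 80,
-DefaultHTTPSListenerPort: 443,
-ServerNamesHashMaxSize: "512",
-ServerTokens: "off",
-WorkerProcesses: "auto",
-WorkerCPUAffinity: "auto",
-WorkerShutdownTimeout: "1m",
-WorkerConnections: "1024",
-WorkerRlimitNofile: "65536",
-LogFormat: []string{"$remote_addr", "$remote_user"},
-LogFormatEscaping: "default",
-StreamSnippets: []string{"# comment"},
-StreamLogFormat: []string{"$remote_addr", "$remote_user"},
-StreamLogFormatEscaping: "none",
-ResolverAddresses: []string{"example.com", "127.0.0.1"},
-ResolverIPV6: false,
-ResolverValid: "10s",
-ResolverTimeout: "15s",
-KeepaliveTimeout: "65s",
-KeepaliveRequests: 100,
-VariablesHashBucketSize: 256,
-VariablesHashMaxSize: 1024,
-NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"),
+DefaultHTTPListenerPort: 80,
+DefaultHTTPSListenerPort: 443,
+ServerNamesHashMaxSize: "512",
+ServerTokens: "off",
+WorkerProcesses: "auto",
+WorkerCPUAffinity: "auto",
+WorkerShutdownTimeout: "1m",
+WorkerConnections: "1024",
+WorkerRlimitNofile: "65536",
+LogFormat: []string{"$remote_addr", "$remote_user"},
+LogFormatEscaping: "default",
+StreamSnippets: []string{"# comment"},
+StreamLogFormat: []string{"$remote_addr", "$remote_user"},
+StreamLogFormatEscaping: "none",
+ResolverAddresses: []string{"example.com", "127.0.0.1"},
+ResolverIPV6: false,
+ResolverValid: "10s",
+ResolverTimeout: "15s",
+KeepaliveTimeout: "65s",
+KeepaliveRequests: 100,
+VariablesHashBucketSize: 256,
+VariablesHashMaxSize: 1024,
+NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r30)"),
+AppProtectLoadModule: true,
+AppProtectV5LoadModule: false,
+AppProtectV5EnforcerAddr: "",
+AppProtectFailureModeAction: "pass",
+AppProtectCompressedRequestsAction: "pass",
+AppProtectCookieSeed: "ABCDEFGHIJKLMNOP",
+AppProtectCPUThresholds: "high=low=100",
+AppProtectPhysicalMemoryThresholds: "high=low=100",
+AppProtectReconnectPeriod: "10",
+AppProtectDosLoadModule: true,
+AppProtectDosLogFormat: []string{
+"$remote_addr - $remote_user [$time_local]",
+"\"$request\" $status $body_bytes_sent ",
+"\"$http_referer\" \"$http_user_agent\"",
+},
+AppProtectDosLogFormatEscaping: "json",
+AppProtectDosArbFqdn: "arb.test.server.com",
 }
 
 mainCfgR31 = MainConfig{
@@ -2031,33 +2064,47 @@ var (
 VariablesHashBucketSize: 256,
 VariablesHashMaxSize: 1024,
 NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"),
+AppProtectV5LoadModule: true,
+AppProtectV5EnforcerAddr: "enforcer.svc.local",
 }
 
 mainCfgHTTP2On = MainConfig{
-DefaultHTTPListenerPort: 80,
-DefaultHTTPSListenerPort: 443,
-HTTP2: true,
-ServerNamesHashMaxSize: "512",
-ServerTokens: "off",
-WorkerProcesses: "auto",
-WorkerCPUAffinity: "auto",
-WorkerShutdownTimeout: "1m",
-WorkerConnections: "1024",
-WorkerRlimitNofile: "65536",
-LogFormat: []string{"$remote_addr", "$remote_user"},
-LogFormatEscaping: "default",
-StreamSnippets: []string{"# comment"},
-StreamLogFormat: []string{"$remote_addr", "$remote_user"},
-StreamLogFormatEscaping: "none",
-ResolverAddresses: []string{"example.com", "127.0.0.1"},
-ResolverIPV6: false,
-ResolverValid: "10s",
-ResolverTimeout: "15s",
-KeepaliveTimeout: "65s",
-KeepaliveRequests: 100,
-VariablesHashBucketSize: 256,
-VariablesHashMaxSize: 1024,
-NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"),
+DefaultHTTPListenerPort: 80,
+DefaultHTTPSListenerPort: 443,
+HTTP2: true,
+ServerNamesHashMaxSize: "512",
+ServerTokens: "off",
+WorkerProcesses: "auto",
+WorkerCPUAffinity: "auto",
+WorkerShutdownTimeout: "1m",
+WorkerConnections: "1024",
+WorkerRlimitNofile: "65536",
+LogFormat: []string{"$remote_addr", "$remote_user"},
+LogFormatEscaping: "default",
+StreamSnippets: []string{"# comment"},
+StreamLogFormat: []string{"$remote_addr", "$remote_user"},
+StreamLogFormatEscaping: "none",
+ResolverAddresses: []string{"example.com", "127.0.0.1"},
+ResolverIPV6: false,
+ResolverValid: "10s",
+ResolverTimeout: "15s",
+KeepaliveTimeout: "65s",
+KeepaliveRequests: 100,
+VariablesHashBucketSize: 256,
+VariablesHashMaxSize: 1024,
+NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"),
+AppProtectLoadModule: true,
+AppProtectV5LoadModule: false,
+AppProtectV5EnforcerAddr: "",
+AppProtectFailureModeAction: "pass",
+AppProtectCompressedRequestsAction: "pass",
+AppProtectCookieSeed: "ABCDEFGHIJKLMNOP",
+AppProtectCPUThresholds: "high=low=100",
+AppProtectPhysicalMemoryThresholds: "high=low=100",
+AppProtectReconnectPeriod: "10",
+AppProtectDosLoadModule: true,
+AppProtectDosLogFormat: []string{},
+AppProtectDosArbFqdn: "arb.test.server.com",
 }
 
 mainCfgCustomTLSPassthroughPort = MainConfig{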
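Review bot: The rewritten `mainCfg` literal also changes `NginxVersion` from `nginx-plus-r31` to `nginx-plus-r30` (old line versus new line directly under `mainCfg = MainConfig{`), which is unrelated to the NAP and DoS test data the commit adds and appears to be what drops the `mgmt { usage_report interval=0s; }` block from three snapshots in the same commit. If the downgrade is deliberate so that `mainCfg` and `mainCfgR31` exercise different release branches, a one-line comment on that field, `// R30 on purpose: no mgmt block in the snapshot; R31 is covered by mainCfgR31`, would stop the next reader from reverting it as a typo. Separately, the new `mainCfgHTTP2On` literal repeats every field of `mainCfg` with only `HTTP2: true` and an empty `AppProtectDosLogFormat` differing, so the two fixtures will drift apart; deriving it from a copy of `mainCfg` in an init function and overriding those two fields would keep one source of truth. The `var (` block these literals live in starts before the first hunk and continues past the last.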