From 4c5c9a757c9a080ed20357c9efdac11d62b114bb Mon Sep 17 00:00:00 2001 From: oseoin Date: Tue, 2 Jul 2024 20:41:46 +0100 Subject: [PATCH] Initial test data for ingress NAP and VS DOS templates (#5922) --- .../version1/__snapshots__/template_test.snap | 98 ++++++++++-- internal/configs/version1/nginx-plus.tmpl | 2 +- internal/configs/version1/template_test.go | 141 ++++++++++++------ .../__snapshots__/templates_test.snap | 19 +++ internal/configs/version2/templates_test.go | 14 ++ 5 files changed, 217 insertions(+), 57 deletions(-) diff --git a/internal/configs/version1/__snapshots__/template_test.snap b/internal/configs/version1/__snapshots__/template_test.snap index 6eb1b9216a..913e95100b 100644 --- a/internal/configs/version1/__snapshots__/template_test.snap +++ b/internal/configs/version1/__snapshots__/template_test.snap @@ -130,6 +130,8 @@ daemon off; error_log stderr ; pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_http_app_protect_module.so; +load_module modules/ngx_http_app_protect_dos_module.so; load_module modules/ngx_fips_check_module.so; load_module modules/ngx_http_js_module.so; @@ -156,7 +158,20 @@ http { default $upstream_trailer_grpc_status; '' $sent_http_grpc_status; } + log_format log_dos escape=json + '$remote_addr - $remote_user [$time_local]' + ' "$request" $status $body_bytes_sent ' + ' "$http_referer" "$http_user_agent"' + ; + app_protect_dos_arb_fqdn arb.test.server.com; access_log /dev/stdout main; + app_protect_failure_mode_action pass; + app_protect_compressed_requests_action pass; + app_protect_cookie_seed ABCDEFGHIJKLMNOP; + app_protect_cpu_thresholds high=low=100; + app_protect_physical_memory_util_thresholds high=low=100; + app_protect_reconnect_period_seconds 10; + include /etc/nginx/waf/nac-usersigs/index.conf; sendfile on; #tcp_nopush on; @@ -251,9 +266,6 @@ stream { include /etc/nginx/stream-conf.d/*.conf; } -mgmt { - usage_report interval=0s; -} --- 
@@ -293,6 +305,7 @@ http { default $upstream_trailer_grpc_status; '' $sent_http_grpc_status; } + app_protect_enforcer_address enforcer.svc.local; access_log /dev/stdout main; sendfile on; @@ -530,6 +543,21 @@ server { set $resource_type "ingress"; set $resource_name "cafe-ingress"; set $resource_namespace "default"; + app_protect_enable on; + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + app_protect_security_log_enable on; + app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf syslog:server=127.0.0.1:514; + app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf2; + + app_protect_dos_enable on; + app_protect_dos_policy_file /test/policy.json; + app_protect_dos_security_log_enable on; + app_protect_dos_security_log /test/logConf.json; + set $loggable '0'; + # app-protect-dos module will set it to '1' if a request doesn't pass the rate limit + access_log /var/log/dos log_dos if=$loggable; + app_protect_dos_monitor uri=/path/to/monitor protocol=http1 timeout=30; + app_protect_dos_name "testdos"; if ($scheme = http) { @@ -610,6 +638,21 @@ server { set $resource_type "ingress"; set $resource_name "cafe-ingress"; set $resource_namespace "default"; + app_protect_enable on; + app_protect_policy_file /etc/nginx/waf/nac-policies/default-dataguard-alarm; + app_protect_security_log_enable on; + app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf syslog:server=127.0.0.1:514; + app_protect_security_log /etc/nginx/waf/nac-logconfs/test_logconf2; + + app_protect_dos_enable on; + app_protect_dos_policy_file /test/policy.json; + app_protect_dos_security_log_enable on; + app_protect_dos_security_log /test/logConf.json; + set $loggable '0'; + # app-protect-dos module will set it to '1' if a request doesn't pass the rate limit + access_log /var/log/dos log_dos if=$loggable; + app_protect_dos_monitor uri=/path/to/monitor protocol=http1 timeout=30; + app_protect_dos_name "testdos"; if ($scheme = http) { 
@@ -2343,6 +2386,8 @@ daemon off; error_log stderr ; pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_http_app_protect_module.so; +load_module modules/ngx_http_app_protect_dos_module.so; load_module modules/ngx_fips_check_module.so; load_module modules/ngx_http_js_module.so; @@ -2369,7 +2414,20 @@ http { default $upstream_trailer_grpc_status; '' $sent_http_grpc_status; } + log_format log_dos escape=json + '$remote_addr - $remote_user [$time_local]' + ' "$request" $status $body_bytes_sent ' + ' "$http_referer" "$http_user_agent"' + ; + app_protect_dos_arb_fqdn arb.test.server.com; access_log /dev/stdout main; + app_protect_failure_mode_action pass; + app_protect_compressed_requests_action pass; + app_protect_cookie_seed ABCDEFGHIJKLMNOP; + app_protect_cpu_thresholds high=low=100; + app_protect_physical_memory_util_thresholds high=low=100; + app_protect_reconnect_period_seconds 10; + include /etc/nginx/waf/nac-usersigs/index.conf; sendfile on; #tcp_nopush on; @@ -2464,9 +2522,6 @@ stream { include /etc/nginx/stream-conf.d/*.conf; } -mgmt { - usage_report interval=0s; -} --- @@ -2480,6 +2535,8 @@ daemon off; error_log stderr ; pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_http_app_protect_module.so; +load_module modules/ngx_http_app_protect_dos_module.so; load_module modules/ngx_fips_check_module.so; load_module modules/ngx_http_js_module.so; 
@@ -2506,7 +2563,18 @@ http { default $upstream_trailer_grpc_status; '' $sent_http_grpc_status; } + log_format log_dos ', vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, ' + 'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, ' + 'ip_tls=$remote_addr:$app_protect_dos_tls_fp, '; + app_protect_dos_arb_fqdn arb.test.server.com; access_log /dev/stdout main; + app_protect_failure_mode_action pass; + app_protect_compressed_requests_action pass; + app_protect_cookie_seed ABCDEFGHIJKLMNOP; + app_protect_cpu_thresholds high=low=100; + app_protect_physical_memory_util_thresholds high=low=100; + app_protect_reconnect_period_seconds 10; + include /etc/nginx/waf/nac-usersigs/index.conf; sendfile on; #tcp_nopush on; @@ -2618,6 +2686,8 @@ daemon off; error_log stderr ; pid /var/lib/nginx/nginx.pid; +load_module modules/ngx_http_app_protect_module.so; +load_module modules/ngx_http_app_protect_dos_module.so; load_module modules/ngx_fips_check_module.so; load_module modules/ngx_http_js_module.so; @@ -2644,7 +2714,20 @@ http { default $upstream_trailer_grpc_status; '' $sent_http_grpc_status; } + log_format log_dos escape=json + '$remote_addr - $remote_user [$time_local]' + ' "$request" $status $body_bytes_sent ' + ' "$http_referer" "$http_user_agent"' + ; + app_protect_dos_arb_fqdn arb.test.server.com; access_log /dev/stdout main; + app_protect_failure_mode_action pass; + app_protect_compressed_requests_action pass; + app_protect_cookie_seed ABCDEFGHIJKLMNOP; + app_protect_cpu_thresholds high=low=100; + app_protect_physical_memory_util_thresholds high=low=100; + app_protect_reconnect_period_seconds 10; + include /etc/nginx/waf/nac-usersigs/index.conf; sendfile on; #tcp_nopush on; @@ -2739,9 +2822,6 @@ stream { include /etc/nginx/stream-conf.d/*.conf; } -mgmt { - usage_report interval=0s; -} --- 
diff --git a/internal/configs/version1/nginx-plus.tmpl b/internal/configs/version1/nginx-plus.tmpl index c62c8b71f1..da4f18a65b 100644 --- a/internal/configs/version1/nginx-plus.tmpl +++ b/internal/configs/version1/nginx-plus.tmpl @@ -75,7 +75,7 @@ http { {{range $i, $value := .AppProtectDosLogFormat -}} {{with $value}}'{{if $i}} {{end}}{{$value}}' {{end}}{{end}}; - {{- else -}} + {{- else }} log_format log_dos ', vs_name_al=$app_protect_dos_vs_name, ip=$remote_addr, tls_fp=$app_protect_dos_tls_fp, ' 'outcome=$app_protect_dos_outcome, reason=$app_protect_dos_outcome_reason, ' 'ip_tls=$remote_addr:$app_protect_dos_tls_fp, '; diff --git a/internal/configs/version1/template_test.go b/internal/configs/version1/template_test.go index ef5c9f020e..19088a40e2 100644 --- a/internal/configs/version1/template_test.go +++ b/internal/configs/version1/template_test.go @@ -1751,6 +1751,22 @@ var ( LoginURL: "https://test.example.com/login", }, }, + AppProtectEnable: "on", + AppProtectPolicy: "/etc/nginx/waf/nac-policies/default-dataguard-alarm", + AppProtectLogConfs: []string{ + "/etc/nginx/waf/nac-logconfs/test_logconf syslog:server=127.0.0.1:514", + "/etc/nginx/waf/nac-logconfs/test_logconf2", + }, + AppProtectLogEnable: "on", + AppProtectDosEnable: "on", + AppProtectDosPolicyFile: "/test/policy.json", + AppProtectDosLogConfFile: "/test/logConf.json", + AppProtectDosLogEnable: true, + AppProtectDosMonitorURI: "/path/to/monitor", + AppProtectDosMonitorProtocol: "http1", + AppProtectDosMonitorTimeout: 30, + AppProtectDosName: "testdos", + AppProtectDosAccessLogDst: "/var/log/dos", }, }, Upstreams: []Upstream{testUpstream}, 
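Review bot: The `{{- else -}}` → `{{- else }}` change in nginx-plus.tmpl is the only non-test change in this commit and neither the commit message nor the template explains it; dropping the trailing trim keeps the newline so the built-in `log_format log_dos` directive is emitted on its own line instead of being glued to whatever precedes the `{{if}}`, which is presumably what the new version1 snapshot for the default-format fixture now shows. A short template comment on that line, e.g. `{{/* keep the newline: log_format must start on its own line in the rendered snapshot */}}`, or a mention in the commit message, would stop the next editor from "tidying" it back to `-}}`. The `{{if .AppProtectDosLogFormat}}` that this `else` belongs to begins before the hunk.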
@@ -1982,29 +1998,46 @@ var ( } mainCfg = MainConfig{ - DefaultHTTPListenerPort: 80, - DefaultHTTPSListenerPort: 443, - ServerNamesHashMaxSize: "512", - ServerTokens: "off", - WorkerProcesses: "auto", - WorkerCPUAffinity: "auto", - WorkerShutdownTimeout: "1m", - WorkerConnections: "1024", - WorkerRlimitNofile: "65536", - LogFormat: []string{"$remote_addr", "$remote_user"}, - LogFormatEscaping: "default", - StreamSnippets: []string{"# comment"}, - StreamLogFormat: []string{"$remote_addr", "$remote_user"}, - StreamLogFormatEscaping: "none", - ResolverAddresses: []string{"example.com", "127.0.0.1"}, - ResolverIPV6: false, - ResolverValid: "10s", - ResolverTimeout: "15s", - KeepaliveTimeout: "65s", - KeepaliveRequests: 100, - VariablesHashBucketSize: 256, - VariablesHashMaxSize: 1024, - NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), + DefaultHTTPListenerPort: 80, + DefaultHTTPSListenerPort: 443, + ServerNamesHashMaxSize: "512", + ServerTokens: "off", + WorkerProcesses: "auto", + WorkerCPUAffinity: "auto", + WorkerShutdownTimeout: "1m", + WorkerConnections: "1024", + WorkerRlimitNofile: "65536", + LogFormat: []string{"$remote_addr", "$remote_user"}, + LogFormatEscaping: "default", + StreamSnippets: []string{"# comment"}, + StreamLogFormat: []string{"$remote_addr", "$remote_user"}, + StreamLogFormatEscaping: "none", + ResolverAddresses: []string{"example.com", "127.0.0.1"}, + ResolverIPV6: false, + ResolverValid: "10s", + ResolverTimeout: "15s", + KeepaliveTimeout: "65s", + KeepaliveRequests: 100, + VariablesHashBucketSize: 256, + VariablesHashMaxSize: 1024, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r30)"), + AppProtectLoadModule: true, + AppProtectV5LoadModule: false, + AppProtectV5EnforcerAddr: "", + AppProtectFailureModeAction: "pass", + AppProtectCompressedRequestsAction: "pass", + AppProtectCookieSeed: "ABCDEFGHIJKLMNOP", + AppProtectCPUThresholds: "high=low=100", + AppProtectPhysicalMemoryThresholds: 
"high=low=100", + AppProtectReconnectPeriod: "10", + AppProtectDosLoadModule: true, + AppProtectDosLogFormat: []string{ + "$remote_addr - $remote_user [$time_local]", + "\"$request\" $status $body_bytes_sent ", + "\"$http_referer\" \"$http_user_agent\"", + }, + AppProtectDosLogFormatEscaping: "json", + AppProtectDosArbFqdn: "arb.test.server.com", } mainCfgR31 = MainConfig{ 
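Review bot: The NginxVersion string in the mainCfg fixture changes from `nginx-plus-r31` to `nginx-plus-r30` in this hunk, which the commit message does not mention and which coincides with three template_test.snap hunks losing their `mgmt { usage_report interval=0s; }` block, so r31-specific rendering for this fixture is presumably no longer covered by mainCfg. If the downgrade is deliberate (mainCfgR31 already targets r31), a one-line comment on that field such as `// r30: keep this fixture on the pre-mgmt-block rendering path` would make the coverage change intentional rather than something that looks like a copy-paste slip. The AppProtect*/AppProtectDos* block added here is also repeated almost verbatim in the mainCfgHTTP2On hunk that follows; a small helper returning a base MainConfig with those fields set, copied into both fixtures, would keep the two from drifting. The enclosing `var (` block starts before this hunk.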
@@ -2031,33 +2064,47 @@ var ( VariablesHashBucketSize: 256, VariablesHashMaxSize: 1024, NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), + AppProtectV5LoadModule: true, + AppProtectV5EnforcerAddr: "enforcer.svc.local", } mainCfgHTTP2On = MainConfig{ - DefaultHTTPListenerPort: 80, - DefaultHTTPSListenerPort: 443, - HTTP2: true, - ServerNamesHashMaxSize: "512", - ServerTokens: "off", - WorkerProcesses: "auto", - WorkerCPUAffinity: "auto", - WorkerShutdownTimeout: "1m", - WorkerConnections: "1024", - WorkerRlimitNofile: "65536", - LogFormat: []string{"$remote_addr", "$remote_user"}, - LogFormatEscaping: "default", - StreamSnippets: []string{"# comment"}, - StreamLogFormat: []string{"$remote_addr", "$remote_user"}, - StreamLogFormatEscaping: "none", - ResolverAddresses: []string{"example.com", "127.0.0.1"}, - ResolverIPV6: false, - ResolverValid: "10s", - ResolverTimeout: "15s", - KeepaliveTimeout: "65s", - KeepaliveRequests: 100, - VariablesHashBucketSize: 256, - VariablesHashMaxSize: 1024, - NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), + DefaultHTTPListenerPort: 80, + DefaultHTTPSListenerPort: 443, + HTTP2: true, + ServerNamesHashMaxSize: "512", + ServerTokens: "off", + WorkerProcesses: "auto", + WorkerCPUAffinity: "auto", + WorkerShutdownTimeout: "1m", + WorkerConnections: "1024", + WorkerRlimitNofile: "65536", + LogFormat: []string{"$remote_addr", "$remote_user"}, + LogFormatEscaping: "default", + StreamSnippets: []string{"# comment"}, + StreamLogFormat: []string{"$remote_addr", "$remote_user"}, + StreamLogFormatEscaping: "none", + ResolverAddresses: []string{"example.com", "127.0.0.1"}, + ResolverIPV6: false, + ResolverValid: "10s", + ResolverTimeout: "15s", + KeepaliveTimeout: "65s", + KeepaliveRequests: 100, + VariablesHashBucketSize: 256, + VariablesHashMaxSize: 1024, + NginxVersion: nginx.NewVersion("nginx version: nginx/1.25.3 (nginx-plus-r31)"), + AppProtectLoadModule: true, + 
AppProtectV5LoadModule: false, + AppProtectV5EnforcerAddr: "", + AppProtectFailureModeAction: "pass", + AppProtectCompressedRequestsAction: "pass", + AppProtectCookieSeed: "ABCDEFGHIJKLMNOP", + AppProtectCPUThresholds: "high=low=100", + AppProtectPhysicalMemoryThresholds: "high=low=100", + AppProtectReconnectPeriod: "10", + AppProtectDosLoadModule: true, + AppProtectDosLogFormat: []string{}, + AppProtectDosArbFqdn: "arb.test.server.com", } mainCfgCustomTLSPassthroughPort = MainConfig{ diff --git a/internal/configs/version2/__snapshots__/templates_test.snap b/internal/configs/version2/__snapshots__/templates_test.snap index c39644ec92..4fa5c98686 100644 --- a/internal/configs/version2/__snapshots__/templates_test.snap +++ b/internal/configs/version2/__snapshots__/templates_test.snap @@ -177,6 +177,15 @@ server { + app_protect_dos_enable on; + app_protect_dos_name "my-dos-coffee"; + app_protect_dos_policy_file /test/policy.json; + app_protect_dos_security_log_enable on; + app_protect_dos_security_log /test/log.json; + set $loggable '0'; + # app-protect-dos module will set it to '1' if a request doesn't pass the rate limit + access_log svc.dns.com:123 log_dos if=$loggable; + app_protect_dos_monitor uri=test.example.com protocol=http timeout=30; # server snippet location /split { rewrite ^ @split_0 last; @@ -609,6 +618,15 @@ server { + app_protect_dos_enable on; + app_protect_dos_name "my-dos-coffee"; + app_protect_dos_policy_file /test/policy.json; + app_protect_dos_security_log_enable on; + app_protect_dos_security_log /test/log.json; + set $loggable '0'; + # app-protect-dos module will set it to '1' if a request doesn't pass the rate limit + access_log svc.dns.com:123 log_dos if=$loggable; + app_protect_dos_monitor uri=test.example.com protocol=http timeout=30; # server snippet location /split { rewrite ^ @split_0 last; @@ -1976,6 +1994,7 @@ server { + app_protect_dos_enable on; # server snippet location /split { rewrite ^ @split_0 last; 
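Review bot: `AppProtectDosLogFormat: []string{}` in mainCfgHTTP2On, with no AppProtectDosLogFormatEscaping set, is presumably what makes the template fall through to its built-in `log_format log_dos` branch (the `{{- else }}` path touched in nginx-plus.tmpl in this commit), but nothing in the fixture says so, and next to mainCfg's populated slice it reads like an unfinished copy. A comment on that line, e.g. `// empty on purpose: exercises the template's built-in log_dos format`, would record the intent. The mainCfgHTTP2On declaration begins inside the hunk, but the enclosing `var (` block starts before it.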
diff --git a/internal/configs/version2/templates_test.go b/internal/configs/version2/templates_test.go
index b01bb5c38b..0e4f8ead22 100644
--- a/internal/configs/version2/templates_test.go
+++ b/internal/configs/version2/templates_test.go
@@ -694,6 +694,17 @@ func vsConfig() VirtualServerConfig {
 Enable: "on",
 ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"},
 },
+ Dos: &Dos{
+ Enable: "on",
+ Name: "my-dos-coffee",
+ ApDosMonitorURI: "test.example.com",
+ ApDosMonitorProtocol: "http",
+ ApDosAccessLogDest: "svc.dns.com:123",
+ ApDosPolicy: "/test/policy.json",
+ ApDosSecurityLogEnable: true,
+ ApDosLogConf: "/test/log.json",
+ ApDosMonitorTimeout: 30,
+ },
 Snippets: []string{"# server snippet"},
 InternalRedirectLocations: []InternalRedirectLocation{
 {
@@ -1394,6 +1405,9 @@ var (
 Enable: "on",
 ApLogConf: []string{"/etc/nginx/waf/nac-logconfs/default-logconf"},
 },
+ Dos: &Dos{
+ Enable: "on",
+ },
 Snippets: []string{"# server snippet"},
 InternalRedirectLocations: []InternalRedirectLocation{
 {
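Review bot: `ApDosAccessLogDest: "svc.dns.com:123"` in the vsConfig fixture renders as `access_log svc.dns.com:123 log_dos if=$loggable;` in the new templates_test.snap, which nginx would treat as a relative file path rather than a syslog target, so the snapshot documents a config that is not what a host:port destination is meant to produce. If the fixture is meant to model the syslog destination of the DoS resource, the value should carry the `syslog:server=` prefix in whatever form the controller actually passes into `Dos` (worth checking against the code that builds it, which is outside this diff); if it is just a placeholder, a comment such as `// placeholder; not a valid access_log destination` on that field would stop the snapshot from being read as a working example. The second hunk's minimal `Dos: &Dos{Enable: "on"}` renders only `app_protect_dos_enable on;` with no policy or name, which is fine as a template test but also deserves a one-line comment saying the bare form is intentional.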