\u8fd9\u7bc7\u6587\u7ae0\u662fNTT\u30b3\u30e0\u30a6\u30a7\u30a2 Advent Calendar 2022\u7b2c19\u5929\u7684\u6587\u7ae0\u3002
\nhttps:\/\/qiita.com\/advent-calendar\/2022\/nttcomware<\/p>\n
\u4f60\u597d\u3002\u6211\u662fNTT Comware\u7684\u6771\u3002
\n\u5927\u5bb6\u90fd\u5728\u4f7f\u7528Kubernetes(k8s)\u5417\uff1f<\/p>\n
\u5728Kubernetes\u4e2d\uff0cNGINX Ingress Controller\u88ab\u8ba4\u4e3a\u662fIngress\u63a7\u5236\u5668\u7684\u4e8b\u5b9e\u6807\u51c6\u3002\u5b9e\u9645\u4e0a\uff0cNGINX Ingress Controller\u5185\u7f6e\u4e86\u4e00\u4e2a\u540d\u4e3aModSecurity\u7684\u5f00\u6e90Web\u5e94\u7528\u9632\u706b\u5899\uff08WAF\uff09\u5b9e\u73b0\u3002\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0cModSecurity\u5904\u4e8e\u975e\u8fd0\u884c\u72b6\u6001\uff0c\u4f46\u53ea\u9700\u8fdb\u884c\u76f8\u5173\u8bbe\u7f6e\u5c31\u53ef\u4ee5\u542f\u7528\u5b83\u3002\u56e0\u6b64\uff0c\u60a8\u53ef\u4ee5\u514d\u8d39\u5c06Ingress\u8f6c\u5316\u4e3aWAF\u3002\u8fd9\u662f\u4e00\u4e2a\u4e0d\u80fd\u9519\u8fc7\u7684\u529f\u80fd\u3002<\/p>\n
\u90a3\u4e48\uff0c\u5728\u672c\u6587\u4e2d\uff0c\u6211\u5c06\u4ecb\u7ecd\u5982\u4f55\u5728NGINX Ingress Controller\u4e2d\u542f\u7528ModSecurity\u7684WAF\u529f\u80fd\u3002<\/p>\n
\u987a\u4fbf\u63d0\u4e00\u4e0b\uff0c\u672c\u6587\u9488\u5bf9\u5df2\u7ecf\u638c\u63e1Kubernetes\u57fa\u672c\u6982\u5ff5\u548c\u64cd\u4f5c\u6280\u5de7\u7684\u7528\u6237\u3002<\/p>\n
<\/p>\n
\u3042\u304f\u307e\u3067\u81ea\u8eab\u306e\u30b5\u30a4\u30c8\u306e\u30c6\u30b9\u30c8\u76ee\u7684\u3067\u306e\u5229\u7528\u306b\u9650\u308a\u307e\u3059\u3002
\n\u60aa\u7528\u3057\u305f\u5834\u5408\u3001\u4e0d\u6b63\u30a2\u30af\u30bb\u30b9\u7981\u6b62\u6cd5\u7b49\u3067\u8a34\u3048\u3089\u308c\u308b\u53ef\u80fd\u6027\u304c\u3054\u3056\u3044\u307e\u3059\u3002<\/p>\n
\u867d\u7136\u6211\u60f3\u7acb\u5373\u4ecb\u7ecd\u64cd\u4f5c\u6b65\u9aa4\uff0c\u4f46\u5728\u6b64\u4e4b\u524d\uff0c\u8ba9\u6211\u4eec\u7b80\u5355\u4ecb\u7ecd\u4e00\u4e0b\u201cOWASP\u201d\u548c\u201cCRS\u201d\u3002\u82e5\u4f60\u5bf9\u8fd9\u4e9b\u540d\u5b57\u6709\u6240\u4e86\u89e3\uff0c\u53ef\u4ee5\u8df3\u8fc7\u672c\u7ae0\u8282\u3002<\/p>\n
ModSecurity\u6839\u636e\u5b9a\u4e49\u4e86\u8bb8\u591a\u5e94\u89c6\u4e3a\u653b\u51fb\u7684\u8bbf\u95ee\u6a21\u5f0f\u7684\u89c4\u5219\u96c6\u6765\u5224\u65ad\u8bbf\u95ee\u662f\u5426\u4e3a\u653b\u51fb\u3002\u5f53\u524d\u7684ModSecurity\u4ec5\u662f\u4e00\u4e2a\u57fa\u4e8e\u89c4\u5219\u96c6\u8fdb\u884c\u5224\u65ad\u7684\u6a21\u5757\uff0c\u89c4\u5219\u96c6\u4e0eModSecurity\u662f\u5206\u5f00\u5f00\u53d1\u548c\u7ef4\u62a4\u7684\u3002<\/p>\n
\u5728\u8fd9\u4e2a\u89c4\u5219\u96c6\u4e2d\uff0c\u6700\u5f3a\u5927\u7684\u662f\u7531OWASP\u793e\u533a\u7ef4\u62a4\u7684\u540d\u4e3a”\u6838\u5fc3\u89c4\u5219\u96c6”\u7684\u5f00\u6e90\u8f6f\u4ef6\u3002\u5b83\u6709\u65f6\u88ab\u79f0\u4e3a”OWASP ModSecurity CRS”\u6216\u7b80\u79f0\u4e3a”CRS”\u3002<\/p>\n
OWASP\uff08Open Web Application Security Project\uff09 \u662f\u4e00\u4e2a\u5f00\u6e90\u793e\u533a\uff0c\u81f4\u529b\u4e8e\u5728\u8f6f\u4ef6\u548cWeb\u5e94\u7528\u5b89\u5168\u9886\u57df\u8fdb\u884c\u7814\u7a76\u548c\u6307\u5bfc\u6027\u51c6\u5219\u7684\u5236\u5b9a\uff0c\u5f00\u53d1\u6f0f\u6d1e\u8bca\u65ad\u5de5\u5177\uff0c\u4e3e\u529e\u6d3b\u52a8\u7b49\u591a\u65b9\u9762\u7684\u6d3b\u52a8\u3002<\/p>\n
\u521a\u521a\u6211\u63d0\u5230\u300cNGINX Ingress Controller\u4e2d\u5df2\u7ecf\u96c6\u6210\u4e86ModSecurity\u300d\uff0c\u4f46\u5b9e\u9645\u4e0a\u66f4\u51c6\u786e\u7684\u8bf4\u6cd5\u662f\u5b83\u5b9e\u9645\u4e0a\u96c6\u6210\u4e86ModSecurity\u548cCRS\u3002<\/p>\n
\u56e0\u6b64\uff0c\u4ece\u73b0\u5728\u5f00\u59cb\uff0c\u6211\u5c06\u5c55\u793a\u5728NGINX Ingress Controller\u4e2d\u5f15\u5165\u548c\u542f\u7528ModSecurity + CRS\u7684\u6b65\u9aa4\u3002<\/p>\n
\u7b46\u8005\u6240\u7528\u7684\u6e2c\u8a66\u74b0\u5883\u5982\u4e0b\u6240\u793a\u3002\u7121\u8ad6\u5982\u4f55\uff0c\u53ea\u8981\u6709\u904b\u884cNGINX Ingress Controller\u7684k8s\u74b0\u5883\uff0c\u4e0d\u9650\u65bcEKS\uff0c\u90fd\u53ef\u4ee5\u3002<\/p>\n
Kubernetes v1.24.7<\/p>\n
Amazon EKS\u3092\u7528\u3044\u69cb\u7bc9<\/p>\n
NGINX Ingress Controller v1.5.1\u3000\uff08\u3053\u306e\u5f8c\u306e\u624b\u9806\u3067\u5c0e\u5165\uff09<\/p>\n
\u30b3\u30f3\u30c6\u30ca\u30a4\u30e1\u30fc\u30b8\uff1aregistry.k8s.io\/ingress-nginx\/controller:v1.5.1
\n\u540c\u68b1\u30e2\u30b8\u30e5\u30fc\u30eb\uff1a<\/p>\n
ModSecurity v3.0.8
\nOWASP ModSecurity CRS v3.3.4<\/p>\n
\u4f5c\u4e3a\u51c6\u5907\u5de5\u4f5c\uff0c\u6211\u4eec\u5c06\u521b\u5efa\u4e00\u4e2a\u914d\u7f6e\u6587\u4ef6\uff0c\u5176\u4e2d\u5305\u542b\u4e86\u8981\u6784\u5efa\u7684ModSecurity\u7684\u5404\u79cd\u63a8\u8350\u53c2\u6570\u3002
\n\u539f\u56e0\u662f\uff0cNGINX Ingress Controller\u7684\u5bb9\u5668\u955c\u50cf\u5df2\u7ecf\u5b89\u88c5\u4e86ModSecurity\u548cCRS\uff0c\u5e76\u4e14\u914d\u7f6e\u6587\u4ef6\u5df2\u7ecf\u88ab\u90e8\u7f72\uff0c\u4f46\u662f\u8bf7\u6c42\u6b63\u6587\u7684\u68c0\u6d4b\u662f\u65e0\u6548\u7684\uff0c\u6709\u70b9\u4e0d\u592a\u597d\u3002
\n\u6b64\u5916\uff0cNGINX Ingress Controller\u8fd8\u53ef\u4ee5\u4f7f\u7528modsecurity-snippet\u6dfb\u52a0\u4efb\u610f\u7684ModSecurity\u914d\u7f6e\uff0c\u4f46\u662f\u8be5\u65b9\u6cd5\u6709\u4e00\u4e2a\u9650\u5236\uff0c\u5373\u4e0d\u80fd\u8d85\u8fc74096\u4e2a\u5b57\u7b26\uff0c\u56e0\u6b64\u65e0\u6cd5\u6dfb\u52a0\u592a\u591a\u7684\u8bbe\u7f6e\u548c\u89c4\u5219\u3002<\/p>\n
\u56e0\u6b64\uff0c\u5728\u8fd9\u91cc\uff0c\u6211\u4eec\u5c06\u6839\u636eModSecurity\u793e\u533a\u7684\u5efa\u8bae\u521b\u5efa\u914d\u7f6e\u6587\u4ef6\uff0c\u5e76\u5728ConfigMap\u4e2d\u9644\u52a0\u3002<\/p>\n
\u9996\u5148\uff0c\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u4e0b\u8f7dModSecurity\u793e\u533a\u7684\u63a8\u8350\u5185\u5bb9\u3002
\n\u201cv3\/master\u201d\u90e8\u5206\u662fModSecurity GitHub\u7684\u5f53\u524d\u9ed8\u8ba4\u5206\u652f\uff082022\/12\uff09\u3002\u8bf7\u6ce8\u610f\uff0c\u6b64\u540e\u53ef\u80fd\u4f1a\u53d1\u751f\u66f4\u6539\uff0c\u8bf7\u786e\u4fdd\u67e5\u770bGitHub\u9996\u9875\u3002<\/p>\n
$ <\/span>curl -L<\/span> -O<\/span> https:\/\/raw.githubusercontent.com\/SpiderLabs\/ModSecurity\/v3\/master\/modsecurity.conf-recommended\r\n<\/code><\/pre>\n\u6211\u628a\u4e0b\u8f7d\u7684ModSecurity\u793e\u533a\u5efa\u8bae\u7a0d\u4f5c\u4fee\u6539\uff0c\u7528\u4e8eNGINX Ingress Controller\u3002\u4fee\u6539\u540e\u7684\u6587\u4ef6\u53e6\u5b58\u4e3acustom-modsecurity.conf\u3002<\/p>\n
$ <\/span>cat <\/span>modsecurity.conf-recommended | sed<\/span> \\<\/span>\r\n -e<\/span> \"s\/^SecRuleEngine DetectionOnly\/SecRuleEngine On\/\"<\/span> \\<\/span>\r\n -e<\/span> \"s\/^SecAuditLog <\/span>\\\/<\/span>var<\/span>\\\/<\/span>log<\/span>\\\/<\/span>modsec_audit.log\/SecAuditLog <\/span>\\\/<\/span>dev<\/span>\\\/<\/span>stdout\/\"<\/span> \\<\/span>\r\n -e<\/span> \"s\/^SecUnicodeMapFile unicode.mapping 20127\/SecUnicodeMapFile <\/span>\\\/<\/span>etc<\/span>\\\/<\/span>nginx<\/span>\\\/<\/span>modsecurity<\/span>\\\/<\/span>unicode.mapping 20127\/\"<\/span> \\<\/span>\r\n -e<\/span> \"s\/^SecStatusEngine On\/SecStatusEngine Off\/\"<\/span> \\<\/span>\r\n -e<\/span> '$aSecAuditLogFormat JSON'<\/span> \\<\/span>\r\n -e<\/span> '$aSecRuleRemoveById 920350'<\/span> ><\/span> custom-modsecurity.conf\r\n<\/code><\/pre>\n\u4ee5\u4e0b\u662f\u4e66\u5199\u4fee\u6539\u7684\u8981\u70b9\u3002<\/p>\n
\n- \n
SecRuleEngine<\/ul>\n<\/li>\n<\/ul>\n\u30c7\u30d5\u30a9\u30eb\u30c8\u306eDetectionOnly\u3067\u306f\u691c\u51fa\u3057\u30ed\u30b0\u51fa\u529b\u3059\u308b\u306e\u307f\u3067\u30a2\u30af\u30bb\u30b9\u306f\u901a\u3059\u305f\u3081\u3001”On”\u3068\u3057\u691c\u77e5\u3057\u305f\u653b\u6483\u30a2\u30af\u30bb\u30b9\u3092\u62d2\u5426\u3055\u305b\u308b\u3002<\/p>\n
SecAuditLog<\/p>\n
ModSecurity\u306e\u30ed\u30b0\u3092\u30b3\u30f3\u30c6\u30ca\u306e\u6a19\u6e96\u51fa\u529b\u306b\u51fa\u529b\u3059\u308b\u3002<\/p>\n
SecUnicodeMapFile<\/p>\n
unicode.mapping\u306e\u30d1\u30b9\u3092NGINX Ingress Controller\u30a4\u30e1\u30fc\u30b8\u306b\u5408\u308f\u305b\u66f8\u304d\u63db\u3048\u308b\u3002<\/p>\n
SecStatusEngine<\/p>\n
NGINX\u8d77\u52d5\u6642\u306b\u30b9\u30c6\u30fc\u30bf\u30b9\u30ec\u30dd\u30fc\u30c8\u3092ModSecurity\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u30c1\u30fc\u30e0\u306b\u9001\u4fe1\u3057\u306a\u3044(Off)\u3002<\/p>\n
SecAuditLogFormat<\/p>\n
\u30ed\u30b0\u5f62\u5f0f\u3092JSON\u306b\u6307\u5b9a\u3002(\u8ffd\u8a18)<\/p>\n
SecRuleRemoveById<\/p>\n
CRS\u306e id:920350 \u3068\u3044\u3046\u30eb\u30fc\u30eb\u306f\u3001localhost\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u3092\u62d2\u5426\u3059\u308b\u30eb\u30fc\u30eb\u3060\u304c\u3001k8s\u306e\u5834\u5408\u3001\u5185\u90e8\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u304clocalhost\u304b\u3089\u3042\u308b\u305f\u3081\u3053\u306e\u30eb\u30fc\u30eb\u3092\u7121\u52b9\u5316\u3059\u308b\u884c\u3092\u8ffd\u52a0\u3002<\/p>\n
\u5728\u8fd9\u91cc\uff0c\u6211\u4eec\u53ea\u8fdb\u884c\u4e86\u5fc5\u8981\u7684\u6700\u5c0f\u66f4\u6539\u6765\u4f7f\u5176\u6b63\u5e38\u8fd0\u884c\uff0c\u4f46\u4e5f\u53ef\u4ee5\u5305\u542b\u5176\u4ed6ModSecurity\u7684\u8c03\u6574\u548c\u81ea\u5b9a\u4e49\u9644\u52a0\u89c4\u5219\u3002<\/div>\n\u4f7f\u7528\u4fee\u6539\u540e\u7684\u6587\u4ef6(custom-modsecurity.conf)\u4f5c\u4e3a\u57fa\u7840\u521b\u5efaConfigMap\u3002\u7136\u540e\u5c06\u6b64ConfigMap\u9644\u52a0\u4e3a\u540e\u7eedNGINX Ingress Controller(Pod)\u7684\u914d\u7f6e\u6587\u4ef6\u3002
\n\u8bf7\u6839\u636e\u90e8\u7f72NGINX Ingress Controller\u7684\u76ee\u6807\u8fdb\u884c\u9002\u5f53\u66f4\u6539\uff0c\u5c06\u547d\u540d\u7a7a\u95f4\u540d”ingress-nginx”\u66ff\u6362\u4e3a\u5408\u9002\u7684\u503c\u3002<\/p>\n
$ <\/span>kubectl create namespace ingress-nginx\r\n$ <\/span>kubectl -n<\/span> ingress-nginx create configmap modsecurity-config \\<\/span>\r\n --from-file<\/span>=<\/span>custom-modsecurity.conf=<\/span>custom-modsecurity.conf\r\n<\/code><\/pre>\n\u90e8\u7f72NGINX Ingress Controller<\/h2>\n
\u9274\u4e8e\u7b14\u8005\u4f7f\u7528\u7684\u662fAWS\uff08EKS\uff09\u73af\u5883\uff0c\u56e0\u6b64\u5c06\u6309\u7167\u6b64\u73af\u5883\u76f4\u63a5\u6307\u5b9a\u6e05\u5355\u7684\u65b9\u5f0f\u8fdb\u884c\u90e8\u7f72\u3002<\/p>\n
\u5982\u679c\u60a8\u4f7f\u7528helm\uff0c\u8bf7\u53c2\u8003\u672c\u6587\u5e95\u90e8\u7684\u201c\u53c2\u8003\uff09\u4f7f\u7528helm\u201d\u7684\u90e8\u5206\u3002<\/div>\n\u9996\u5148\uff0c\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u4e0b\u8f7dNGINX Ingress Controller\u7684\u6e05\u5355\u6587\u4ef6\u3002<\/p>\n
$ <\/span>curl -L<\/span> -O<\/span> https:\/\/raw.githubusercontent.com\/kubernetes\/ingress-nginx\/controller-v1.5.1\/deploy\/static\/provider\/aws\/deploy.yaml\r\n<\/code><\/pre>\n\u5728deploy.yaml\u6587\u4ef6\u4e2d\uff0c\u6dfb\u52a0\u542f\u7528ModSecurity\u7684\u914d\u7f6e\u548c\u9644\u52a0\u4e4b\u524d\u521b\u5efa\u7684ConfigMap\u201cmodsecurity-config\u201d\u7684\u914d\u7f6e\u3002<\/p>\n
$ <\/span>vi deploy.yaml\r\n\u2192\u4ee5\u4e0bdiff\u306e\u5185\u5bb9\u3092\u8ffd\u8a18\r\n<\/code><\/pre>\n\u4ee5\u4e0b\u662f\u8ffd\u52a0\u5185\u5bb9\u524d\u540e\u7684\u53d8\u52a8\u3002<\/p>\n
--- deploy.yaml.org 2022-12-08 10:03:37.083369804 +0900\r\n<\/span>+++ deploy.yaml 2022-12-08 10:07:20.720523517 +0900\r\n<\/span>@@ -336,6 +336,10 @@<\/span>\r\n apiVersion: v1\r\n data:\r\n allow-snippet-annotations: \"true\"\r\n+ enable-modsecurity: \"true\"\r\n+ enable-owasp-modsecurity-crs: \"true\"\r\n+ modsecurity-snippet: |\r\n+ Include \/etc\/nginx\/owasp-modsecurity-crs\/custom\/custom-modsecurity.conf\r\n<\/span> kind: ConfigMap\r\n metadata:\r\n labels:\r\n@@ -509,6 +513,8 @@<\/span>\r\n - mountPath: \/usr\/local\/certificates\/\r\n name: webhook-cert\r\n readOnly: true\r\n+ - mountPath: \/etc\/nginx\/owasp-modsecurity-crs\/custom\/\r\n+ name: modsecurity-config\r\n<\/span> dnsPolicy: ClusterFirst\r\n nodeSelector:\r\n kubernetes.io\/os: linux\r\n@@ -518,6 +524,9 @@<\/span>\r\n - name: webhook-cert\r\n secret:\r\n secretName: ingress-nginx-admission\r\n+ - name: modsecurity-config\r\n+ configMap:\r\n+ name: modsecurity-config\r\n<\/span> ---\r\n apiVersion: batch\/v1\r\n kind: Job\r\n<\/code><\/pre>\n\u4f7f\u7528\u66f4\u6539\u540e\u7684deploy.yaml\u6587\u4ef6\u8fdb\u884cNGINX Ingress Controller\u7684\u90e8\u7f72\u3002<\/p>\n
\u5982\u679c\u60a8\u4e0d\u6253\u7b97\u5c06NGINX Ingress Controller\u7684Service\u8d44\u6e90\u66b4\u9732\u7ed9\u5168\u4e16\u754c\uff0c\u53ef\u4ee5\u8003\u8651\u901a\u8fc7\u5916\u90e8\u8d1f\u8f7d\u5747\u8861\u5668\u9650\u5236\u8bbf\u95ee\u6e90IP\u5730\u5740\u7b49\u65b9\u5f0f\u6765\u5b9e\u73b0\uff08\u4f8b\u5982\u7528\u4e8e\u9a8c\u8bc1\u76ee\u7684\u7b49\u60c5\u51b5\uff09\u3002<\/div>\n$ <\/span>kubectl apply -f<\/span> deploy.yaml\r\n<\/code><\/pre>\n\u786e\u8ba4\u884c\u52a8<\/h2>\n
\u5728\u5df2\u542f\u52a8\u7684 NGINX Ingress Controller \u7684 Pod \u5185\u90e8\u6267\u884c “nginx -T” \u547d\u4ee4\uff0c\u4ee5\u786e\u8ba4 NGINX \u662f\u5426\u5df2\u52a0\u8f7d ModSecurity \u6a21\u5757\u3002<\/p>\n
\u4ee5\u4e0b\u7684\u4ee3\u7801\u5c06\u5728PODNAME\u73af\u5883\u53d8\u91cf\u4e2d\u8bb0\u5f55NGINX Ingress Controller\u7684Pod\u540d\u79f0\uff0c\u5e76\u901a\u8fc7kubectl exec\u6267\u884c\u547d\u4ee4\u3002\u53ef\u4ee5\u786e\u8ba4\u5b58\u5728\u51e0\u884c\u5305\u542b”ModSecurity”\u8fd9\u4e2a\u8bcd\u7684\u884c\u3002<\/p>\n
$ PODNAME<\/span>=<\/span>$(<\/span> kubectl -n<\/span> ingress-nginx get pod -l<\/span> app.kubernetes.io\/component=<\/span>controller -o<\/span>=<\/span>jsonpath<\/span>=<\/span>'{.items[0].metadata.name}'<\/span> )<\/span>\r\n$ <\/span>kubectl -n<\/span> ingress-nginx exec<\/span> -it<\/span> $PODNAME<\/span> --<\/span> nginx -T<\/span> | grep<\/span> -i<\/span> modsecurity\r\n2022\/12\/08 02:46:15 [<\/span>notice] 579#579: ModSecurity-nginx v1.0.2 (<\/span>rules loaded inline\/local\/remote: 7\/782\/0)<\/span>\r\nload_module \/etc\/nginx\/modules\/ngx_http_modsecurity_module.so;<\/span>\r\n modsecurity on;<\/span>\r\n modsecurity_rules '\r\n Include \/etc\/nginx\/owasp-modsecurity-crs\/custom\/custom-modsecurity.conf\r\n modsecurity_rules_file \/etc\/nginx\/owasp-modsecurity-crs\/nginx-modsecurity.conf;\r\n<\/span><\/code><\/pre>\n\u4e0b\u4e00\u6b65\uff0c\u6211\u4f1a\u5b9e\u9645\u8fdb\u884c\u4e00\u4e9b\u653b\u51fb\u6a21\u62df\uff0c\u5e76\u786e\u4fdd\u5b83\u4eec\u80fd\u591f\u88ab\u6709\u6548\u5730\u9632\u5fa1\u3002\u6211\u5c06\u6839\u636e\u8fd9\u91cc\u63d0\u4f9b\u7684\u6307\u5357\uff0c\u5f15\u5165\u4e00\u6b3e\u4f5c\u4e3aIngress\u540e\u7aef\u7684\u793a\u8303\u5e94\u7528\u3002<\/p>\n
$ <\/span>kubectl create deployment demo --image<\/span>=<\/span>httpd --port<\/span>=<\/span>80\r\n$ <\/span>kubectl expose deployment demo\r\n$ <\/span>kubectl create ingress demo-localhost --class<\/span>=<\/span>nginx \\<\/span>\r\n --rule<\/span>=<\/span>\"demo.localdev.me\/*=demo:80\"<\/span>\r\n$ <\/span>kubectl port-forward --namespace<\/span>=<\/span>ingress-nginx service\/ingress-nginx-controller 8080:80\r\n<\/code><\/pre>\n\u4f7f\u7528curl\u7b49\u5de5\u5177\uff0c\u786e\u8ba4\u80fd\u591f\u8bbf\u95ee\u3002<\/p>\n
$ <\/span>curl http:\/\/demo.localdev.me:8080\/\r\n<html><body><h1>It works!<\/h1><\/body><\/html>\r\n<\/code><\/pre>\n\u6211\u4f1a\u7528\u4e00\u79cd\u653b\u51fb\u7684\u65b9\u5f0f\u5c1d\u8bd5\u8bbf\u95ee\u8fd9\u4e2a\u793a\u4f8b\u5e94\u7528\u7a0b\u5e8f\u3002<\/p>\n
$ <\/span>curl -X<\/span> POST -d<\/span> \"cmd=<script>\"<\/span> http:\/\/demo.localdev.me:8080\/\r\n<html>\r\n<head<\/span>><\/span><title>403 Forbidden<\/title><\/head>\r\n<body>\r\n<center><h1>403 Forbidden<\/h1><\/center>\r\n<hr><center>nginx<\/center>\r\n<\/body>\r\n<\/html>\r\n<\/code><\/pre>\n\u8fd4\u56de\u4e86\u201c403 Forbidden\u201d\u3002<\/p>\n
\u67e5\u770bNGINX Ingress Controller\u7684\u65e5\u5fd7\uff0c\u53ef\u4ee5\u770b\u5230ModSecurity\u7684\u53cd\u5e94\uff0c\u4f3c\u4e4e\u6210\u529f\u5730\u963b\u6b62\u4e86\u8bbf\u95ee\u3002\u6211\u4eec\u53ef\u4ee5\u786e\u8ba4ModSecurity\u6b63\u5e38\u8fd0\u884c\u3002<\/p>\n
$ <\/span>kubectl -n<\/span> ingress-nginx logs $PODNAME<\/span> | grep <\/span>ModSecurity:\r\n\u30fb\u30fb\u30fb\r\n2022\/12\/08 03:01:34 [<\/span>error] 844#844: *<\/span>47316 [<\/span>client 127.0.0.1] ModSecurity: Access denied with code 403 (<\/span>phase 2)<\/span>.<\/span> Matched \"Operator <\/span>`<\/span>Ge' with parameter `5'<\/span> against variable `<\/span>TX:ANOMALY_SCORE' (Value: <\/span>`<\/span>15' ) [file \"\/etc\/nginx\/owasp-modsecurity-crs\/rules\/REQUEST-949-BLOCKING-EVALUATION.conf\"] [line \"81\"] [id \"949110\"] [rev \"\"] [msg \"Inbound Anomaly Score Exceeded (Total Score: 15)\"] [data \"\"] [severity \"2\"] [ver \"OWASP_CRS\/3.3.4\"] [maturity \"0\"] [accuracy \"0\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-generic\"] [hostname \"127.0.0.1\"] [uri \"\/\"] [unique_id \"167046849467.029474\"] [ref \"\"], client: 127.0.0.1, server: demo.localdev.me, request: \"POST \/ HTTP\/1.1\", host: \"demo.localdev.me:8080\"\r\n<\/span><\/code><\/pre>\n\u6b64\u5916\uff0cNGINX Ingress Controller\u7684\u65e5\u5fd7\u4ee5JSON\u683c\u5f0f\u66f4\u8be6\u7ec6\u5730\u8f93\u51fa\u4e86ModSecurity\u7684\u68c0\u6d4b\u7ed3\u679c\u3002<\/p>\n
\u4ee5\u4e0b\u662f\u901a\u8fc7\u4f7f\u7528grep\u548cjq\u547d\u4ee4\u5bf9\u4ee5”^{“transaction”: “\u5f00\u5934\u7684\u884c\u8fdb\u884c\u683c\u5f0f\u5316\u7684\u7ed3\u679c\uff08\u7531\u4e8e\u957f\u5ea6\u8f83\u957f\uff0c\u5df2\u6298\u53e0\uff09\u3002\u60a8\u53ef\u4ee5\u83b7\u53d6\u5230\u8bbf\u95ee\u6765\u6e90\u3001\u54cd\u5e94\u5185\u5bb9\u4ee5\u53ca\u88ab\u68c0\u6d4b\u7684\u89c4\u5219\u548c\u539f\u56e0\u7b49\u8be6\u7ec6\u4fe1\u606f\u3002<\/p>\n\u8a73\u7d30\u65e5\u5fd7
\n$ kubectl -n ingress-nginx logs $PODNAME | grep ‘^{“transaction”:’ | jq
\n{
\n“transaction”: {
\n“client_ip”: “127.0.0.1”,
\n“time_stamp”: “2022\u5e7412\u67088\u65e5\u661f\u671f\u56db 03:01:34”,
\n“server_id”: “d0fb58befb07ce0cec85f68d9197f05ab5150f14”,
\n“client_port”: 34376,
\n“host_ip”: “127.0.0.1”,
\n“host_port”: 80,
\n“unique_id”: “167046849467.029474”,
\n“request”: {
\n“method”: “POST”,
\n“http_version”: 1.1,
\n“uri”: “\/”,
\n“headers”: {
\n“Host”: “demo.localdev.me:8080”,
\n“User-Agent”: “curl\/7.61.1”,
\n“Accept”: “*\/*”,
\n“Content-Length”: “12”,
\n“Content-Type”: “application\/x-www-form-urlencoded”
\n}
\n},
\n“response”: {
\n“body”: “\\r\\n\\r\\n\\r\\n<\/p>\n403 Forbidden<\/h1>\n
<\/p>\n
<\/center>\\r\\n<\/p>\n
\nnginx<\/center>\\r\\n<\/p>\n\\r\\n\\r\\n”,
\n“http_code”: 403,
\n“headers”: {
\n“Server”: “”,
\n“Date”: “2022\u5e7412\u67088\u65e5\u661f\u671f\u56db 03:01:34 GMT”,
\n“Content-Length”: “146”,
\n“Content-Type”: “text\/html”,
\n“Connection”: “keep-alive”
\n}
\n},
\n“producer”: {
\n“modsecurity”: “ModSecurity v3.0.8 (Linux)”,
\n“connector”: “ModSecurity-nginx v1.0.2”,
\n“secrules_engine”: “Enabled”,
\n“components”: [
\n“OWASP_CRS\/3.3.4\\””
\n]
\n},
\n“messages”: [
\n{
\n“message”: “\u68c0\u6d4b\u5230XSS\u653b\u51fb(libinjection)”,
\n“details”: {
\n“match”: “\u68c0\u6d4b\u5230\u4f7f\u7528libinjection\u7684XSS\u653b\u51fb\u3002”,
\n“reference”: “v152,8t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls”,
\n“ruleId”: “941100”,
\n“file”: “\/etc\/nginx\/owasp-modsecurity-crs\/rules\/REQUEST-941-APPLICATION-ATTACK-XSS.conf”,
\n“lineNumber”: “38”,
\n“data”: “\u5339\u914d\u5230\u7684\u6570\u636e: \u5728ARGS:cmd\u5185\u53d1\u73b0XSS\u6570\u636e: