WAF configuration using K8s ConfigMap doesn't work in Gateway object
htech7x opened this issue
Gloo Edge Product
Enterprise
Gloo Edge Version
1.16.7
Kubernetes Version
1.28.5
Describe the bug
WAF filter configuration in Gloo EE using a k8s ConfigMap works with the VirtualService object, and works at the "routes" level, but does not work with the Gateway object.
Expected Behavior
WAF filtering works
Steps to reproduce the bug
- Create a ConfigMap from the file "wafip.conf":

```
SecRuleEngine On
SecRule REMOTE_ADDR "!@ipMatch 173.175.0.0/16,10.10.11.101" "phase:1,deny,status:403,id:1,msg:'block ip'"
```

```
kubectl create cm mywaf --from-file=wafip.conf -n gloo-system
```
- Edit the Gateway object:

```yaml
apiVersion: gateway.solo.io/v1
kind: Gateway
metadata:
  labels:
    app: gloo
  name: gateway-proxy
  namespace: gloo-system
spec:
  bindAddress: '::'
  bindPort: 8080
  httpGateway:
    options: # < --- add this line
      waf: # < --- add this line
        configMapRuleSets: # < --- add this line
          - configMapRef: # < --- add this line
              name: mywaf # < --- add this line
              namespace: gloo-system # < --- add this line
  options:
    accessLoggingService:
      accessLog:
        - fileSink:
            path: /dev/stdout
            stringFormat: |
              [%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH)% %REQ(:PATH)% %RESP(:PATH)% %PROTOCOL% %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %UPSTREAM_HOST% %UPSTREAM_CLUSTER%
  proxyNames:
    - gateway-proxy
  ssl: false
  useProxyProto: false
```
- Check:

```
curl -H "Host: pet.com" ab4abd470440f492f9ae49fde56a48fc-652961447.us-east-2.elb.amazonaws.com/zoo -i
HTTP/1.1 200 OK
content-type: text/xml
date: Fri, 19 Apr 2024 17:32:31 GMT
content-length: 86
x-envoy-upstream-service-time: 0
server: envoy

[{"id":1,"name":"Dog","status":"available"},{"id":2,"name":"Cat","status":"pending"}]
```

Logs:

```
[2024-04-19T17:32:24.697Z] GET /zoo /api/pets - HTTP/1.1 200 - via_upstream 192.168.12.227:8080 default-petstore-8080_gloo-system
```
Using the same ConfigMap in a VirtualService works as expected:

```yaml
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: pet-vs
  namespace: gloo-system
spec:
  virtualHost:
    options:
      waf:
        configMapRuleSets:
          - configMapRef:
              name: mywaf
              namespace: gloo-system
    domains:
      - pet.com
    routes:
      - matchers:
          - prefix: /zoo
        options:
          prefixRewrite: /api/pets
        routeAction:
          single:
            upstream:
              name: default-petstore-8080
              namespace: gloo-system
```

```
curl -H "Host: pet.com" ab4abd470440f492f9ae49fde56a48fc-652961447.us-east-2.elb.amazonaws.com/zoo -i
HTTP/1.1 403 Forbidden
content-length: 34
content-type: text/plain
date: Fri, 19 Apr 2024 18:33:44 GMT
server: envoy

ModSecurity: intervention occurred%
```

Logs:

```
[2024-04-19T18:33:45.126Z] GET - /zoo - HTTP/1.1 403 UAEX [client_192.168.15.38]_ModSecurity:_Access_denied_with_code_403_(phase_1)._Matched_"Operator_`IpMatch'_with_parameter_`173.175.0.0/16,10.10.11.101'_against_variable_`REMOTE_ADDR'_(Value:_`192.168.15.38'_)_[file_"<<reference_missing_or_not_informed>>"]_[line_"2"]_[id_"1"]_[rev_""]_[msg_"block_ip"]_[data_""]_[severity_"0"]_[ver_""]_[maturity_"0"]_[accuracy_"0"]_[hostname_""]_[uri_"/zoo"]_[unique_id_"171355162570.596724"]_[ref_"v0,13"] - default-petstore-8080_gloo-system
```
Using the WAF rules directly in the Gateway works as expected:

```yaml
apiVersion: gateway.solo.io/v1
kind: Gateway
metadata:
  labels:
    app: gloo
  name: gateway-proxy
  namespace: gloo-system
spec:
  bindAddress: '::'
  bindPort: 8080
  httpGateway:
    options:
      waf:
        ruleSets:
          - ruleStr: |
              SecRuleEngine On
              SecRule REMOTE_ADDR "!@ipMatch 173.175.0.0/16,10.10.11.101" "phase:1,deny,status:403,id:1,msg:'block ip'"
  options:
    accessLoggingService:
      accessLog:
        - fileSink:
            path: /dev/stdout
            stringFormat: |
              [%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH)% %REQ(:PATH)% %RESP(:PATH)% %PROTOCOL% %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %UPSTREAM_HOST% %UPSTREAM_CLUSTER%
  proxyNames:
    - gateway-proxy
  ssl: false
  useProxyProto: false
```

```
curl -H "Host: pet.com" ab4abd470440f492f9ae49fde56a48fc-652961447.us-east-2.elb.amazonaws.com/zoo -i
HTTP/1.1 403 Forbidden
content-length: 34
content-type: text/plain
date: Fri, 19 Apr 2024 18:50:24 GMT
server: envoy

ModSecurity: intervention occurred%
```

Logs:

```
[2024-04-19T18:50:24.450Z] GET - /zoo - HTTP/1.1 403 UAEX [client_192.168.15.38]_ModSecurity:_Access_denied_with_code_403_(phase_1)._Matched_"Operator_`IpMatch'_with_parameter_`173.175.0.0/16,10.10.11.101'_against_variable_`REMOTE_ADDR'_(Value:_`192.168.15.38'_)_[file_"<<reference_missing_or_not_informed>>"]_[line_"2"]_[id_"1"]_[rev_""]_[msg_"block_ip"]_[data_""]_[severity_"0"]_[ver_""]_[maturity_"0"]_[accuracy_"0"]_[hostname_""]_[uri_"/zoo"]_[unique_id_"17135526242.949542"]_[ref_"v0,13"] - default-petstore-8080_gloo-system
```
Additional Environment Detail
No response
Additional Context
No response
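The symptom in this report is a silent one: the Gateway accepts the ConfigMap reference, the proxy keeps serving 200s, and nothing errors out. The practical check is to compare what the rule says should happen with what the access log says did happen. The script below is an added example written for this page; it is not code from the issue author or from Gloo Edge. It parses lines in the exact stringFormat used by the Gateway above, treats the `UAEX` response flag plus a `ModSecurity` response-code-details string as the "intervention occurred" signal (which is what the 403 log lines above show), evaluates the issue's `!@ipMatch` rule with Python's `ipaddress` module, and reports `not-enforced` when the rule says deny but the request reached the upstream. Function names, the verdict strings, and the `IP_MATCH` constant are this example's own; the two sample log lines are copied from the issue. The caller has to supply the client address Envoy sees (the ELB's internal address in the issue, `192.168.15.38`), because a 200 line does not record it.

```python
"""Verify that a Gloo Edge / Envoy WAF ipMatch rule is actually enforced,
by cross-checking access-log lines against the rule.

Added example for this issue page; not part of the issue or of Gloo Edge.
"""
import ipaddress
import re
from typing import Optional

# Parameter of the issue's rule: deny when REMOTE_ADDR is NOT in this list.
IP_MATCH = "173.175.0.0/16,10.10.11.101"

# Field order follows the Gateway's stringFormat:
# [%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH)% %REQ(:PATH)%
# %RESP(:PATH)% %PROTOCOL% %RESPONSE_CODE% %RESPONSE_FLAGS%
# %RESPONSE_CODE_DETAILS% %UPSTREAM_HOST% %UPSTREAM_CLUSTER%
# Envoy replaces spaces inside RESPONSE_CODE_DETAILS with underscores, so each
# field is a single whitespace-free token.
LOG_RE = re.compile(
    r"^\[(?P<start_time>[^\]]+)\] (?P<method>\S+) (?P<original_path>\S+) "
    r"(?P<path>\S+) (?P<resp_path>\S+) (?P<protocol>\S+) (?P<code>\d{3}) "
    r"(?P<flags>\S+) (?P<details>\S+) (?P<upstream_host>\S+) "
    r"(?P<upstream_cluster>\S+)$"
)

# Sample lines copied from the issue (ConfigMap-on-Gateway case, then the
# VirtualService case where the rule fired).
SAMPLE_ALLOWED = (
    "[2024-04-19T17:32:24.697Z] GET /zoo /api/pets - HTTP/1.1 200 - via_upstream "
    "192.168.12.227:8080 default-petstore-8080_gloo-system"
)
SAMPLE_BLOCKED = r"""[2024-04-19T18:33:45.126Z] GET - /zoo - HTTP/1.1 403 UAEX [client_192.168.15.38]_ModSecurity:_Access_denied_with_code_403_(phase_1)._Matched_"Operator_`IpMatch'_with_parameter_`173.175.0.0/16,10.10.11.101'_against_variable_`REMOTE_ADDR'_(Value:_`192.168.15.38'_)_[file_"<<reference_missing_or_not_informed>>"]_[line_"2"]_[id_"1"]_[rev_""]_[msg_"block_ip"]_[data_""]_[severity_"0"]_[ver_""]_[maturity_"0"]_[accuracy_"0"]_[hostname_""]_[uri_"/zoo"]_[unique_id_"171355162570.596724"]_[ref_"v0,13"] - default-petstore-8080_gloo-system"""


def parse_access_log(line: str) -> Optional[dict]:
    """Split one access-log line into named fields, or None if it doesn't match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def waf_intervened(entry: dict) -> bool:
    """True when the WAF filter rejected the request: Envoy sets the UAEX flag
    and ModSecurity's message lands in RESPONSE_CODE_DETAILS."""
    return entry["flags"] == "UAEX" and "ModSecurity" in entry["details"]


def remote_addr_from_details(entry: dict) -> Optional[str]:
    """ModSecurity's message carries [client_<ip>]; absent on allowed requests."""
    m = re.search(r"\[client_([0-9a-fA-F.:]+)\]", entry["details"])
    return m.group(1) if m else None


def rule_denies(remote_addr: str, ip_match: str) -> bool:
    """Evaluate `SecRule REMOTE_ADDR "!@ipMatch <list>" deny`: the request is
    denied unless the address is inside one of the listed networks/hosts."""
    addr = ipaddress.ip_address(remote_addr)
    for item in ip_match.split(","):
        if addr in ipaddress.ip_network(item.strip(), strict=False):
            return False
    return True


def check_enforcement(line: str, remote_addr: str, ip_match: str = IP_MATCH) -> str:
    """Compare expected and observed outcome for one log line.

    Returns 'blocked', 'allowed', 'false-positive', 'not-enforced' or
    'unparsed'. 'not-enforced' is the issue's symptom: the rule says deny, but
    the request was proxied to the upstream.
    """
    entry = parse_access_log(line)
    if entry is None:
        return "unparsed"
    # Prefer the address ModSecurity recorded; fall back to what the caller knows.
    addr = remote_addr_from_details(entry) or remote_addr
    should_block = rule_denies(addr, ip_match)
    blocked = waf_intervened(entry)
    if blocked:
        return "blocked" if should_block else "false-positive"
    return "not-enforced" if should_block else "allowed"


if __name__ == "__main__":
    for label, line in (("gateway+configmap", SAMPLE_ALLOWED), ("virtualservice", SAMPLE_BLOCKED)):
        print(f"{label}: {check_enforcement(line, '192.168.15.38')}")
```

Pipe the proxy's log (`kubectl logs -n gloo-system deploy/gateway-proxy`) through `check_enforcement` after the test curl: once the ConfigMap reference on the Gateway is honoured, the first sample should come back `blocked` rather than `not-enforced`.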
@nfuden interesting this works from direct config or mounting from file but not from configMap?
@kcbabo We've seen this same behavior following the latest documentation. Directly applying to gateway works, but referencing configmap from gateway does not.