Skip to content

GitLab Next

Closed
Opened by Sam White@sam.whiteDeveloper

MVC: Allow users a global way to enable/disable their WAF (Web application firewall) and change between logging/blocking mode

Problem to solve

WAF users need an easy way to turn the WAF on or off and to switch the WAF between logging and blocking mode.

Although these settings can be changed currently, the current approaches have limitations:

  1. SSH into the container is time consuming (especially for customers with lots of containers) and requires technical knowledge
  2. Changing states via CI/CD pipeline environmental variables works well, but is not easily discoverable by the end user; unless they have read our documentation, they are unlikely to know that they can use environmental variables to change the WAF behavior
  3. The WAF can be globally toggled on or off via a UI checkbox under Operations -> Kubernetes -> Ingress; however, this does not allow for toggling between logging and blocking mode or environment-specific configuration

In the event that the WAF is causing performance problems, the user needs to be able to disable the WAF quickly and easily in the GitLab UI. In the event that the WAF in blocking mode is blocking legitimate traffic (false positives), the user needs to be able to quickly and easily change the WAF from blocking mode to logging mode in the GitLab UI.

Intended users

Further details

Although we hope that performance problems with the WAF will never happen or will be caught in testing, there is always a risk that a problem exists as the WAF interacts with customer-specific environments. This is an MVC designed to help users quickly disable or change the mode from blocking to logging in the event of a problem.

Proposal

  1. Allow users to install/uninstall the ModSecurity WAF. By default it will be installed.
  2. If the ModSecurity WAF is installed, allow users to enable/disable the ModSecurity WAF. By default it will be enabled.
  3. If the ModSecurity WAF is installed and enabled, allow users to toggle the global default setting for WAF between logging and blocking modes. By default it will be set to logging

Experience:

Cluster level settings:

ModSec - not enabled ModSec - enabled
cluster_experience_disabled cluster_experience_enabled
Cluster edge cases:
ModSec - Setting change state ModSec - error state
cluster_experience_setting_change cluster_experience_error

Permissions and Security

Users must be a Maintainer or Owner on the project to have access to the Operations -> Kubernetes page. No additional permissions are required.

Documentation

  1. Documentation will be updated to describe how to install/uninstall the ModSecurity WAF
  2. Documentation will be updated to describe how to enable/disable the ModSecurity WAF
  3. Documentation will be added on how to globally set the WAF to Logging and Blocking modes

What is the type of buyer?

GitLab Core

Links / references

Edited by Sam White