MVC: Allow users a global way to enable/disable their WAF (Web application firewall) and change between logging/blocking mode
Problem to solve
WAF users need an easy way to turn the WAF on or off and to switch the WAF between logging and blocking mode.
Although these settings can be changed currently, the current approaches have limitations:
- SSHing into the container is time-consuming (especially for customers with many containers) and requires technical knowledge
- Changing states via CI/CD pipeline environment variables works well, but is not easily discoverable by the end user; unless they have read our documentation, they are unlikely to know that they can use environment variables to change the WAF behavior
- The WAF can be globally toggled on or off via a UI checkbox under Operations -> Kubernetes -> Ingress; however, this does not allow for toggling between logging and blocking mode or environment-specific configuration
In the event that the WAF is causing performance problems, the user needs to be able to disable the WAF quickly and easily in the GitLab UI. In the event that the WAF in blocking mode is blocking legitimate traffic (false positives), the user needs to be able to quickly and easily change the WAF from blocking mode to logging mode in the GitLab UI.
Intended users
Further details
Although we hope that performance problems with the WAF will never happen or will be caught in testing, there is always a risk that a problem exists as the WAF interacts with customer-specific environments. This is an MVC designed to help users quickly disable or change the mode from blocking to logging in the event of a problem.
Proposal
- Allow users to install/uninstall the ModSecurity WAF. By default it will be installed.
- If the ModSecurity WAF is installed, allow users to enable/disable the ModSecurity WAF. By default it will be enabled.
- If the ModSecurity WAF is installed and enabled, allow users to toggle the global default setting for the WAF between logging and blocking modes. By default it will be set to logging.
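To make the three states in the proposal concrete, the following added illustration (not code from this issue or from GitLab's implementation) shows how they map onto the ModSecurity settings of an ingress-nginx controller, which is what the Operations -> Kubernetes -> Ingress checkbox drives. The annotation names are ingress-nginx's own; the Ingress name, host and backend service are made-up placeholders, and the choice of `SecAuditEngine RelevantOnly` is an assumption about a sensible default rather than anything the issue specifies.

```yaml
# Added illustration, not GitLab's code. Three Ingress states for a
# ModSecurity-enabled ingress-nginx controller. Only metadata.annotations
# differs between them; spec is shown once and is identical in every state.

# State A: WAF installed and enabled, LOGGING mode (the proposal's default).
# DetectionOnly evaluates every rule and records matches in the audit log,
# but never interrupts a request, so a false positive costs a log line,
# not a blocked user.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app                         # placeholder
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine DetectionOnly
      SecAuditEngine RelevantOnly           # assumption: log only flagged transactions
spec:
  rules:
  - host: example-app.example.com           # placeholder
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-app               # placeholder
            port:
              number: 80
---
# State B: BLOCKING mode. The only change is the rule engine directive;
# a matching rule now returns its disruptive action (HTTP 403 with the
# OWASP Core Rule Set defaults). Reverting a false positive is the same
# one-line edit in the other direction, with no reinstall of the WAF.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app                         # placeholder
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRuleEngine On
      SecAuditEngine RelevantOnly
---
# State C: WAF installed but DISABLED for this ingress. ModSecurity stays
# loaded in the controller (so re-enabling it is instant), but no rules run
# and nothing is logged for this host. This is the quick escape hatch when
# the WAF itself is suspected of causing performance problems.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app                         # placeholder
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "false"
```

The practical consequence for the UI is that "logging vs. blocking" and "enabled vs. disabled" are independent knobs: the first is a single ModSecurity directive (`DetectionOnly` vs. `On`) and can be flipped without touching the rule set, while the second turns the engine off for the ingress entirely. A way to confirm which state is live after a change is to send one known-harmless request that matches a CRS rule and check whether it is only recorded in the audit log (logging mode) or answered with a 403 (blocking mode).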
Experience:
Cluster level settings: [mockup: ModSec - not enabled] [mockup: ModSec - enabled]
Cluster edge cases: [mockup: ModSec - Setting change state] [mockup: ModSec - error state]
Permissions and Security
Users must be a Maintainer or Owner on the project to have access to the Operations -> Kubernetes page. No additional permissions are required.
Documentation
- Documentation will be updated to describe how to install/uninstall the ModSecurity WAF
- Documentation will be updated to describe how to enable/disable the ModSecurity WAF
- Documentation will be added on how to globally set the WAF to Logging and Blocking modes