Global WAF logging/blocking
Problem to solve
Please reference the MVC Issue
Intended users
Please reference the MVC Issue
Further details
Please reference the MVC Issue
Proposal
- If the ModSecurity WAF is installed and enabled, allow users to toggle the global default setting for WAF between logging and blocking modes. By default it will be set to logging
Permissions and Security
Users must be a Maintainer or Owner on the project to have access to the Operations -> Kubernetes page. No additional permissions are required.
Experience:
Cluster level settings:
Cluster edge cases:
Documentation
- Documentation will be added on how to globally set the WAF to Logging and Blocking modes
What is the type of buyer?
Links / references
Designs
Activity
- Sam White added Category:WAF, direction, type::feature labels
- Sam White added to epic &2555 (closed)
- Sam White assigned to @andyvolpe
- Sam White mentioned in issue #198727 (closed)
- Sam White marked this issue as related to #198727 (closed)
- Sam White changed the description
- Sam White added workflow::planning breakdown label and removed workflow::design label
- Contributor
@sam.white: I suggest you replace the content above "Proposal" as it is a copy/paste from the epic. Instead, replace with content specific to this issue (which should be shorter).
Edited by Wayne Haber
- Sam White changed the description
- Lindsay Kerr changed the description
- Contributor
@andyvolpe I've removed the screenshots from this issue that was broken out of #198727 (closed) & replaced them with deep links back to the original issue. I'm also removing the UX label & unassigning you to keep your list of issues to track to a reasonable number.
Edited by Lindsay Kerr
- Lindsay Kerr removed UX label
- Contributor
Assigning to @zmartins for grooming
- Lindsay Kerr assigned to @zmartins
- Lindsay Kerr unassigned @andyvolpe
- Developer
The only question I have will be similar to the one posted on one of the related issues: #207172 (comment 300105164)
- Zamir Martins added backend-weight::2, frontend-weight::2, workflow::ready for development labels and removed ~12817314, workflow::planning breakdown labels
- Zamir Martins added workflow::in dev label and removed workflow::ready for development label
- Lindsay Kerr changed weight to 3
- Sam White mentioned in merge request gitlab-com/www-gitlab-com!42138 (merged)
- Zamir Martins mentioned in merge request !27133 (merged)
- Zamir Martins added workflow::in review label and removed workflow::in dev label
- Zamir Martins added workflow::issue reviewed label and removed workflow::in review label
- Sam White mentioned in merge request gitlab-com/www-gitlab-com!44455 (merged)
- Sam White added documentation label
- Contributor
- Maintainer
I checked the reallocation spreadsheet; Defend still gets me for 12.10 - so assign to me. @ngaskill escapes … THIS TIME.
- Wayne Haber added workflow::verification label and removed workflow::issue reviewed label
- Maintainer
I want to check in with @sam.white to find out what is expected of me in this issue; it's assigned to me, which implies there's work remaining for me to do on this issue, but I'm not clear what's needed of me.
- Author Contributor
We need the WAF documentation to be updated to show and describe how to switch the WAF between logging and blocking mode. Currently the screenshot and text do not describe that.
- Developer
I can look into the docs.
- Maintainer
@zmartins Send me a MR when you've assembled the facts, and I can help you shape it into something publishable.
- Developer
@aqualls Thank you! Here is the MR !29087 (merged) with some updates for the cluster applications and WAF quick start guide.
- Maintainer
Edits done, and back to you @zmartins - thank you!
- Amy Qualls added Technical Writing label
- Amy Qualls mentioned in issue technical-writing#104
- Maintainer
Unassigning myself; reassign me if I'm specifically needed on this issue, since I've been assigned to the MRs.
- Amy Qualls unassigned @aqualls
- Zamir Martins mentioned in merge request !29087 (merged)
- Zamir Martins added workflow::staging label and removed workflow::verification label
- Author Contributor
@zmartins it appears that the screenshot that was used for the documentation states that the logging/blocking setting can be overridden by environment-level settings. We need to remove that sentence from the product as well as from the documentation, considering that our issues to add environment-level exceptions have been pushed out to the Backlog and will not be done for %12.10.
- Developer
@sam.white environmental-level settings can still be performed through the CI/CD. An example can be found in our demo project for WAF
- Author Contributor
Right, I forgot about that. Thanks - no change is necessary.
- Wayne Haber added workflow::verification label and removed workflow::staging label
- Wayne Haber changed due date to April 24, 2020
- Developer
Closing after testing...
Tested in production with GKE cluster: https://gitlab.com/groups/cilium-cluster-group/-/clusters/100383
Installed in logging mode with two consecutive mode changes.
Chart history:

    helm history ingress --tiller-connection-timeout 1 --tls \
      --tls-ca-cert ~/.gitlab-helm/tiller-ca.crt \
      --tls-cert ~/.gitlab-helm/tiller.crt \
      --tls-key ~/.gitlab-helm/tiller.key \
      --tiller-namespace gitlab-managed-apps
    REVISION  UPDATED                   STATUS      CHART                 APP VERSION  DESCRIPTION
    1         Fri Apr 24 17:59:39 2020  SUPERSEDED  nginx-ingress-1.29.7  0.28.0       Install complete
    2         Fri Apr 24 18:04:32 2020  SUPERSEDED  nginx-ingress-1.29.7  0.28.0       Upgrade complete
    3         Fri Apr 24 18:05:26 2020  DEPLOYED    nginx-ingress-1.29.7  0.28.0       Upgrade complete

Desired change in Nginx config file:

    kubectl exec -n gitlab-managed-apps $(kubectl get pod -n gitlab-managed-apps -l app=nginx-ingress,component=controller --no-headers=true -o custom-columns=:metadata.name) -- grep SecRuleEngine /etc/nginx/nginx.conf
    Defaulting container name to nginx-ingress-controller.
    Use 'kubectl describe pod/ingress-nginx-ingress-controller-64ddfc58fc-c5fj2 -n gitlab-managed-apps' to see all of the containers in this pod.
    SecRuleEngine DetectionOnly
/cc @sam.white
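As an added example (not from this issue or from GitLab's own code): a small POSIX shell helper that turns the check in the comment above into a readout of the effective WAF mode, mapping ModSecurity's `SecRuleEngine DetectionOnly` to "logging" and `SecRuleEngine On` to "blocking". The namespace and container name are taken from the comment's output; the function names, the handling of commented-out directives and the last-directive-wins rule are assumptions of this example.

```shell
#!/bin/sh
# waf_mode: read an nginx.conf (with the ModSecurity snippet rendered into it)
# on stdin and print the effective WAF mode.
#   DetectionOnly -> logging   (requests are logged, never rejected)
#   On            -> blocking  (matching requests are rejected)
#   Off           -> off
# Commented-out directives are ignored, and the last SecRuleEngine directive
# wins because later ModSecurity directives override earlier ones (assumption
# of this example; a plain grep would also match stale or commented lines).
waf_mode() {
  engine=$(sed -e 's/#.*$//' |
           awk '$1 == "SecRuleEngine" { gsub(/[;"'"'"']/, "", $2); mode = $2 }
                END { print mode }')
  case "$engine" in
    DetectionOnly) echo "logging" ;;
    On)            echo "blocking" ;;
    Off)           echo "off" ;;
    *)             echo "unknown" ;;
  esac
}

# check_cluster_waf_mode: pull nginx.conf from the GitLab-managed ingress
# controller pod (same selector, namespace and container as the issue's test)
# and report the mode. Assumes kubectl is already pointed at the cluster.
check_cluster_waf_mode() {
  ns="${1:-gitlab-managed-apps}"
  pod=$(kubectl get pod -n "$ns" -l app=nginx-ingress,component=controller \
          --no-headers=true -o custom-columns=:metadata.name | head -n 1)
  [ -n "$pod" ] || { echo "no ingress controller pod found in $ns" >&2; return 1; }
  kubectl exec -n "$ns" "$pod" -c nginx-ingress-controller -- \
    cat /etc/nginx/nginx.conf | waf_mode
}

# Only talk to a cluster when explicitly asked; otherwise the functions above
# can be sourced and used on their own.
if [ "${1:-}" = "--cluster" ]; then
  check_cluster_waf_mode "${2:-gitlab-managed-apps}"
fi
```

Running `sh waf_mode.sh --cluster` prints "logging" for the state shown in the comment above; after switching the global setting to blocking it should print "blocking".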
- Zamir Martins closed
- Zamir Martins added workflow::production label and removed workflow::verification label