MVC: Allow users environment-level control to enable/disable their WAF (Web application firewall) and change between logging/blocking mode
Problem to solve
WAF users need an easy way to turn the WAF on or off and to switch the WAF between logging and blocking mode for specific environments.
Although these settings can be changed currently, the current approaches have limitations:
- SSHing into the container is time consuming (especially for customers with many containers) and requires technical knowledge
- Changing states via CI/CD pipeline environment variables works well, but is not easily discoverable by the end user; unless they have read our documentation, they are unlikely to know that they can use environment variables to change the WAF behavior
In the event that the WAF is causing performance problems, the user needs to be able to disable the WAF quickly and easily on a per-environment basis in the GitLab UI. In the event that the WAF in blocking mode is blocking legitimate traffic (false positives), the user needs to be able to quickly and easily change the WAF from blocking mode to logging mode in the GitLab UI.
Intended users
Further details
Although we hope that performance problems with the WAF will never happen or will be caught in testing, there is always a risk that a problem exists as the WAF interacts with customer-specific environments. This is an MVC designed to help users quickly disable or change the mode from blocking to logging in the event of a problem.
Proposal
- Allow users to configure exceptions to the global setting on a per-environment basis by setting the individual environment to Disabled, Logging, or Blocking mode
- The current method of using environment variables to configure the WAF functionality on a per-environment basis will continue to work and will override the UI setting
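As an added example (not from this issue or from GitLab's own code), a `.gitlab-ci.yml` fragment showing the environment-variable route that the proposal keeps as the override. It assumes the project includes the Auto DevOps template with its `staging` and `production` deploy jobs, and that those jobs read the `AUTO_DEVOPS_MODSECURITY_SEC_RULE_ENGINE` variable, whose values correspond to ModSecurity's `SecRuleEngine` directive:

```yaml
# .gitlab-ci.yml (added example, not from the issue): per-environment
# ModSecurity mode set through CI/CD variables, which the proposal says
# will continue to override the UI setting.
#
# Assumptions (not stated on the page):
#  - the project uses the Auto DevOps template, whose deploy jobs are
#    named `staging` and `production`;
#  - the deploy jobs read AUTO_DEVOPS_MODSECURITY_SEC_RULE_ENGINE, which
#    sets ModSecurity's SecRuleEngine directive:
#      Off           -> WAF disabled for that environment
#      DetectionOnly -> logging mode (requests inspected, never blocked)
#      On            -> blocking mode

include:
  - template: Auto-DevOps.gitlab-ci.yml

# Logging mode in staging: rule hits are recorded so that false positives
# can be reviewed before the same rules are allowed to block traffic.
staging:
  variables:
    AUTO_DEVOPS_MODSECURITY_SEC_RULE_ENGINE: "DetectionOnly"

# Blocking mode in production: requests matching a rule are rejected.
production:
  variables:
    AUTO_DEVOPS_MODSECURITY_SEC_RULE_ENGINE: "On"

# Emergency switch-off for one environment only (the "Problem to solve"
# case): change that environment's value to Off and redeploy it.
# production:
#   variables:
#     AUTO_DEVOPS_MODSECURITY_SEC_RULE_ENGINE: "Off"
```

Because the job-level `variables:` block is merged into the included template's job of the same name, each environment keeps its own mode without touching the global setting; the same effect can be had from project-level CI/CD variables scoped to an environment. Either way the new value applies on the next deploy of that environment, and, per the proposal, it takes precedence over whatever the UI Protection setting shows.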
Experience:
Environment level settings
[Figure: Environment settings GIF]
Details
[Figure: environment page]
Main states
[Figures: protection settings open - enabled | protection settings open - disabled]
Edge cases & additional states
[Figures: protection settings - Cluster WAF Disabled | protection settings - changes made]
Clicking the Enable button will take the user to the cluster page (/kubernetes) where they can enable the WAF
[Figures: protection settings - success toast | protection settings - saving error]
Permissions and Security
Users must be a Maintainer or Owner on the project to have access to the new Protection button on the Operations -> Environments page. No additional permissions are required.
Documentation
- Documentation will be updated to describe how to enable/disable the ModSecurity WAF at the environment level
- Documentation will be updated to describe how to switch the WAF between logging and blocking modes on a per-environment basis