Ingress ModSecurity Protection
Ingress Controller Global Configuration
# Edit the cluster gateway and add the following configuration options
data:
  enable-modsecurity: "true"
  enable-owasp-modsecurity-crs: "true"
  modsecurity-snippet: |
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLogParts ABIJDEFHZ
Per-Ingress (Single Route) Configuration
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: xxxxx
  namespace: tools
  annotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: 'false' # set to 'false' to disable ModSecurity for this Ingress
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      # Block malicious requests
      SecRuleEngine On
      # Log only, do not block:
      #SecRuleEngine DetectionOnly
    nginx.ingress.kubernetes.io/whitelist-source-range: 'x.x.x.x'
Handling False Positives
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  namespace: xxxx
  annotations:
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      # Remove the rule with the given ID only for requests whose URI matches the pattern
      SecRule REQUEST_URI "@rx ^/(js|cdn)/.*\.(js|css)$" "id:1000001,phase:1,nolog,pass,ctl:ruleRemoveById=959100"
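Deciding which rule ID to exclude, and for which paths, is the part the annotation above leaves to the operator. The following script is an added example (not code from the original page or from ingress-nginx): it parses the serial ModSecurity audit log whose sections are selected by SecAuditLogParts, collects the rule IDs that fired per request, and lists rules that fired only on paths matching a given pattern, which are the candidates for a narrow ctl:ruleRemoveById exclusion. It then renders the exclusion in the snippet form used above. The function names, the audit-log text, and all rule IDs and messages other than the page's 959100 are constructed sample data.

```python
"""Triage a ModSecurity audit log for per-path false positives (added example)."""
import re
from collections import defaultdict

# Section boundary line in the serial audit-log format: --<transaction id>-<part>--
BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$", re.MULTILINE)
RULE_ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')

# Constructed sample log (parts A, B, H, Z only): two static-asset responses that
# exceeded the outbound anomaly score, and one /login request that matched an
# inbound attack rule and must not be excluded.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[16/Jun/2023:02:57:48 +0000] 1a2b3c4d 10.0.0.5 43210 10.0.0.9 80
--1a2b3c4d-B--
GET /js/app.js HTTP/1.1
Host: app.example.internal
--1a2b3c4d-H--
ModSecurity: Warning. Outbound anomaly score exceeded [file "RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "10"] [id "959100"] [msg "Outbound Anomaly Score Exceeded"] [severity "CRITICAL"] [uri "/js/app.js"]
--1a2b3c4d-Z--

--5e6f7a8b-A--
[16/Jun/2023:02:58:03 +0000] 5e6f7a8b 10.0.0.6 43211 10.0.0.9 80
--5e6f7a8b-B--
GET /cdn/site.css HTTP/1.1
Host: app.example.internal
--5e6f7a8b-H--
ModSecurity: Warning. Outbound anomaly score exceeded [file "RESPONSE-959-BLOCKING-EVALUATION.conf"] [line "10"] [id "959100"] [msg "Outbound Anomaly Score Exceeded"] [severity "CRITICAL"] [uri "/cdn/site.css"]
--5e6f7a8b-Z--

--9c0d1e2f-A--
[16/Jun/2023:02:59:10 +0000] 9c0d1e2f 10.0.0.7 43212 10.0.0.9 80
--9c0d1e2f-B--
POST /login HTTP/1.1
Host: app.example.internal
--9c0d1e2f-H--
ModSecurity: Warning. detected SQLi using libinjection [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [uri "/login"]
ModSecurity: Access denied with code 403 (phase 2). [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [msg "Inbound Anomaly Score Exceeded"] [severity "CRITICAL"] [uri "/login"]
--9c0d1e2f-Z--
"""


def parse_audit_log(text):
    """Return one dict per transaction: id, method, path and the (rule id, msg) pairs that fired."""
    pieces = BOUNDARY_RE.split(text)
    # re.split with two groups yields [preamble, id, part, body, id, part, body, ...]
    sections, order = {}, []
    for i in range(1, len(pieces) - 2, 3):
        tx_id, part, body = pieces[i], pieces[i + 1], pieces[i + 2]
        if tx_id not in sections:
            sections[tx_id] = {}
            order.append(tx_id)
        sections[tx_id][part] = body.strip()
    entries = []
    for tx_id in order:
        parts = sections[tx_id]
        request_line = parts.get("B", "").splitlines()[:1]   # part B starts with the request line
        tokens = request_line[0].split() if request_line else []
        rules = []
        for line in parts.get("H", "").splitlines():        # part H carries the rule messages
            id_match = RULE_ID_RE.search(line)
            if id_match:
                msg_match = MSG_RE.search(line)
                rules.append((id_match.group(1), msg_match.group(1) if msg_match else ""))
        entries.append({"id": tx_id, "method": tokens[0] if tokens else "",
                        "path": tokens[1] if len(tokens) > 1 else "", "rules": rules})
    return entries


def rules_by_path(entries):
    """Map each rule ID to the set of request paths on which it fired."""
    hits = defaultdict(set)
    for entry in entries:
        for rule_id, _ in entry["rules"]:
            hits[rule_id].add(entry["path"])
    return dict(hits)


def suggest_exclusions(entries, path_pattern):
    """Rule IDs that fired only on paths matching path_pattern.

    A rule that also fired elsewhere is left out: removing it for the whole
    Ingress would weaken protection on those other paths.
    """
    pattern = re.compile(path_pattern)
    return sorted(rule_id for rule_id, paths in rules_by_path(entries).items()
                  if all(pattern.search(p) for p in paths))


def render_snippet(rule_ids, path_pattern, base_id=1000001):
    """Render modsecurity-snippet lines that drop each rule only for matching URIs."""
    return "\n".join(
        f'SecRule REQUEST_URI "@rx {path_pattern}" '
        f'"id:{base_id + n},phase:1,nolog,pass,ctl:ruleRemoveById={rule_id}"'
        for n, rule_id in enumerate(rule_ids))


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_AUDIT_LOG)
    static_assets = r"^/(js|cdn)/.*\.(js|css)$"
    for entry in parsed:
        print(entry["method"], entry["path"], [rule_id for rule_id, _ in entry["rules"]])
    print(render_snippet(suggest_exclusions(parsed, static_assets), static_assets))
```

Run against the sample, the script reports only 959100 for the static-asset pattern and leaves the /login rules alone; feed it a real audit log (the file configured by SecAuditLog, with at least parts A, B and H enabled) and review the candidates before pasting the rendered lines into the annotation.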
Debugging Aids
After changing the configuration, run the following command to watch the Controller log (responses with status 200, 304 and 302 are filtered out):
kubectl -n kubesphere-controls-system logs -f --tail=100 deploy/kubesphere-router-cluster | grep -v " 200 " | grep -v " 304 " | grep -v " 302 "
Output like the following confirms that the configuration was reloaded and the rules are in effect:
I0616 02:57:48.410908 7 event.go:285] Event(v1.ObjectReference{Kind:"Ingress", Namespace:"battery-detection", Name:"bd-chuxing-gandongyun-com", UID:"5fa5829b-780b-4e14-a34d-65d4da9cac63", APIVersion:"networking.k8s.io/v1", ResourceVersion:"3492390", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
I0616 02:57:48.411781 7 controller.go:168] "Configuration changes detected, backend reload required"
I0616 02:57:48.837738 7 controller.go:185] "Backend successfully reloaded"
I0616 02:57:48.837919 7 event.go:285] Event(v1.ObjectReference{Kind:"Pod", Namespace:"kubesphere-controls-system", Name:"kubesphere-router-cluster-ddb66bd79-4676q", UID:"28ab1d7c-53e5-4988-acd9-664da2de36cc", APIVersion:"v1", ResourceVersion:"1785908", FieldPath:""}): type: 'Normal' reason: 'RELOAD' NGINX reload triggered due to a change in configuration