VirtualServer(Route) - Cafe
VirtualServer(Route) - Cafe¶
Introduction¶
Cafe application, configured by your own in lab 2, have been already deployed in its final configuration in namespace lab3-cafe.
Like an Ingress resource, a VirtualServer resource allows you to set a default policy at the http context in configuration file.
More, a VirtualServerRoute allows you to set a location policy in the configuration file.
A WAF policy have been already applied to VirtualServer and each VirtualServerRoute resources.
Try to access to
https://cafe{{site_ID}}.f5app.dev/teaandhttps://cafe{{site_ID}}.f5app.dev/coffee
Exercise 1: K8S resources¶
The Policy resource allows you to configure a WAF policy, which you can add to your VirtualServer and VirtualServerRoute resources. More details here.
VirtualServer¶
View Cafe
VirtualServerand associated WAF policy
kubectl describe virtualserver -n lab3-cafe cafe | grep -A 20 Spec
output:
Host: cafe1.f5app.dev
Ingress Class Name: nginx-external
Policies:
Name: generic-security-level-low
Namespace: lab3-cafe
VirtualServerRoute¶
View a Coffee
VirtualServerRouteand associated WAF policy
kubectl describe virtualserverroute -n lab3-cafe coffee | grep -A 38 Spec
output:
Host: cafe1.f5app.dev
Ingress Class Name: nginx-external
Subroutes:
...
Path: /coffee/proxy
Action:
Pass: coffee
Path: /coffee
Policies:
Name: waf-cafe-coffee
Namespace: lab3-cafe
Upstreams:
Name: coffee
Port: 80
Service: coffee
Capture The Flag
1.1 What is the waf policy name that protects /tea?
WAF Policy¶
View a Coffee WAF
Policyand associated App Protect policy
kubectl describe policy -n lab3-cafe waf-cafe-coffee | grep -A 7 Spec
output:
Waf:
Ap Policy: external-ingress-controller/cafe-coffee
Enable: true
Security Log:
Ap Log Conf: external-ingress-controller/naplogformat
Enable: true
Log Dest: syslog:server=10.1.0.10:5144
App Protect Policy¶
View a Coffee
appolicy
kubectl describe appolicy -n external-ingress-controller cafe-coffee | grep -A 100 Spec
output:
Policy:
Application Language: utf-8
Blocking - Settings:
Violations:
Alarm: true
Block: true
Name: VIOL_HTTP_RESPONSE_STATUS
Enforcement Mode: blocking
Name: cafe-coffee-security-level-low
Signatures:
Enabled: false
Signature Id: 200000128
Template:
Name: POLICY_TEMPLATE_NGINX_BASE
Capture The Flag
1.2 In which namespace are located all APPolicies?
Exercise 2: Ingress Controller configuration¶
Log into IC
kubectl get pods -n external-ingress-controller
output:
NAME READY STATUS RESTARTS AGE
nap-external-ingress-controller-7576b65b4-ps4ck 1/1 Running 0 8d
kubectl exec --namespace external-ingress-controller -it nap-external-ingress-controller-7576b65b4-ps4ck bash
NGINX¶
See configured WAF policies
grep -E 'server_name |location |protect' /etc/nginx/conf.d/vs_lab3-cafe_cafe.conf
output:
server_name cafe1.f5app.dev;
app_protect_enable on;
app_protect_policy_file /etc/nginx/waf/nac-policies/external-ingress-controller_generic-security-level-low;
app_protect_security_log_enable on;
app_protect_security_log /etc/nginx/waf/nac-logconfs/external-ingress-controller_naplogformat syslog:server=10.1.0.10:5144;
location @return_0 {
location /redirect {
location /return_page {
location /coffee/proxy {
location /coffee {
app_protect_enable on;
app_protect_policy_file /etc/nginx/waf/nac-policies/external-ingress-controller_cafe-coffee;
app_protect_security_log_enable on;
app_protect_security_log /etc/nginx/waf/nac-logconfs/external-ingress-controller_naplogformat syslog:server=10.1.0.10:5144;
location /tea/proxy {
location /tea {
app_protect_enable on;
app_protect_policy_file /etc/nginx/waf/nac-policies/external-ingress-controller_cafe-tea;
app_protect_security_log_enable on;
app_protect_security_log /etc/nginx/waf/nac-logconfs/external-ingress-controller_naplogformat syslog:server=10.1.0.10:5144;
Capture The Flag
2.1 Which App Protect policy name protects /return_page?
App Protect¶
See configured WAF policies
cat /opt/app_protect/config/config_set.json
output:
{
"policies": {
"/etc/nginx/waf/nac-policies/external-ingress-controller_generic-security-level-low": {
"import_filename": "/etc/nginx/waf/nac-policies/external-ingress-controller_generic-security-level-low",
"src_config_line": 109,
"vs_info": {
"50-cafe1.f5app.dev:19-/tea/proxy": {
},
"50-cafe1.f5app.dev:17-/coffee/proxy": {
},
"50-cafe1.f5app.dev:16-/return_page": {
},
"50-cafe1.f5app.dev:15-/redirect": {
},
"50-cafe1.f5app.dev:14-@return_0": {
},
"50-cafe1.f5app.dev:0-": {
}
}
},
"/etc/nginx/waf/nac-policies/external-ingress-controller_cafe-coffee": {
"import_filename": "/etc/nginx/waf/nac-policies/external-ingress-controller_cafe-coffee",
"src_config_line": 373,
"vs_info": {
"50-cafe1.f5app.dev:18-/coffee": {
}
}
},
"/etc/nginx/waf/nac-policies/external-ingress-controller_cafe-tea": {
}
}
}
Capture The Flag
2.2 Two VirtualServerRoutes in same namespace can reference same WAF policy. Is it true?
2.3 Two VirtualServerRoutes in 2 namespaces can reference same WAF policy in another nameSpace. Is it true?