  • Stars: 257
  • Rank: 158,728 (Top 4 %)
  • Language: Dockerfile
  • License: MIT License
  • Created about 8 years ago
  • Updated over 1 year ago

Repository Details

An NGINX and ModSecurity based Web Application Firewall for Docker

Securing Docker Containers with a Web Application Firewall (WAF) built on ModSecurity and NGINX

One can never be too paranoid about online security, for a number of reasons. Containers are generally considered more secure by default than virtual machines because they substantially reduce the attack surface of a given application and its supporting infrastructure. This does not mean, however, that one can stop being vigilant about securing containers. In addition to following secure practices for mitigating container security risks, those who run containers should also put edge security in front of them. Most applications deployed into containers are in some way connected to the internet, with ports exposed and so on. Traditionally, applications are protected by edge devices such as Unified Threat Management (UTM) appliances, which provide a suite of protection services including application protection. The nature of containers, though, makes using a UTM harder, because container workloads are portable and elastic. Likewise, container workloads are increasingly being shifted to the cloud.

A Web Application Firewall (WAF) is a purpose-built firewall designed to protect against attacks common to web apps. One of the most widely used WAFs is ModSecurity. It was originally written as a module for the Apache web server, but it has since been ported to NGINX and IIS. ModSecurity protects against attacks by providing:

  • SQL injection detection
  • Checks that the declared content type matches the body data
  • Protection against malformed POST requests
  • HTTP protocol protection
  • Real-time blacklist lookups
  • HTTP denial-of-service protections
  • Generic web attack protection
  • Error detection and hiding

NGINX, though, is more than merely a web server. It can also act as a load balancer and reverse proxy, and it can do SSL offloading. Combined with ModSecurity, it has all the features of a full-blown WAF. The NGINX/ModSecurity WAF has traditionally been deployed on VMs and bare-metal servers, but it can also be containerized. Running NGINX/ModSecurity in a container means that the container itself is a WAF and carries all the advantages of containers: it scales and deploys alongside container workloads, on premises and in the cloud, in a way that VMs and physical firewalls cannot. The Dockerfile and script in this repository build NGINX and ModSecurity from source inside a container, then add three config files. These files ship with the default settings enabled.

  • nginx.conf – the NGINX configuration file, which contains the directives for load balancing and reverse proxying.
    • Line 44 starts the section for enabling and disabling ModSecurity.
    • Line 52 starts the section that configures the reverse proxy. For Docker, the target will usually be the name of the application container that the WAF is fronting.
    • Line 53 contains the internal URL that NGINX proxies to.
  • modsecurity.conf – the configuration for ModSecurity, including some defaults and exclusions for the rules ModSecurity uses. Almost everything in modsecurity.conf can be left as is.
    • Line 230 starts the configuration of the rules.
    • The rules are downloaded and installed (into /usr/local/nginx/conf/rules) when the container is built. Individual rules can be disabled or enabled, or they can all be enabled.
  • crs-setup.conf – the configuration of the rule set used by ModSecurity. The file has integrated documentation; reading through it explains what each setting is for. For more information about crs-setup.conf, visit OWASP's website.
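As an added illustration (not a file from this repository), here is a minimal nginx.conf for the ModSecurity 3 (waf-3) layout followed by the tail of a modsecurity.conf, showing the enable/disable directive, the proxy target and the rule includes described above; the upstream name and port, the audit log path and every file path except the rules directory named in the README are assumptions:

```nginx
# --- nginx.conf (ModSecurity 3 connector, waf-3 layout) ---
# Added example, not the repository's own file. Paths other than the rules
# directory named in the README, and the upstream name/port, are assumptions.
worker_processes auto;

events { worker_connections 1024; }

http {
    # Turn the WAF on and point the connector at the ModSecurity config.
    # "modsecurity off;" here disables inspection without touching the rules.
    modsecurity on;
    modsecurity_rules_file /usr/local/nginx/conf/modsecurity.conf;

    upstream app {
        # Container (or Kubernetes ClusterIP service) that the WAF fronts.
        server app:3000;
    }

    server {
        listen 80;

        location / {
            proxy_pass http://app;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

# --- tail of modsecurity.conf ---
# The upstream modsecurity.conf-recommended ships with SecRuleEngine set to
# DetectionOnly, which logs matches but never blocks; set it to On to enforce.
SecRuleEngine On
# Inspect request bodies (needed to catch malformed or injected POST payloads).
SecRequestBodyAccess On
# Audit only transactions that triggered a rule, to the assumed log path.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log
# Load the CRS settings first, then every installed rule file.
Include /usr/local/nginx/conf/crs-setup.conf
Include /usr/local/nginx/conf/rules/*.conf
```

Run `nginx -t` inside the container after editing either file; a rule-file syntax error is reported there rather than at the first blocked request.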

Using the Dockerfile is simple. Change to the directory containing the Dockerfile and build the image.

UPDATE: 6/8/2020

A new folder was added for ModSecurity 3.0:

  • waf-2 is for ModSecurity 2
  • waf-3 is for ModSecurity 3

Everything else remains the same.

Multi-Stage Build:

docker build --tag mywaf .

Then run it.

docker run --name my-container-name -p 80:80 mywaf

This creates and starts the container.

The image can also be used with Docker Compose. The docker-compose.yml is a simple example that deploys a small Node application together with the WAF. Change to the directory containing the Compose file, then run:

docker-compose up

Use with Kubernetes

It is possible to use the WAF with Kubernetes too. In short, you create a Deployment and a LoadBalancer Service for the WAF, then have the WAF connect to your application, which runs as a Deployment behind a ClusterIP Service. See the kube.yml file in the repository for specifics.

Then use kubectl to deploy the kube.yml file to your Kubernetes environment.

kubectl create -f kube.yml
