Simple WAF setup

charsleysa · January 19, 2021, 10:16pm

Hi guys,

I was looking for a simple WAF setup and reeeealllly hoping there is a WAF fly layer coming soon. If not, is there any plans for creating a built-in that has all the recommended configurations for OWASP Top10 and the like that would be suitable for both frontends and APIs?

Cheers,
Stefan

kurt · January 20, 2021, 2:20am

We vaguely plan to ship some WAF-like features, but I don’t know when!

Right now the simplest thing to do is run nginx + modsecurity. You can launch this pretty fast by:

flyctl init
Choose “Docker Image”, enter owasp/modsecurity-crs:3.3-nginx
Set port to 80 when prompted (not the default)
Edit fly.toml and add env variables for PROXY="1" and UPSTREAM="your-app"

You’ll end up with a config like this:

[build]
image = "owasp/modsecurity-crs:3.3-nginx"

[env]
PARANOIA="1"
PROXY="1"
UPSTREAM="https://fly.io"


[[services]]
  internal_port = 80
  protocol = "tcp"

  [services.concurrency]
    hard_limit = 250
    soft_limit = 200

  [[services.ports]]
    handlers = ["http"]
    port = "80"

  [[services.ports]]
    handlers = ["tls", "http"]
    port = "443"

  [[services.tcp_checks]]
    interval = 10000
    timeout = 2000

kmccauley · January 20, 2021, 7:07pm

I’m having problems executing this example. When I run fly deploy it exits with the following errors:
2021-01-20T18:38:48Z [info] Starting init (commit: 7cf0409)…
2021-01-20T18:38:48Z [info] Running: /docker-entrypoint.sh nginx -g daemon off; as root
2021-01-20T18:38:48Z [info] 2021/01/20 18:38:48 [notice] 502#502: ModSecurity-nginx v1.0.1 (rules loaded inline/local/remote: 0/913/0)
2021-01-20T18:38:52Z [info] Health check status changed to ‘warning’
2021-01-20T18:38:57Z [info] Health check status changed to ‘critical’
2021-01-20T18:39:34Z [info] Shutting down virtual machine
2021-01-20T18:39:34Z [info] Program exited with code: 0
***v3 failed - Failed due to unhealthy allocations - no stable job version to auto revert to

kurt · January 20, 2021, 7:09pm

Oh make sure it’s set to internal_port: 80 in fly.toml. It probably defaulted to 8080, which is wrong.

kmccauley · January 20, 2021, 7:18pm

Yes! Thanks for the quick reply. May want to highlight that in the fly.toml example above ;->

kurt · January 21, 2021, 2:22am

Fixed!

greg · August 27, 2021, 1:02pm

Hello,

Came across this during my Cloudflare experiments. Was interested in knowing how this approach went.

Am I right in thinking that since there isn’t support for a Docker-compose style of running nginx and nodejs together, to make this work you would have two apps: this nginx-owasp one (which would provide the IP you would point your public domain at) based on the config above, and then separately still have the existing app?

And set the UPSTREAM as the existing app’s … IP? Or would that be https://[name].fly.dev?

Thanks.

kurt · August 27, 2021, 3:22pm

Setting the upstream to <app>.fly.dev would work best, but you need to make sure it’s a variable for proxy_pass so nginx will resolve DNS more than once.

For what it’s worth, when we build docker-compose support in, it will launch multiple apps. So what you’re thinking is pretty close to “correct”.

greg · August 27, 2021, 3:28pm

Ok. Thanks @kurt

Topic		Replies	Views
Best Ubuntu+Nginx Reverse Proxy setup?	5	989	July 24, 2023
Does Fly have any sort of firewall/IP blocking?	8	2266	February 14, 2022
Controlling access to a Fly app Questions / Help	16	2358	January 21, 2023
Error tunnel unavailable: failed probing "personal": context deadline exceeded Questions / Help rails	11	3409	December 5, 2023
Can I use fly + WireGuard to expose an internal web interface? Questions / Help	8	2090	April 5, 2021

Simple WAF setup

Related Topics