Simple WAF setup

1

Hi guys,

I was looking for a simple WAF setup and reeeealllly hoping there is a WAF fly layer coming soon. If not, is there any plans for creating a built-in that has all the recommended configurations for OWASP Top10 and the like that would be suitable for both frontends and APIs?

Cheers,
Stefan

2

We vaguely plan to ship some WAF-like features, but I donā€™t know when!

Right now the simplest thing to do is run nginx + modsecurity. You can launch this pretty fast by:

  1. flyctl init
  2. Choose ā€œDocker Imageā€, enter owasp/modsecurity-crs:3.3-nginx
  3. Set port to 80 when prompted (not the default)
  4. Edit fly.toml and add env variables for PROXY="1" and UPSTREAM="your-app"

Youā€™ll end up with a config like this:

[build]
image = "owasp/modsecurity-crs:3.3-nginx"

[env]
PARANOIA="1"
PROXY="1"
UPSTREAM="https://fly.io"


[[services]]
  internal_port = 80
  protocol = "tcp"

  [services.concurrency]
    hard_limit = 250
    soft_limit = 200

  [[services.ports]]
    handlers = ["http"]
    port = "80"

  [[services.ports]]
    handlers = ["tls", "http"]
    port = "443"

  [[services.tcp_checks]]
    interval = 10000
    timeout = 2000
1 Like
3

Iā€™m having problems executing this example. When I run fly deploy it exits with the following errors:
2021-01-20T18:38:48Z [info] Starting init (commit: 7cf0409)ā€¦
2021-01-20T18:38:48Z [info] Running: /docker-entrypoint.sh nginx -g daemon off; as root
2021-01-20T18:38:48Z [info] 2021/01/20 18:38:48 [notice] 502#502: ModSecurity-nginx v1.0.1 (rules loaded inline/local/remote: 0/913/0)
2021-01-20T18:38:52Z [info] Health check status changed to ā€˜warningā€™
2021-01-20T18:38:57Z [info] Health check status changed to ā€˜criticalā€™
2021-01-20T18:39:34Z [info] Shutting down virtual machine
2021-01-20T18:39:34Z [info] Program exited with code: 0
***v3 failed - Failed due to unhealthy allocations - no stable job version to auto revert to

4

Oh make sure itā€™s set to internal_port: 80 in fly.toml. It probably defaulted to 8080, which is wrong.

5

Yes! Thanks for the quick reply. May want to highlight that in the fly.toml example above ;->

1 Like
6

Fixed!

7

Hello,

Came across this during my Cloudflare experiments. Was interested in knowing how this approach went.

Am I right in thinking that since there isnā€™t support for a Docker-compose style of running nginx and nodejs together, to make this work you would have two apps: this nginx-owasp one (which would provide the IP you would point your public domain at) based on the config above, and then separately still have the existing app?

And set the UPSTREAM as the existing appā€™s ā€¦ IP? Or would that be https://[name].fly.dev?

Thanks.

8

Setting the upstream to <app>.fly.dev would work best, but you need to make sure itā€™s a variable for proxy_pass so nginx will resolve DNS more than once.

For what itā€™s worth, when we build docker-compose support in, it will launch multiple apps. So what youā€™re thinking is pretty close to ā€œcorrectā€.

1 Like
9

Ok. Thanks @kurt

10

@kurt is this still the recommended way to run a simple WAF for a Fly app? Iā€™m getting host not found in resolver "nameserver" in /etc/nginx/nginx.conf, so Iā€™m guessing things might have changed since 2021. I havenā€™t found any docs/blogposts on the topic, so Iā€™m reviving this old thread :innocent: . Thanks!