June 26, 2022
Protect public URLs with ModSecurity for Nginx on a Kubernetes cluster
If you’re using Ingress Nginx to manage public endpoints, ModSecurity is already installed, but it’s disabled by default. To enable it, add the following to the ConfigMap ingress-nginx-controller:
allow-snippet-annotations: "true"
enable-modsecurity: "true"
enable-owasp-modsecurity-crs: "true"
modsecurity-snippet: |-
SecRuleEngine On
SecRequestBodyAccess OnCustomize ModSecurity rules on a per host basis
It’s possible to adjust the ModSecurity configuration for each Ingress object on the cluster using annotations.
annotations:
nginx.ingress.kubernetes.io/enable-modsecurity: "true"
nginx.ingress.kubernetes.io/enable-owasp-core-rules: "false"
nginx.ingress.kubernetes.io/modsecurity-snippet: |
SecRuleRemoveById <rule_id>How to completely customize modsecurity.conf
With the modsecurity-snippet option, its possible to add custom configuration to ModSecurity. However, you can override the modsecurity.conf entirely if you want.
To do so, first copy the file inside the pod.
kubectl -n ingress-nginx cp <ingress-controller-pod-name>:/etc/nginx/modsecurity/modsecurity.conf ./modsecurity.confModify it as required and save the file in a ConfigMap.
kubectl -n ingress-nginx create configmap modsecurityconf --from-file=modsecurity.confIf, after creating the initial version, you need to change the file again locally, you can update the ConfigMap by doing the following.
kubectl -n ingress-nginx create configmap modsecurityconf \
--from-file=modsecurity.conf -o yaml \
--dry-run=client | kubectl apply -f -To mount the ConfigMap to the controller deployment, create a patch file.
spec:
template:
spec:
volumes:
- name: modsecurityconf
configMap:
name: modsecurityconf
containers:
- name: controller
volumeMounts:
- name: modsecurityconf
mountPath: "/etc/nginx/modsecurity/modsecurity.conf"
subPath: modsecurity.conf
readOnly: trueAnd then apply the patch file.
kubectl -n ingress-nginx patch deployment/ingress-nginx-controller --patch-file deployment-patch.yml