Configuration
Check out the complete NGINX Ingress Controller with App Protect DoS example for VirtualServer and the NGINX Ingress Controller with App Protect DoS example for Ingress.
App Protect DoS Configuration
A DosProtectedResource
is a Custom Resource that holds the configuration of a collection of protected resources.
An Ingress, VirtualServer and VirtualServerRoute can be protected by specifying a reference to the DosProtectedResource.
- Create an
DosProtectedResource
Custom resource manifest. As an example:
apiVersion: appprotectdos.f5.com/v1beta1
kind: DosProtectedResource
metadata:
name: dos-protected
spec:
enable: true
name: "webapp.example.com"
apDosMonitor:
uri: "webapp.example.com"
protocol: "http1"
timeout: 5
- Enable App Protect DoS for an Ingress resource by adding an annotation to the Ingress. Set the value of the annotation to the qualified identifier(
namespace/name
) of a DosProtectedResource:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: webapp-ingress
annotations:
appprotectdos.f5.com/app-protect-dos-resource: "default/dos-protected"
- Enable App Protect DoS on a VirtualServer resource by setting the
dos
field value to the qualified identifier(namespace/name
) of a DosProtectedResource:
apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
name: webapp
spec:
host: webapp.example.com
upstreams:
- name: webapp
service: webapp-svc
port: 80
routes:
- path: /
dos: dos-protected
action:
pass: webapp
DoS Policy Configuration
You can configure the policy for DoS by creating an APDosPolicy
Custom Resource and specifying the qualified identifier(namespace/name
) of the ApDosPolicy
in the DosProtectedResource
.
For example, say you want to use DoS Policy as shown below:
{
mitigation_mode: "standard",
signatures: "on",
bad_actors: "on",
automation_tools_detection: "on",
tls_fingerprint: "on",
}
Create an APDosPolicy
resource with the policy defined in the spec
, as shown below:
apiVersion: appprotectdos.f5.com/v1beta1
kind: APDosPolicy
metadata:
name: dospolicy
spec:
mitigation_mode: "standard"
signatures: "on"
bad_actors: "on"
automation_tools_detection: "on"
tls_fingerprint: "on"
Then add a reference in the DosProtectedResource
to the ApDosPolicy
:
apiVersion: appprotectdos.f5.com/v1beta1
kind: DosProtectedResource
metadata:
name: dos-protected
spec:
enable: true
name: "my-dos"
apDosMonitor:
uri: "webapp.example.com"
apDosPolicy: "default/dospolicy"
App Protect DoS Logs
You can set the App Protect DoS Log configuration by creating an APDosLogConf
Custom Resource and specifying the qualified identifier(namespace/name
) of the ApDosLogConf
in the DosProtectedResource
.
For example, say you want to log state changing requests for your Ingress resources using App Protect DoS. The App Protect DoS log configuration looks like this:
{
"filter": {
"traffic-mitigation-stats": "all",
"bad-actors": "top 10",
"attack-signatures": "top 10"
}
}
You would add that config in the spec
of your APDosLogConf
resource as follows:
apiVersion: appprotectdos.f5.com/v1beta1
kind: APDosLogConf
metadata:
name: doslogconf
spec:
filter:
traffic-mitigation-stats: all
bad-actors: top 10
attack-signatures: top 10
Then add a reference in the DosProtectedResource
to the APDosLogConf
:
apiVersion: appprotectdos.f5.com/v1beta1
kind: DosProtectedResource
metadata:
name: dos-protected
spec:
enable: true
name: "my-dos"
apDosMonitor:
uri: "webapp.example.com"
dosSecurityLog:
enable: true
apDosLogConf: "doslogconf"
dosLogDest: "syslog-svc.default.svc.cluster.local:514"
Global Configuration
NGINX Ingress Controller has a set of global configuration parameters that align with those available in the NGINX App Protect DoS module. See ConfigMap keys for the complete list. The App Protect parameters use the app-protect-dos*
prefix.