feat(router): adding modsecurity module with OWASP core rule set as sec option

Author: Cryptophobia

README.md

@@ -250,6 +250,7 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`.  A
 | <a name="enable-regex-domains"></a>deis-router | deployment | [router.deis.io/nginx.enableRegexDomains](#enable-regex-domains) | `"false"` | Whether to _enable_ application-level regex domain that can be explicitly defined for specific applications.  With this option enabled, each app can have its own regex domain in server_name blocks of the nginx config.  This allows for useful domains like `store-number-\d*.example.com`.  |
 | <a name="load-tcell-module"></a>deis-router | deployment | [router.deis.io/nginx.loadTcellModule](#load-tcell-module) | `"false"` | Whether to _enable_ the dynamic security nginx module provided by [Tcell](https://tcell.io/) as a [WAF](https://en.wikipedia.org/wiki/Web_application_firewall) on the router. Note this requires that you purchase a Tcell account and have application configured in the Tcell UI.  The tcell_agent.config is passed through a configMap object through k8s.  Example of the configMap can be found in this [gist](https://gist.github.com/Cryptophobia/648b23f234eeb9538c87b478de401a53).  The open source alternative for this is Modsecurity dynamic module.  |
 | <a name="global-tcell-app-id"></a>deis-router | deployment | [router.deis.io/nginx.globalTcellAppID](#global-tcell-app-id) | N/A | This is the global app id to insert for the Tcell module in the top-most http{} block of the nginx config.  To configure an individual app id for each application, you need to use the application annotation below.  The application specific app id will take precedence over the global one.  |
+| <a name="load-modsecurity-module"></a>deis-router | deployment | [router.deis.io/nginx.loadModsecurityModule](#load-modsecurity-module) | `"false"` | Whether to _enable_ the open source dynamic security nginx module [Modsecurity](https://github.com/SpiderLabs/ModSecurity/tree/v3/master) globally for all apps as a [WAF](https://en.wikipedia.org/wiki/Web_application_firewall) on the router.  The rule set that Modsecurity will use by default is the [OWASP ModSecurity Core Rule Set (CRS)](https://github.com/SpiderLabs/owasp-modsecurity-crs) and Modsecurity will be turned on to block malicious traffic on all apps if this annotation is enabled.  This core rule set can be overwritten by configMap like in the example above for the Tcell module.  |
 | <a name="default-whitelist"></a>deis-router | deployment | [router.deis.io/nginx.defaultWhitelist](#default-whitelist) | N/A | A default (router-wide) whitelist expressed as  a comma-delimited list of addresses (using IP or CIDR notation).  Application-specific whitelists can either extend or override this default. |
 | <a name="whitelist-mode"></a>deis-router | deployment | [router.deis.io/nginx.whitelistMode](#whitelist-mode) | `"extend"` | Whether application-specific whitelists should extend or override the router-wide default whitelist (if defined).  Valid values are `"extend"` and `"override"`. |
 | <a name="default-service-enabled"></a>deis-router | deployment | [router.deis.io/nginx.defaultServiceEnabled](#default-service-enabled) | `"false"` | Enables default back-end service for traffic hitting /. In order to work correctly both `defaultServiceIP` and `DefaultAppName` MUST also be set.  |

model/model.go

@@ -59,6 +59,7 @@ type RouterConfig struct {
 	EnableRegexDomains       bool        `key:"enableRegexDomains" constraint:"(?i)^(true|false)$"`
 	LoadTcellModule          bool        `key:"loadTcellModule" constraint:"(?i)^(true|false)$"`
 	GlobalTcellAppID         string      `key:"globalTcellAppID" constraint:"(?i)^([a-z0-9]+(-[a-z0-9]+)*)+[a-z0-9]+$"`
+	LoadModsecurityModule    bool        `key:"loadModsecurityModule" constraint:"(?i)^(true|false)$"`
 	DefaultServiceIP         string      `key:"defaultServiceIP"`
 	DefaultAppName           string      `key:"defaultAppName"`
 	DefaultServiceEnabled    bool        `key:"defaultServiceEnabled" constraint:"(?i)^(true|false)$"`
@@ -96,6 +97,7 @@ func newRouterConfig() (*RouterConfig, error) {
 		WhitelistMode:            "extend",
 		EnableRegexDomains:       false,
 		LoadTcellModule:          false,
+		LoadModsecurityModule:    false,
 		RequestIDs:               false,
 		SSLConfig:                newSSLConfig(),
 		DefaultServiceEnabled:    false,

nginx/config.go

@@ -21,6 +21,11 @@ worker_processes {{ $routerConfig.WorkerProcesses }};
 load_module modules/ngx_http_tcell_agent_module.so;
 {{- end }}
 
+{{ if $routerConfig.LoadModsecurityModule -}}
+# Loading the Modsecurity connector nginx dynamic module
+load_module modules/ngx_http_modsecurity_module.so;
+{{- end }}
+
 events {
 	worker_connections {{ $routerConfig.MaxWorkerConnections }};
 	# multi_accept on;
@@ -237,6 +242,12 @@ http {
 		tcell_app_id {{ $appConfig.TcellAppID }};
 		{{- end }}
 
+		{{ if $routerConfig.LoadModsecurityModule -}}
+		# Turning on modsecurity if modsecurity module loaded
+		modsecurity on;
+		modsecurity_rules_file /opt/router/conf/modsecurity.conf;
+		{{- end }}
+
 		{{ if index $appConfig.Certificates $domain }}
 		listen 6443 ssl {{ if $routerConfig.HTTP2Enabled }}http2{{ end }} {{ if $routerConfig.UseProxyProtocol }}proxy_protocol{{ end }};
 		ssl_protocols {{ $sslConfig.Protocols }};

rootfs/Dockerfile

@@ -9,7 +9,7 @@ RUN adduser --system \
 
 COPY /bin /bin
 
-RUN buildDeps='gcc make libgeoip-dev libssl-dev libpcre3-dev'; \
+RUN buildDeps='gcc make apt-utils libgeoip-dev libssl-dev libpcre3-dev'; \
     apt-get update && \
     apt-get install -y --no-install-recommends \
         $buildDeps \
@@ -51,6 +51,22 @@ RUN buildDeps='gcc make libgeoip-dev libssl-dev libpcre3-dev'; \
     get_src 8c535a2e526a9684afca6c227dc2115eb06681c48103541b97c73716da9f0cf5 "https://s3.amazonaws.com/hephy-artifacts/hephy-router/nginx_tcellagent-1.0.7-agentonly-zuora-linux-x86_64.tar.gz" && \
     mv "$PREFIX/modules/nginx_tcellagent-1.0.7-agentonly-zuora-linux-x86_64/ubuntu/xenial/nginx-1.13.7-custom_flags_ssl_1.0.2g/ngx_http_tcell_agent_module.so" . && \
     rm -rf "$PREFIX/modules/nginx_tcellagent-1.0.7-agentonly-zuora-linux-x86_64" && \
+    # include libmodsecurity3 and modsecurity connector dynamic module
+    modsecurityDeps='apt-utils git libcurl4-openssl-dev libyajl-dev libxml2 libxml2-dev' && \
+    apt-get install -y --no-install-recommends \
+        $modsecurityDeps && \
+    cd "$PREFIX/modules" && \
+    get_src 2dd0d6dc258da729a42a94ea5118a3b16b2f3f7f91c198342a67f19378656366 "https://s3.amazonaws.com/hephy-artifacts/hephy-router/modsecurity-v3-ubuntu-16.04.tar.gz" && \
+    mv usr/local/modsecurity /usr/local/modsecurity && \
+    rm -rf usr && \
+    get_src_file c9fd4ddb69ba1ce0a3118e529c43f87c3ab216e20900e25863e58537399d2d19 "https://s3.amazonaws.com/hephy-artifacts/hephy-router/ngx_http_modsecurity_module.so" && \
+    # setup the modsecurity config and OWASP rules
+    cd "$PREFIX/conf" && \
+    get_src_file 905d47245003204b338eb1760933ab48a12c6b1a29c6f7080860b6c5d9ad337b "https://s3.amazonaws.com/hephy-artifacts/hephy-router/modsecurity.conf" && \
+    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git && \
+    cp -R owasp-modsecurity-crs/rules/ $PREFIX/conf/ && \
+    cp $PREFIX/conf/owasp-modsecurity-crs/crs-setup.conf.example $PREFIX/conf/crs-setup.conf && \
+    rm -rf owasp-modsecurity-crs && \
     # cleanup
     apt-get purge -y --auto-remove $buildDeps && \
     apt-get autoremove -y && \
@@ -76,7 +92,7 @@ RUN buildDeps='gcc make libgeoip-dev libssl-dev libpcre3-dev'; \
 COPY . /
 
 # Fix some permissions since we'll be running as a non-root user
-RUN chown -R router:router /opt/router
+RUN chown -R router:router /opt/router /var/log
 
 USER router
 

rootfs/bin/get_src_file

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+hash="$1"
+url="$2"
+f=$(basename "$url")
+
+curl -sSL "$url" -o "$f"
+echo "$hash  $f" | sha256sum -c - || exit 10