Skip to content

Deploy WAF containers when enabled in NGINXProxy #3481

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jun 11, 2025
Merged

Deploy WAF containers when enabled in NGINXProxy #3481

merged 5 commits into from
Jun 11, 2025

Conversation

@ciarams87
Copy link
Contributor

@ciarams87 ciarams87 commented Jun 9, 2025
edited
Loading

Proposed changes

Problem: In order to enable NAP WAF protection for NGF traffic, we need to install the nap module in the NGINX container, provide a mechanism to deploy the additional WAF v5 containers in the NGINX deployment, and then set the base app_protect_* directives in the NGINX conf

Solution:

  1. Add the ability to build a NAP WAF image:
  • Update the NGINX Plus Dockerfile to optionally install the app protect module when INCLUDE_NAP_WAF=true
  • Extend the ENTRYPOINT script to create an additional required file
  • Create an additional Make target to build the image
  1. Extend the NGINXProxy resource to support WAF
  • Add a toggle to enable waf in the NGINXProxy resource
  • If enabled, deploy the additional waf containers
  • Add support for user overrides of certain parameters of the waf containers (image, resources, additional volumes)
  • If WAF is enabled, add the required base app_protect_* directives to the nginx conf (load module and enforcer address)
  1. Extend the Helm chart to support these new configuration options

Notes:

  • NAP v5 is supported in both OSS and Plus. This PR only adds Dockerfile support for Plus, but deploying an NGF compatible OSS image with the NAP module installed isn't blocked by this implementation
  • Building the image and testing in the pipeline will be handled in a separate PR

Testing: Deployed in GKE (NAP WAF does not run on arm64 and we can't use emulated images locally, so deploying NAP requires an amd64 architecture). Created the NAP enabled image, used NGINXProxy to set WAF to true, used user provided images for the waf containers (I cached them to the GCP registry), and I mounted an additional volume to NGINX and waf-config-mgr for bundles (as we don't have the next part developed yet). Once deployed, I used kubectl cp to copy the bundle to the mounted volume. I used snippets to create the app protect directives at the server level, and checked that the firewall blocked the malicious appearing traffic.

Closes #3451
Closes #3453

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • [] I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

NONE

@github-actions github-actions bot added documentation Improvements or additions to documentation enhancement New feature or request helm-chart Relates to helm chart labels Jun 9, 2025
@codecov
Copy link

codecov bot commented Jun 9, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 97.94989% with 9 lines in your changes missing coverage. Please review.

Project coverage is 86.94%. Comparing base (0bbb602) to head (2472887).
Report is 1 commits behind head on feat/nap-waf.

Files with missing lines Patch % Lines
internal/controller/provisioner/objects.go 98.39% 5 Missing and 2 partials ⚠️
internal/controller/state/graph/nginxproxy.go 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@               Coverage Diff                @@
##           feat/nap-waf    #3481      +/-   ##
================================================
+ Coverage         86.78%   86.94%   +0.16%     
================================================
  Files               127      127              
  Lines             15079    15308     +229     
  Branches             62       62              
================================================
+ Hits              13086    13310     +224     
- Misses             1841     1845       +4     
- Partials            152      153       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ciarams87 ciarams87 marked this pull request as ready for review June 9, 2025 15:54
@ciarams87 ciarams87 requested a review from a team as a code owner June 9, 2025 15:54
@sjberman
Copy link
Collaborator

sjberman commented Jun 9, 2025

(FYI I think if you want to close multiple issues in one PR, you have to specify Closes: xxx on multiple lines)

This was linked to issues Jun 9, 2025
Build WAF enabled NGINX Plus image #3451
Closed
Extend NGINXProxy with waf enabled toggle #3453
Closed
sjberman
sjberman reviewed Jun 9, 2025
View reviewed changes
@ciarams87 ciarams87 force-pushed the feat/add-waf-nginx-proxy branch from c3fd670 to 1642f36 Compare June 10, 2025 13:31
@ciarams87 ciarams87 force-pushed the feat/add-waf-nginx-proxy branch from 1642f36 to f423ef0 Compare June 10, 2025 14:05
sjberman
sjberman reviewed Jun 10, 2025
View reviewed changes
salonichf5
salonichf5 reviewed Jun 10, 2025
View reviewed changes
salonichf5
salonichf5 reviewed Jun 10, 2025
View reviewed changes
salonichf5
salonichf5 approved these changes Jun 11, 2025
View reviewed changes
Copy link
Contributor

@salonichf5 salonichf5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm 🚀

@ciarams87 ciarams87 merged commit 173fcf2 into feat/nap-waf Jun 11, 2025
71 of 72 checks passed
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in NGINX Gateway Fabric Jun 11, 2025
@ciarams87 ciarams87 deleted the feat/add-waf-nginx-proxy branch June 11, 2025 20:53
ciarams87 added a commit that referenced this pull request Jun 19, 2025
@ciarams87
Deploy WAF containers when enabled in NGINXProxy (#3481)
0a8caf8 
* Add WAF dockerfile and make targets

* Add WAF parameters to NGINXProxy resource

* Review feedback

* Add plus image path; add readOnlyRootFS to waf containers

* Capitalise WAF
ciarams87 added a commit that referenced this pull request Jul 9, 2025
@ciarams87
Deploy WAF containers when enabled in NGINXProxy (#3481)
ac78eaf 
* Add WAF dockerfile and make targets

* Add WAF parameters to NGINXProxy resource

* Review feedback

* Add plus image path; add readOnlyRootFS to waf containers

* Capitalise WAF
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sjberman sjberman sjberman approved these changes

@salonichf5 salonichf5 salonichf5 approved these changes

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation enhancement New feature or request helm-chart Relates to helm chart

Projects

NGINX Gateway Fabric
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Extend NGINXProxy with waf enabled toggle Build WAF enabled NGINX Plus image

4 participants

@ciarams87 @sjberman @salonichf5