This repository has been archived by the owner on Dec 13, 2023. It is now read-only.

Redefine WAF provisioning to include disabled rules defined in TOML file #97

Status: Open. Wants to merge 3 commits into base: master.

Conversation

@jwadolowski (Contributor) commented Oct 10, 2019

At the moment waflyctl doesn't allow me to promote waflyctl.toml in a batch mode. My goal is to reuse VCL delivery model for WAF config - store it in Git, version and promote across environments.

Here's what my waflyctl.toml looks like:

```toml
logpath = "/tmp/waflyctl.log"
apiendpoint = "https://api.fastly.com"
tags = ["application-multi"]
publisher = ["owasp", "fastly"]
action = "block"
rules = []
disabledrules = [
    920272, # Invalid character in request (outside of printable chars below ascii 127)
    # ...
]

[owasp]
    AllowedHTTPVersions = "HTTP/1.0 HTTP/1.1 HTTP/2"
    AllowedMethods = "GET HEAD POST OPTIONS"
    # ...

# remaining sections have been removed on purpose, as they're managed in Terraform codebase
```

Disabled rules are not included while provisioning a service with waflyctl --apikey=<FASTLY_API_KEY> --serviceid=<FASTLY_SERVICE_ID> --config=</path/to/waflyctl.toml> --provision. That's not a surprise because of this comment and the DefaultRuleDisabled function placement (it gets triggered only when there's no WAF attached to the given service yet).

It simply means that disabledrules property is effectively ignored after initial WAF setup. The only way to disable rules is to use waflyctl --apikey=<FASTLY_API_KEY> --serviceid=<FASTLY_SERVICE_ID> --config=</path/to/waflyctl.toml> --rules=<X,Y,Z> --action=disabled.

Unfortunately, such an approach is not ideal. To get it done I'd have to use the following deployment strategy:

  • waflyctl --provision (set tag/publishers rules to block)
  • waflyctl --rules=<X,Y,Z> --action=disabled (disable selected rules)

There are a couple of downsides here:

  • 1st command unconditionally changes rules grouped into tag/publisher to the given status (let's assume block). For tag-based rules that's less of a problem, as by default --force-status is false, so already disabled rules won't be changed to blocking mode. When it comes to publisher rules there's no such option - the loop that goes through items fetched from /wafs/rules?filter[publisher]=<whatever> simply sets an action according to config (or CLI param).
  • 2nd command disables given rules. Most likely they were turned into block mode a few seconds ago, which means there's a short period of time when all rules block traffic, which is a no-go from my perspective.

Alternatively I could deploy rules on a fine-grained basis (disable rule A, B and C, then turn rules X, Y, Z into blocking mode, etc), but that kinda defeats the purpose of having waflyctl.toml file.


This PR respects the disabledrules property during subsequent deployments. I also redefined the order in which the ruleset is prepared before actual deployment (PatchRules). OWASP settings get applied at the very end of WAF provisioning.
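The ordering problem described in this PR (rules first set to block by the provisioning pass, then disabled a moment later, leaving a window in which everything blocks) can be avoided by computing the whole desired state before any API call is made. The Go example below is an added illustration, not waflyctl's own code: `Config`, `PlanPatches` and the rule statuses are hypothetical names, the rule ids other than 920272 are constructed sample values, and the `current` map stands in for whatever the service's WAF currently reports. It merges tag/publisher candidates, the explicit `rules` list and `disabledrules` into a single plan in which a disabled rule is never emitted as "block", and it mirrors the `--force-status=false` behaviour the post mentions by leaving already-disabled candidates untouched.

```go
package main

import (
	"fmt"
	"sort"
)

// RuleStatus is the status a WAF rule ends up with after deployment.
type RuleStatus string

const (
	StatusBlock    RuleStatus = "block"
	StatusLog      RuleStatus = "log"
	StatusDisabled RuleStatus = "disabled"
)

// Config holds the subset of waflyctl.toml relevant here (hypothetical struct,
// not waflyctl's own type): the default action, explicit rule ids, the
// disabledrules list and the --force-status flag.
type Config struct {
	Action        RuleStatus
	Rules         []int
	DisabledRules []int
	ForceStatus   bool
}

// RulePatch is one status change that would be sent to the API.
type RulePatch struct {
	ID     int
	Status RuleStatus
}

// PlanPatches computes every status change in one pass, before anything is
// deployed. candidates are the rule ids matched by tag/publisher filters;
// current maps rule id to the status already attached to the service (empty
// for a brand-new WAF). Disabled rules are applied last so they override the
// default action instead of being blocked first and disabled afterwards.
func PlanPatches(cfg Config, candidates []int, current map[int]RuleStatus) []RulePatch {
	desired := make(map[int]RuleStatus)

	// Tag/publisher candidates and explicit rules get the configured action.
	// Without --force-status, rules that are already disabled keep that state.
	for _, id := range append(append([]int{}, candidates...), cfg.Rules...) {
		if !cfg.ForceStatus && current[id] == StatusDisabled {
			continue
		}
		desired[id] = cfg.Action
	}

	// disabledrules always wins, on first provisioning and on every later run.
	for _, id := range cfg.DisabledRules {
		desired[id] = StatusDisabled
	}

	// Only emit changes; a rule already in its desired state needs no call.
	patches := make([]RulePatch, 0, len(desired))
	for id, st := range desired {
		if current[id] == st {
			continue
		}
		patches = append(patches, RulePatch{ID: id, Status: st})
	}
	sort.Slice(patches, func(i, j int) bool { return patches[i].ID < patches[j].ID })
	return patches
}

// BlocksDisabledRule reports whether a plan would ever set a rule from
// cfg.DisabledRules to block, i.e. whether the blocking window still exists.
func BlocksDisabledRule(cfg Config, patches []RulePatch) bool {
	disabled := make(map[int]bool, len(cfg.DisabledRules))
	for _, id := range cfg.DisabledRules {
		disabled[id] = true
	}
	for _, p := range patches {
		if disabled[p.ID] && p.Status == StatusBlock {
			return true
		}
	}
	return false
}

func main() {
	cfg := Config{Action: StatusBlock, DisabledRules: []int{920272}}
	// Constructed sample: 920272 currently logs, 920273 already blocks,
	// 920274 was disabled by hand on a previous run.
	current := map[int]RuleStatus{920272: StatusLog, 920273: StatusBlock, 920274: StatusDisabled}
	for _, p := range PlanPatches(cfg, []int{920272, 920273, 920274}, current) {
		fmt.Printf("rule %d -> %s\n", p.ID, p.Status)
	}
}
```

On the sample data the plan contains a single change (920272 to disabled): 920273 is already blocking and 920274 stays disabled because `--force-status` is off. On a fresh WAF (empty `current`) the same config yields 920272 disabled and the other candidates blocked, with no intermediate state in which 920272 blocks.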
