feat(lab11): hardened nginx + WAF sidecar#1551
Open
RanisKhaertdinov wants to merge 29 commits into
Open
Conversation
This reverts commit f6b704e.
feat(lab1): juice shop deployment and CI setup
feat(lab2): Threagile threat model + secure variant + auth flow
feat(lab3): SSH signing + gitleaks pre-commit + history rewrite
feat(lab4): SBOM generation + Grype/Trivy SCA comparison + sign-ready attestation
feat(lab5): ZAP baseline + auth + Semgrep + correlation
feat(lab6): Checkov + KICS scans + custom policy
feat(lab7): trivy + PSS restricted + conftest gate
feat(lab8): cosign sign + SBOM/provenance attestations + blob signing
feat(lab9): falco custom rules + conftest hardening policies
feat(lab10): defectdojo governance report + capstone walkthrough
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Goal
Complete Lab 11 (bonus): harden Nginx in front of Juice Shop with TLS 1.3 + a full security-header set + rate limiting, document the production posture (timeouts, cipher
hardening, cert-rotation runbook), and drop a ModSecurity + OWASP CRS WAF sidecar in front of it that blocks an attack Nginx alone lets through.
Changes
labs/lab11/reverse-proxy/nginx.conf— hardened from the starter config:ssl_protocols TLSv1.3), HSTS bumped to 2 years,ssl_ecdh_curve X25519:secp384r1, session tickets offlimit_conn conn 50) added alongside the existing login rate limiterssl_conf_command Ciphersuites ...instead ofssl_ciphers(see Testing —ssl_ciphersdoesn't understand TLS 1.3 suite names and crashesnginx)
labs/lab11/waf/docker-compose.override.yml(bonus) — adds a ModSecurity v3 + OWASP CRS sidecar (owasp/modsecurity-crs:nginx-alpine) in front of the hardened Nginx, paranoialevel 1, blocking mode (not detection-only)
submissions/lab11.md— full writeup for both tasks + the bonus, written in short, plain sentences: TLS/header proofs, rate-limit and timeout test results, cipher verification,a 7-step cert-rotation runbook, and the WAF before/after SQLi test with the exact OWASP CRS rule that fired
Testing
curl -sI http://localhost→308tohttps://localhost/openssl s_client -tls1_3→Protocol version: TLSv1.3,TLS_AES_256_GCM_SHA384/rest/user/login→ 54×429, matching the configured limiternc-based test doesn't actually testclient_header_timeout(plaintext on a TLS-only port just fails the handshake instantly) — wrote a smallTLS-aware Python script that sends a genuinely incomplete HTTP request and confirmed the server closes it at ~10.02s, matching
client_header_timeout 10sTLS_AES_256_GCM_SHA384+X25519in use viaopenssl s_client' OR 1=1--sent to/rest/products/search— through Nginx alone it reached Juice Shop's SQLite layer unfiltered (SQLITE_ERROR: incomplete input); through the WAFit returned
403, with the audit log showing OWASP CRS rule942100(SQL Injection Attack Detected via libinjection) plus the anomaly-score block rule949110compose override, and a mismatched env var name (
PROXY_SSL_CERTvs. the image's documentedPROXY_SSL_CERT_FILE)Artifacts & Screenshots
No screenshots — all proof is command output, quoted directly in
submissions/lab11.md(redirect headers, TLS handshake output, rate-limit counts, timeout timing, cipherconfirmation, WAF audit log excerpt).
Checklist
labs/lab11/reverse-proxy/certs/never leaves the machine)