Skip to content

feat(lab11): hardened nginx + ModSecurity CRS WAF sidecar#1558

Open
prudenz1 wants to merge 2 commits into
inno-devops-labs:mainfrom
prudenz1:feature/lab11
Open

feat(lab11): hardened nginx + ModSecurity CRS WAF sidecar#1558
prudenz1 wants to merge 2 commits into
inno-devops-labs:mainfrom
prudenz1:feature/lab11

Conversation

@prudenz1

Copy link
Copy Markdown

Goal

Bonus Lab 11 β€” harden Nginx in front of Juice Shop (TLS 1.3, security headers, rate limiting) and demonstrate OWASP CRS ModSecurity blocking SQL injection that Nginx alone proxies.

Changes

  • labs/lab11/reverse-proxy/nginx.conf β€” TLS 1.3-only, 6 headers, rate/conn limits, Mozilla Modern ciphers
  • labs/lab11/waf/docker-compose.override.yml β€” ModSecurity v3 + OWASP CRS sidecar
  • submissions/lab11.md β€” proofs + cert-rotation runbook + WAF tradeoff analysis

Checklist

  • Task 1 β€” TLS 1.3 + 6 security headers (with proof)
  • Task 2 β€” Rate limit + timeouts + cipher hardening + cert-rotation runbook
  • Bonus β€” ModSec WAF + OWASP CRS catching a payload Nginx-alone passes

prudenz1 added 2 commits July 14, 2026 18:12
TLS 1.3-only reverse proxy with security headers, rate limits,
cipher hardening, and OWASP CRS blocking SQLi that nginx alone passes.
Keep hardened TLS 1.3 / headers / limits from feature/lab11; adopt course listen ports from upstream main.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant