Skip to content

feat(lab11): hardened nginx + WAF sidecar#1559

Open
Muratich wants to merge 4 commits into
inno-devops-labs:mainfrom
Muratich:feature/lab11
Open

feat(lab11): hardened nginx + WAF sidecar#1559
Muratich wants to merge 4 commits into
inno-devops-labs:mainfrom
Muratich:feature/lab11

Conversation

@Muratich

Copy link
Copy Markdown

Goal

Hardened Nginx reverse proxy in front of Juice Shop (TLS 1.3, security headers, rate limiting) and added a ModSecurity WAF sidecar with OWASP CRS to block SQL injection payloads that Nginx alone passes.

Changes

  • Added / updated:
    • submissions/lab11.md β€” Task 1–2 proofs, cert rotation runbook, WAF tradeoff analysis
    • labs/lab11/reverse-proxy/nginx.conf β€” TLS 1.3, security headers, rate/conn limits, timeouts, session/OCSP hardening
    • labs/lab11/waf/docker-compose.override.yml β€” ModSecurity v3 + OWASP CRS sidecar on :8443
    • labs/lab11/waf/logs/.gitkeep β€” WAF audit log mount point
  • Other changes:
    • Internal nginx listener on :8080 for WAF β†’ nginx β†’ juice routing (docker network only)

Testing

  • Commands run:
    • docker compose up -d (nginx + juice-shop)
    • docker compose -f docker-compose.yml -f waf/docker-compose.override.yml up -d (with WAF)
    • curl -sI http://localhost β€” HTTP β†’ HTTPS redirect
    • openssl s_client -connect 127.0.0.1:443 -tls1_3 -brief β€” TLS 1.3 negotiation
    • curl -skI https://localhost β€” security headers
    • 60Γ— POST /rest/user/login β€” rate limit (54Γ—429, 6Γ—401)
    • Partial HTTP request to :443 β€” timeout (connection closed after ~10s)
    • curl ... /rest/products/search?q=' OR 1=1-- β€” no-waf vs with-waf
  • Observed output:
    • 308 redirect to https://localhost/
    • TLSv1.3, cipher TLS_AES_256_GCM_SHA384, curve X25519
    • All 6 headers present (HSTS, X-CTO, X-FO, Referrer-Policy, Permissions-Policy, CSP-Report-Only)
    • Rate limit: 54Γ—429, 6Γ—401 out of 60 requests
    • no-waf: HTTP 500 (passed through) β†’ with-waf: HTTP 403
    • OWASP CRS rule 942100 fired (SQL injection via libinjection)

Artifacts & Screenshots

  • submissions/lab11.md
  • Screenshots / links:
    • Proof outputs documented inline in submissions/lab11.md (redirect, TLS, headers, rate limit, timeout, cipher, WAF audit log)

Checklist

  • Title is clear (feat(lab11): hardened nginx + WAF sidecar)
  • No secrets or large temp files are committed (labs/lab11/results/ not included; self-signed certs local only)
  • Submission file at submissions/lab11.md exists
  • Task 1 β€” TLS 1.3 + 6 security headers (with proof)
  • Task 2 β€” Rate limit + timeouts + cipher hardening + cert-rotation runbook
  • Bonus β€” ModSecurity WAF + OWASP CRS catching a payload Nginx-alone passes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant