Skip to content

Feature/lab11#1560

Open
wyroxx wants to merge 5 commits into
inno-devops-labs:mainfrom
wyroxx:feature/lab11
Open

Feature/lab11#1560
wyroxx wants to merge 5 commits into
inno-devops-labs:mainfrom
wyroxx:feature/lab11

Conversation

@wyroxx

@wyroxx wyroxx commented Jul 14, 2026

Copy link
Copy Markdown

Goal

Deploy a hardened Nginx reverse proxy with TLS 1.3, security headers, abuse controls, and a ModSecurity v3 + OWASP CRS WAF in front of Juice Shop.

Changes

  • Configured HTTP β†’ HTTPS 308 redirect.
  • Enforced TLS 1.3 only with X25519 and hardened cipher suites.
  • Added HSTS and all six required security headers with always.
  • Added login rate limiting, per-IP connection limits, and fail-closed timeouts.
  • Disabled TLS session tickets and configured session caching.
  • Added a pinned ModSecurity v3 + OWASP CRS 4.28.0 WAF service at paranoia level 1.
  • Added an init service for writable WAF audit-log storage.
  • Added a reproducible verification script and captured test evidence.
  • Documented the seven-step certificate rotation runbook, OCSP posture, WAF benefits, costs, and production limitations.

Testing

  • nginx -t β€” passed.
  • Docker Compose configuration validation β€” passed.
  • HTTP redirect β€” 308 Permanent Redirect.
  • TLS 1.3 β€” negotiated TLS_AES_256_GCM_SHA384 with X25519.
  • TLS 1.2 negative control β€” rejected with protocol-version alert.
  • Security headers β€” all six required headers present on an HTTP/2 200 response.
  • Rate limiting β€” 60 concurrent login attempts produced 6Γ—401 and 54Γ—429.
  • Slowloris test β€” incomplete TLS request closed after the configured 10s.
  • Nginx-only SQLi probe β€” HTTP 200.
  • Same probe through WAF β€” HTTP 403.
  • OWASP CRS audit log β€” rule 942100 detected SQL injection; rule 949110 enforced the anomaly threshold.
  • Final rubric audit β€” passed.

Artifacts & Screenshots

  • Submission: submissions/lab11.md
  • Hardened proxy: labs/lab11/reverse-proxy/nginx.conf
  • WAF configuration: labs/lab11/waf/docker-compose.override.yml
  • Verification script: labs/lab11/scripts/verify.sh
  • Runtime evidence: labs/lab11/results/
  • Screenshots: not required; raw command outputs and WAF audit evidence are included.

Lab 11 Checklist

  • Task 1 β€” TLS 1.3 + six security headers with proof
  • Task 2 β€” rate limits, timeouts, cipher hardening, and certificate-rotation runbook
  • Bonus β€” ModSecurity WAF + OWASP CRS blocks a payload that Nginx alone passes

Checklist

  • Title is clear (feat(labN): <topic> style)
  • No secrets/large temporary files committed
  • Submission file at submissions/lab11.md exists

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant