Skip to content

feat(lab11): hardened nginx + WAF sidecar#1570

Open
SSSNeka wants to merge 1 commit into
inno-devops-labs:mainfrom
SSSNeka:feature/lab11
Open

feat(lab11): hardened nginx + WAF sidecar#1570
SSSNeka wants to merge 1 commit into
inno-devops-labs:mainfrom
SSSNeka:feature/lab11

Conversation

@SSSNeka

@SSSNeka SSSNeka commented Jul 16, 2026

Copy link
Copy Markdown

Goal

Put a hardened Nginx reverse proxy in front of Juice Shop: TLS 1.3-only, the full six-header security set, rate limiting, fail-closed timeouts, cipher hardening, and a cert-rotation runbook. Every control verified against live responses.

Changes

  • Hardened labs/lab11/reverse-proxy/nginx.conf: TLS 1.3-only (dropped TLS 1.2), TLS1.3 cipher suites via ssl_conf_command Ciphersuites (three-suite Mozilla Modern list), ssl_ecdh_curve X25519:secp384r1, ssl_session_tickets off, limit_conn 50, HSTS max-age=63072000, and an OCSP-stapling documentation block.
  • Added submissions/lab11.md β€” Task 1 (TLS + 6 headers, with proof + per-header explanation) and Task 2 (rate-limit/timeout/cipher proofs + 7-step cert-rotation runbook + OCSP explanation).
  • Self-signed cert, results/, logs/, and the two test scripts are gitignored / not committed.

Testing

  • HTTPS redirect: HTTP β†’ 308 to https://localhost/, carrying the full header set.
  • TLS 1.3: openssl s_client -tls1_3 β†’ Protocol version: TLSv1.3, Ciphersuite: TLS_AES_256_GCM_SHA384.
  • 6 headers: all present on the live 200 response (HSTS, X-CTO, X-FO, Referrer-Policy, Permissions-Policy, CSP-Report-Only); upstream's weaker headers stripped via proxy_hide_header.
  • Rate limit: 60 sequential POSTs to /rest/user/login β†’ 6Γ— 401 (through burst) + 54Γ— 429.
  • Timeout: partial request held 15s β†’ nginx closes the socket after client_header_timeout 10s (unexpected eof).
  • Cipher: Server Temp Key: X25519, Cipher is TLS_AES_256_GCM_SHA384.

Artifacts & Screenshots

See submissions/lab11.md for all proofs (http-redirect, tls13, headers, ratelimit, timeout, cipher), the nginx.conf sections, per-header explanations, and the 7-step cert-rotation runbook.

Note: the lab's Task 2 template suggests TLS1.3 suite names in ssl_ciphers, which crashes nginx (no cipher match) on a TLS1.3-only server β€” in nginx ssl_ciphers only governs TLS ≀1.2, so TLS 1.3 suites are set via ssl_conf_command Ciphersuites instead. Documented in the submission.

Checklist

  • Title is clear (feat(labN): <topic> style)
  • No secrets/large temp files committed
  • Submission file at submissions/lab11.md exists
- [x] Task 1 β€” TLS 1.3 + 6 security headers (with proof)
- [x] Task 2 β€” Rate limit + timeouts + cipher hardening + cert-rotation runbook
- [ ] Bonus β€” Coraza/ModSec WAF + OWASP CRS catching a payload Nginx-alone passes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant