# Installation on docker-compose

Log in to the registry with:

docker login cr.trustedapphub.io

Create a `docker-compose.yaml` that defines a WAF container and a simple backend:

# Two-service demo: the `waf` container is published on the host and is
# configured to use the `backend` demo web server as its upstream.
version: "2"
services:
  waf:
    image: cr.trustedapphub.io/appsec-runtime:0.4.1
    # Hardening: the process runs as an unprivileged user on a read-only root
    # filesystem (see read_only / tmpfs below).
    user: nobody:nobody
    working_dir: /
    environment:
      # Upstream fronted by the WAF. "backend" is the linked service declared
      # below; it is reached over plain HTTP.
      - APP_BACKEND=http://backend/
      # Uncomment to redirect access logs to stdout. Default: /dev/null, so
      # access logs are discarded unless this is set. With stdout they show up
      # in `docker-compose logs waf`.
      # - APP_LOG_DEST=stdout

      # Uncomment to set the access log format to Common Log Format.
      # Default: "JSON"
      # - APP_LOG_FORMAT=CLF

      # This key authenticates the `appsecctl auth login` command.
      # "changeme" is a placeholder: replace it with a long random value before
      # the container is reachable by anyone else, and keep the real value out
      # of version control. Whoever knows this key can log in with appsecctl.
      - APP_LOCAL_AUTH_KEY=changeme

    network_mode: bridge
    ports:
      # Publishes container port 8080 on host port 80. No host address is
      # given, so Docker binds it on all host interfaces; use the
      # "127.0.0.1:80:8080" form to keep a local test setup private.
      - "80:8080"
    read_only: true
    tmpfs:
      # /run is the only writable mount declared here: an in-memory tmpfs
      # owned by uid/gid 65534 (presumably the `nobody` account used above;
      # confirm for this image).
      - /run:uid=65534,gid=65534
    links:
      - backend
  backend:
    # Demo backend. `latest` is a mutable tag; pin a specific tag or digest
    # when reproducible deployments matter. No host ports are published for
    # this service.
    image: nginxdemos/hello:latest
    network_mode: bridge

Launch them locally with:

docker-compose up -d

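Log in to the WAF container with `appsecctl`, passing the key set in `APP_LOCAL_AUTH_KEY` (`changeme` in the example above; if you replaced it, pass your own value):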

appsecctl auth login -l WAF_IP -c "changeme"

Then create a sample WAF configuration in a file named `my-waf.yaml`:

---
# App: binds the application "my-api" to the workflow "my-workflow" and passes
# it the SecurityException resource "my-exceptions-configuration" as the
# `exceptions` workflow parameter.
apiVersion: core/v1beta
kind: App
metadata:
  name: my-api
spec:
  name: myserver
  alias: myserver:8080
  log_level: warn
  workflow: my-workflow
  workflow_params:
    # Only `exceptions` is supplied here, although the workflow's main() also
    # declares `icx_policy`.
    # NOTE(review): presumably the engine falls back to a default ICX policy
    # when none is given; confirm.
    exceptions: my-exceptions-configuration
---
# Workflow: the request-handling pipeline, embedded as source text.
apiVersion: core/v1beta
kind: Workflow
metadata:
  name: my-workflow
spec:
  entrypoint: main
  # Order of actions in main(): run the ICX security engine, apply the
  # security exceptions, write the security log, then either answer with a
  # generated 403 page (when security.exception.blocked is true) or proxy the
  # request.
  # NOTE(review): the 403 body interpolates ${http.request.path}, which is
  # taken from the request, into HTML. Confirm that the value is HTML-escaped
  # on output, or leave the path out of the message.
  source: |-
    package main

    func main(icx_policy ICXConfiguration, exceptions SecurityExceptionConfiguration) {
        ActionICXSecurityEngine(Args{"configuration": "${params.icx_policy}"})
        ActionSecurityExceptionManagement(Args{"configuration": "${params.exceptions}"})
        ActionLogSecurity()
        if security.exception.blocked == true {
            ActionGenerateResponse(Args{"status": "403", "content": "<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access ${http.request.path} on this server.</p></body></html>"})
        } else {
            ActionProxyRequest()
        }
    }
---
# SecurityException: the exception rules referenced by the App above.
apiVersion: core/v1beta
kind: SecurityException
metadata:
  name: my-exceptions-configuration
spec:
  rules:
    # The rule is scoped to one URI, one GET parameter ("content") and one
    # detection pattern ("Html Injection"). Keep exceptions this narrow: each
    # extra condition limits what the rule lets through.
    # NOTE(review): presumably every filter in the list must match for the
    # exception to apply; confirm.
    - name: "Exception for ICX Engine: Cross-Site Scripting (XSS) in Var_GET 'content'"
      filters:
        - uri == "/webmail/message"
        - token.matchingParts.Contains(token.part == "Var_GET" && token.partKey == "content" && token.partValuePatternName == "Html Injection")

You can now configure your WAF (use `docker inspect` to retrieve WAF_IP):

appsecctl -H WAF_IP apply -k -f my-waf.yaml

Check that everything works with:

# Smoke test against the WAF through the host (host port 80 in the compose file).
# 1) Plain request: expected 200 OK with the backend response.
curl $(hostname) 
# 2) Query parameter containing `cmd.exe`: expected 403 Forbidden, the
#    response the workflow generates when a request is blocked.
curl $(hostname)'/?q=cmd.exe' 
# 3) HTML markup in the `content` parameter of /webmail/message: expected
#    200 OK, because the SecurityException rule in my-waf.yaml covers this
#    URI, parameter and pattern.
# NOTE(review): the payload below looks HTML-entity-encoded (&lt; &gt; &nbsp;),
# possibly by the page renderer; as written, each `&` starts a new query
# parameter. Confirm the intended payload against the upstream documentation.
curl $(hostname)"/webmail/message?content=&lt;html&gt;&lt;header&gt;&lt;/header&gt;&lt;body&gt;Hello&nbsp;i'm&nbsp;the&nbsp;mail&nbsp;content&lt;/body&gt;&lt;/html&gt;" 

Check WAF logs with:

docker-compose logs waf

Check Security logs with:

appsecctl -H WAF_IP -k logs
Last Updated: 5/12/2022, 3:29:03 PM