Ngnix 入口控制器 ModsecurityOWASP 规则集高延迟响应

在我们的 AWS EKS 环境中，我通过 helm 部署了 Nginx 入口控制器，遵循官方 Nginx 安装指南并添加了一个 configmap yaml，使用 Owasp v3.3.0 规则集在此入口中启用 Waf modsecurity。它站在 aws nlb 后面

似乎我们现在对环境发怒的请求正在以高延迟处理，但是当您从同一 IP 发出第一个请求时会发生这种情况，之后，以下请求运行良好。

Nginx-values.yaml

---
controller:
  config:
    use-proxy-protocol: true
    enable-modsecurity: true
    ssl-protocols: "TLSv1.2 TLSv1.3"
    ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
  service:
    enableHttps: true
    enableHttp: false
    type: LoadBalancer
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: external
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
      service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
      service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: 10
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: 3
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: 2
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: 2
      service.beta.kubernetes.io/load-balancer-source-ranges: ${source_range}

  metrics:
    enabled: true
  extraInitContainers:
    - name: init
      image: alpine:3
      command: ["/bin/sh","-c"]
      args: ["ls -tla /opt/modsecurity/var; chown -R 101:101 /opt/modsecurity/var; ls -tla /opt/modsecurity/var; touch /opt/modsecurity/var/log/debug.log; chown -R 101:101 /opt/modsecurity/var"]
      volumeMounts:
        - name: log
          mountPath: /opt/modsecurity/var/log

      securityContext:
        runAsGroup: 0
        runAsNonRoot: false
        runAsUser: 0
        privileged: true
  extraContainers:
    - name: promtail
      image: grafana/promtail
      args:
        - -config.file=/etc/config-waf/promtail.yaml
      volumeMounts:
        - name: config-map
          mountPath: /etc/config-waf
        - name: log
          mountPath: /opt/modsecurity/var/log
          
  resources:
    limits:
      cpu: 100m
      memory: 256Mi
    requests:
      cpu: 100m
      memory: 256Mi

  extraVolumeMounts:
    - name: config-map
      mountPath: /etc/Nginx/modsecurity
    - name: log
      mountPath: /opt/modsecurity/var/log


  extraVolumes:
    - name: config-map
      configMap:
        name: waf-config
    - name: log
      emptyDir: {}
    - name: audit
      emptyDir: {}
  
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 10


  autoscalingTemplate:
    - type: Pods
      pods:
        metric:
          name: Nginx_ingress_controller_Nginx_process_requests_total
        target:
          type: AverageValue
          averageValue: 10000m

defaultBackend:
  enabled: true

waf.conf

SecruleEngine On

SecRequestBodyAccess On

Secrule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \
     "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"

Secrule REQUEST_HEADERS:Content-Type "application/json" \
     "id:'200001',ctl:requestBodyProcessor=JSON"

SecRequestBodyLimit 13107200

SecRequestBodyNoFilesLimit 131072

SecRequestBodyLimitaction Reject

Secrule REQBODY_ERROR "!@eq 0" \
"id:'200002',phase:2,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

Secrule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',\
msg:'Multipart request body Failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR},\
BQ %{MULTIPART_BOUNDARY_QUOTED},\
BW %{MULTIPART_BOUNDARY_WHITESPACE},\
DB %{MULTIPART_DATA_BEFORE},\
DA %{MULTIPART_DATA_AFTER},\
HF %{MULTIPART_HEADER_FOLDING},\
LF %{MULTIPART_LF_LINE},\
SM %{MULTIPART_MISSING_SEMICOLON},\
IQ %{MULTIPART_INVALID_QUOTING},\
IP %{MULTIPART_INVALID_PART},\
IH %{MULTIPART_INVALID_HEADER_FOLDING},\
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"

Secrule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
    "id:'200004',msg:'Multipart parser detected a possible unmatched boundary.'"

SecPcreMatchLimit 1000

SecPcreMatchLimitRecursion 1000

Secrule TX:/^MSC_/ "!@streq 0" \
        "id:'200005',msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

SecResponseBodyAccess On

SecResponseBodyMimeType text/plain text/html text/xml

SecResponseBodyLimit 524288

SecResponseBodyLimitaction Processpartial

SecTmpDir /tmp/

SecDataDir /tmp/

SecDebugLog /opt/modsecurity/var/log/debug.log

SecDebugLogLevel 3

SecAuditEngine Off

SecAuditLogrelevantStatus "^(?:5|4(?!04))"

SecAuditLogParts ABIJDEFHZ

SecAuditLogType Serial

SecAuditLog /opt/modsecurity/var/audit/modsec_audit.log

SecArgumentSeparator &

SecCookieFormat 0

SecUnicodeMapFile unicode.mapping 20127

SecStatusEngine On

crs-setup.conf

SecDefaultAction "phase:1,auditlog,status:408"

SecDefaultAction "phase:2,status:408"

SecAction \
 "id:900000,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.paranoia_level=1"

SecAction \
 "id:900100,\
  setvar:tx.critical_anomaly_score=5,\
  setvar:tx.error_anomaly_score=4,\
  setvar:tx.warning_anomaly_score=3,\
  setvar:tx.notice_anomaly_score=2"

SecAction \
 "id:900110,\
  setvar:tx.inbound_anomaly_score_threshold=10000,\
  setvar:tx.outbound_anomaly_score_threshold=10000"

SecAction \
"id:900700,\
 phase:1,\
 nolog,\
 pass,\
 t:none,\
 setvar:'tx.dos_burst_time_slice=30',\
 setvar:'tx.dos_counter_threshold=250',\
 setvar:'tx.dos_block_timeout=300'"

SecAction \
"id:900960,\
 setvar:tx.do_reput_block=1"

SecAction \
"id:900970,\
 setvar:tx.reput_block_duration=300"

SecCollectionTimeout 600

SecAction \
 "id:900990,\
  setvar:tx.crs_setup_version=330"

对此有什么想法吗？

解决方法