This repository was archived by the owner on May 27, 2019. It is now read-only.

Commit 7c8636d

feat(router): adding tcell dynamic module as option for waf security
1 parent c7ccef6 commit 7c8636d

4 files changed

Lines changed: 27 additions & 0 deletions


README.md

Lines changed: 3 additions & 0 deletions
@@ -248,6 +248,8 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`. A
248248
| <a name="disable-server-tokens"></a>deis-router | deployment | [router.deis.io/nginx.disableServerTokens](#disable-server-tokens) | `"false"` | Enables or disables emitting nginx version in error messages and in the “Server” response header field. |
249249
| <a name="enforce-whitelists"></a>deis-router | deployment | [router.deis.io/nginx.enforceWhitelists](#enforce-whitelists) | `"false"` | Whether to _require_ application-level whitelists that explicitly enumerate allowed clients by IP / CIDR range. With this enabled, each app will drop _all_ requests unless a whitelist has been defined. |
250250
| <a name="enable-regex-domains"></a>deis-router | deployment | [router.deis.io/nginx.enableRegexDomains](#enable-regex-domains) | `"false"` | Whether to _enable_ application-level regex domain that can be explicitly defined for specific applications. With this option enabled, each app can have its own regex domain in server_name blocks of the nginx config. This allows for useful domains like `store-number-\d*.example.com`. |
251+
| <a name="load-tcell-module"></a>deis-router | deployment | [router.deis.io/nginx.loadTcellModule](#load-tcell-module) | `"false"` | Whether to _enable_ the dynamic security nginx module provided by [Tcell](https://tcell.io/) as a [WAF](https://en.wikipedia.org/wiki/Web_application_firewall) on the router. Note this requires that you purchase a Tcell account and have application configured in the Tcell UI. The tcell_agent.config is passed through a configMap object through k8s. Example of the configMap can be found in this [gist](https://gist.github.com/Cryptophobia/648b23f234eeb9538c87b478de401a53). The open source alternative for this is Modsecurity dynamic module. |
252+
| <a name="global-tcell-app-id"></a>deis-router | deployment | [router.deis.io/nginx.globalTcellAppID](#global-tcell-app-id) | N/A | This is the global app id to insert for the Tcell module in the top-most http{} block of the nginx config. To configure an individual app id for each application, you need to use the application annotation below. The application specific app id will take precedence over the global one. |
251253
| <a name="default-whitelist"></a>deis-router | deployment | [router.deis.io/nginx.defaultWhitelist](#default-whitelist) | N/A | A default (router-wide) whitelist expressed as a comma-delimited list of addresses (using IP or CIDR notation). Application-specific whitelists can either extend or override this default. |
252254
| <a name="whitelist-mode"></a>deis-router | deployment | [router.deis.io/nginx.whitelistMode](#whitelist-mode) | `"extend"` | Whether application-specific whitelists should extend or override the router-wide default whitelist (if defined). Valid values are `"extend"` and `"override"`. |
253255
| <a name="default-service-enabled"></a>deis-router | deployment | [router.deis.io/nginx.defaultServiceEnabled](#default-service-enabled) | `"false"` | Enables default back-end service for traffic hitting /. In order to work correctly both `defaultServiceIP` and `DefaultAppName` MUST also be set. |
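Review bot: The `load-tcell-module` row should state where the router expects `tcell_agent.config` to be mounted and which configMap it is read from, instead of only linking to an external gist; a reader who cannot reach the gist has no way to wire the module up. The same row should also say that the `tcell_app_id` directives are only emitted when `nginx.loadTcellModule` is `"true"`, so `nginx.globalTcellAppID` is silently ignored otherwise. Minor wording: "have application configured" reads better as "have an application configured".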
@@ -274,6 +276,7 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`. A
274276
| <a name="builder-tcp-timeout"></a>deis-builder | service | [router.deis.io/nginx.tcpTimeout](#builder-tcp-timeout) | `"1200s"` | nginx `proxy_timeout` setting expressed in units `ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `y`. |
275277
| <a name="app-domains"></a>routable application | service | [router.deis.io/domains](#app-domains) | N/A | Comma-delimited list of domains for which traffic should be routed to the application. These may be fully qualified (e.g. `foo.example.com`) or, if not containing any `.` character, will be considered subdomains of the router's domain, if that is defined. |
276278
| <a name="app-regex-domain"></a>routable application | service | [router.deis.io/regexDomain](#app-regex-domain) | N/A | A string that represents the regex domain for which traffic should be routed to the application. This is the regex domain (e.g. `foo-store-\d*`) if not containing any `.` character and will be considered a subdomain of the router's domain, if that is defined. The regex domain cannot be a fully qualified name (e.g. `foo-store-\d*.example.com`) for safety and security right now. This feature must be enabled on the router via enable-regex-domain annotation above. |
279+
| <a name="app-tcell-app-id"></a>routable application | service | [router.deis.io/tcellAppID](#app-tcell-app-id) | N/A | This is the individual app id to insert for the Tcell module in the server{} block of the nginx config for each app. The application specific app id will take precedence over the global one if defined. |
277280
| <a name="app-certificates"></a>routable application | service | [router.deis.io/certificates](#app-certificates) | N/A | Comma delimited list of mappings between domain names (see `router.deis.io/domains`) and the certificate to be used for each. The domain name and certificate name must be separated by a colon. See the [SSL section](#ssl) below for further details. |
278281
| <a name="app-whitelist"></a>routable application | service | [router.deis.io/whitelist](#app-whitelist) | N/A | Comma-delimited list of addresses permitted to access the application (using IP or CIDR notation). These may either extend or override the router-wide default whitelist (if defined). Requests from all other addresses are denied. |
279282
| <a name="app-connect-timeout"></a>routable application | service | [router.deis.io/connectTimeout](#app-connect-timeout) | `"30s"` | nginx `proxy_connect_timeout` setting expressed in units `ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `y`. |
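Review bot: The `app-tcell-app-id` row should say that the annotation has no effect unless the router-level `router.deis.io/nginx.loadTcellModule` is enabled, the same way the `app-regex-domain` row above points at the `enable-regex-domain` annotation; otherwise an operator setting it per app gets no WAF coverage and no error.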

model/model.go

Lines changed: 4 additions & 0 deletions
@@ -57,6 +57,8 @@ type RouterConfig struct {
5757
DefaultWhitelist []string `key:"defaultWhitelist" constraint:"^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))?(\\s*,\\s*)?)+$"`
5858
WhitelistMode string `key:"whitelistMode" constraint:"^(extend|override)$"`
5959
EnableRegexDomains bool `key:"enableRegexDomains" constraint:"(?i)^(true|false)$"`
60+
LoadTcellModule bool `key:"loadTcellModule" constraint:"(?i)^(true|false)$"`
61+
GlobalTcellAppID string `key:"globalTcellAppID" constraint:"(?i)^([a-z0-9]+(-[a-z0-9]+)*)+[a-z0-9]+$"`
6062
DefaultServiceIP string `key:"defaultServiceIP"`
6163
DefaultAppName string `key:"defaultAppName"`
6264
DefaultServiceEnabled bool `key:"defaultServiceEnabled" constraint:"(?i)^(true|false)$"`
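Review bot: The `constraint` regex for `GlobalTcellAppID`, `(?i)^([a-z0-9]+(-[a-z0-9]+)*)+[a-z0-9]+$`, is harder to read than it needs to be: the outer `(...)+` and the trailing `[a-z0-9]+` are redundant, and as written the pattern rejects single-character ids. `^[a-z0-9]+(-[a-z0-9]+)*$` expresses the same hyphen-separated alphanumeric shape. This constraint matters more than the neighbouring ones because the value is interpolated verbatim into nginx.conf as a `tcell_app_id` directive, so it is the only thing keeping `;`, newlines or `}` out of the generated config; keep it anchored and strict.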
@@ -93,6 +95,7 @@ func newRouterConfig() (*RouterConfig, error) {
9395
EnforceWhitelists: false,
9496
WhitelistMode: "extend",
9597
EnableRegexDomains: false,
98+
LoadTcellModule: false,
9699
RequestIDs: false,
97100
SSLConfig: newSSLConfig(),
98101
DefaultServiceEnabled: false,
@@ -134,6 +137,7 @@ type AppConfig struct {
134137
Name string
135138
Domains []string `key:"domains" constraint:"(?i)^((([a-z0-9]+(-*[a-z0-9]+)*)|((\\*\\.)?[a-z0-9]+(-*[a-z0-9]+)*\\.)+[a-z0-9]+(-*[a-z0-9]+)+)(\\s*,\\s*)?)+$"`
136139
RegexDomain string `key:"regexDomain"`
140+
TcellAppID string `key:"tcellAppID" constraint:"(?i)^([a-z0-9]+(-[a-z0-9]+)*)+[a-z0-9]+$"`
137141
Whitelist []string `key:"whitelist" constraint:"^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))?(\\s*,\\s*)?)+$"`
138142
ConnectTimeout string `key:"connectTimeout" constraint:"^[1-9]\\d*(ms|[smhdwMy])?$"`
139143
TCPTimeout string `key:"tcpTimeout" constraint:"^[1-9]\\d*(ms|[smhdwMy])?$"`
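Review bot: `TcellAppID` duplicates the regex used for `GlobalTcellAppID`; the same simplification to `^[a-z0-9]+(-[a-z0-9]+)*$` applies, and sharing one constant between the two fields would keep them from drifting. Separately, because the template guards on `$routerConfig.LoadTcellModule`, an app that sets `router.deis.io/tcellAppID` on a router without the module gets no directive and no feedback; consider logging a warning when `TcellAppID` is set while `LoadTcellModule` is false.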

nginx/config.go

Lines changed: 14 additions & 0 deletions
@@ -16,6 +16,11 @@ const (
1616
pid /tmp/nginx.pid;
1717
worker_processes {{ $routerConfig.WorkerProcesses }};
1818
19+
{{ if $routerConfig.LoadTcellModule -}}
20+
# Loading the Tcell nginx dynamic module
21+
load_module modules/ngx_http_tcell_agent_module.so;
22+
{{- end }}
23+
1924
events {
2025
worker_connections {{ $routerConfig.MaxWorkerConnections }};
2126
# multi_accept on;
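Review bot: `load_module` is correctly placed in the main context before `events {}`, and the relative path `modules/ngx_http_tcell_agent_module.so` matches where the Dockerfile installs the `.so` under `$PREFIX`. What is missing is any reference to the agent configuration: the README says `tcell_agent.config` arrives via a configMap, but nothing in the template tells a reader where the module looks for it, so a comment here naming the expected path would save the next maintainer from guessing.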
@@ -29,6 +34,11 @@ http {
2934
3035
vhost_traffic_status_zone shared:vhost_traffic_status:{{ $routerConfig.TrafficStatusZoneSize }};
3136
37+
{{ if and $routerConfig.LoadTcellModule $routerConfig.GlobalTcellAppID -}}
38+
# Including the global Tcell AppID
39+
tcell_app_id {{ $routerConfig.GlobalTcellAppID }};
40+
{{- end }}
41+
3242
# The timeout value must be greater than the front facing load balancers timeout value.
3343
# Default is the deis recommended timeout value for ELB - 1200 seconds + 100s extra.
3444
keepalive_timeout {{ $routerConfig.DefaultTimeout }};
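Review bot: The `and` guard means `GlobalTcellAppID` only reaches nginx.conf when the module is loaded, which avoids an unknown-directive failure on `nginx -t`; that intent deserves a one-line comment. Note that `{{ $routerConfig.GlobalTcellAppID }}` is emitted unquoted and unescaped, so the model-level regex constraint is the only defence against a value that breaks out of the directive; any relaxation of that constraint must be reviewed together with this line.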
@@ -223,6 +233,10 @@ http {
223233
port_in_redirect off;
224234
set $app_name "{{ $appConfig.Name }}";
225235
236+
{{ if and $routerConfig.LoadTcellModule $appConfig.TcellAppID -}}
237+
tcell_app_id {{ $appConfig.TcellAppID }};
238+
{{- end }}
239+
226240
{{ if index $appConfig.Certificates $domain }}
227241
listen 6443 ssl {{ if $routerConfig.HTTP2Enabled }}http2{{ end }} {{ if $routerConfig.UseProxyProtocol }}proxy_protocol{{ end }};
228242
ssl_protocols {{ $sslConfig.Protocols }};
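Review bot: Emitting `tcell_app_id` inside the server{} block gives the per-app value precedence over the http-level one, consistent with what the README promises; a short comment stating that precedence would help. As with the global directive, the guard on `LoadTcellModule` is what prevents an unknown directive when the module is absent, and the interpolation relies entirely on the model regex for safety.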

rootfs/Dockerfile

Lines changed: 6 additions & 0 deletions
@@ -45,6 +45,12 @@ RUN buildDeps='gcc make libgeoip-dev libssl-dev libpcre3-dev'; \
4545
make && \
4646
make install && \
4747
rm -rf "$BUILD_PATH" && \
48+
# include tcell dynamic nginx module
49+
mkdir "$PREFIX/modules" && \
50+
cd "$PREFIX/modules" && \
51+
get_src 8c535a2e526a9684afca6c227dc2115eb06681c48103541b97c73716da9f0cf5 "https://s3.amazonaws.com/hephy-artifacts/hephy-router/nginx_tcellagent-1.0.7-agentonly-zuora-linux-x86_64.tar.gz" && \
52+
mv "$PREFIX/modules/nginx_tcellagent-1.0.7-agentonly-zuora-linux-x86_64/ubuntu/xenial/nginx-1.13.7-custom_flags_ssl_1.0.2g/ngx_http_tcell_agent_module.so" . && \
53+
rm -rf "$PREFIX/modules/nginx_tcellagent-1.0.7-agentonly-zuora-linux-x86_64" && \
4854
# cleanup
4955
apt-get purge -y --auto-remove $buildDeps && \
5056
apt-get autoremove -y && \
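Review bot: `get_src` pins the tarball by SHA-256, which is good, but the artifact is a prebuilt closed-source binary whose path ties it to `nginx-1.13.7-custom_flags_ssl_1.0.2g`: nginx refuses to load a dynamic module compiled against a different version or build signature, so the next bump of the nginx version built earlier in this Dockerfile will break every router that enables `loadTcellModule`, while routers left at the default will not notice because `load_module` is never emitted. Add a comment next to the download stating that the module must be rebuilt for any nginx upgrade, and consider a build-time check that the nginx version being built matches `1.13.7`. The `ubuntu/xenial` path segment should also be double-checked against the base image this Dockerfile uses.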
