WAF filter configuration in Gloo EE using k8s ConfigMap works with VirtualService object, works on "routes" level, but does not work with Gateway object.
Expected Behavior
WAF filtering works
Steps to reproduce the bug
Create ConfigMap from the file "wafip.conf":
```
SecRuleEngine On
SecRule REMOTE_ADDR "!@ipMatch 173.175.0.0/16,10.10.11.101" "phase:1,deny,status:403,id:1,msg:'block ip'"
```
```bash
kubectl create cm mywaf --from-file=wafip.conf -n gloo-system
```
Edit Gateway object:
```yaml
apiVersion: gateway.solo.io/v1
kind: Gateway
metadata:
  labels:
    app: gloo
  name: gateway-proxy
  namespace: gloo-system
spec:
  bindAddress: '::'
  bindPort: 8080
  httpGateway:
    options: # < --- add this line
      waf: # < --- add this line
        configMapRuleSets: # < --- add this line
        - configMapRef: # < --- add this line
            name: mywaf # < --- add this line
            namespace: gloo-system # < --- add this line
  options:
    accessLoggingService:
      accessLog:
      - fileSink:
          path: /dev/stdout
          stringFormat: |
            [%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH)% %REQ(:PATH)% %RESP(:PATH)% %PROTOCOL% %RESPONSE_CODE% %RESPONSE_FLAGS% %RESPONSE_CODE_DETAILS% %UPSTREAM_HOST% %UPSTREAM_CLUSTER%
  proxyNames:
  - gateway-proxy
  ssl: false
  useProxyProto: false
```
Gloo Edge Product
Enterprise
Gloo Edge Version
1.16.7
Kubernetes Version
1.28.5
Using the same ConfigMap in VirtualService, works as expected:
Using WAF directly in Gateway, works as expected:
Additional Environment Detail
No response
Additional Context
No response