Configuration

Tip:
Check out the complete NGINX Ingress Controller with App Protect DoS example for VirtualServer and the NGINX Ingress Controller with App Protect DoS example for Ingress.

App Protect DoS Configuration

A DosProtectedResource is a Custom Resource that holds the configuration of a collection of protected resources. An Ingress, VirtualServer and VirtualServerRoute can be protected by specifying a reference to the DosProtectedResource.

Create an DosProtectedResource Custom resource manifest. As an example:

apiVersion: appprotectdos.f5.com/v1beta1 kind: DosProtectedResource metadata:  name: dos-protected spec:  enable: true  name: "webapp.example.com"  apDosMonitor:  uri: "webapp.example.com"  protocol: "http1"  timeout: 5

Enable App Protect DoS for an Ingress resource by adding an annotation to the Ingress. Set the value of the annotation to the qualified identifier(namespace/name) of a DosProtectedResource:

 apiVersion: networking.k8s.io/v1  kind: Ingress  metadata:  name: webapp-ingress  annotations:  appprotectdos.f5.com/app-protect-dos-resource: "default/dos-protected"

Enable App Protect DoS on a VirtualServer resource by setting the dos field value to the qualified identifier(namespace/name) of a DosProtectedResource:

apiVersion: k8s.nginx.org/v1 kind: VirtualServer metadata:  name: webapp spec:  host: webapp.example.com  upstreams:  - name: webapp  service: webapp-svc  port: 80  routes:  - path: /  dos: dos-protected  action:  pass: webapp

DoS Policy Configuration

You can configure the policy for DoS by creating an APDosPolicy Custom Resource and specifying the qualified identifier(namespace/name) of the ApDosPolicy in the DosProtectedResource.

For example, say you want to use DoS Policy as shown below:

{  mitigation_mode: "standard",  signatures: "on",  bad_actors: "on",  automation_tools_detection: "on",  tls_fingerprint: "on",  }

Create an APDosPolicy resource with the policy defined in the spec, as shown below:

 apiVersion: appprotectdos.f5.com/v1beta1  kind: APDosPolicy  metadata:  name: dospolicy  spec:  mitigation_mode: "standard"  signatures: "on"  bad_actors: "on"  automation_tools_detection: "on"  tls_fingerprint: "on"

Then add a reference in the DosProtectedResource to the ApDosPolicy:

 apiVersion: appprotectdos.f5.com/v1beta1  kind: DosProtectedResource  metadata:  name: dos-protected  spec:  enable: true  name: "my-dos"  apDosMonitor:  uri: "webapp.example.com"  apDosPolicy: "default/dospolicy"

App Protect DoS Logs

You can set the App Protect DoS Log configuration by creating an APDosLogConf Custom Resource and specifying the qualified identifier(namespace/name) of the ApDosLogConf in the DosProtectedResource.

For example, say you want to log state changing requests for your Ingress resources using App Protect DoS. The App Protect DoS log configuration looks like this:

{  "filter": {  "traffic-mitigation-stats": "all",  "bad-actors": "top 10",  "attack-signatures": "top 10"  } }

You would add that config in the spec of your APDosLogConf resource as follows:

apiVersion: appprotectdos.f5.com/v1beta1 kind: APDosLogConf metadata:  name: doslogconf spec:  filter:  traffic-mitigation-stats: all  bad-actors: top 10  attack-signatures: top 10

Then add a reference in the DosProtectedResource to the APDosLogConf:

 apiVersion: appprotectdos.f5.com/v1beta1  kind: DosProtectedResource  metadata:  name: dos-protected  spec:  enable: true  name: "my-dos"  apDosMonitor:  uri: "webapp.example.com"  dosSecurityLog:  enable: true  apDosLogConf: "doslogconf"  dosLogDest: "syslog-svc.default.svc.cluster.local:514"

Global Configuration

NGINX Ingress Controller has a set of global configuration parameters that align with those available in the NGINX App Protect DoS module. See ConfigMap keys for the complete list. The App Protect parameters use the app-protect-dos* prefix.