Merge pull request #41 from Cryptophobia/master

Deprecating Tcell WAF module support
teamhephy · Sep 11, 2019 · 94110a2 · 94110a2
2 parents 2ae9bf3 + d253929
commit 94110a2
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -248,9 +248,7 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`.  A
 | <a name="disable-server-tokens"></a>deis-router | deployment | [router.deis.io/nginx.disableServerTokens](#disable-server-tokens) | `"false"` | Enables or disables emitting nginx version in error messages and in the “Server” response header field. |
 | <a name="enforce-whitelists"></a>deis-router | deployment | [router.deis.io/nginx.enforceWhitelists](#enforce-whitelists) | `"false"` | Whether to _require_ application-level whitelists that explicitly enumerate allowed clients by IP / CIDR range.  With this enabled, each app will drop _all_ requests unless a whitelist has been defined. |
 | <a name="enable-regex-domains"></a>deis-router | deployment | [router.deis.io/nginx.enableRegexDomains](#enable-regex-domains) | `"false"` | Whether to _enable_ application-level regex domain that can be explicitly defined for specific applications.  With this option enabled, each app can have its own regex domain in server_name blocks of the nginx config.  This allows for useful domains like `store-number-\d*.example.com`.  |
-| <a name="load-tcell-module"></a>deis-router | deployment | [router.deis.io/nginx.loadTcellModule](#load-tcell-module) | `"false"` | Whether to _enable_ the dynamic security nginx module provided by [Tcell](https://tcell.io/) as a [WAF](https://en.wikipedia.org/wiki/Web_application_firewall) on the router. Note this requires that you purchase a Tcell account and have application configured in the Tcell UI.  The tcell_agent.config is passed through a configMap object through k8s.  Example of the configMap can be found in this [gist](https://gist.github.com/Cryptophobia/648b23f234eeb9538c87b478de401a53).  The open source alternative for this is Modsecurity dynamic module.  |
-| <a name="global-tcell-app-id"></a>deis-router | deployment | [router.deis.io/nginx.globalTcellAppID](#global-tcell-app-id) | N/A | This is the global app id to insert for the Tcell module in the top-most http{} block of the nginx config.  To configure an individual app id for each application, you need to use the application annotation below.  The application specific app id will take precedence over the global one.  |
-| <a name="load-modsecurity-module"></a>deis-router | deployment | [router.deis.io/nginx.loadModsecurityModule](#load-modsecurity-module) | `"false"` | Whether to _enable_ the open source dynamic security nginx module [Modsecurity](https://github.com/SpiderLabs/ModSecurity/tree/v3/master) globally for all apps as a [WAF](https://en.wikipedia.org/wiki/Web_application_firewall) on the router.  The rule set that Modsecurity will use by default is the [OWASP ModSecurity Core Rule Set (CRS)](https://github.com/SpiderLabs/owasp-modsecurity-crs) and Modsecurity will be turned on to block malicious traffic on all apps if this annotation is enabled.  This core rule set can be overwritten by configMap like in the example above for the Tcell module.  |
+| <a name="load-modsecurity-module"></a>deis-router | deployment | [router.deis.io/nginx.loadModsecurityModule](#load-modsecurity-module) | `"false"` | Whether to _enable_ the open source dynamic security nginx module [Modsecurity](https://github.com/SpiderLabs/ModSecurity/tree/v3/master) globally for all apps as a [WAF](https://en.wikipedia.org/wiki/Web_application_firewall) on the router.  The rule set that Modsecurity will use by default is the [OWASP ModSecurity Core Rule Set (CRS)](https://github.com/SpiderLabs/owasp-modsecurity-crs) and Modsecurity will be turned on to block malicious traffic on all apps if this annotation is enabled.  This core rule set can be overwritten by configMap and mounted as a volumeMount.  |
 | <a name="default-whitelist"></a>deis-router | deployment | [router.deis.io/nginx.defaultWhitelist](#default-whitelist) | N/A | A default (router-wide) whitelist expressed as  a comma-delimited list of addresses (using IP or CIDR notation).  Application-specific whitelists can either extend or override this default. |
 | <a name="whitelist-mode"></a>deis-router | deployment | [router.deis.io/nginx.whitelistMode](#whitelist-mode) | `"extend"` | Whether application-specific whitelists should extend or override the router-wide default whitelist (if defined).  Valid values are `"extend"` and `"override"`. |
 | <a name="default-service-enabled"></a>deis-router | deployment | [router.deis.io/nginx.defaultServiceEnabled](#default-service-enabled) | `"false"` | Enables default back-end service for traffic hitting /. In order to work correctly both `defaultServiceIP` and `DefaultAppName` MUST also be set.  |
@@ -280,7 +278,6 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`.  A
 | <a name="builder-tcp-timeout"></a>deis-builder | service | [router.deis.io/nginx.tcpTimeout](#builder-tcp-timeout) | `"1200s"` | nginx `proxy_timeout` setting expressed in units `ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `y`. |
 | <a name="app-domains"></a>routable application | service | [router.deis.io/domains](#app-domains) | N/A | Comma-delimited list of domains for which traffic should be routed to the application.  These may be fully qualified (e.g. `foo.example.com`) or, if not containing any `.` character, will be considered subdomains of the router's domain, if that is defined. |
 | <a name="app-regex-domain"></a>routable application | service | [router.deis.io/regexDomain](#app-regex-domain) | N/A | A string that represents the regex domain for which traffic should be routed to the application.  This is the regex domain (e.g. `foo-store-\d*`) if not containing any `.` character and will be considered a subdomain of the router's domain, if that is defined. The regex domain cannot be a fully qualified name (e.g. `foo-store-\d*.example.com`) for safety and security right now.  This feature must be enabled on the router via enable-regex-domain annotation above. |
-| <a name="app-tcell-app-id"></a>routable application | service | [router.deis.io/tcellAppID](#app-tcell-app-id) | N/A | This is the individual app id to insert for the Tcell module in the server{} block of the nginx config for each app.  The application specific app id will take precedence over the global one if defined.  |
 | <a name="app-certificates"></a>routable application | service | [router.deis.io/certificates](#app-certificates) | N/A | Comma delimited list of mappings between domain names (see `router.deis.io/domains`) and the certificate to be used for each.  The domain name and certificate name must be separated by a colon.  See the [SSL section](#ssl) below for further details. |
 | <a name="app-whitelist"></a>routable application | service | [router.deis.io/whitelist](#app-whitelist) | N/A | Comma-delimited list of addresses permitted to access the application (using IP or CIDR notation).  These may either extend or override the router-wide default whitelist (if defined).  Requests from all other addresses are denied. |
 | <a name="app-connect-timeout"></a>routable application | service | [router.deis.io/connectTimeout](#app-connect-timeout) | `"30s"` | nginx `proxy_connect_timeout` setting expressed in units `ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `y`. |

diff --git a/model/model.go b/model/model.go
@@ -57,8 +57,6 @@ type RouterConfig struct {
 	DefaultWhitelist         []string    `key:"defaultWhitelist" constraint:"^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))?(\\s*,\\s*)?)+$"`
 	WhitelistMode            string      `key:"whitelistMode" constraint:"^(extend|override)$"`
 	EnableRegexDomains       bool        `key:"enableRegexDomains" constraint:"(?i)^(true|false)$"`
-	LoadTcellModule          bool        `key:"loadTcellModule" constraint:"(?i)^(true|false)$"`
-	GlobalTcellAppID         string      `key:"globalTcellAppID" constraint:"(?i)^([a-z0-9]+(-[a-z0-9]+)*)+[a-z0-9]+$"`
 	LoadModsecurityModule    bool        `key:"loadModsecurityModule" constraint:"(?i)^(true|false)$"`
 	DefaultServiceIP         string      `key:"defaultServiceIP"`
 	DefaultAppName           string      `key:"defaultAppName"`
@@ -99,7 +97,6 @@ func newRouterConfig() (*RouterConfig, error) {
 		EnforceWhitelists:        false,
 		WhitelistMode:            "extend",
 		EnableRegexDomains:       false,
-		LoadTcellModule:          false,
 		LoadModsecurityModule:    false,
 		RequestIDs:               false,
 		SSLConfig:                newSSLConfig(),
@@ -145,7 +142,6 @@ type AppConfig struct {
 	Name           string
 	Domains        []string `key:"domains" constraint:"(?i)^((([a-z0-9]+(-*[a-z0-9]+)*)|((\\*\\.)?[a-z0-9]+(-*[a-z0-9]+)*\\.)+[a-z0-9]+(-*[a-z0-9]+)+)(\\s*,\\s*)?)+$"`
 	RegexDomain    string   `key:"regexDomain"`
-	TcellAppID     string   `key:"tcellAppID" constraint:"(?i)^([a-z0-9]+(-[a-z0-9]+)*)+[a-z0-9]+$"`
 	Whitelist      []string `key:"whitelist" constraint:"^((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\\/([0-9]|[1-2][0-9]|3[0-2]))?(\\s*,\\s*)?)+$"`
 	ConnectTimeout string   `key:"connectTimeout" constraint:"^[1-9]\\d*(ms|[smhdwMy])?$"`
 	TCPTimeout     string   `key:"tcpTimeout" constraint:"^[1-9]\\d*(ms|[smhdwMy])?$"`

diff --git a/nginx/config.go b/nginx/config.go
@@ -16,11 +16,6 @@ const (
 pid /tmp/nginx.pid;
 worker_processes {{ $routerConfig.WorkerProcesses }};
 
-{{ if $routerConfig.LoadTcellModule -}}
-# Loading the Tcell nginx dynamic module
-load_module modules/ngx_http_tcell_agent_module.so;
-{{- end }}
-
 {{ if $routerConfig.LoadModsecurityModule -}}
 # Loading the Modsecurity connector nginx dynamic module
 load_module modules/ngx_http_modsecurity_module.so;
@@ -39,11 +34,6 @@ http {
 
 	vhost_traffic_status_zone shared:vhost_traffic_status:{{ $routerConfig.TrafficStatusZoneSize }};
 
-	{{ if and $routerConfig.LoadTcellModule $routerConfig.GlobalTcellAppID -}}
-	# Including the global Tcell AppID
-	tcell_app_id {{ $routerConfig.GlobalTcellAppID }};
-	{{- end }}
-
 	# The timeout value must be greater than the front facing load balancers timeout value.
 	# Default is the deis recommended timeout value for ELB - 1200 seconds + 100s extra.
 	keepalive_timeout {{ $routerConfig.DefaultTimeout }};
@@ -191,7 +181,7 @@ http {
 		# set header size limits
 		{{ if $routerConfig.HTTP2Enabled }} http2_max_header_size {{ $routerConfig.HTTP2MaxHeaderSize }}; {{ end }}
 		{{ if $routerConfig.HTTP2Enabled }} http2_max_field_size  {{ $routerConfig.HTTP2MaxFieldSize }};  {{ end }}
-		
+
 		set $app_name "router-default-vhost";
 		ssl_protocols {{ $sslConfig.Protocols }};
 		{{ if ne $sslConfig.Ciphers "" }}ssl_ciphers {{ $sslConfig.Ciphers }};{{ end }}
@@ -256,10 +246,6 @@ http {
 		port_in_redirect off;
 		set $app_name "{{ $appConfig.Name }}";
 
-		{{ if and $routerConfig.LoadTcellModule $appConfig.TcellAppID -}}
-		tcell_app_id {{ $appConfig.TcellAppID }};
-		{{- end }}
-
 		{{ if $routerConfig.LoadModsecurityModule -}}
 		# Turning on modsecurity if modsecurity module loaded
 		modsecurity on;
@@ -269,7 +255,7 @@ http {
 		# set header size limits
 		{{ if $routerConfig.HTTP2Enabled }} http2_max_header_size {{ $routerConfig.HTTP2MaxHeaderSize }}; {{ end }}
 		{{ if $routerConfig.HTTP2Enabled }} http2_max_field_size  {{ $routerConfig.HTTP2MaxFieldSize }};  {{ end }}
-        
+
 		{{ if index $appConfig.Certificates $domain }}
 		listen 6443 ssl {{ if $routerConfig.HTTP2Enabled }}http2{{ end }} {{ if $routerConfig.UseProxyProtocol }}proxy_protocol{{ end }};
 		ssl_protocols {{ $sslConfig.Protocols }};