Example of Envoy configuration for traffic mirroring
This article provides the example configuration required for Envoy to mirror the traffic and route it to the Wallarm node.
Step 1: Configure Envoy to mirror the traffic

This example configures traffic mirroring with Envoy via a single listener on port 80 (without TLS) with a single filter. The addresses of the original backend and of the additional backend that receives the mirrored traffic are specified in the `clusters` block.
```yaml
static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 80
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: httpbin # <-- link to the original cluster
                  request_mirror_policies:
                  - cluster: wallarm # <-- link to the cluster receiving mirrored requests
                    runtime_fraction:
                      default_value:
                        numerator: 100
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  ### Definition of the original cluster
  ###
  - name: httpbin
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: httpbin
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              ### Address of the original endpoint. Address is a DNS name
              ### or IP address, port_value is the TCP port number
              ###
              socket_address:
                address: httpbin # <-- definition of the original cluster
                port_value: 80
  ### Definition of the cluster receiving mirrored requests
  ###
  - name: wallarm
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: wallarm
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              ### Address of the endpoint receiving mirrored requests. Address
              ### is a DNS name or IP address, port_value is the TCP port
              ### number. The Wallarm mirror schema can be deployed with any
              ### port but the default value is TCP/8445.
              ###
              socket_address:
                address: wallarm
                port_value: 8445
```
For details on the directives used above, review the Envoy documentation.
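Before shipping a configuration like the one above, it is worth checking mechanically that every route mirrors to a defined cluster and that the `runtime_fraction` really sends 100% of requests to the node, since a typo in a cluster name or a leftover sampling fraction silently leaves part of the traffic uninspected. The script below is an added example and is not code from the Wallarm docs or from Envoy. It works on a Python dict with the same shape the Step 1 YAML has after a YAML loader has read it (the dict here is a constructed, abridged copy of that YAML), so it needs no YAML library; the `_DENOMINATORS` table follows Envoy's `FractionalPercent` definition, where `HUNDRED` is the default denominator.

```python
"""Sanity check for an Envoy static_resources block used for traffic mirroring.

Added example, not code from the Wallarm docs or from Envoy.
"""

# Constructed dict copy of the Step 1 configuration, abridged to the keys
# the check needs.
ENVOY_CONFIG = {
    "static_resources": {
        "listeners": [{
            "address": {"socket_address": {"address": "0.0.0.0", "port_value": 80}},
            "filter_chains": [{"filters": [{
                "name": "envoy.filters.network.http_connection_manager",
                "typed_config": {
                    "route_config": {"virtual_hosts": [{
                        "name": "backend",
                        "domains": ["*"],
                        "routes": [{
                            "match": {"prefix": "/"},
                            "route": {
                                "cluster": "httpbin",
                                "request_mirror_policies": [{
                                    "cluster": "wallarm",
                                    "runtime_fraction": {"default_value": {"numerator": 100}},
                                }],
                            },
                        }],
                    }]},
                },
            }]}],
        }],
        "clusters": [
            {"name": "httpbin", "load_assignment": {"endpoints": [{"lb_endpoints": [
                {"endpoint": {"address": {"socket_address": {"address": "httpbin", "port_value": 80}}}}]}]}},
            {"name": "wallarm", "load_assignment": {"endpoints": [{"lb_endpoints": [
                {"endpoint": {"address": {"socket_address": {"address": "wallarm", "port_value": 8445}}}}]}]}},
        ],
    }
}

# FractionalPercent denominators as Envoy defines them; HUNDRED is the default.
_DENOMINATORS = {"HUNDRED": 100, "TEN_THOUSAND": 10_000, "MILLION": 1_000_000}


def mirror_percent(policy):
    """Share of requests (in percent) a request_mirror_policy sends to its cluster."""
    frac = policy.get("runtime_fraction", {}).get("default_value")
    if frac is None:
        return 100.0  # Envoy mirrors every request when no runtime_fraction is set
    return 100.0 * frac.get("numerator", 0) / _DENOMINATORS[frac.get("denominator", "HUNDRED")]


def iter_routes(static_resources):
    """Yield (virtual_host_name, route) for every route in an inline route_config."""
    for listener in static_resources.get("listeners", []):
        for chain in listener.get("filter_chains", []):
            for flt in chain.get("filters", []):
                route_config = flt.get("typed_config", {}).get("route_config", {})
                for vhost in route_config.get("virtual_hosts", []):
                    for route in vhost.get("routes", []):
                        yield vhost["name"], route


def check_mirroring(config, mirror_cluster="wallarm"):
    """Return a list of problems; empty means every route mirrors 100% to mirror_cluster."""
    sr = config["static_resources"]
    defined = {c["name"] for c in sr.get("clusters", [])}
    problems = []
    if mirror_cluster not in defined:
        problems.append(f"mirror cluster {mirror_cluster!r} is not defined in clusters")
    for vhost, route in iter_routes(sr):
        action = route.get("route")
        if action is None:
            continue  # redirect / direct_response routes carry no traffic to mirror
        where = f"{vhost}:{route.get('match')}"
        if action.get("cluster") not in defined:
            problems.append(f"{where}: target cluster {action.get('cluster')!r} is not defined")
        policies = action.get("request_mirror_policies", [])
        if not any(p.get("cluster") == mirror_cluster for p in policies):
            problems.append(f"{where}: no request_mirror_policy points at {mirror_cluster!r}")
        for policy in policies:
            if policy.get("cluster") not in defined:
                problems.append(f"{where}: mirror cluster {policy.get('cluster')!r} is not defined")
                continue
            pct = mirror_percent(policy)
            if pct < 100:
                problems.append(f"{where}: only {pct:g}% of requests mirrored to {policy['cluster']!r}")
    return problems


def mirror_endpoints(config, mirror_cluster="wallarm"):
    """List the (address, port) pairs the mirror cluster is configured with."""
    out = []
    for cluster in config["static_resources"].get("clusters", []):
        if cluster["name"] != mirror_cluster:
            continue
        for ep in cluster.get("load_assignment", {}).get("endpoints", []):
            for lb in ep.get("lb_endpoints", []):
                sa = lb["endpoint"]["address"]["socket_address"]
                out.append((sa["address"], sa["port_value"]))
    return out


if __name__ == "__main__":
    print(check_mirroring(ENVOY_CONFIG) or "mirroring config OK")
    print(mirror_endpoints(ENVOY_CONFIG))
```

Only inline `route_config` blocks are walked; a deployment that serves routes through RDS would need to feed the fetched route table into `iter_routes` separately.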
Step 2: Configure Wallarm node to filter mirrored traffic
For the Wallarm node to process mirrored traffic, set the following configuration:
```nginx
wallarm_force server_addr $http_x_server_addr;
wallarm_force server_port $http_x_server_port;
#Change 222.222.222.22 to the address of the mirroring server
set_real_ip_from 222.222.222.22;
real_ip_header X-Forwarded-For;
#real_ip_recursive on;
wallarm_force response_status 0;
wallarm_force response_time 0;
wallarm_force response_size 0;
```
- The `real_ip_header` directive is required to have Wallarm Console display the IP addresses of the attackers.
- The `wallarm_force_response_*` directives are required to disable analysis of all requests except for copies received from the mirrored traffic.
- Since malicious requests cannot be blocked, the Wallarm node always analyzes requests in the monitoring mode even if the `wallarm_mode` directive or Wallarm Cloud sets the safe or regular blocking mode (aside from the mode set to off).
Processing of mirrored traffic is supported only by the NGINX-based nodes. You can set the provided configuration as follows:

- If installing the node from DEB/RPM packages - in the `/etc/nginx/conf.d/default.conf` NGINX configuration file.
- If deploying the node from the AWS or GCP cloud image - in the `/etc/nginx/nginx.conf` NGINX configuration file.
- If deploying the node from the Docker image - mount the file with the provided configuration to the container.
- If running the node as Ingress controller - mount the ConfigMap with the provided configuration to a pod.