Example of Envoy configuration for traffic mirroring
This article provides the example configuration required for Envoy to mirror incoming traffic and send the copies to the Wallarm node, while the original requests continue to the real backend.
Step 1: Configure Envoy to mirror the traffic
This example configures traffic mirroring with Envoy through a single listener on port 80 (without TLS) with a single network filter, the HTTP connection manager. Every request routed to the original backend is also copied to the mirror cluster (`runtime_fraction` with a numerator of 100 means 100% of requests). Envoy sends the copy fire-and-forget: the mirror cluster's response is discarded and never reaches the client, and the host name in the copy's Host header has `-shadow` appended, which matters if the Wallarm node selects a virtual server by name. Addresses of the original backend and of the additional backend receiving mirrored traffic are specified in the `clusters` section:
```yaml
static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 80
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: httpbin              # <-- link to the original cluster
                  request_mirror_policies:
                  - cluster: wallarm            # <-- link to the cluster receiving mirrored requests
                    runtime_fraction:
                      default_value:
                        numerator: 100          # 100% of requests are mirrored
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  ### Definition of original cluster ###
  - name: httpbin
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: httpbin
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              ### Address of the original endpoint. Address is DNS name
              ### or IP address, port_value is TCP port number
              ###
              socket_address:
                address: httpbin                # <-- address of the original backend
                port_value: 80
  ### Definition of the cluster receiving mirrored requests ###
  - name: wallarm
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: wallarm
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              ### Address of the Wallarm node. Address is DNS name
              ### or IP address, port_value is TCP port number. Wallarm
              ### mirror schema can be deployed with any port but the
              ### default value is TCP/8445.
              ###
              socket_address:
                address: wallarm                # <-- address of the Wallarm node
                port_value: 8445
```
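The Wallarm configuration in Step 2 reads the original destination from the `X-Server-Addr` and `X-Server-Port` request headers and the client address from `X-Forwarded-For`, and the listener above sets none of them: with Envoy's default `use_remote_address: false` the connection manager does not append to `X-Forwarded-For` at all. The following variant of the `http_connection_manager` filter is an added example, not part of the original page or of Wallarm's own configuration. It assumes that route-level `request_headers_to_add` is applied before Envoy takes the mirror copy (the behaviour of current Envoy releases) and uses the header names `X-Server-Addr`/`X-Server-Port` because those are what `$http_x_server_addr`/`$http_x_server_port` in Step 2 resolve to. The listener address and the `clusters` section stay exactly as in the configuration above.

```yaml
# Added example (not from the original page): the http_connection_manager
# filter from Step 1, extended so that mirrored copies carry the headers the
# Wallarm node configuration in Step 2 relies on. Drop-in replacement for the
# single entry under filter_chains[0].filters; clusters are unchanged.
name: envoy.filters.network.http_connection_manager
typed_config:
  "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
  stat_prefix: ingress_http
  codec_type: AUTO
  # Default is false, in which case Envoy leaves X-Forwarded-For untouched and
  # the Wallarm node would only ever see Envoy's own address as the client.
  # With true, Envoy appends the downstream peer address to X-Forwarded-For.
  use_remote_address: true
  route_config:
    name: local_route
    virtual_hosts:
    - name: backend
      domains:
      - "*"
      routes:
      - match:
          prefix: "/"
        route:
          cluster: httpbin
          request_mirror_policies:
          - cluster: wallarm
            runtime_fraction:
              default_value:
                numerator: 100
        # Header names are an assumption chosen to match $http_x_server_addr
        # and $http_x_server_port in Step 2. Route-level header additions are
        # applied before the shadow copy is made, so the copy carries them too.
        request_headers_to_add:
        - header:
            key: X-Server-Addr
            value: "%DOWNSTREAM_LOCAL_ADDRESS_WITHOUT_PORT%"   # Envoy's listening address
        - header:
            key: X-Server-Port
            value: "%DOWNSTREAM_LOCAL_PORT%"                   # Envoy's listening port (80 here)
  http_filters:
  - name: envoy.filters.http.router
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

To verify before pointing the `wallarm` cluster at a real node, resolve the `wallarm` host to a plain TCP listener such as netcat on port 8445 and send one request to port 80: the copy should arrive with both `X-Server-*` headers, an `X-Forwarded-For` containing the client address, and a Host header whose host name ends in `-shadow`. The `set_real_ip_from` value in Step 2 must then be the address that Envoy connects from, not the client address.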
Step 2: Configure Wallarm node to filter mirrored traffic
For the Wallarm node to process mirrored traffic, set the following configuration:
```nginx
wallarm_force server_addr $http_x_server_addr;
wallarm_force server_port $http_x_server_port;

# Replace 188.8.131.52 with the address of the mirroring server (Envoy)
set_real_ip_from 188.8.131.52;
real_ip_header X-Forwarded-For;
#real_ip_recursive on;

wallarm_force response_status 0;
wallarm_force response_time 0;
wallarm_force response_size 0;
```
The `set_real_ip_from` and `real_ip_header` directives are required for Wallarm Console to display the IP addresses of attackers: without them the node records the mirroring server as the client of every request. `set_real_ip_from` must name the mirroring server so that only the `X-Forwarded-For` header it adds is trusted. The `wallarm_force server_addr` and `wallarm_force server_port` directives take the original destination from the `X-Server-Addr` and `X-Server-Port` request headers, which the mirroring server has to add to the copies it sends.
The `wallarm_force response_*` directives are required to disable analysis of all requests except the copies received from the mirrored traffic.
Since the node receives only copies and is not in the request path, malicious requests cannot be blocked: the Wallarm node always analyzes mirrored requests in monitoring mode even if the `wallarm_mode` directive or Wallarm Cloud sets the safe or regular blocking mode (the exception is the mode `off`, which disables analysis entirely).
Processing of mirrored traffic is supported only by NGINX-based nodes. You can apply the configuration above as follows:
- If installing the node from DEB/RPM packages, in the `/etc/nginx/conf.d/default.conf` NGINX configuration file.
- If deploying the node from the Docker image, mount a file with the configuration into the container.
- If running the node as an Ingress controller, mount a ConfigMap with the configuration to the pod.