Example of Istio configuration for traffic mirroring
This article provides the example configuration required for Istio to mirror the traffic and route it to the Wallarm node.
Step 1: Configure Istio to mirror the traffic
For Istio to mirror the traffic, you can configure `VirtualService` for mirroring routes either to the internal endpoint (internal for Istio, e.g. hosted in Kubernetes) or to the external endpoint with `ServiceEntry`:

- To enable mirroring of in-cluster requests (e.g. between pods), add `mesh` to `.spec.gateways`.
- To enable mirroring of external requests (e.g. via LoadBalancer or NodePort service), configure the Istio `Gateway` component and add the name of the component to `.spec.gateways` of `VirtualService`. This option is presented in the example below.
```yaml
---
### Configuration of destination for mirrored traffic
###
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: wallarm-external-svc
spec:
  hosts:
  - some.external.service.tld # mirroring destination address
  location: MESH_EXTERNAL
  ports:
  - number: 8445 # mirroring destination port
    name: http
    protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
  - ...
  gateways:
  ### Name of istio `Gateway` component. Required for handling traffic from
  ### external sources
  ###
  - httpbin-gateway
  ### Special label, enables this virtual service routes to work with requests
  ### from Kubernetes pods (in-cluster communication not via gateways)
  ###
  - mesh
  http:
  - route:
    - destination:
        host: httpbin
        port:
          number: 80
      weight: 100
    mirror:
      host: some.external.service.tld # mirroring destination address
      port:
        number: 8445 # mirroring destination port
---
### For handling external requests
###
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingress
    app: istio-ingress
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.local"
```
Review the Istio documentation for details on these resources.
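As an added consistency check (not part of Wallarm's documentation or of Istio's tooling), the following Python script confirms that the three manifests above fit together: every gateway the `VirtualService` references exists (or is the reserved `mesh` label), and every external mirror destination is declared by a `ServiceEntry` with the same port. The manifests are embedded as constructed Python dicts; the `VirtualService` hosts, elided on the page, are assumed to be `httpbin.local`, and `in_cluster_hosts` is an assumed parameter for in-mesh mirror destinations that need no `ServiceEntry`.

```python
from typing import Dict, Iterable, List
# Constructed copy of the three manifests above as Python dicts (the shape
# yaml.safe_load_all returns), so the check runs without PyYAML. The page
# elides the VirtualService hosts; "httpbin.local" is assumed here.
MANIFESTS: List[Dict] = [
    {"kind": "ServiceEntry", "metadata": {"name": "wallarm-external-svc"},
     "spec": {"hosts": ["some.external.service.tld"], "location": "MESH_EXTERNAL",
              "ports": [{"number": 8445, "name": "http", "protocol": "HTTP"}],
              "resolution": "DNS"}},
    {"kind": "VirtualService", "metadata": {"name": "httpbin"},
     "spec": {"hosts": ["httpbin.local"], "gateways": ["httpbin-gateway", "mesh"],
              "http": [{"route": [{"destination": {"host": "httpbin", "port": {"number": 80}},
                                   "weight": 100}],
                        "mirror": {"host": "some.external.service.tld", "port": {"number": 8445}}}]}},
    {"kind": "Gateway", "metadata": {"name": "httpbin-gateway"},
     "spec": {"selector": {"istio": "ingress", "app": "istio-ingress"},
              "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                           "hosts": ["httpbin.local"]}]}},
]

def check_mirroring(manifests: List[Dict], in_cluster_hosts: Iterable[str] = ()) -> List[str]:
    """Return a list of problems with the mirroring setup; empty means consistent."""
    # in_cluster_hosts: mirror destinations served inside the mesh (no ServiceEntry needed)
    problems: List[str] = []
    # host -> port numbers declared for it by ServiceEntry resources
    entry_ports: Dict[str, set] = {}
    for se in (m for m in manifests if m["kind"] == "ServiceEntry"):
        for host in se["spec"]["hosts"]:
            entry_ports.setdefault(host, set()).update(p["number"] for p in se["spec"]["ports"])
    gateway_names = {m["metadata"]["name"] for m in manifests if m["kind"] == "Gateway"}
    for vs in (m for m in manifests if m["kind"] == "VirtualService"):
        name = vs["metadata"]["name"]
        # Every referenced gateway must exist, except the reserved "mesh" label.
        for gw in vs["spec"].get("gateways", []):
            if gw != "mesh" and gw not in gateway_names:
                problems.append(f"{name}: gateway '{gw}' is not defined")
        for i, rule in enumerate(vs["spec"].get("http", [])):
            mirror = rule.get("mirror")
            if mirror is None:
                problems.append(f"{name}: http rule {i} has no mirror, nothing is copied")
                continue
            host, port = mirror["host"], mirror.get("port", {}).get("number")
            if host in in_cluster_hosts:
                continue  # internal destination, resolved by the mesh itself
            if host not in entry_ports:
                problems.append(f"{name}: mirror host '{host}' has no ServiceEntry")
            elif port is not None and port not in entry_ports[host]:
                problems.append(f"{name}: mirror port {port} is not declared for '{host}'")
    return problems
```

Run `check_mirroring(MANIFESTS)` after editing the dicts to match your own manifests; an empty list means the gateway references and the mirror destination line up.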
Step 2: Configure Wallarm node to filter mirrored traffic
For the Wallarm node to process mirrored traffic, set the following configuration:
```nginx
wallarm_force server_addr $http_x_server_addr;
wallarm_force server_port $http_x_server_port;
# Change 222.222.222.22 to the address of the mirroring server
set_real_ip_from 222.222.222.22;
real_ip_header X-Forwarded-For;
#real_ip_recursive on;
wallarm_force response_status 0;
wallarm_force response_time 0;
wallarm_force response_size 0;
```
- The `real_ip_header` directive is required to have Wallarm Console display the IP addresses of the attackers.
- The `wallarm_force response_*` directives are required to disable analysis of all requests except for copies received from the mirrored traffic.
- Since malicious requests cannot be blocked, the Wallarm node always analyzes requests in the monitoring mode even if the `wallarm_mode` directive or Wallarm Cloud sets the safe or regular blocking mode (aside from the mode set to off).
Processing of mirrored traffic is supported only by the NGINX-based nodes. You can set the provided configuration as follows:

- If installing the node from DEB/RPM packages - in the `/etc/nginx/conf.d/default.conf` NGINX configuration file.
- If deploying the node from the AWS or GCP cloud image - in the `/etc/nginx/nginx.conf` NGINX configuration file.
- If deploying the node from the Docker image - mount the file with the provided configuration to the container.
- If running the node as Ingress controller - mount the ConfigMap with the provided configuration to a pod.