Example of Istio configuration for traffic mirroring¶
This article provides the example configuration required for Istio to mirror the traffic and route it to the Wallarm node.
Step 1: Configure Istio to mirror the traffic¶
For Istio to mirror the traffic, you can configure
VirtualService for mirroring routes either to the internal endpoint (internal for Istio, e.g. hosted in Kubernetes) or to the external endpoint with
To enable mirroring of in-cluster requests (e.g. between pods), add
To enable mirroring of external requests (e.g. via LoadBalancer or NodePort service), configure Istio
Gatewaycomponent and add the name of the component to
VirtualService. This option is presented in the example below.
--- ### Configuration of destination for mirrored traffic ### apiVersion: networking.istio.io/v1beta1 kind: ServiceEntry metadata: name: wallarm-external-svc spec: hosts: - some.external.service.tld # mirroring destination address location: MESH_EXTERNAL ports: - number: 8445 # mirroring destination port name: http protocol: HTTP resolution: DNS --- apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: httpbin spec: hosts: - ... gateways: ### Name of istio `Gateway` component. Required for handling traffic from ### external sources ### - httpbin-gateway ### Special label, enables this virtual service routes to work with requests ### from Kubernetes pods (in-cluster communication not via gateways) ### - mesh http: - route: - destination: host: httpbin port: number: 80 weight: 100 mirror: host: some.external.service.tld # mirroring destination address port: number: 8445 # mirroring destination port --- ### For handling external requests ### apiVersion: networking.istio.io/v1alpha3 kind: Gateway metadata: name: httpbin-gateway spec: selector: istio: ingress app: istio-ingress servers: - port: number: 80 name: http protocol: HTTP hosts: - "httpbin.local"
Step 2: Configure Wallarm node to filter mirrored traffic¶
For the Wallarm node to process mirrored traffic, set the following configuration:
wallarm_force server_addr $http_x_server_addr; wallarm_force server_port $http_x_server_port; #Change 188.8.131.52 to the address of the mirroring server set_real_ip_from 184.108.40.206; real_ip_header X-Forwarded-For; #real_ip_recursive on; wallarm_force response_status 0; wallarm_force response_time 0; wallarm_force response_size 0;
real_ip_headerdirective is required to have Wallarm Console display the IP addresses of the attackers.
wallarm_force_response_*directives are required to disable analysis of all requests except for copies received from the mirrored traffic.
Since malicious requests cannot be blocked, the Wallarm node always analyzes requests in the monitoring mode even if the
wallarm_modedirective or Wallarm Cloud sets the safe or regular blocking mode (aside from the mode set to off).
Processing of mirrored traffic is supported only by the NGINX-based nodes. You can set the provided configuration as follows:
If installing the node from DEB/RPM packages - in the
/etc/nginx/conf.d/default.confNGINX configuration file.
If deploying the node from the Docker image - mount the file with the provided configuration to the container.
If running the node as Ingress controller - mount the ConfigMap with the provided configuration to a pod.