Example of Istio configuration for traffic mirroring

This article provides an example Istio configuration for mirroring traffic and routing the copies to the Wallarm node.

Step 1: Configure Istio to mirror the traffic

For Istio to mirror the traffic, configure a VirtualService whose mirror route points either to an internal endpoint (internal to Istio, e.g. a service hosted in Kubernetes) or to an external endpoint declared with a ServiceEntry:

  • To enable mirroring of in-cluster requests (e.g. between pods), add mesh to .spec.gateways of the VirtualService.

  • To enable mirroring of external requests (e.g. arriving via a LoadBalancer or NodePort service), configure an Istio Gateway component and add its name to .spec.gateways of the VirtualService. This option is shown in the example below.

---
### Configuration of destination for mirrored traffic
###
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: wallarm-external-svc
spec:
  hosts:
    - some.external.service.tld # mirroring destination address
  location: MESH_EXTERNAL
  ports:
    - number: 8445 # mirroring destination port
      name: http
      protocol: HTTP
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
    - ...
  gateways:
    ### Name of istio `Gateway` component. Required for handling traffic from
    ### external sources
    ###
    - httpbin-gateway
    ### Special label, enables this virtual service routes to work with requests
    ### from Kubernetes pods (in-cluster communication not via gateways)
    ###
    - mesh
  http:
    - route:
        - destination:
            host: httpbin
            port:
              number: 80
          weight: 100
      mirror:
        host: some.external.service.tld # mirroring destination address
        port:
          number: 8445 # mirroring destination port
---
### For handling external requests
###
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingress
    app: istio-ingress
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "httpbin.local"

For more details, review the Istio documentation.
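The three resources above only work together when the mirror destination in the VirtualService matches a ServiceEntry host and port and every gateway name matches a Gateway resource. The following script is an added example (not Wallarm's or Istio's code) that checks exactly those links. The manifests are embedded as Python dicts in the shape yaml.safe_load_all() would produce for the YAML above, so it runs with the standard library only; the VirtualService host "httpbin.local" and the in-mesh host heuristic are assumptions, since the page elides the host.

```python
"""Consistency checks for the Istio mirroring resources (added example)."""

# Constructed manifests, shaped as yaml.safe_load_all() would return the YAML
# above. "httpbin.local" is an assumed VirtualService host (the page elides it).
MANIFESTS = [
    {"apiVersion": "networking.istio.io/v1beta1", "kind": "ServiceEntry",
     "metadata": {"name": "wallarm-external-svc"},
     "spec": {"hosts": ["some.external.service.tld"], "location": "MESH_EXTERNAL",
              "ports": [{"number": 8445, "name": "http", "protocol": "HTTP"}],
              "resolution": "DNS"}},
    {"apiVersion": "networking.istio.io/v1alpha3", "kind": "VirtualService",
     "metadata": {"name": "httpbin"},
     "spec": {"hosts": ["httpbin.local"], "gateways": ["httpbin-gateway", "mesh"],
              "http": [{"route": [{"destination": {"host": "httpbin",
                                                    "port": {"number": 80}},
                                    "weight": 100}],
                        "mirror": {"host": "some.external.service.tld",
                                   "port": {"number": 8445}}}]}},
    {"apiVersion": "networking.istio.io/v1alpha3", "kind": "Gateway",
     "metadata": {"name": "httpbin-gateway"},
     "spec": {"selector": {"istio": "ingress", "app": "istio-ingress"},
              "servers": [{"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                           "hosts": ["httpbin.local"]}]}},
]


def _is_in_mesh(host):
    # Assumed heuristic: short service names and *.svc.cluster.local are
    # in-cluster destinations that need no ServiceEntry.
    return "." not in host or host.endswith(".svc.cluster.local")


def check_mirroring(manifests):
    """Return a list of findings; an empty list means the mirror wiring is consistent."""
    findings = []
    by_kind = {}
    for m in manifests:
        by_kind.setdefault(m["kind"], []).append(m)

    # host -> port numbers declared on MESH_EXTERNAL ServiceEntries
    external_ports = {}
    for se in by_kind.get("ServiceEntry", []):
        spec = se["spec"]
        if spec.get("location") != "MESH_EXTERNAL":
            continue
        ports = {p["number"] for p in spec.get("ports", [])}
        for host in spec.get("hosts", []):
            external_ports.setdefault(host, set()).update(ports)

    gateway_names = {gw["metadata"]["name"] for gw in by_kind.get("Gateway", [])}

    for vs in by_kind.get("VirtualService", []):
        name = vs["metadata"]["name"]
        gateways = vs["spec"].get("gateways", [])
        for gw in gateways:
            if gw != "mesh" and gw not in gateway_names:
                findings.append(f"{name}: gateway '{gw}' has no Gateway resource")
        if "mesh" not in gateways:
            findings.append(f"{name}: 'mesh' missing from gateways; "
                            "in-cluster requests are not mirrored")
        for i, rule in enumerate(vs["spec"].get("http", [])):
            mirror = rule.get("mirror")
            if not mirror:
                findings.append(f"{name}: http rule {i} has no mirror; "
                                "nothing is copied to the node")
                continue
            host = mirror.get("host", "")
            port = mirror.get("port", {}).get("number")
            if _is_in_mesh(host):
                continue  # in-mesh destination, nothing further to cross-check here
            if host not in external_ports:
                findings.append(f"{name}: mirror host '{host}' has no MESH_EXTERNAL ServiceEntry")
            elif port not in external_ports[host]:
                findings.append(f"{name}: mirror port {port} is not declared "
                                f"on the ServiceEntry for '{host}'")
    return findings


if __name__ == "__main__":
    for finding in check_mirroring(MANIFESTS) or ["OK: mirror wiring is consistent"]:
        print(finding)
```

Run it against the manifests exported from a cluster (e.g. the output of kubectl get parsed with PyYAML) to catch a changed mirror port or a renamed Gateway before the node silently stops receiving copies.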

Step 2: Configure Wallarm node to filter mirrored traffic

For the Wallarm node to process mirrored traffic, set the following configuration:

wallarm_force server_addr $http_x_server_addr;
wallarm_force server_port $http_x_server_port;
#Change 222.222.222.22 to the address of the mirroring server
set_real_ip_from  222.222.222.22;
real_ip_header    X-Forwarded-For;
#real_ip_recursive on;
wallarm_force response_status 0;
wallarm_force response_time 0;
wallarm_force response_size 0;

  • The real_ip_header directive is required for Wallarm Console to display the IP addresses of the attackers.

  • The wallarm_force response_* directives are required to disable analysis of all requests except for the copies received from the mirrored traffic.

  • Since mirrored requests are copies and cannot be blocked, the Wallarm node always analyzes them in monitoring mode, even if the wallarm_mode directive or Wallarm Cloud sets the safe blocking or regular blocking mode (unless the mode is set to off).
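The set_real_ip_from / real_ip_header / real_ip_recursive lines decide which address the node attributes an attack to: when a copy arrives, the TCP peer is the mirroring server, and the original client has to be recovered from X-Forwarded-For. The following is an added example, a stdlib-only Python model of the ngx_http_realip_module selection rules, not Wallarm's or NGINX's code. The trusted list uses the page's placeholder address 222.222.222.22, and the sample header values are constructed.

```python
"""Model of how NGINX realip directives pick the client address (added example)."""
import ipaddress

# What set_real_ip_from lists: the mirroring server's address (page placeholder).
TRUSTED = [ipaddress.ip_network("222.222.222.22/32")]


def _parse(addr):
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def is_trusted(addr, trusted=TRUSTED):
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in trusted)


def resolve_client_ip(remote_addr, x_forwarded_for, recursive=False, trusted=TRUSTED):
    """Return the address NGINX reports as the client after realip processing.

    remote_addr      -- TCP peer (the mirroring server when the copy arrives)
    x_forwarded_for  -- raw X-Forwarded-For value (real_ip_header), or None
    recursive        -- real_ip_recursive on/off
    """
    # The header is only honoured when the peer itself is trusted.
    if not is_trusted(remote_addr, trusted) or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    if any(_parse(h) is None for h in hops):
        return remote_addr  # malformed header: NGINX declines and keeps the peer address
    if not recursive:
        return hops[-1]  # real_ip_recursive off: last address in the header wins
    # real_ip_recursive on: walk right-to-left, skipping trusted proxies
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return hop
    return hops[0]  # every hop trusted: the leftmost address remains


if __name__ == "__main__":
    # Constructed mirrored request: peer is the mirroring server, header carries
    # the original client and one more trusted hop.
    peer, xff = "222.222.222.22", "203.0.113.10, 222.222.222.22"
    print("recursive off:", resolve_client_ip(peer, xff))
    print("recursive on: ", resolve_client_ip(peer, xff, recursive=True))
```

The model shows why the commented-out real_ip_recursive line matters: with a single proxy in front of the node the last header entry is already the client, but once another trusted hop appends itself to X-Forwarded-For only the recursive search recovers the real attacker address.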

Processing of mirrored traffic is supported only by the NGINX-based nodes. You can set the provided configuration as follows:

  • If installing the node from DEB/RPM packages - in the /etc/nginx/conf.d/default.conf NGINX configuration file.

  • If deploying the node from the AWS or GCP cloud image - in the /etc/nginx/nginx.conf NGINX configuration file.

  • If deploying the node from the Docker image - mount the file with the provided configuration to the container.

  • If running the node as the Ingress controller - mount the ConfigMap with the provided configuration to a pod.