Skip to content

Example of Envoy configuration for traffic mirroring

This article provides the example configuration required for Envoy to mirror the traffic and route it to the Wallarm node.

Step 1: Configure Envoy to mirror the traffic

This example configures traffic mirroring with Envoy via the single listener listening to port 80 (without TLS) and having a single filter. Addresses of an original backend and additional backend receiving mirrored traffic are specified in the clusters block.

static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 80
    filter_chains:
    - filters:
        - name: envoy.filters.network.http_connection_manager
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
            stat_prefix: ingress_http
            codec_type: AUTO
            route_config:
              name: local_route
              virtual_hosts:
              - name: backend
                domains:
                - "*"
                routes:
                - match:
                    prefix: "/"
                  route:
                    cluster: httpbin     # <-- link to the original cluster
                    request_mirror_policies:
                    - cluster: wallarm   # <-- link to the cluster receiving mirrored requests
                      runtime_fraction:
                        default_value:
                          numerator: 100
            http_filters:
            - name: envoy.filters.http.router
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  clusters:
  ### Definition of original cluster
  ###
  - name: httpbin
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: httpbin
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              ### Address of the original endpoint. Address is DNS name
              ### or IP address, port_value is TCP port number
              ###
              socket_address:
                address: httpbin # <-- definition of the original cluster
                port_value: 80

  ### Definition of the cluster receiving mirrored requests
  ###
  - name: wallarm
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: wallarm
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              ### Address of the original endpoint. Address is DNS name
              ### or IP address, port_value is TCP port number. Wallarm
              ### mirror schema can be deployed with any port but the
              ### default value is TCP/8445.
              ###
              socket_address:
                address: wallarm
                port_value: 8445

Review the Envoy documentation

Step 2: Configure Wallarm node to filter mirrored traffic

For the Wallarm node to process mirrored traffic, set the following configuration:

wallarm_force server_addr $http_x_server_addr;
wallarm_force server_port $http_x_server_port;
#Change 222.222.222.22 to the address of the mirroring server
set_real_ip_from  222.222.222.22;
real_ip_header    X-Forwarded-For;
#real_ip_recursive on;
wallarm_force response_status 0;
wallarm_force response_time 0;
wallarm_force response_size 0;
  • The real_ip_header directive is required to have Wallarm Console display the IP addresses of the attackers.

  • The wallarm_force_response_* directives are required to disable analysis of all requests except for copies received from the mirrored traffic.

  • Since malicious requests cannot be blocked, the Wallarm node always analyzes requests in the monitoring mode even if the wallarm_mode directive or Wallarm Cloud sets the safe or regular blocking mode (aside from the mode set to off).

Processing of mirrored traffic is supported only by the NGINX-based nodes. You can set the provided configuration as follows:

  • If installing the node from DEB/RPM packages - in the /etc/nginx/conf.d/default.conf NGINX configuration file.

  • If deploying the node from the AWS or GCP cloud image - in the /etc/nginx/nginx.conf NGINX configuration file.

  • If deploying the node from the Docker image - mount the file with the provided configuration to the container.

  • If running the node as Sidecar proxy or Ingress controller - mount the ConfigMap with the provided configuration to a pod.