Skip to content

Example of Traefik configuration for traffic mirroring

This article provides the example configuration required for Traefik to mirror the traffic and route it to the Wallarm node.

Step 1: Configure Traefik to mirror the traffic

The following configuration example is based on the dynamic configuration file approach. The Traefik web server also supports other configuration modes, and you can easily adjust the provided one to any of them as they have a similar structure.

### Dynamic configuration file
### Note: entrypoints are described in static configuration file
http:
  services:
    ### This is how to map original and wallarm `services`.
    ### In further `routers` configuration (see below), please 
    ### use the name of this service (`with_mirroring`).
    ###
    with_mirroring:
      mirroring:
        service: "httpbin"
        mirrors:
          - name: "wallarm"
            percent: 100

    ### The `service` to mirror traffic to - the endpoint
    ### that should receive the requests mirrored (copied)
    ### from the original `service`.
    ###
    wallarm:
      loadBalancer:
        servers:
          - url: "http://wallarm:8445"

    ### Original `service`. This service should receive the
    ### original traffic.
    ###
    httpbin:
      loadBalancer:
        servers:
          - url: "http://httpbin:80/"

  routers:
    ### The router name must be the same as the `service` name
    ### for the traffic mirroring to work (with_mirroring).
    ###
    with_mirroring:
      entryPoints:
        - "web"
      rule: "Host(`mirrored.example.com`)"
      service: "with_mirroring"

    ### The router for the original traffic.
    ###
    just_to_original:
      entryPoints:
        - "web"
      rule: "Host(`original.example.local`)"
      service: "httpbin"

Review the Traefik documentation

Step 2: Configure Wallarm node to filter mirrored traffic

For the Wallarm node to process mirrored traffic, set the following configuration:

wallarm_force server_addr $http_x_server_addr;
wallarm_force server_port $http_x_server_port;
#Change 222.222.222.22 to the address of the mirroring server
set_real_ip_from  222.222.222.22;
real_ip_header    X-Forwarded-For;
#real_ip_recursive on;
wallarm_force response_status 0;
wallarm_force response_time 0;
wallarm_force response_size 0;
  • The real_ip_header directive is required to have Wallarm Console display the IP addresses of the attackers.

  • The wallarm_force_response_* directives are required to disable analysis of all requests except for copies received from the mirrored traffic.

  • Since malicious requests cannot be blocked, the Wallarm node always analyzes requests in the monitoring mode even if the wallarm_mode directive or Wallarm Cloud sets the safe or regular blocking mode (aside from the mode set to off).

Processing of mirrored traffic is supported only by the NGINX-based nodes. You can set the provided configuration as follows:

  • If installing the node from DEB/RPM packages - in the /etc/nginx/conf.d/default.conf NGINX configuration file.

  • If deploying the node from the AWS or GCP cloud image - in the /etc/nginx/nginx.conf NGINX configuration file.

  • If deploying the node from the Docker image - mount the file with the provided configuration to the container.

  • If running the node as Sidecar proxy or Ingress controller - mount the ConfigMap with the provided configuration to a pod.