Update ingress class to modsec (#239)

* Update ingress class to modsec

* Pin nginx-module-builder version - to match whats available from nginxinc/nginx-unprivileged

* Update ingress.yml

Dockerfile

@@ -21,7 +21,7 @@ WORKDIR /var/www/html
 
 ###
 
-FROM nginx:1.26-alpine as nginx-module-builder
+FROM nginx:1.26.1-alpine AS nginx-module-builder
 
 SHELL ["/bin/ash", "-exo", "pipefail", "-c"]
 

deploy/development/ingress.yml

@@ -6,16 +6,15 @@ metadata:
   annotations:
     external-dns.alpha.kubernetes.io/set-identifier: justice-gov-uk-dev-ingress-justice-gov-uk-dev-green
     external-dns.alpha.kubernetes.io/aws-weight: "100"
+    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
+    nginx.ingress.kubernetes.io/modsecurity-snippet: |
+      SecRuleEngine On
+      SecDefaultAction "phase:2,pass,log,tag:github_team=central-digital-product-team"
+      SecDefaultAction "phase:4,pass,log,tag:github_team=central-digital-product-team"
     nginx.ingress.kubernetes.io/auth-type: basic
     nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
     nginx.ingress.kubernetes.io/auth-realm: 'Development User | Authentication Required'
     nginx.ingress.kubernetes.io/proxy-body-size: "200m"
-    # IP address entries. 1-4: Global Protect IPs.
-    # nginx.ingress.kubernetes.io/whitelist-source-range: |-
-    #   18.130.148.126/32,
-    #   18.169.147.172/32,
-    #   35.176.93.186/32,
-    #   35.176.148.126/32
     nginx.ingress.kubernetes.io/server-snippet: |
       if ($host = 'justice-gov-uk-dev.apps.live.cloud-platform.service.justice.gov.uk') {
         return 301 https://dev.justice.gov.uk;
@@ -32,7 +31,7 @@ metadata:
         return 301 https://raw.githubusercontent.com/ministryofjustice/security-guidance/main/contact/vulnerability-disclosure-security.txt;
       }
 spec:
-  ingressClassName: default
+  ingressClassName: modsec
   tls:
   - hosts:
     - justice-gov-uk-dev.apps.live.cloud-platform.service.justice.gov.uk

deploy/production/ingress.yml

@@ -5,7 +5,7 @@ metadata:
   namespace: justice-gov-uk-production
   annotations:
     external-dns.alpha.kubernetes.io/set-identifier: justice-gov-uk-production-ingress-justice-gov-uk-production-green
-    external-dns.alpha.kubernetes.io/aws-weight: "100"
+    external-dns.alpha.kubernetes.io/aws-weight: "0"
     nginx.ingress.kubernetes.io/proxy-body-size: "200m"
     # Squiz uses ThousandEyes for monitoring. Since migrating we no long need this so can block the requests here.
     nginx.ingress.kubernetes.io/server-snippet: |
@@ -40,3 +40,57 @@ spec:
             name: nginx-service
             port:
               number: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: justice-gov-uk-production-ingress-modsec
+  namespace: justice-gov-uk-production
+  annotations:
+    external-dns.alpha.kubernetes.io/set-identifier: justice-gov-uk-production-ingress-modsec-justice-gov-uk-production-green
+    external-dns.alpha.kubernetes.io/aws-weight: "100"
+    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
+    nginx.ingress.kubernetes.io/modsecurity-snippet: |
+      SecRuleEngine On
+      SecDefaultAction "phase:2,pass,log,tag:github_team=central-digital-product-team"
+      SecDefaultAction "phase:4,pass,log,tag:github_team=central-digital-product-team"
+      # HTTP header is restricted by policy (/accept-charset/)
+      SecRuleRemoveById 920450
+      # Request content type is not allowed by policy
+      SecRuleRemoveById 920420
+      # Illegal Accept header: charset parameter
+      SecRuleRemoveById 920600
+    nginx.ingress.kubernetes.io/proxy-body-size: "200m"
+    # Squiz uses ThousandEyes for monitoring. Since migrating we no long need this so can block the requests here.
+    nginx.ingress.kubernetes.io/server-snippet: |
+      location = /health {
+        auth_basic off;
+        access_log off;
+        default_type text/plain;
+        add_header Content-Type text/plain;
+        return 200 "OK";
+      }
+      location = /.well-known/security.txt {
+        auth_basic off;
+        return 301 https://raw.githubusercontent.com/ministryofjustice/security-guidance/main/contact/vulnerability-disclosure-security.txt;
+      }
+      if ($http_x_thousandeyes_agent) {
+        return 403;
+      }
+spec:
+  ingressClassName: modsec
+  tls:
+  - hosts:
+    - www.justice.gov.uk
+    secretName: justice-gov-uk-production-cert-secret
+  rules:
+  - host: www.justice.gov.uk
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: nginx-service
+            port:
+              number: 8080

deploy/staging/ingress.yml

@@ -6,6 +6,11 @@ metadata:
   annotations:
     external-dns.alpha.kubernetes.io/set-identifier: justice-gov-uk-staging-ingress-justice-gov-uk-staging-green
     external-dns.alpha.kubernetes.io/aws-weight: "100"
+    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
+    nginx.ingress.kubernetes.io/modsecurity-snippet: |
+      SecRuleEngine On
+      SecDefaultAction "phase:2,pass,log,tag:github_team=central-digital-product-team"
+      SecDefaultAction "phase:4,pass,log,tag:github_team=central-digital-product-team"
     nginx.ingress.kubernetes.io/auth-type: basic
     nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
     nginx.ingress.kubernetes.io/auth-realm: 'Staging User | Authentication Required'
@@ -23,7 +28,7 @@ metadata:
         return 301 https://raw.githubusercontent.com/ministryofjustice/security-guidance/main/contact/vulnerability-disclosure-security.txt;
       }
 spec:
-  ingressClassName: default
+  ingressClassName: modsec
   # Note. `stage` not the typical `staging` subdomain, because that was unavailable.
   tls:
   - hosts: