search

acouvreur / traefik-modsecurity-plugin

Traefik plugin to proxy requests to owasp/modsecurity-crs:apache container
https://plugins.traefik.io/plugins/628c9eadffc0cd18356a9799/modsecurity-plugin
Apache License 2.0
135 stars 24 forks source link

handling multiple domains? #21

Closed eriCCsan closed 5 months ago

eriCCsan commented 5 months ago

Hi thank you so much for this plugin! I think that this what iam looking for all the time. I just have one quick question i don't understand. I read the documentation and i said that every request is proxy to the desired container. But i have multiple containers with different domains. Do i have to applay the loadbalancing rule to the waf container directly and then proxy it or is there somthing smarter ? I have read and search for some documentation but wasn't able to find a proper solution which works :) Thanks for any reply ! :)

acouvreur commented 5 months ago

From the documentation:

version: "3.7"

services:
  traefik:
    image: traefik
    ports:
      - "8000:80"
      - "8080:8080"
    command:
      - --api.dashboard=true
      - --api.insecure=true
      - --experimental.plugins.traefik-modsecurity-plugin.modulename=github.com/acouvreur/traefik-modsecurity-plugin
      - --experimental.plugins.traefik-modsecurity-plugin.version=v1.3.0
      - --providers.docker=true
      - --entrypoints.http.address=:80
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
    labels:
      - traefik.enable=true
      - traefik.http.services.traefik.loadbalancer.server.port=8080
      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.modSecurityUrl=http://waf:80
      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.maxBodySize=10485760

  waf:
    image: owasp/modsecurity-crs:apache
    environment:
      - PARANOIA=1
      - ANOMALY_INBOUND=10
      - ANOMALY_OUTBOUND=5
      - BACKEND=http://dummy

  dummy:
    image: containous/whoami

  website:
    image: containous/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.website.rule=PathPrefix(`/website`)
      - traefik.http.routers.website.middlewares=waf@docker

If you add a new service, you can simply use the same middleware.

version: "3.7"

services:
  traefik:
    image: traefik
    ports:
      - "8000:80"
      - "8080:8080"
    command:
      - --api.dashboard=true
      - --api.insecure=true
      - --experimental.plugins.traefik-modsecurity-plugin.modulename=github.com/acouvreur/traefik-modsecurity-plugin
      - --experimental.plugins.traefik-modsecurity-plugin.version=v1.3.0
      - --providers.docker=true
      - --entrypoints.http.address=:80
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
    labels:
      - traefik.enable=true
      - traefik.http.services.traefik.loadbalancer.server.port=8080
      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.modSecurityUrl=http://waf:80
      - traefik.http.middlewares.waf.plugin.traefik-modsecurity-plugin.maxBodySize=10485760

  waf:
    image: owasp/modsecurity-crs:apache
    environment:
      - PARANOIA=1
      - ANOMALY_INBOUND=10
      - ANOMALY_OUTBOUND=5
      - BACKEND=http://dummy

  dummy:
    image: containous/whoami

  website:
    image: containous/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.website.rule=PathPrefix(`/website`)
      - traefik.http.routers.website.middlewares=waf@docker

  my-second-website:
    image: containous/whoami
    labels:
      - traefik.enable=true
      - traefik.http.routers.my-second-website.rule=PathPrefix(`/my-second-website`)
      - traefik.http.routers.my-second-website.middlewares=waf@docker