citrix / terraform-provider-citrixadc

Part of NetScaler Automation Toolkit | https://github.com/netscaler/automation-toolkit
https://registry.terraform.io/providers/citrix/citrixadc
Apache License 2.0

[FEATURE REQUEST] : AppFW Learning Data #1037

Closed kaiAsmOne closed 7 months ago

kaiAsmOne commented 1 year ago


Feature Request

I deploy and configure Netscaler with terraform in Azure. The citrixadc provider has become really good. (Thank you.) My main use cases are pre-authentication and WAF.

Currently there is no way to handle learning data. Due to the lack of learning data support, I will lose all learning data when doing a terraform destroy and terraform apply. To implement learning data I need to use the Netscaler GUI.


rohit-myali commented 10 months ago

Hello @kaiAsmOne Can you please provide us with equivalent CLI or API reference docs, so that we can implement the same?

kaiAsmOne commented 10 months ago

I usually do a network capture whenever I do not understand why my terraform code does not work. (I do the same thing in the GUI, then the same thing in terraform, and compare the packet captures.) I did a network trace for an SQL Injection rule to put you on the right track.

I URL-decoded it to make it easier to read, and I modified the names to not expose my actual services.

Does this help ?

```
POST /nitro/v1/config/appfwprofile_sqlinjection_binding HTTP/1.1
Host: SURE_NOT_THAT_NOOB
Pragma: no-cache
Accept: */*
Sec-Fetch-Site: same-origin
If-Modified-Since: Thu, 01 Jan 1970 05:30:00 GMT
NITRO_WEB_APPLICATION: true
Cache-Control: no-cache
Sec-Fetch-Mode: cors
Accept-Language: en-GB,en;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
Content-Length: 581
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Sec-Fetch-Dest: empty

object={"params":{"action":"add","warning":"YES"},"appfwprofile_sqlinjection_binding":{"state":"ENABLED","isregex_sql":"NOTREGEX","sqlinjection":"_fbp","formactionurl_sql":"^https://app\\.company\\.com/$","as_scan_location_sql":"COOKIE","as_value_type_sql":"Wildchar","isvalueregex_sql":"NOTREGEX","as_value_expr_sql":"_","comment":"Deployed from learned data","name":"waf_prf_app.company.com"}}
```

```
GET /nitro/v1/config/appfwprofile_sqlinjection_binding?filter=name:waf_prf_app.company.com,sqlinjection:_fbp,formactionurl_sql:^https://app\.company\.no/$,as_scan_location_sql:COOKIE,as_value_type_sql:Wildchar,as_value_expr_sql:
```
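The pair of NITRO calls in the capture above (POST to add the relaxation, GET with a `filter=` to confirm it) is exactly the check-then-create sequence a provider resource has to perform. The following is an added example, written for this issue and not code from the citrixadc provider or from the commenter; it replays that sequence with Python's standard library. The host, credentials, profile name, cookie name and URL regex are the placeholder values from the capture, not real services, and the `sample_get_response` helper fabricates a reply in NITRO's documented `{"errorcode":0,"message":"Done",...,"<resource>":[...]}` shape so the logic can be exercised offline.

```python
"""
Added example (not the provider's code and not the issue author's):
the two NITRO calls from the capture above as an idempotent
"bind the learned relaxation if it is not already bound" routine.
Host, credentials and binding values are placeholders from the capture.
"""
import json
import ssl
import urllib.parse
import urllib.request

RESOURCE = "appfwprofile_sqlinjection_binding"

# Constructed sample: the learned cookie relaxation from the capture.
LEARNED_COOKIE_RELAXATION = {
    "name": "waf_prf_app.company.com",          # placeholder profile name
    "sqlinjection": "_fbp",
    "isregex_sql": "NOTREGEX",
    "formactionurl_sql": r"^https://app\.company\.com/$",  # placeholder URL
    "as_scan_location_sql": "COOKIE",
    "as_value_type_sql": "Wildchar",
    "isvalueregex_sql": "NOTREGEX",
    "as_value_expr_sql": "_",
    "state": "ENABLED",
    "comment": "Deployed from learned data",
}

# Fields that together identify one binding on a profile. They drive the
# GET filter, so the existence check and the add refer to the same row.
KEY_FIELDS = ("name", "sqlinjection", "formactionurl_sql",
              "as_scan_location_sql", "as_value_type_sql", "as_value_expr_sql")


def add_payload(binding):
    """The object the GUI POSTs: action 'add', with warning=YES so NITRO
    returns warning messages in the response instead of dropping them."""
    return {"params": {"action": "add", "warning": "YES"}, RESOURCE: binding}


def add_body(binding):
    """Form-urlencoded body in the capture's shape: object=<compact json>."""
    return urllib.parse.urlencode(
        {"object": json.dumps(add_payload(binding), separators=(",", ":"))})


def filter_expr(binding):
    """NITRO filter syntax is comma-separated key:value pairs with no escape,
    so a value containing ',' cannot be selected safely; refuse it rather
    than silently matching (or re-creating) the wrong binding."""
    pairs = []
    for key in KEY_FIELDS:
        value = str(binding.get(key, ""))
        if "," in value:
            raise ValueError(f"{key}={value!r}: ',' cannot appear in a NITRO filter")
        pairs.append(f"{key}:{value}")
    return ",".join(pairs)


def sample_get_response(rows):
    """Constructed NITRO GET reply (shape only, not a real capture). NITRO
    omits the resource key entirely when no row matches the filter."""
    doc = {"errorcode": 0, "message": "Done", "severity": "NONE"}
    if rows:
        doc[RESOURCE] = rows
    return json.dumps(doc)


def binding_present(response_text, binding):
    """True if a GET response lists a row equal to `binding` on KEY_FIELDS."""
    doc = json.loads(response_text)
    if doc.get("errorcode", 0) != 0:
        raise RuntimeError(f"NITRO error {doc['errorcode']}: {doc.get('message')}")
    wanted = {k: str(binding.get(k, "")) for k in KEY_FIELDS}
    return any({k: str(row.get(k, "")) for k in KEY_FIELDS} == wanted
               for row in doc.get(RESOURCE, []))


def ensure_binding(host, user, password, binding, cafile=None):
    """Check first, POST only if absent; returns True when an add was sent.
    Auth is the documented per-request X-NITRO-USER/X-NITRO-PASS headers;
    `cafile` pins the appliance certificate instead of disabling TLS checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    base = f"https://{host}/nitro/v1/config/{RESOURCE}"
    auth = {"X-NITRO-USER": user, "X-NITRO-PASS": password}

    query = urllib.parse.urlencode({"filter": filter_expr(binding)})
    req = urllib.request.Request(f"{base}?{query}", headers=auth)
    with urllib.request.urlopen(req, context=ctx) as resp:
        if binding_present(resp.read().decode(), binding):
            return False

    req = urllib.request.Request(
        base, data=add_body(binding).encode(), method="POST",
        headers={**auth, "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        text = resp.read().decode()
    doc = json.loads(text) if text else {}  # an add may answer with an empty 201 body
    if doc.get("errorcode", 0) != 0:
        raise RuntimeError(f"add failed: {doc.get('message')}")
    return True


if __name__ == "__main__":
    # Offline: print the wire form of both calls from the capture.
    print("POST body:", add_body(LEARNED_COOKIE_RELAXATION))
    print("GET filter:", filter_expr(LEARNED_COOKIE_RELAXATION))
```

The comma check in `filter_expr` is the caveat to keep in mind when a provider resource is eventually written for these bindings: `formactionurl_sql` is a regex chosen by the learning engine, and the NITRO filter grammar gives no way to quote a comma inside it, so a Read path that builds the filter from user-supplied values must reject or side-step such values rather than let them match a different row.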

kaiAsmOne commented 10 months ago

Looking at https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/appfw/appfw it seems I need more or less all the "appfwprofile_***_binding" resources implemented to make proper, future-proof DevOps implementations. This seems to be the only part I am missing to make our implementations shine.

I have complete, complex, heavy, enterprise-grade Netscalers in production in Azure now, 100% terraform managed. Management loves how they can audit anything exposed on the internet, hire external auditors, and approve revisions.

Finally do complete blue/green and canary deployments.

kaiAsmOne commented 10 months ago

The load I am running in production on one of my clusters in Azure exceeds Black Friday for a big retail chain of bikes/training outfits/tents/camping gear.

I helped them put Netscaler MPX in front of their SAP Hybris, and I used Netscaler dynamic cache. They survived Black Friday for the first time ever. The site served 3 countries.

The warehouse doing all the shipping for the retail chain actually had to call management and said they would all quit if they did not shut that damn website down due to all the orders because they did not have the staff to handle it all.

Netscaler really bridges the gap.

kaiAsmOne commented 9 months ago

Hi,

Is this feature request on your soon-to-be-released roadmap? Netscaler has a big advantage for large hybrid deploys in the cloud, but currently it is not possible to correctly configure Netscaler as a WAF without the ability to handle WAF rules.

sumanth-lingappa commented 9 months ago

@kaiAsmOne, thank you for your request. We will get back here soon.