diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-02-06 12:10:29 +0000 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-02-06 12:10:29 +0000 |
| commit | 5564275a0b378298dc6281599cbfe71a937109ff (patch) | |
| tree | a468e1e60046356410219c35c23a8a428c5e2c5e /doc/topics | |
| parent | d87918510a866a5fcbbc2f899ad65c6938ebf5f5 (diff) | |
| download | gitlab-ce-5564275a0b378298dc6281599cbfe71a937109ff.tar.gz | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'doc/topics')
| -rw-r--r-- | doc/topics/autodevops/index.md | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/doc/topics/autodevops/index.md b/doc/topics/autodevops/index.md index 4268e386425..cc9ef3ab5c5 100644 --- a/doc/topics/autodevops/index.md +++ b/doc/topics/autodevops/index.md @@ -762,6 +762,39 @@ networkPolicy: app.gitlab.com/managed_by: gitlab ``` +#### Web Application Firewall (ModSecurity) customization + +> [Introduced](https://gitlab.com/gitlab-org/charts/auto-deploy-app/-/merge_requests/44) in GitLab 12.8. + +Customization on an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) or on a deployment base is available for clusters with [ModSecurity installed](../../user/clusters/applications.md#web-application-firewall-modsecurity). + +To enable ModSecurity with Auto Deploy, you need to create a `.gitlab/auto-deploy-values.yaml` file in your project with the following attributes. + +|Attribute | Description | Default | +-----------|-------------|---------| +|`enabled` | Enables custom configuration for modsecurity, defaulting to the [Core Rule Set](https://coreruleset.org/) | `false` | +|`secRuleEngine` | Configures the [rules engine](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secruleengine) | `DetectionOnly` | +|`secRules` | Creates one or more additional [rule](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRule) | `nil` | + +In the following `auto-deploy-values.yaml` example, some custom settings +are enabled for ModSecurity. Those include setting its engine to +process rules instead of only logging them, while adding two specific +rules which are header-based: + +```yaml +ingress: + modSecurity: + enabled: true + secRuleEngine: "On" + secRules: + - variable: "REQUEST_HEADERS:User-Agent" + operator: "printer" + action: "log,deny,id:'2010',status:403,msg:'printer is an invalid agent'" + - variable: "REQUEST_HEADERS:Content-Type" + operator: "text/plain" + action: "log,deny,id:'2011',status:403,msg:'Text is not supported as content type'" +``` + #### Running commands in the container Applications built with [Auto Build](#auto-build) using Herokuish, the default |