Age | Commit message (Collapse) | Author | Files | Lines |
|
- Updates the rpm package download for snort. The docker build
is currently failing due a stale link.
Change-Id: If7cf6b0d29f39be9eb7d5f08b59d763f4715a4c1
Signed-off-by: earrage <eddie.arrage@huawei.com>
|
|
- Modify nginx server template to use clover-controller
in clover-system namespace for file upload
- Add ability to set nginx server paths and move uploaded files
in clover-controller and set/get file upload metadata
- Add cloverctl commands to set nginx server and lb configurations
- Add example yaml files to configure nginx server and
lb v1/v2 from cloverctl
- Modify service definition for http-lb versions to distinguish
the two versions for GRPC messaging from clover-controller in SDC
deployment yaml
Change-Id: I5c6866c5ff3de358939c58ea8c0bde64a69c6eca
Signed-off-by: earrage <eddie.arrage@huawei.com>
|
|
|
|
- A psutil dependency was added in the latest Clover server version
that was not added to the docker builds of the lb/proxy
Change-Id: Id48c3446a93d6b9cef65d453266d0bf15eddf6cc
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
This patch adds ModSecurity config guide.
This patch also deploy the modsecurity and ext_authz filter to clover-gateway namespace.
Change-Id: I5ab21e6337b8f8b839ddd028370df378686bd017
Signed-off-by: JingLu5 <lvjing5@huawei.com>
|
|
|
|
- Compile nginx from source in order to employ additional modules
- Add nginx-upload-module for high performance file upload that
avoids the need for file copies with a web application.
- File upload allows for placement of files for file download
for performance benchmarking.
- File upload can also be used directly for bi-directional throughput
testing having emulated clients upload files while file downloads
simultaneously occur.
- Nginx file upload stores files with hash to avoid conflicting
file names. Upload block in nginx config is configured to send
REST message to clover-controller with file metadata (original
filename, size, etc.) clover-controller will be responsible for
modifying the hashed filename and placing in a target directory
within an nginx server.
- Build also adds nginx-rtmp module to act as streaming media server
L7 loader will be extended to fetch streaming files from RTMP
servers.
- Add ability to create directories in server site root
and create the location directive(s) in nginx configuration
- Separated upload for configuration (download
files in various paths) from upload for testing (upload
to create bi-directional session throughput)
- Upload for testing does not sent upload metadata to
clover-controller
- Added ability to move upload files to file folders in the nginx site
root to use for download
- Delete files in upload folder
- Fixed issue with 426 Upgrade Required error message
when upload module sends upload metadata to clover-controller
- Added server name to metadata sent to clover-controller
Change-Id: Ib4cf6240f92360b82f378c062675f4fdaa19ca93
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
JIRA: CLOVER-68
1. Add Dockerfile and related files to build clover's modsecurity Docekr container
2. Add mainfest to install the Modsecurity in kubernetes cluster
Change-Id: Ia92926e730c04720f931999d7ec30565ce9e54be
Signed-off-by: JingLu5 <lvjing5@huawei.com>
|
|
there is a issue "No module named google.protobuf",
when trying to run the services docker.
Add the protobuf in services Dockerfile.
Change-Id: I280dc1d5908bcec784e9e1e7c4d07e145f092cdb
Signed-off-by: wutianwei <wutianwei1@huawei.com>
|
|
- Fix bug with addition of content field in rule definition
that causes rules with a blank content fields to inhibit
snort from starting successfully.
- Write more of the packet data for snort alert into Redis
- Above includes X-Real-IP, X-Forwarded-For header fields
for http traffic from proxy that shows source IP
Some packet data is missing in alerts from snort.
Change-Id: I2c5c29e514d1ca9e8e5b9b3f7990afa87c6311b9
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Exposed the 'content' field in the GRPC server AddRules method
- Allows the 'MALWARE-CNC User-Agent ASafaWeb Scan' signature
in the community rules to be copied to local rules
- Above ensures more deterministic alerts by snort each time
the signature is hit
- Added here to support the SDC configuration guide, which details
how to add this scan rule via GRPC client script
Change-Id: I6945c1e500075444134543bb9eb6003a03f1d5cc
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
|
|
- Modified snort-ids alert process to use k8s DNS name
'proxy-access-control' to align with SDC scenario naming
- Added default port 50054 to the manifest yaml template and
rendering script for communication with proxy-access-control
Change-Id: Ib04ee75e5d8ea9921b16b3b4469bed87b1cd2018
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Provide workaround to make nginx lb work properly
- nginx_client sample can modify default load balancing
from three to two servers at runtime
- Ensure port 9180 is used for default deploy for lb and
servers
- Modify render_yaml to specify deploy_name so that
clover-server1, 2, 3 can be used for default lb config
- Ensure proxy template is aligned to lb to allow the
source IP from originating host to be propagated to final
destination
- Fix default nginx proxy server_name to 'proxy-access-control'
and change default proxy destination to 'http-lb'
- Split lb service_type to 'lbv1' and 'lbv2' to provide an example
of how to modify the run-time configuration of the load balancer
after deployment - modify http-lb-v2 to use clover-server4/5 instead
of the defualt clover-server1/2/3 - modify http-lb-v1 to use
clover-server1/2 instead of 1/2/3
- Aligned pod IP retrival method with nginx_client.py
Change-Id: I73fa60a69c93ae1e82a477ef6283c00f67a21360
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
|
|
- Initial commit to show potential structure of a sample service
- This wil be part of a larger sample application currently dubbed
Service Delivery Controller
- Docker container needs to be built and employs open-source Linux packages
- Service is deployable in Istio service mesh using provided yaml
- Control snort daemon and add custom rules with GRPC messaging
- Process snort alerts actively and send to redis and upstream service
mesh components
- Integrates a web server for better HTTP signature detection
- Improved build script for CI with variables
- Render k8s yaml snort manifest dynamically with command
line options
- Improve snort_client sample script for runtime modifications
including passing args on CLI, error checking
- Update nginx proxy interface
- Added logging to snort server and alert process
Change-Id: Ic56f9fcd9ed21f64b84b85ac8ee280d69af7b7c9
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|
|
- Proxy allows ingress traffic to be sent to another element in
service mesh
- Mirroring is also in the default configuration
- Default configuration is to proxy to a clover-server and mirror
to snort-ids
- A location_path (URI in HTTP requests) can be reconfigured to
restrict proxing; default to '/'
- A proxy_path can be reconfigured to specify an alternate destination
- A mirror path can be reconfigured to specify where traffic
will be spanned
- The default server_port (listen port) for the proxy is 9180 but can be
reconfigured
- The default server_name is http-proxy but can be reconfigured
- Reconfiguration is done over GRPC with jinja2 template for nginx
- Currently snort ids sends alerts to proxy with stub code in GRPC
- Refactored the code to have a nginx base with subservices
- Proxy, Load Balancer (lb), and Server can share code - mainly GRPC
server
- Nginx subservices have separate docker builds
- Improved build scripts for CI
- Render yaml manifests dynamically
- Improve nginx_client for runtime modifications (but not really
useful yet)
Change-Id: Icbff6890021bcc8a8da4690c9261205d6e1ca43a
Signed-off-by: Eddie Arrage <eddie.arrage@huawei.com>
|