By default, Ambassador Labs rules are configured to block malicious requests. However, when a Web Application Firewall is first deployed in a production environment, it is recommended to set it in a non-blocking mode and monitor its behavior to identify potential issues.
The following procedure can be followed to deploy Ambassador Edge Stack's Web Application Firewall in detection-only mode and customize the rules.
Enable Detection Only mode. Detection Only mode will run all rules, but won't execute any disruptive actions. This is configured using the directive SecRuleEngine.
You also want to enable debug logs, which are necessary to identify false positives. You can them in the
WebApplicationFirewallresource as described in the documentation.
Optionally, Coraza debug logs can be enabled by setting the directive SecDebugLogLevel. These logs are very verbose but can help identify issues when the
WebApplicationFirewalllogs don't show enough information.
The following example illustrates this:
Identify false positives. Ambassador Edge Stack's container logs will have one or more entries indicating which rules were applied to a request and why.
For example, the following log entry (formatted for readability) shows that a request to
https://184.108.40.206/backend/was blocked by rule 920350 because the Host header contains an IP address.
If you enabled Coraza debug logs, use the rule ID to identify entries that are not important as follows:
Rules in the range 900000 to 901999 define some Coraza behaviors and can be ignored.
Rules like the one below are used to skip other rules and can be ignored as well.
There are several options to configure if/when a rule runs:
- Disable a rule completely.
- Apply a rule to some requests.
To disable a rule, follow the instructions in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example, save the
configuration as a ConfigMap, and load it after
For example, let's say that we want to disable the rule with ID
913110. The first step is to create the configuration:
And then load it after
To apply a rule only to some requests, update it as described in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example and
load the new settings before
The following example shows how to disable all rules tagged
attack-sqli when the URI does not start with '/api/':