Skip to content

feat(lab11): hardened nginx and WAF sidecar#5

Open
karmihkr wants to merge 1 commit into
mainfrom
feature/lab11
Open

feat(lab11): hardened nginx and WAF sidecar#5
karmihkr wants to merge 1 commit into
mainfrom
feature/lab11

Conversation

@karmihkr

Copy link
Copy Markdown
Owner

Goal

Complete Lab 11 by hardening an Nginx reverse proxy with TLS 1.3, security headers, rate limiting, and an OWASP CRS WAF configuration.

Changes

  • Hardened labs/lab11/reverse-proxy/nginx.conf with TLS 1.3, HTTPS redirect, security headers, rate limiting, timeouts, and cipher hardening
  • Added OWASP CRS WAF configuration in labs/lab11/waf/docker-compose.override.yml
  • Added validation results and submissions/lab11.md

Testing

Commands executed:

docker compose up -d
curl -I http://localhost
curl -kI https://localhost
openssl s_client -connect localhost:443 -tls1_3
seq 1 60 | xargs ...
curl -k "https://localhost/rest/products/search?q=%27%20OR%201=1--"

Observed results:

  • HTTP requests are redirected to HTTPS
  • TLS 1.3 is negotiated successfully
  • Required security headers are present
  • Rate limiting returns HTTP 429
  • Timeout protection is enforced
  • TLS cipher and X25519 are in use
  • WAF blocks the SQL injection payload with HTTP 403
  • OWASP CRS audit log records the matching rule

Artifacts & Screenshots

  • submissions/lab11.md
  • labs/lab11/reverse-proxy/nginx.conf
  • labs/lab11/results/
  • labs/lab11/waf/docker-compose.override.yml

Checklist

  • Title is clear (feat(lab11): hardened nginx and WAF sidecar)
  • No secrets/large temp files committed
  • Submission file at submissions/lab11.md exists

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant