how to enable SIMULATE mode in lua-resty-waf ?

[vietwow]

Hi,

lua-resty-waf was implememented in ingress-ingress (#2304). I am very appreciated your effort. One of the most important feature (I think) of lua-resty-waf is enabling this:

waf:set_option("mode", "SIMULATE")

This mode let me activate lua-resty-waf but just only warning (logging), when there is a request that match the waf rules, not blocking the request. This mode is really necessary when we are in production mode and not yet ready for a stable rules (in experiment).

So how can I enable this mode in ingress-nginx ? is this supported ? Thank you so much.

Best Regards,
VietNC

[ElvinEfendi]

Hi VietNC,

it is not supported as of now, but will be supported soon - I have a WIP PR that will be ready soon.

[vietwow]

Hi @ElvinEfendi ,

Thank you so much. Really looking forward this, is it #2315 ? I have take a look this pull request, but still can't found the info relate to "waf:set_option" with "mode" ?

Best Regards,
VietNC

[ElvinEfendi]

no, https://github.com/kubernetes/ingress-nginx/pull/2317/files is the one.

[ElvinEfendi]

(unrelated to this issue, but thought I might ask this here)

@vietwow what storage_backend do you use in your production environment? If you're using Lua shared dictionary, how much memory do you allocate for it? We are currently setting it to 64M but I pulled it pretty much out of nowhere - I don't have operational experience with running lua-resty-waf in production. It'd be great if you can provide us some information so that we can come up with a better number.