Commit 1467c9b7 authored by Achilleas Pipinellis

Merge branch 'updated_docs_with_modsecurity_settings' into 'master'

Documentation for ModSecurity UI settings

See merge request gitlab-org/gitlab!25077
parents 2e339418 b7a0c605
...@@ -14,16 +14,6 @@ need to ensure your own [Runners are configured](../../ci/runners/README.md) and ...@@ -14,16 +14,6 @@ need to ensure your own [Runners are configured](../../ci/runners/README.md) and
**Note**: GitLab's Web Application Firewall is deployed with [Ingress](../../user/clusters/applications.md#Ingress), **Note**: GitLab's Web Application Firewall is deployed with [Ingress](../../user/clusters/applications.md#Ingress),
so it will be available to your applications no matter how you deploy them to Kubernetes. so it will be available to your applications no matter how you deploy them to Kubernetes.
## Enable or disable ModSecurity
ModSecurity is enabled by default on GitLab.com. You can toggle the feature flag to false by running the following command in the Rails console:
```ruby
Feature.disable(:ingress_modsecurity)
```
Once disabled, you must uninstall and reinstall your Ingress application for the changes to take effect. See the [Feature Flag](../../user/project/operations/feature_flags.md) documentation for more information.
## Configuring your Google account ## Configuring your Google account
Before creating and connecting your Kubernetes cluster to your GitLab project, Before creating and connecting your Kubernetes cluster to your GitLab project,
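Review bot: Deleting the whole "Enable or disable ModSecurity" section leaves the quick start guide with no statement of how the WAF is turned off or where that is now documented. The removed text also carried the operational caveat that Ingress had to be uninstalled and reinstalled for the change to take effect. Suggest replacing the section with a one-line pointer to the place that documents the new toggle. If the `ingress_modsecurity` feature flag still exists, say so there rather than dropping the reference without comment.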
...@@ -112,10 +102,9 @@ Once it is installed, the other applications that rely on it will each have thei ...@@ -112,10 +102,9 @@ Once it is installed, the other applications that rely on it will each have thei
For this guide, we need to install Ingress. Ingress provides load balancing, For this guide, we need to install Ingress. Ingress provides load balancing,
SSL termination, and name-based virtual hosting, using NGINX behind SSL termination, and name-based virtual hosting, using NGINX behind
the scenes. Make sure that the **Enable Web Application Firewall** button is checked the scenes. Make sure to switch the toogle to the enabled position before installing.
before installing.
![Cluster applications](./img/guide_waf_ingress_installation.png) ![Cluster applications](./img/guide_waf_ingress_installation_v12_9.png)
After Ingress is installed, wait a few seconds and copy the IP address that After Ingress is installed, wait a few seconds and copy the IP address that
is displayed in order to add in your base **Domain** at the top of the page. For is displayed in order to add in your base **Domain** at the top of the page. For
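Review bot: Typo in the added sentence: "toogle" should be "toggle". The sentence also no longer says which toggle is meant, now that the **Enable Web Application Firewall** label has been removed. Suggest naming the control with the label shown in `guide_waf_ingress_installation_v12_9.png`, so a reader following the guide cannot install Ingress with the WAF left off and not notice.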
......
...@@ -279,21 +279,23 @@ This feature: ...@@ -279,21 +279,23 @@ This feature:
kubectl logs -n gitlab-managed-apps $(kubectl get pod -n gitlab-managed-apps -l app=nginx-ingress,component=controller --no-headers=true -o custom-columns=:metadata.name) modsecurity-log -f kubectl logs -n gitlab-managed-apps $(kubectl get pod -n gitlab-managed-apps -l app=nginx-ingress,component=controller --no-headers=true -o custom-columns=:metadata.name) modsecurity-log -f
``` ```
To enable ModSecurity, check the **Enable Web Application Firewall** checkbox To enable WAF, switch its respective toggle to the enabled position when installing or updating [Ingress application](#ingress).
when installing your [Ingress application](#ingress).
If this is your first time using GitLab's WAF, we recommend you follow the If this is your first time using GitLab's WAF, we recommend you follow the
[quick start guide](../../topics/web_application_firewall/quick_start_guide.md). [quick start guide](../../topics/web_application_firewall/quick_start_guide.md).
There is a small performance overhead by enabling ModSecurity. If this is There is a small performance overhead by enabling ModSecurity. If this is
considered significant for your application, you can disable ModSecurity's considered significant for your application, you can disable ModSecurity's
rule engine for your deployed application by setting rule engine for your deployed application in any of the following ways:
[the deployment variable](../../topics/autodevops/index.md)
1. Setting [the deployment variable](../../topics/autodevops/index.md)
`AUTO_DEVOPS_MODSECURITY_SEC_RULE_ENGINE` to `Off`. This will prevent ModSecurity `AUTO_DEVOPS_MODSECURITY_SEC_RULE_ENGINE` to `Off`. This will prevent ModSecurity
from processing any requests for the given application or environment. from processing any requests for the given application or environment.
To permanently disable it, you must [uninstall](#uninstalling-applications) and 1. Switching its respective toggle to the disabled position and applying changes through the **Save changes** button. This will reinstall
reinstall your Ingress application for the changes to take effect. Ingress with the recent changes.
![Disabling WAF](../../topics/web_application_firewall/img/guide_waf_ingress_save_changes_v12_9.png)
### JupyterHub ### JupyterHub
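Review bot: The new numbered list presents the two ways of disabling as interchangeable, but by their own wording they differ in scope. The first item sets `AUTO_DEVOPS_MODSECURITY_SEC_RULE_ENGINE` to `Off` "for the given application or environment", while the second item switches the toggle off and reinstalls Ingress. Suggest stating in the second item whether it applies to every application behind that Ingress, since the lead sentence still reads "for your deployed application". Two wording points in the added lines: "its respective toggle" has no clear antecedent and should name the control, and "[Ingress application](#ingress)" needs "the" in front of it.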
......