Disable DenyRules for specific source IP address

Hi,

Is it possible to disable all filtering (Deny Rules) for the Airlock Microgateway for a specific source IP address?

The purpose is to conduct a web penetration test.

Thanks,
Markus

Hi Markus

Yes, it is possible to disable all deny rules for a certain IP address. This can be accomplished if an exception is configured with a requestConditions matching the pentester IP address. Please use this setting carefully as mentioned in our documentation:

Documentation: Deny rule exceptions

The following example should illustrate how to create the configuration:

apiVersion: microgateway.airlock.com/v1alpha1
kind: DenyRules
metadata:
  name: deny-rules-example
spec:
  request:
    builtIn:
      exceptions:
        - requestConditions:
            remoteIP:
              cidrRanges:
                - <PENTESTER-IP-ADDRESS>/32

Be aware that the setting downstream.remoteIP within SidecarGateway is used to retrieve the remote IP address which is used in the deny rule exception.

apiVersion: microgateway.airlock.com/v1alpha1
kind: SidecarGateway
metadata:
  name: sidecar-gateway-example
spec:
  podSelector:
    matchLabels:
      # podSelector which matches the example app to protect.
      app: example-app

  applications:
    - containerPort: 8080
      routes:
        - pathPrefix: /
          secured:
            contentSecurityRef:
              name: content-security-example
      downstream:
        # Configure 'remoteIP' extraction.
        remoteIP:
          xff:
            numTrustedHops: 1

The setting is briefly described here:
Documentation: Downstream remote IP settings

To ensure that downstream.remoteIP is configured properly, simply check the logs to see whether the correct IP address is logged in network.forwarded_ip. See log field reference:
Documentation: Access log field reference

I do hope that this does answer your question.

Cheers
Stefan
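As an added example (not part of this thread and not Airlock's own code), the following Python helper mirrors the two checks in the answer above: resolving the remote IP from X-Forwarded-For under a given numTrustedHops (Envoy-style counting from the right is assumed, since Microgateway is Envoy-based), and auditing access-log lines by network.forwarded_ip against the exception CIDR list. The JSON log layout and all addresses are constructed; the CIDR stands in for the `<PENTESTER-IP-ADDRESS>/32` placeholder.

```python
import ipaddress
import json

# Constructed: the cidrRanges from the DenyRules exception (one /32 only).
EXCEPTION_CIDRS = ["203.0.113.10/32"]

# Constructed sample access-log lines; the nesting of network.forwarded_ip
# is an assumption about the log layout, not the product's exact schema.
SAMPLE_LOG = [
    '{"http": {"request": {"path": "/login"}}, "network": {"forwarded_ip": "203.0.113.10"}}',
    '{"http": {"request": {"path": "/login"}}, "network": {"forwarded_ip": "198.51.100.7"}}',
]


def remote_ip_from_xff(xff_header, num_trusted_hops, peer_ip):
    """Derive the remote IP the way an xff.numTrustedHops extraction does
    (assumed Envoy semantics): with N trusted hops, take the N-th entry from
    the right of X-Forwarded-For; with 0, or a header that is too short,
    fall back to the TCP peer address. Entries further left are client
    supplied and are deliberately ignored."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if num_trusted_hops <= 0 or len(hops) < num_trusted_hops:
        return peer_ip
    return hops[-num_trusted_hops]


def matches_exception(ip, cidrs=EXCEPTION_CIDRS):
    """True if ip falls inside any exception range (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def audit_access_log(lines, cidrs=EXCEPTION_CIDRS):
    """For each log line return (forwarded_ip, exception_applies) so an
    operator can confirm only the intended address bypasses the deny rules."""
    results = []
    for line in lines:
        entry = json.loads(line)
        fwd = entry.get("network", {}).get("forwarded_ip")
        results.append((fwd, fwd is not None and matches_exception(fwd, cidrs)))
    return results


if __name__ == "__main__":
    for fwd, bypass in audit_access_log(SAMPLE_LOG):
        print(f"forwarded_ip={fwd} deny_rules_bypassed={bypass}")
```

If numTrustedHops is set higher than the real number of proxies in front of the gateway, a client-supplied X-Forwarded-For entry becomes the "remote IP", so verify the logged network.forwarded_ip before relying on the exception.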


fantastic, thanks a bunch!