This article was first published on the author's WeChat public account: Network Security Life Cycle
Original link: Create an open source WAF gateway
Background
In the Internet industry, Google has long been the model that other companies learn from when it comes to securing its internal infrastructure. On the web side, every service is published externally through a unified GFE (Google Front End): a service only has to register with GFE, GFE serves the correct certificate for it, and the TLS connection is secured at GFE.
Microsoft, for its part, has a product called Azure Application Gateway that provides unified web routing, load balancing and WAF (Web Application Firewall) capabilities.
Unfortunately, neither of these can be deployed privately: Google Front End and Azure Application Gateway serve only their owners' own businesses and their own cloud customers. If you want to use them, you have to use their cloud services; otherwise there is nothing you can do.
Benchmarking and product design
With this in mind, I wanted to take GFE and Azure Application Gateway as reference points and build an infrastructure-level application security product to defend my own personal site. The product needs:
1. A unified network entry point that can run as multiple nodes with load-balanced scheduling, i.e. an application gateway;
2. WAF (Web Application Firewall) functionality to intercept common web intrusions (such as SQL injection, command injection, XSS, and webshell upload or connection) as well as data-leakage events;
(Figure: the red cross in the middle of the diagram marks the interception of a malicious attack.)
3. For CC attacks and simple automated abuse ("brushing") scenarios, block the traffic or present a CAPTCHA once a configured threshold is reached.
Features
Of course, these are just the basic functions. I also hope it can be a differentiated product with the following characteristics:
1. No agent to install
Agents are cumbersome to maintain; configuring everything from a browser is simpler, for example when configuring an application.
2. HTTPS support
The gateway must also manage certificates and protect private keys: certificate and private key files should no longer sit directly in a server directory (so that an intruder cannot steal the private key). Instead, the gateway administrator requests and configures the certificate, and business owners can enable HTTPS without ever touching the certificate file.
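The key-handling requirement above (the private key held only in encrypted form, the certificate usable without a key file on disk) can be implemented in Go, the language the gateway is written in, as sketched below. This is an added example written for this article, not code from the Janusec project: the names MasterKey, SealKey, OpenKey, CertificateFromStore and GenerateSelfSigned are assumptions for illustration, the self-signed certificate is constructed so the example runs offline, and the random master key in main stands in for a secret that a deployment would fetch from a KMS or the operator.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MasterKey is the gateway's key-encryption key (assumed name). It comes from a
// KMS or an operator-supplied secret, never from the database holding sealed keys.
type MasterKey [32]byte

func newGCM(mk MasterKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(mk[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealKey encrypts a PEM private key with AES-256-GCM; the random nonce is prepended.
func SealKey(mk MasterKey, keyPEM []byte) ([]byte, error) {
	gcm, err := newGCM(mk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, keyPEM, nil), nil
}

// OpenKey decrypts a SealKey blob; a wrong key or tampered blob fails authentication.
func OpenKey(mk MasterKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(mk)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed key too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// CertificateFromStore rebuilds a tls.Certificate from the public certificate PEM
// and the sealed key entirely in memory: no key file ever touches disk.
func CertificateFromStore(mk MasterKey, certPEM, sealedKey []byte) (tls.Certificate, error) {
	keyPEM, err := OpenKey(mk, sealedKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.X509KeyPair(certPEM, keyPEM)
}

// GenerateSelfSigned produces a constructed certificate and key for this example;
// a real gateway would have the administrator obtain the certificate from a CA.
func GenerateSelfSigned(host string) (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	var mk MasterKey
	rand.Read(mk[:]) // illustrative only; a deployment loads this from a KMS
	certPEM, keyPEM, _ := GenerateSelfSigned("your_domain.com")
	sealed, _ := SealKey(mk, keyPEM) // the database stores this blob, never keyPEM
	cert, err := CertificateFromStore(mk, certPEM, sealed)
	fmt.Println("sealed bytes:", len(sealed), "chain length:", len(cert.Certificate), "err:", err)
}
```

The sealed blob and the certificate PEM are what go into the database; CertificateFromStore runs at start-up or on certificate rotation to populate tls.Config.Certificates, so the decrypted PEM exists only in process memory. Because GCM authenticates the ciphertext, a wrong master key or a modified database row is rejected outright rather than producing a corrupt key.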
3. Linkage (combined conditions)
Many WAF policies can only check a single location (such as a GET or POST parameter value). If a decision has to combine the request with the response, or several conditions at once, they cannot express it. This limitation must be broken so that multiple checkpoints can be combined, and in particular so that the request and the response can be linked together in one policy.
4. Blocking illegal domain names
Someone once pointed a domain such as fuck_your_domain.com at the your_domain.com site. If the server is misconfigured, it may answer such requests normally, exposing the company to PR risk. So when an unregistered domain is pointed at the gateway, the gateway should refuse to respond.
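Items 3 and 4 above can be demonstrated together in Go, the language the gateway is written in. What follows is an added example, not code from the Janusec project: the Policy and Gateway types, the constructed backend (which deliberately leaks a database error on /api/err), the registered host your_domain.com and the two rules are all assumptions made for illustration. A rule is a set of optional patterns over request and response checkpoints that must all match, so a single rule can link a request path with a response status and body; a Host that nobody registered is refused before anything else runs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// Policy holds one optional pattern per checkpoint (nil = not checked) and fires
// only when every set pattern matches, so request and response conditions link.
type Policy struct {
	Name                              string
	Path, Query, RespStatus, RespBody *regexp.Regexp
}

func (p Policy) needsResponse() bool { return p.RespStatus != nil || p.RespBody != nil }
func match(re *regexp.Regexp, s string) bool { return re == nil || re.MatchString(s) }

// matches decodes the query string first so "+" and %xx encodings cannot hide a
// pattern; status and body are empty until the backend has answered.
func (p Policy) matches(r *http.Request, status int, body []byte) bool {
	query := r.URL.RawQuery
	if q, err := url.QueryUnescape(query); err == nil {
		query = q
	}
	return match(p.Path, r.URL.Path) && match(p.Query, query) &&
		match(p.RespStatus, fmt.Sprint(status)) && match(p.RespBody, string(body))
}

// Gateway routes by Host to a registered application and applies policies.
type Gateway struct {
	Apps     map[string]http.Handler // registered domain -> backend
	Policies []Policy
}

func (g *Gateway) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	host, _, _ := strings.Cut(r.Host, ":") // drop an explicit port before lookup
	backend, ok := g.Apps[host]
	if !ok { // a domain nobody registered was pointed at us: refuse to answer
		http.Error(w, "unknown host", http.StatusForbidden)
		return
	}
	for _, p := range g.Policies { // request-only rules block before forwarding
		if !p.needsResponse() && p.matches(r, 0, nil) {
			http.Error(w, "blocked by "+p.Name, http.StatusForbidden)
			return
		}
	}
	rec := httptest.NewRecorder() // buffer the answer so linked rules see both sides
	backend.ServeHTTP(rec, r)
	for _, p := range g.Policies {
		if p.needsResponse() && p.matches(r, rec.Code, rec.Body.Bytes()) {
			http.Error(w, "blocked by "+p.Name, http.StatusForbidden)
			return
		}
	}
	for k, v := range rec.Header() {
		w.Header()[k] = v
	}
	w.WriteHeader(rec.Code)
	w.Write(rec.Body.Bytes())
}

// NewDemoGateway wires a constructed backend (leaks a database error on /api/err)
// to a request-only SQL injection signature and a linked rule that fires only when
// an /api/ request yields a 5xx whose body carries that error.
func NewDemoGateway() *Gateway {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/api/err" {
			w.WriteHeader(http.StatusInternalServerError)
			fmt.Fprint(w, "You have an error in your SQL syntax")
			return
		}
		fmt.Fprint(w, "hello")
	})
	return &Gateway{
		Apps: map[string]http.Handler{"your_domain.com": backend},
		Policies: []Policy{
			{Name: "sqli-query", Query: regexp.MustCompile(`(?i)union\s+select`)},
			{Name: "db-error-leak", Path: regexp.MustCompile(`^/api/`),
				RespStatus: regexp.MustCompile(`^5`), RespBody: regexp.MustCompile(`(?i)sql syntax`)},
		},
	}
}

func Serve(g *Gateway, rawURL string) (int, string) {
	rec := httptest.NewRecorder()
	g.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawURL, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	g := NewDemoGateway()
	code, body := Serve(g, "http://your_domain.com/api/err")
	fmt.Printf("/api/err -> %d %q\n", code, body)
}
```

Buffering the backend response (here with httptest.ResponseRecorder for brevity; a production gateway would use its own buffering http.ResponseWriter) is what makes the linkage possible: the response-side conditions are evaluated before the first byte reaches the client, so a leaked database error is replaced by a 403 instead of trailing a partially sent body. Decoding the query string before matching is the other practical detail: a signature applied to the raw encoded query would not see the whitespace the pattern expects.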
5. Certificate quality
Not all HTTPS is secure: misconfiguration and poor algorithm choices can be exploited, and SSL 1.0, SSL 2.0, SSL 3.0 and TLS 1.0 all have known vulnerabilities. If your business handles payments, PCI-DSS certification has specific requirements for certificate quality, such as using a protocol version of TLS 1.1 or later and using a forward-secret (forward security) algorithm for the key exchange. The gateway therefore needs to enable these secure settings by default.
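A Go gateway can make these defaults concrete and can also audit what was actually negotiated on a connection. The following is an added example, not Janusec code; NewTLSConfig, ForwardSecret and Audit are names chosen here. It sets TLS 1.2 as the floor (stricter than the TLS 1.1 minimum quoted above, which it therefore still satisfies), restricts TLS 1.2 to ECDHE suites so every key exchange is forward secret, and Audit reports the two findings this section asks about for a given connection state; the legacy connection state in main is constructed, not captured from a real client.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// NewTLSConfig is a secure-by-default server configuration: TLS 1.2 as the floor,
// only ECDHE suites for TLS 1.2 so every handshake has forward secrecy, and modern
// curves first. TLS 1.3 suites are not configurable in Go and are always forward
// secret, so they need no entry here.
func NewTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// ForwardSecret reports whether a cipher suite uses an ephemeral key exchange.
// Suites Go itself classifies as insecure, and unknown IDs, count as not forward
// secret.
func ForwardSecret(id uint16) bool {
	for _, s := range tls.CipherSuites() {
		if s.ID != id {
			continue
		}
		if strings.HasPrefix(s.Name, "TLS_ECDHE_") {
			return true
		}
		for _, v := range s.SupportedVersions { // TLS 1.3 suites: always (EC)DHE
			if v == tls.VersionTLS13 {
				return true
			}
		}
		return false
	}
	return false
}

// Audit applies the two certificate-quality checks from the text to a negotiated
// connection and returns the findings (an empty slice means the connection passes).
func Audit(cs tls.ConnectionState) []string {
	var findings []string
	if cs.Version < tls.VersionTLS11 {
		findings = append(findings, fmt.Sprintf("protocol 0x%04x is below TLS 1.1", cs.Version))
	}
	if !ForwardSecret(cs.CipherSuite) {
		findings = append(findings, "cipher suite without forward secrecy: "+tls.CipherSuiteName(cs.CipherSuite))
	}
	return findings
}

func main() {
	cfg := NewTLSConfig()
	for _, id := range cfg.CipherSuites {
		fmt.Printf("%-45s forward secret: %v\n", tls.CipherSuiteName(id), ForwardSecret(id))
	}
	// Constructed legacy connection state (TLS 1.0 with static RSA key exchange).
	legacy := tls.ConnectionState{Version: tls.VersionTLS10, CipherSuite: tls.TLS_RSA_WITH_AES_128_CBC_SHA}
	fmt.Println(Audit(legacy))
}
```

Audit is meant to run on the tls.ConnectionState of an accepted connection (available on the request as r.TLS in net/http) so the gateway can log, in one place, any client that still negotiates settings the payment requirements forbid; with NewTLSConfig in place such connections are not accepted in the first place, so the audit doubles as a regression check on the configuration.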
Open source
Yes, I spent my weekends (around time with my kids) building a version with these basic functions, the JANUSEC Application Gateway, and have been using it on my personal website. Now I am sharing it with you:
https://github.com/Janusec/janusec
This is a Golang-based application security gateway with WAF (Web Application Firewall) capabilities and combinable policy configuration. It natively supports HTTPS (meeting PCI-DSS certification requirements), needs no agent, stores private keys encrypted in the database, provides load balancing, and offers a unified web management portal.
It is still being improved; stars, forks, pull requests and issues are welcome, or download a release and try it out, so that together we can strengthen application security defenses.
Notes
This product does not solve every security problem: it cannot replace anti-DDoS products, HIDS products, or day-to-day security operations. But when you plan to build a layered security defense system from scratch, especially on the application security side, it can cut off typical intrusion attempts on a critical path, block most probing payloads, and greatly raise the cost of an intrusion; it can also serve as gateway infrastructure for rolling out HTTPS from the outset and protecting data in transit outside the network.
You are welcome to follow the public account Network Security Life Cycle, so we can explore building a network security system together ~