title description video_embed author marp theme class
Microservices Security Pattern in Kubernetes
How do I secure my APIs and apps to be production-ready? In this session, you'll learn about the sidecar pattern and policies that can make your services more secure and resilient, including a live hacking demo.
<iframe width="560" height="315" src="https://www.youtube.com/embed/k1TYMMxgldY" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
Chris Nesbitt-Smith
true
themes/cns
lead

bg

Microservices Security Pattern

Chris Nesbitt-Smith

LearnK8s | Appvia


👋


bg right

Chris Nesbitt-Smith

  • Learnk8s - Instructor
  • Appvia - Digital Transformation Consultant
  • Home Office (UK gov) - Consultant
  • Opensource:
    • OpenZWave
    • Z-Wave JS
    • Many small projects

🙋‍♀️🙋‍♂️🙋


bg


🧨


bg

<style scoped> h1 { background: rgba(255,255,255,0.9); padding:1em; } </style>

sql-injection-k8s.herokuapp.com


bg fit


bg

92.105.22.161 - - [14/Feb/2022:03:48:55 +0000] "POST /HNAP1/ HTTP/1.1" 404 134 "-" "Mozila/5.0"

7.53.212.184 - - [14/Feb/2022:04:11:57 +0000] "GET /.env HTTP/1.1" 404 162 "-"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"

92.105.22.161 - - [14/Feb/2022:04:16:54 +0000] "GET /.env HTTP/1.1" 404 197 "-" "Mozilla/5.0
(X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.40

24.99.105.22.161 - - [14/Feb/2022:04:16:55 +0000] "POST / HTTP/1.1" 405 568 "-" "Mozilla/5.0
(X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"

7.51.240.114 - - [14/Feb/2022:04:18:57 +0000] "GET /dispatch.asp HTTP/1.1" 404 134 "-"
"Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X; en-US) AppleWebKit/531.5.2 (KHTML, like Gecko)
Version/4.0.5 Mobile/8B116 Safari/6531.5.2"

215.74.51.24 - - [14/Feb/2022:04:42:23 +0000] "HEAD / HTTP/1.0" 200 0 "-" "-"

193.246.247.130 - - [14/Feb/2022:07:38:40 +0000] "GET /icons/ubuntu-logo.png HTTP/1.1" 404 197
"http://79.155.234.179/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/98.0.4758.87 Safari/537.36"

193.246.247.130 - - [14/Feb/2022:07:38:42 +0000] "GET /favicon.ico HTTP/1.1" 404 197
"http://79.155.234.179/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/98.0.4758.87 Safari/537.36"

193.246.247.130 - - [14/Feb/2022:07:44:02 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.87
Safari/537.36"

193.246.247.130 - - [14/Feb/2022:07:44:02 +0000] "GET /icons/ubuntu-logo.png HTTP/1.1" 404 197
"http://79.155.234.179/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/98.0.4758.87 Safari/537.36"

bg fit


SELECT * FROM table;
+-----------+-----------+-----------+
| lastname  | firstname | jobtitle  |
+-----------+-----------+-----------+
| Jennings  | Leslie    | Sales Rep |
| Thompson  | Leslie    | Sales Rep |
| Gerard    | Martin    | Sales Rep |
+-----------+-----------+-----------+
3 rows in set (0.00 sec)

SELECT name, password FROM users WHERE email = '[email protected]';

+--------+-------------------+
| name   | password          |
+--------+-------------------+
| myuser | MySecretPassw0rd! |
+--------+-------------------+
1 row in set (0.00 sec)

INSERT INTO users (name, password, email)
VALUES('anotheruser', 'letmein', '[email protected]');

1 row(s) affected

bg right

Real world

  • Tesla (2014)
  • Cisco Prime License Manager (2018)
  • Fortnite (2019)

🛡


<style scoped> p { position: absolute; bottom: 0; right:0; } </style>

bg fit

https://xkcd.com/327


bg


<style scoped> li { font-size: 2em; } </style>

bg right

  • GET
  • PUT
  • POST
  • PATCH
  • DELETE
  • ETC

POST /echo/post/json?query=hi HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 3

a=b

POST /echo/post/json?query=hi HTTP/1.1
a=b

// String-built query: the value of $id is spliced straight into the SQL text,
// so whatever characters it contains become part of the statement.
$result = $con->query("SELECT * FROM products WHERE id = \"{$id}\"");
// Same statement, now fed directly from the request. Anything a client places in
// ?id= is executed as SQL; this is the injectable form the following slides walk through.
$result = $con->query("SELECT * FROM products WHERE id = \"{$_GET['id']}\"");

http://mydomain.com/products?id=unchecked things
SELECT * FROM products WHERE id = "unchecked bad things";

🤷


http://mydomain.com/products?id=1" OR id="2"
SELECT * FROM products WHERE id = "1" OR id = "2";

Truncate a table

-- http://mydomain.com/products?id=1"; TRUNCATE TABLE products; -- //
SELECT * FROM products WHERE id = "1"; TRUNCATE TABLE products; --//";

Delete a row

-- http://mydomain.com/products?id=1"; DELETE FROM products WHERE id="1"; -- //
SELECT * FROM products WHERE id = "1"; DELETE FROM products WHERE id="1"; --//";

Insert a row

-- http://mydomain.com/products?id=1"; INSERT INTO payments(orderid, success) VALUES("123", "yes"); -- //
SELECT * FROM products WHERE id = "1"; INSERT INTO payments(orderid, success) VALUES("123", "yes"); --//";

Encrypt

UPDATE customers SET email = AES_ENCRYPT(email, PRIVATEKEY);

bg


bg fit


bg fit


SELECT '* * * * * root rm -rf /' INTO outfile /etc/cron.d/bad

😱


// Escaping approach: real_escape_string() escapes quote characters so the value
// cannot break out of the '...' literal. This only holds because the placeholder
// is quoted ('%s'); it also depends on the connection charset being set correctly.
// Prepared statements ($mysqli->prepare() with bound parameters) are the preferred
// fix because they keep data and SQL text separate by construction.
$result = $mysqli->query(sprintf("SELECT * FROM products WHERE id ='%s'",
  $mysqli->real_escape_string($_GET['id'])));

bg


bg


bg


bg


bg


bg fit


bg fit


# Baseline Pod: a single application container reachable directly on port 80.
# Nothing sits in front of the app, so every request reaches it unfiltered.
# No securityContext or resource limits are set — fine for a slide, not for production.
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
    - name: myapp
      image: myapp:v1.0.0
      # containerPort is informational only; it does not restrict which ports are reachable.
      ports:
        - containerPort: 80

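# Sidecar pattern: an nginx container in the same Pod fronts the application.
# Both containers share the Pod's network namespace, which is why nginx can reach
# the app on localhost:80 and the app no longer needs to declare a port here.
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
    - name: myapp
      image: myapp:v1.0.0
    - name: nginx # <-- sidecar
      # 1.14.2 is an old nginx release; pin a currently supported tag in real use.
      image: nginx:1.14.2
      # Clients are meant to enter via 8080 (the filtered path). Port 80 is still open
      # on the Pod IP, so any Service must target 8080, and something else (the app
      # binding to localhost only, or a NetworkPolicy) is needed to stop callers from
      # reaching port 80 directly and bypassing the sidecar.
      ports:
        - containerPort: 8080
      volumeMounts:
        # Mounting at /etc/nginx replaces the whole directory, so the ConfigMap must
        # carry everything nginx needs (only nginx.conf is provided here).
        - mountPath: /etc/nginx
          name: nginx-config
  volumes:
    - name: nginx-config
      configMap:
        # Must match the ConfigMap's metadata.name. The ConfigMap defined for this
        # sidecar is "sidecar"; the original referenced "myapp", which would leave the
        # Pod stuck in ContainerCreating with a missing-ConfigMap event.
        name: sidecar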

# nginx configuration for the sidecar; the Pod mounts this ConfigMap over /etc/nginx,
# so this single file is the entire nginx configuration.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sidecar
data:
  # The regex location is a case-insensitive (~*) blocklist: a quote character followed
  # somewhere later by one of the listed SQL keywords is refused (deny all -> 403).
  # NOTE(review): nginx location matching is done on the normalized URI path only —
  # the query string and the request body are not examined — so this demonstrates the
  # sidecar pattern rather than providing WAF-grade protection. Parameterized queries
  # in the application remain the actual fix; a filter like this is defence in depth.
  # (Comments cannot go inside the block scalar without becoming part of nginx.conf.)
  nginx.conf: |-
    events {}
    http {
      server {
        listen 8080 default_server;
        listen [::]:8080 default_server;

        location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
            deny all;
        }

        location / {
            proxy_pass http://localhost:80/;
        }
      }
    }

kubectl apply


bg fit


bg fit


bg fit


# Application Pod for the Ingress variant: the filtering moves out of the Pod and into
# the cluster's ingress layer, so the Pod itself is the plain single-container form.
# Traffic that reaches the Pod IP directly (from inside the cluster) is not filtered.
apiVersion: v1
kind: Pod
metadata:
  name: myapp
spec:
  containers:
    - name: myapp
      image: myapp:v1.0.0
      # Declares the port a Service would target; it does not restrict access on its own.
      ports:
        - containerPort: 80

# Plain Ingress: routes example.com/ to the myapp Service on port 80 with no filtering.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
spec:
  # An ingress controller registered under this IngressClass must be installed.
  ingressClassName: nginx
  rules:
    - host: "example.com"
      http:
        paths:
          - backend:
              service:
                # NOTE(review): assumes a Service named "myapp" exposing port 80; none is shown here.
                name: myapp
                port:
                  number: 80
            path: /
            pathType: Prefix

# Ingress with the same keyword blocklist applied at the edge instead of in a sidecar.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  annotations:
    # nginx.org/* annotations belong to the NGINX Inc. ingress controller (not the
    # community nginx.ingress.kubernetes.io controller). A server snippet injects raw
    # nginx config into the shared proxy, so controllers gate it behind an opt-in
    # (-enable-snippets on this controller) — anyone who can write Ingress objects can
    # otherwise reconfigure the edge for every tenant.
    # NOTE(review): as in the sidecar version, a location regex only sees the
    # normalized URI path, not the query string or body; treat this as a demo of the
    # pattern, with parameterized queries in the app as the real fix.
    nginx.org/server-snippets: |
      location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
          deny all;
      }
spec:
  ingressClassName: nginx
  rules:
    - host: "example.com"
      http:
        paths:
          - backend:
              service:
                # NOTE(review): assumes a Service named "myapp" on port 80; none is shown on this page.
                name: myapp
                port:
                  number: 80
            path: /
            pathType: Prefix

bg fit


bg

Live demo


bg fit


bg fit


bg fit


🙏 Thanks 🙏

bg right

  • cns.me
  • github.com/chrisns
  • nginx.com/blog
  • learnk8s.io/kubernetes-resources

Chris Nesbitt-Smith