Skip to content

lab11: hardened nginx reverse proxy and waf#1428

Open
Walkerino wants to merge 1 commit into
inno-devops-labs:mainfrom
Walkerino:lab11
Open

lab11: hardened nginx reverse proxy and waf#1428
Walkerino wants to merge 1 commit into
inno-devops-labs:mainfrom
Walkerino:lab11

Conversation

@Walkerino

Copy link
Copy Markdown

What changed

  • Hardened the Lab 11 Nginx reverse proxy:
    • TLS 1.3 only
    • HSTS and required security headers
    • rate limiting for login
    • connection limits and fail-closed timeouts
    • TLS session hardening
  • Added a ModSecurity v3 + OWASP CRS 4.28.0 WAF override in front of Nginx/Juice Shop.
  • Added submissions/lab11.md with verification output and analysis.

Validation

  • Verified HTTPS redirect with curl -sI http://localhost.
  • Verified TLS 1.3 and cipher negotiation with OpenSSL.
  • Verified required security headers with curl -skI https://localhost.
  • Verified rate limiting: 60 login requests produced 54 HTTP 429 responses.
  • Verified WAF behavior: SQLi payload reached Nginx alone but was blocked through WAF with HTTP 403.
  • Confirmed OWASP CRS rule 942100 fired for the SQLi payload.

Checklist

  • Task 1 - TLS 1.3 + security headers
  • Task 2 - production posture
  • Bonus - WAF + OWASP CRS blocking proof

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant