
feat(lab11): hardened nginx + WAF sidecar #11

Merged: RII6 merged 1 commit into main from feature/lab11 on Jun 30, 2026

Conversation

@RII6 RII6 (Owner) commented Jun 30, 2026

Goal

This PR hardens the Nginx reverse proxy with TLS 1.3 and security headers, applies production-grade limits, and deploys a ModSecurity WAF sidecar with OWASP CRS to block attacks.

Changes

  • Generated self-signed certificates and configured Nginx to enforce TLS 1.3 with Mozilla Modern ciphers and an X25519 curve.
  • Added 6 production security headers (HSTS, CSP, Permissions-Policy, etc.) and enforced rate/connection limits (10 req/min, 50 conns) and strict timeouts.
  • Configured a ModSecurity WAF sidecar (v3) with OWASP CRS (Paranoia Level 1) to inspect traffic before reaching Juice Shop.
  • Drafted the final Lab 11 submission report containing the certificate rotation runbook, OCSP stapling explanation, WAF tradeoff analysis, and proof of testing.

Testing

  • Verified HTTP to HTTPS redirects and TLS 1.3 negotiation using curl and openssl s_client.
  • Verified rate limits (54 requests successfully blocked with HTTP 429) using seq/xargs and connection timeouts by sending partial payloads.
  • Confirmed the ModSecurity WAF successfully blocks SQL injection payloads (?q=' OR 1=1--) with an HTTP 403 Forbidden (Rule 942100), while pure Nginx allowed the same payload to hit the backend.

Artifacts & Screenshots

  • Please refer to submissions/lab11.md for full command outputs, test evidence, and audit logs.

Checklist

  • Task 1 — TLS 1.3 + 6 security headers (with proof)
  • Task 2 — Rate limit + timeouts + cipher hardening + cert-rotation runbook
  • Bonus — Coraza/ModSec WAF + OWASP CRS catching a payload Nginx-alone passes
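The PR text lists the hardening settings but the configuration itself lives in the repository, not on this page. What follows is an added example, not the PR's own config: one nginx configuration (meant to be included from inside the `http` block, e.g. via `conf.d/`) that carries out the settings the description names. Assumed, because the description does not give them: the certificate paths, the WAF sidecar's upstream name and port (`waf:8080`), the CSP value, and the three headers beyond the named HSTS, CSP and Permissions-Policy.

```nginx
# Added example, not the PR's own config. Assumed names: the cert paths,
# the upstream "waf" (ModSecurity sidecar) on port 8080, and the three
# headers beyond HSTS/CSP/Permissions-Policy that the PR does not list.

# --- http context -----------------------------------------------------------
# Rate limit: 10 requests/minute per client IP; a small burst absorbs page loads.
limit_req_zone  $binary_remote_addr zone=perip:10m rate=10r/m;
# Connection cap: 50 concurrent connections per client IP.
limit_conn_zone $binary_remote_addr zone=peraddr:10m;
limit_req_status  429;   # nginx defaults to 503; 429 matches the PR's test evidence
limit_conn_status 429;

# Short timeouts so slow or partial-body clients cannot pin worker connections.
client_header_timeout 10s;
client_body_timeout   10s;
send_timeout          10s;
keepalive_timeout     15s;

# Plain HTTP: redirect everything to HTTPS; nothing else is served here.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    http2 on;                       # nginx >= 1.25.1; use "listen 443 ssl http2;" on older builds
    server_name _;

    # Self-signed pair (assumed paths). OCSP stapling is deliberately absent:
    # there is no CA responder to query for a self-signed certificate.
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    # TLS 1.3 only, X25519 key exchange, Mozilla "Modern" cipher suites.
    # TLS 1.3 suites are not controlled by ssl_ciphers; they need ssl_conf_command
    # (nginx >= 1.19.4 built against OpenSSL >= 1.1.1).
    ssl_protocols TLSv1.3;
    ssl_ecdh_curve X25519;
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Six security headers. "always" makes them appear on 4xx/5xx responses too,
    # including the 403s the WAF returns and the 429s from rate limiting.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Apply the limits to every request on this vhost.
    limit_req  zone=perip burst=5 nodelay;
    limit_conn peraddr 50;

    location / {
        # Do not add headers inside this block: a location-level add_header
        # replaces, rather than extends, the server-level header set.
        proxy_pass http://waf:8080;            # assumed sidecar name/port; it forwards to Juice Shop
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;
    }
}
```

Two things worth checking before reusing this. First, the CSP shown is a placeholder: a single-page application such as Juice Shop needs inline scripts and styles, so a `default-src 'self'` policy will break it until it is tuned against the app's console errors. Second, the `limit_req_status 429` and `limit_conn_status 429` lines matter for the evidence in the PR; without them nginx answers 503, so a test that counts 429s would report zero blocked requests even though limiting is working.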

@RII6 RII6 merged commit 1ec3c3c into main Jun 30, 2026
1 check passed