
Commit a922f6d

committed
feat: disable ngwaf somewhat; add cert, header token,
1 parent dbf2764 commit a922f6d


6 files changed

+136
-146
lines changed


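--- a/infra/certs/psf.io.pem
+++ b/infra/certs/psf.io.pem
@@ -0,0 +1 @@
+-----BEGIN CERTIFICATE----- MIIEQzCCAyugAwIBAgIUYH38nEb2KLRgscKhjcNpBLRUz+UwDQYJKoZIhvcNAQEL BQAwgbAxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xEjAQBgNVBAcMCUJl YXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNvZnR3YXJlIEZvdW5kYXRpb24xHDAa BgNVBAsME0luZnJhc3RydWN0dXJlIFRlYW0xDzANBgNVBAMMBlBTRl9DQTEoMCYG CSqGSIb3DQEJARYZaW5mcmFzdHJ1Y3R1cmVAcHl0aG9uLm9yZzAeFw0yNDAyMTIx NzU0MDZaFw0yOTAyMTAxNzU0MDZaMIGwMQswCQYDVQQGEwJVUzEPMA0GA1UECAwG T3JlZ29uMRIwEAYDVQQHDAlCZWF2ZXJ0b24xIzAhBgNVBAoMGlB5dGhvbiBTb2Z0 d2FyZSBGb3VuZGF0aW9uMRwwGgYDVQQLDBNJbmZyYXN0cnVjdHVyZSBUZWFtMQ8w DQYDVQQDDAZQU0ZfQ0ExKDAmBgkqhkiG9w0BCQEWGWluZnJhc3RydWN0dXJlQHB5 dGhvbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCXAZagv2UK AEnnnnrK/WWcZIKo/l+HTgL01XhReu9CDNs3f3ESlRT3Y4Hbla/pYRu9VM8tMGYS xG5FGJQ2JPVnKCb3mIEC7wy9+VOaQIp3l8+o0lDQhsOZs78ZA8XQpNLD5OURsUHJ re1U6WOTryMJwxpO+DzSBU+oSwfdn2k0BAJqSeIU45hHXeHO24z7GePuk3I1wb+E vfhtdIF/tHvF1I6h7ntmHUeUWYrTKXKB9meMAFwEC1ZNoN1z05X68cSeK8dAsxYh ghmQnUZ4hHH8pLlhYW/QBTol0nutwgHPyC9FIJnZzX50xAMRx3TKP1IbIehWBwF2 CYJq6pRBZ1mfAgMBAAGjUzBRMB0GA1UdDgQWBBQrAQVRNWd6eVr6ZGn8vshzgS09 qDAfBgNVHSMEGDAWgBQrAQVRNWd6eVr6ZGn8vshzgS09qDAPBgNVHRMBAf8EBTAD AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBmtyljZ1q2manMvIMEtXtc9lq3gwxIP4Pq ic5hKuEHDSy5iN0vZRhoqfgPzXMy61zCrvLmvxv8nN2B4Us44KQRzWwDvi8SavfQ LxRZ4KLe5Bg7MNfIKM/ZqYqHIt1FtVFYR7UyEILN/yDCyQC+8n6s8RLmT5OtZHPL 0YAyHgdao4qCICkZShbCukq81ULvkq7i6QvHWZrVGAIc/1nN71QNEUMr9KtlTKO3 TeSd+l13+CDGwMXUpglDiFL329TmG5pKr/zoTCGDmRvEfRPtICwY3FgqGDpmIwhw dXq0JPGHrFODeVrchUMSGqXhAZ+k/9YdJlGLbv3WJmD1GwFTs3Wf -----END CERTIFICATE-----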
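Review bot: Nothing records the lifetime or the rotation owner of this CA, and once `ssl_check_cert = true` pins the `lb.psf.io` backend to it in infra/fastly.tf its expiry turns into a hard failure of that backend rather than a warning. The DER appears to decode to a self-signed root (issuer and subject both `PSF_CA`, basicConstraints CA:TRUE) valid from 2024-02-12 to 2029-02-10; PEM has no comment syntax, so put that next to the `ssl_ca_cert` line in infra/fastly.tf, e.g. `# Private PSF_CA root (self-signed), expires 2029-02 — rotate before then; owner/ticket: <placeholder>`. The rendered view also shows the PEM body collapsed onto a single line; if the committed file really has no 64-column line breaks, confirm Fastly accepts what `file()` hands it verbatim, because a plan will not flag that.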

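--- a/infra/fastly.tf
+++ b/infra/fastly.tf
@@ -17,13 +17,13 @@ resource "fastly_service_vcl" "test_python_org" {
 
 backend {
 name = "cabotage"
-address = "test-pythondotorg.ingress.us-east-2.psfhosted.computer"
+address = "pythondotorg.ingress.us-east-2.psfhosted.computer"
 port = 443
 shield = "iad-va-us"
 auto_loadbalance = false
 ssl_check_cert = true
-ssl_cert_hostname = "test-pythondotorg.ingress.us-east-2.psfhosted.computer"
-ssl_sni_hostname = "test-pythondotorg.ingress.us-east-2.psfhosted.computer"
+ssl_cert_hostname = "pythondotorg.ingress.us-east-2.psfhosted.computer"
+ssl_sni_hostname = "pythondotorg.ingress.us-east-2.psfhosted.computer"
 weight = 100
 max_conn = 200
 connect_timeout = 1000
@@ -40,7 +40,7 @@ resource "fastly_service_vcl" "test_python_org" {
 ssl_check_cert = true
 ssl_cert_hostname = "lb.psf.io"
 ssl_sni_hostname = "lb.psf.io"
-ssl_ca_cert = "" # TODO(@ee)
+ssl_ca_cert = file("${path.module}/certs/psf.io.pem")
 weight = 100
 max_conn = 200
 connect_timeout = 1000
@@ -169,7 +169,7 @@ resource "fastly_service_vcl" "test_python_org" {
 name = "Is Download Director"
 priority = 10
 request_condition = "Is Download"
-source = "F_lb_nyc1_psf_io"
+source = "loadbalancer"
 type = "request"
 }
 header {
@@ -178,15 +178,15 @@ resource "fastly_service_vcl" "test_python_org" {
 name = "Is Not Download Backend"
 priority = 10
 request_condition = "Is Not Download"
-source = "F_cabotage"
+source = "cabotage"
 type = "request"
 }
 header {
 action = "set"
 destination = "http.Fastly-Token"
 name = "Fastly Token"
 priority = 10
-source = var.FASTLY_HEADER_TOKEN
+source = "\"${var.FASTLY_HEADER_TOKEN}\""
 type = "request"
 }
 header {
@@ -267,8 +267,8 @@ resource "fastly_service_vcl" "test_python_org" {
 redundancy = "standard"
 format_version = 2
 message_type = "classic"
-s3_access_key = var.S3_ACCESS_KEY
-s3_secret_key = var.S3_SECRET_KEY
+s3_access_key = var.AWS_ACCESS_KEY_ID
+s3_secret_key = var.AWS_SECRET_ACCESS_KEY
 }
 
 logging_syslog {
@@ -347,90 +347,37 @@ resource "fastly_service_vcl" "test_python_org" {
 }
 
 # NGWAF Dynamic Snippets
-dynamicsnippet {
-name = "ngwaf_config_init"
-type = "init"
-priority = 0
-}
-
-dynamicsnippet {
-name = "ngwaf_config_miss"
-type = "miss"
-priority = 9000
-}
-
-dynamicsnippet {
-name = "ngwaf_config_pass"
-type = "pass"
-priority = 9000
-}
-
-dynamicsnippet {
-name = "ngwaf_config_deliver"
-type = "deliver"
-priority = 9000
-}
+# dynamicsnippet {
+# name = "ngwaf_config_init"
+# type = "init"
+# priority = 0
+# }
+#
+# dynamicsnippet {
+# name = "ngwaf_config_miss"
+# type = "miss"
+# priority = 9000
+# }
+#
+# dynamicsnippet {
+# name = "ngwaf_config_pass"
+# type = "pass"
+# priority = 9000
+# }
+#
+# dynamicsnippet {
+# name = "ngwaf_config_deliver"
+# type = "deliver"
+# priority = 9000
+# }
 
-dictionary {
-name = var.Edge_Security_dictionary
-}
+# dictionary {
+# name = var.Edge_Security_dictionary
+# }
 
 lifecycle {
 ignore_changes = [product_enablement]
 }
 
 force_destroy = true
 }
-
-# Fastly Service Dictionary Items
-resource "fastly_service_dictionary_items" "edge_security_dictionary_items" {
-for_each = {
-for d in fastly_service_vcl.test_python_org.dictionary : d.name => d if d.name == var.Edge_Security_dictionary
-}
-service_id = fastly_service_vcl.test_python_org.id
-dictionary_id = each.value.dictionary_id
-items = {
-Enabled : "100"
-}
-}
-
-# Fastly Service Dynamic Snippet Contents
-resource "fastly_service_dynamic_snippet_content" "ngwaf_config_init" {
-for_each = {
-for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_init"
-}
-service_id = fastly_service_vcl.test_python_org.id
-snippet_id = each.value.snippet_id
-content = "### Fastly managed ngwaf_config_init"
-manage_snippets = false
-}
-
-resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" {
-for_each = {
-for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_miss"
-}
-service_id = fastly_service_vcl.test_python_org.id
-snippet_id = each.value.snippet_id
-content = "### Fastly managed ngwaf_config_miss"
-manage_snippets = false
-}
-
-resource "fastly_service_dynamic_snippet_content" "ngwaf_config_pass" {
-for_each = {
-for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_pass"
-}
-service_id = fastly_service_vcl.test_python_org.id
-snippet_id = each.value.snippet_id
-content = "### Fastly managed ngwaf_config_pass"
-manage_snippets = false
-}
-
-resource "fastly_service_dynamic_snippet_content" "ngwaf_config_deliver" {
-for_each = {
-for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_deliver"
-}
-service_id = fastly_service_vcl.test_python_org.id
-snippet_id = each.value.snippet_id
-content = "### Fastly managed ngwaf_config_deliver"
-manage_snippets = false
-}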
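Review bot: The S3 logging block (hunk at -267,8) now hands `var.AWS_ACCESS_KEY_ID` / `var.AWS_SECRET_ACCESS_KEY` to Fastly as the bucket credential, which removes the separation the old `S3_ACCESS_KEY` / `S3_SECRET_KEY` variables gave between a key that only needs to write log objects and the key pair that drives the rest of the AWS account; whatever that pair is allowed to do, the logging endpoint can now do as well. Keep a dedicated write-only principal for the log bucket (limited to `s3:PutObject` on the log prefix) behind its own variables, so that rotating or revoking it never touches the provider credentials. If the motivation was the broken example values (`S3_ACCESS_KEY_ID = NotARealKey"` had a missing quote and a name that did not match the variable), fixing infra/terraform.tfvars.example is the cheaper repair. Whether these two variables also feed the AWS provider is not visible in this diff and is inferred from their names.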

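--- a/infra/ngwaf.tf
+++ b/infra/ngwaf.tf
@@ -1,29 +1,84 @@
-# NGWAF Edge Deployment
-resource "sigsci_edge_deployment" "ngwaf_edge_site_service" {
-site_short_name = var.NGWAF_SITE
-}
-
-resource "sigsci_edge_deployment_service" "ngwaf_edge_service_link" {
-site_short_name = var.NGWAF_SITE
-fastly_sid = fastly_service_vcl.test_python_org.id
-activate_version = true
-percent_enabled = 100
-depends_on = [
-sigsci_edge_deployment.ngwaf_edge_site_service,
-fastly_service_vcl.test_python_org,
-fastly_service_dictionary_items.edge_security_dictionary_items,
-fastly_service_dynamic_snippet_content.ngwaf_config_init,
-fastly_service_dynamic_snippet_content.ngwaf_config_miss,
-fastly_service_dynamic_snippet_content.ngwaf_config_pass,
-fastly_service_dynamic_snippet_content.ngwaf_config_deliver,
-]
-}
-
-resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sync" {
-site_short_name = var.NGWAF_SITE
-fastly_sid = fastly_service_vcl.test_python_org.id
-fastly_service_vcl_active_version = fastly_service_vcl.test_python_org.active_version
-depends_on = [
-sigsci_edge_deployment_service.ngwaf_edge_service_link,
-]
-}
+# # NGWAF Edge Deployment
+#
+# # Fastly Service Dictionary Items
+# resource "fastly_service_dictionary_items" "edge_security_dictionary_items" {
+# for_each = {
+# for d in fastly_service_vcl.test_python_org.dictionary : d.name => d if d.name == var.Edge_Security_dictionary
+# }
+# service_id = fastly_service_vcl.test_python_org.id
+# dictionary_id = each.value.dictionary_id
+# items = {
+# Enabled : "100"
+# }
+# }
+#
+# # Fastly Service Dynamic Snippet Contents
+# resource "fastly_service_dynamic_snippet_content" "ngwaf_config_init" {
+# for_each = {
+# for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_init"
+# }
+# service_id = fastly_service_vcl.test_python_org.id
+# snippet_id = each.value.snippet_id
+# content = "### Fastly managed ngwaf_config_init"
+# manage_snippets = false
+# }
+#
+# resource "fastly_service_dynamic_snippet_content" "ngwaf_config_miss" {
+# for_each = {
+# for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_miss"
+# }
+# service_id = fastly_service_vcl.test_python_org.id
+# snippet_id = each.value.snippet_id
+# content = "### Fastly managed ngwaf_config_miss"
+# manage_snippets = false
+# }
+#
+# resource "fastly_service_dynamic_snippet_content" "ngwaf_config_pass" {
+# for_each = {
+# for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_pass"
+# }
+# service_id = fastly_service_vcl.test_python_org.id
+# snippet_id = each.value.snippet_id
+# content = "### Fastly managed ngwaf_config_pass"
+# manage_snippets = false
+# }
+#
+# resource "fastly_service_dynamic_snippet_content" "ngwaf_config_deliver" {
+# for_each = {
+# for d in fastly_service_vcl.test_python_org.dynamicsnippet : d.name => d if d.name == "ngwaf_config_deliver"
+# }
+# service_id = fastly_service_vcl.test_python_org.id
+# snippet_id = each.value.snippet_id
+# content = "### Fastly managed ngwaf_config_deliver"
+# manage_snippets = false
+# }
+#
+#
+# resource "sigsci_edge_deployment" "ngwaf_edge_site_service" {
+# site_short_name = var.NGWAF_SITE
+# }
+#
+# resource "sigsci_edge_deployment_service" "ngwaf_edge_service_link" {
+# site_short_name = var.NGWAF_SITE
+# fastly_sid = fastly_service_vcl.test_python_org.id
+# activate_version = true
+# percent_enabled = 100
+# depends_on = [
+# sigsci_edge_deployment.ngwaf_edge_site_service,
+# fastly_service_vcl.test_python_org,
+# fastly_service_dictionary_items.edge_security_dictionary_items,
+# fastly_service_dynamic_snippet_content.ngwaf_config_init,
+# fastly_service_dynamic_snippet_content.ngwaf_config_miss,
+# fastly_service_dynamic_snippet_content.ngwaf_config_pass,
+# fastly_service_dynamic_snippet_content.ngwaf_config_deliver,
+# ]
+# }
+#
+# resource "sigsci_edge_deployment_service_backend" "ngwaf_edge_service_backend_sync" {
+# site_short_name = var.NGWAF_SITE
+# fastly_sid = fastly_service_vcl.test_python_org.id
+# fastly_service_vcl_active_version = fastly_service_vcl.test_python_org.active_version
+# depends_on = [
+# sigsci_edge_deployment_service.ngwaf_edge_service_link,
+# ]
+# }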
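Review bot: The file becomes 84 lines of commented-out resources with no statement of why the edge WAF is being removed or what must be true before it returns; the first line should carry that, e.g. `# Disabled <date placeholder>: <reason placeholder>. Re-enable together with the dynamicsnippet/dictionary blocks in fastly.tf and the output in out.tf (tracking: <issue placeholder>).` Removing `sigsci_edge_deployment_service.ngwaf_edge_service_link` and the snippet and dictionary resources from configuration means the next apply destroys them, so as far as Terraform is concerned the WAF leaves the request path entirely rather than "somewhat" as the title says, while `ignore_changes = [product_enablement]` in fastly.tf leaves the product flag on the service untouched (the sigsci provider block is not in this diff, so that is inferred). A boolean variable driving `count` or `for_each` on these resources would keep the disable/enable decision reviewable in a plan and make re-enabling a one-line change instead of a file-wide uncomment; since git history already preserves the text, the commented copy can simply be deleted.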

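--- a/infra/out.tf
+++ b/infra/out.tf
@@ -1,16 +1,16 @@
-output "testing-the_ngwaf" {
-value = <<tfmultiline
-#### Click the URL to go to the service ####
-https://cfg.fastly.com/${fastly_service_vcl.test_python_org.id}
-#### Send a test request with curl. ####
-curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/whydopirates?likeurls=theargs" -d foo=bar
-#### Send an test as cmd exe request with curl. ####
-curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/myattackreq?i=../../../../etc/passwd'" -d foo=bar
-#### Troubleshoot the logging configuration if necessary. ####
-curl https://api.fastly.com/service/${fastly_service_vcl.test_python_org.id}/logging_status -H fastly-key:$FASTLY_API_KEY
-tfmultiline
-description = "Output hints on what to do next."
-depends_on = [
-sigsci_edge_deployment_service.ngwaf_edge_service_link
-]
-}
+# output "testing-the_ngwaf" {
+# value = <<tfmultiline
+# #### Click the URL to go to the service ####
+# https://cfg.fastly.com/${fastly_service_vcl.test_python_org.id}
+# #### Send a test request with curl. ####
+# curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/whydopirates?likeurls=theargs" -d foo=bar
+# #### Send an test as cmd exe request with curl. ####
+# curl -i "https://${var.USER_VCL_SERVICE_DOMAIN_NAME}/anything/myattackreq?i=../../../../etc/passwd'" -d foo=bar
+# #### Troubleshoot the logging configuration if necessary. ####
+# curl https://api.fastly.com/service/${fastly_service_vcl.test_python_org.id}/logging_status -H fastly-key:$FASTLY_API_KEY
+# tfmultiline
+# description = "Output hints on what to do next."
+# depends_on = [
+# sigsci_edge_deployment_service.ngwaf_edge_service_link
+# ]
+# }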
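Review bot: The commented output still carries `depends_on = [sigsci_edge_deployment_service.ngwaf_edge_service_link]`, a resource this same commit comments out in infra/ngwaf.tf, so the two files can only be re-enabled together and uncommenting this one alone fails at plan time. A pointer on the first line, `# Re-enable together with infra/ngwaf.tf: depends_on below references a resource that is commented out there`, records that coupling; deleting the output outright is the other option, since git keeps the text.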

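--- a/infra/terraform.tfvars.example
+++ b/infra/terraform.tfvars.example
@@ -1,7 +1,5 @@
 AWS_ACCESS_KEY_ID = "NotARealKey"
 AWS_SECRET_ACCESS_KEY = "NotARealKey"
-S3_ACCESS_KEY_ID = NotARealKey"
-S3_SECRET_KEY = "NotARealKey"
 
 NGWAF_TOKEN = "NotARealKey"
 FASTLY_API_KEY = "NotARealKey"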

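--- a/infra/variables.tf
+++ b/infra/variables.tf
@@ -65,17 +65,6 @@ variable "AWS_SECRET_ACCESS_KEY" {
 sensitive = true
 }
 
-variable "S3_ACCESS_KEY" {
-type = string
-description = "Access key for the S3 bucket."
-sensitive = true
-}
-variable "S3_SECRET_KEY" {
-type = string
-description = "Secret access key for the S3 bucket."
-sensitive = true
-}
-
 variable "route53_zone_id" {
 type = string
 description = "The Route 53 hosted zone ID"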
