Nova Traefik Middleware

Nova can be deployed as a Traefik middleware, functioning as a full Layer 7 web application firewall for any Ingresses defined in Traefik. This allows you to protect your applications in Kubernetes and other environments.

Core Concepts

Deploying Nova as a middleware for Traefik uses the Traefik Plugin system, as a part of Traefik Pilot.

This allows you to annotate ingresses as needing to go through the WAF, and causes Nova to reject any dangerous or malicious requests, bot traffic, DoS attacks and more.

You will deploy one (or more) Nova instances in your cluster, and install the Nova Traefik Plugin, and then you can do the following on any Ingress:

traefik.ingress.kubernetes.io/router.middlewares: default-nova@kubernetescrd

And the ingress will be protected!

Nova AutoJoin

This system relies on Nova AutoJoin to allow your cluster to automatically provision any number of Nova nodes (for scaling) and to have them automatically apply all your WAF rules and preferences, and collect telemetry. This guide will explain all you need to know, but you may wish to read up on Nova AutoJoin.

Demo Environments

We provide several demo environments for testing, or copy/pasting configurations from on our GitHub page for the Traefik Nova Pluginopen in new window.

docker-compose Demo

We have a docker-compose demo environment for you to launch and test with. It has instructions and a demo container to test traffic against, and is available here: https://github.com/snapt/traefik-nova-plugin/tree/main/examples/dockeropen in new window

Kubernetes Demos

We have multiple Kubernetes demo applications available as well:

Installation Guide

This guide will take you through the steps required to deploy Nova as a Traefik middleware and protect your first Ingress. It requires that you have Traefik enabled already on your Kubernetes cluster.

Step 1: Nova ADC

The first step is to create a Traefik ADC on Nova. Head to your ADC create pageopen in new window, and choose the Traefik ADC type. The defaults are fine on the configuration page, but make sure to go to the Security tab and Enable the Nova WAF!

Once you Save your new ADC, you will be given an AutoJoin Key. Save this key for use in your deployment later.

Step 2: Install the Plugin

You now need to enable the Traefik Nova WAF plugin on your cluster. This is done by editing your Traefik configuration. You can find installation instructions on the Traefik Plugin pageopen in new window or you may follow our simplified version below.

To load our middleware onto Traefik you need to enable several components:

  1. Traefik Pilot
  2. The Traefik Nova Plugin
  3. The middleware below.

To enable Pilot you need to register and set up Pilot to work with your Traefik install: https://pilot.traefik.io/. Plugins do not work without Pilot!

During this you will need to configure Pilot, and you can also enable the Nova plugins. Edit your Traefik deployment and add the following:

kubectl edit deployment.v1.apps/traefik

Add these lines (and fill in the requirements) to the spec.template.spec.containers.args array:

--pilot.token=YOUR_PILOT_TOKEN
--experimental.plugins.traefik-nova-plugin.modulename=github.com/snapt/traefik-nova-plugin
--experimental.plugins.traefik-nova-plugin.version=v1.1.2

If you are going to be using a public cloud Kubernetes we recommend also adding:

--entryPoints.web.proxyProtocol.insecure

And then using the PROXY protocol on your external Load Balancers in order to see client IPs.

Once you have completed the above you can load the Nova middleware by running:

cat <<EOF | kubectl apply -f -
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: nova
spec:
  plugin:
    traefik-nova-plugin:
      novaContainerUrl: http://nova-waf:80
EOF

Step 3: Deploy Nova

We can now create your Nova service, which will scan requests for the middleware we created above. You must fill in your AutoJoin key from above to replace the "ENTER_AUTO_CONF_KEY" value below.

cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nova
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      nova: nova
  template:
    metadata:
      labels:
        nova: nova
    spec:
      containers:
      - name: nova
        image: novaadc/nova-client:latest
        env:
        - name: NOVA_AUTO_CONF
          value: "ENTER_AUTO_CONF_KEY"
        - name: NOVA_AUTO_CONF_HOST
          value: nova.snapt.net
        - name: NODE_HOST
          value: poll.nova-adc.com
---
apiVersion: v1
kind: Service
metadata:
  name: nova-waf
  namespace: default
spec:
  type: NodePort
  selector:
    nova: nova
  ports:
  - port: 80
    targetPort: 80
EOF    

This will create a deployment with 2 replicas, and a service that will be accept traffic from the middleware.

Check Nova User Interface

At this point you'll see two new Nodes get created automatically on your Nova Portal!

Step 4: Use Nova on an Ingress

Now that you have Nova up and running in your cluster, and the plugin loaded for Traefik, you can utilize it on any Ingresses you like.

Below is a full example of an Ingress for the example blog demo (linked above and on our GitHub):

kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: blog-ingress
  namespace: blog
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
    traefik.ingress.kubernetes.io/router.middlewares: default-nova@kubernetescrd
    
spec:
  rules:
    - host: traefik.nova-adc.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: blog-svc
                port:
                  number: 80

As you can see the important part is the middleware turning on Nova:

traefik.ingress.kubernetes.io/router.middlewares: default-nova@kubernetescrd

At this stage you should be able to see Nova as the HTTP middleware on your HTTP Router in Traefik, as shown in this example screenshot:

What Next?

Now you have Nova protecting your services. You can send test traffic and you should see it on your ADC dashboard in Nova, and you can easily trigger blocks by adding ?test=/etc/passwd onto any web request to your service.

Below is an example of our dashboard for the demo Traefik ADC: