Nova Traefik Middleware
Nova can be deployed as a Traefik middleware, functioning as a full Layer 7 web application firewall for any Ingresses defined in Traefik. This allows you to protect your applications in Kubernetes and other environments.
Deploying Nova as a middleware for Traefik uses the Traefik Plugin system, as a part of Traefik Pilot.
This allows you to annotate ingresses as needing to go through the WAF, and causes Nova to reject any dangerous or malicious requests, bot traffic, DoS attacks and more.
You will deploy one (or more) Nova instances in your cluster, and install the Nova Traefik Plugin, and then you can do the following on any Ingress:
And the ingress will be protected!
This system relies on Nova AutoJoin to allow your cluster to automatically provision any number of Nova nodes (for scaling) and to have them automatically apply all your WAF rules and preferences, and collect telemetry. This guide will explain all you need to know, but you may wish to read up on Nova AutoJoin.
We provide several demo environments for testing, or copy/pasting configurations from on our GitHub page for the Traefik Nova Plugin.
We have a docker-compose demo environment for you to launch and test with. It has instructions and a demo container to test traffic against, and is available here: https://github.com/snapt/traefik-nova-plugin/tree/main/examples/docker
We have multiple Kubernetes demo applications available as well:
This guide will take you through the steps required to deploy Nova as a Traefik middleware and protect your first Ingress. It requires that you have Traefik enabled already on your Kubernetes cluster.
Step 1: Nova ADC
The first step is to create a Traefik ADC on Nova. Head to your ADC create page, and choose the Traefik ADC type. The defaults are fine on the configuration page, but make sure to go to the Security tab and Enable the Nova WAF!
Once you Save your new ADC, you will be given an AutoJoin Key. Save this key for use in your deployment later.
Step 2: Install the Plugin
You now need to enable the Traefik Nova WAF plugin on your cluster. This is done by editing your Traefik configuration. You can find installation instructions on the Traefik Plugin page or you may follow our simplified version below.
To load our middleware onto Traefik you need to enable several components:
- Traefik Pilot
- The Traefik Nova Plugin
- The middleware below.
To enable Pilot you need to register and set up Pilot to work with your Traefik install: https://pilot.traefik.io/. Plugins do not work without Pilot!
During this you will need to configure Pilot, and you can also enable the Nova plugins. Edit your Traefik deployment and add the following:
kubectl edit deployment.v1.apps/traefik
Add these lines (and fill in the requirements) to the
--pilot.token=YOUR_PILOT_TOKEN --experimental.plugins.traefik-nova-plugin.modulename=github.com/snapt/traefik-nova-plugin --experimental.plugins.traefik-nova-plugin.version=v1.1.2
If you are going to be using a public cloud Kubernetes we recommend also adding:
And then using the PROXY protocol on your external Load Balancers in order to see client IPs.
Once you have completed the above you can load the Nova middleware by running:
cat <<EOF | kubectl apply -f - apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: nova spec: plugin: traefik-nova-plugin: novaContainerUrl: http://nova-waf:80 EOF
Step 3: Deploy Nova
We can now create your Nova service, which will scan requests for the middleware we created above. You must fill in your AutoJoin key from above to replace the "ENTER_AUTO_CONF_KEY" value below.
cat <<EOF | kubectl apply -f - apiVersion: apps/v1 kind: Deployment metadata: name: nova namespace: default spec: replicas: 2 selector: matchLabels: nova: nova template: metadata: labels: nova: nova spec: containers: - name: nova image: novaadc/nova-client:latest env: - name: NOVA_AUTO_CONF value: "ENTER_AUTO_CONF_KEY" - name: NOVA_AUTO_CONF_HOST value: nova.snapt.net - name: NODE_HOST value: poll.nova-adc.com --- apiVersion: v1 kind: Service metadata: name: nova-waf namespace: default spec: type: NodePort selector: nova: nova ports: - port: 80 targetPort: 80 EOF
This will create a deployment with 2 replicas, and a service that will be accept traffic from the middleware.
Check Nova User Interface
At this point you'll see two new Nodes get created automatically on your Nova Portal!
Step 4: Use Nova on an Ingress
Now that you have Nova up and running in your cluster, and the plugin loaded for Traefik, you can utilize it on any Ingresses you like.
Below is a full example of an Ingress for the example blog demo (linked above and on our GitHub):
kind: Ingress apiVersion: networking.k8s.io/v1 metadata: name: blog-ingress namespace: blog annotations: traefik.ingress.kubernetes.io/router.entrypoints: web traefik.ingress.kubernetes.io/router.middlewares: default-nova@kubernetescrd spec: rules: - host: traefik.nova-adc.com http: paths: - path: / pathType: Prefix backend: service: name: blog-svc port: number: 80
As you can see the important part is the middleware turning on Nova:
At this stage you should be able to see Nova as the HTTP middleware on your HTTP Router in Traefik, as shown in this example screenshot:
Now you have Nova protecting your services. You can send test traffic and you should see it on your ADC dashboard in Nova, and you can easily trigger blocks by adding
?test=/etc/passwd onto any web request to your service.
Below is an example of our dashboard for the demo Traefik ADC: