Announcing open-appsec WAF integration with Apache APISIX API Gateway

Introduction

open-appsec WAF is excited to announce a new integration with the open-source API Gateway solution Apache APISIX. This new collaboration between the open-appsec and API7 teams now allows users to protect their Web APIs and other Web Services exposed by APISIX Gateway against unknown and known attack types effectively based on open-appsec’s advanced machine-learning-based technology and also adds several more enhanced security capabilities.

APISIX API Gateway

APISIX is a modern, flexible, and high-performance open-source API gateway solution designed to handle various use-cases in microservices and cloud-native architectures. Its primary purpose is to facilitate API management by serving as a gateway for managing, securing, and optimizing API traffic between clients and backend services.

Further use-cases for APISIX as an API gateway include load balancing, rate limiting, authentication, and authorization. It provides comprehensive features such as traffic control, dynamic upstream, and plugin extensibility, enabling developers to customize and extend functionality according to their specific needs.

For more information visit:

APISIX website: apisix.apache.org

GitHub: www.github.com/apache/apisix 

Docs: apisix.apache.org/docs/

open-appsec

open-appsec WAF provides automatic, preemptive threat prevention and integrates with various types of reverse proxies like NGINX as well as API Gateways like APISIX. It is machine-learning-based, meaning it doesn’t require signatures (or updates) at all. This enables it to provide automatic, state-of-the-art threat prevention even for true zero-day attacks while significantly reducing both administrative effort and the amount of false-positives. In addition, open-appsec provides many additional security layers such as AntiBot, Rate Limiting, Schema Enforcement, Snort Signature Support, Custom Rules/Exceptions and more. open-appsec can be managed centrally using a Web UI provided as a SaaS service and also locally using a declarative configuration file.

For more information visit:

open-appsec Website: www.openappsec.io

GitHub: www.github.com/openappsec 

Docs: docs.openappsec.io 

Playgrounds: www.openappsec.io/playground 

Integrating APISIX with open-appsec

With this new integration APISIX API Gateway users will now have access to open-appsec WAF as an integrated, state-of-the-art Machine Learning-based WAF solution for protection of their Web APIs and Web Applications. They can now use e.g. open-appsec’s free and open-source “Community Edition” to get effective, AI-based protection against known but also unknown attacks for everything exposed by their APISIX API Gateway, while at the same time reducing the amount for false positives significantly unburdening the administrator from tedious tasks such as creating exceptions, updating traditional signature-based policies and more.

This integration will be available for all common platforms: Linux, Docker and Kubernetes. For Linux “embedded” deployments of APISIX, an open-appsec installer will add an “open-appsec attachment” module to the existing APISIX installation. It will also install the “open-appsec agent” alongside it, which will receive the traffic from the attachment, inspect it, and return the concluded action to block or allow the traffic back to the APISIX respectively the open-appsec attachment integrated with it.

Here's a simple architecture schematic for Linux deployment:

For Docker based-deployments of APISIX with open-appsec WAF there is a special APISIX container image available, to which the open-appsec attachment was already added and also an enhanced docker-compose file, which deploys both, the APISIX gateway container as well as an open-appsec agent that does the security inspection and returns the concluded decisions to the APISIX gateway to allow or block traffic.

Here's a simple architecture schematic for deployment on Docker:

For Kubernetes based-deployments of APISIX integrated with open-appsec there’s a helm chart available, which is based on the official APISIX helm chart and further enhanced to also include the open-appsec attachment in the APISIX gateway container and also deploys the open-appsec agent. Further, you will have the option to configure open-appsec in a declarative “DevOps-style” way using custom resources in K8s as an alternative to using the open-appsec central management WebUI.

Here’s a simple architecture schematic for deployment on Kubernetes:

Adding open-appsec WAF to APISIX on Linux

To install open-appsec on a Linux system with APISIX installed please follow these steps:

1. Prerequisites:

- Linux platform must be Ubuntu 22.04.

- Make sure to have APISIX installed.

You can find the list of supported APISIX versions here: https://downloads.openappsec.io/packages/supported-apisix.txt

If you don’t have APISIX installed yet, you can use the following commands to perform an APISIX installation in “traditional mode”. By running these commands you will first install the ETCD database for APISIX, then add the required repos before installing and starting the APISIX gateway:

Install ETCD database

ETCD_VERSION='3.5.4'
wget https://github.com/etcd-io/etcd/releases/download/v${ETCD_VERSION}/etcd-v${ETCD_VERSION}-linux-amd64.tar.gz
tar -xvf etcd-v${ETCD_VERSION}-linux-amd64.tar.gz && cd etcd-v${ETCD_VERSION}-linux-amd64
cp -a etcd etcdctl /usr/bin/
nohup etcd >/tmp/etcd.log 2>&1 &
etcd

Add and update package repositories

apt install gnupg
echo "deb http://openresty.org/package/debian bullseye openresty" | tee /etc/apt/sources.list.d/openresty.list
wget -O - https://openresty.org/package/pubkey.gpg | apt-key add -
wget -O - http://repos.apiseven.com/pubkey.gpg | apt-key add -
echo "deb http://repos.apiseven.com/packages/debian bullseye main" | tee /etc/apt/sources.list.d/apisix.list
apt update

Install, initiate, and start APISIX

apt install apisix=3.9.1-0
apisix init
apisix start

2. Download the open-appsec installer:

wget https://downloads.openappsec.io/open-appsec-install && chmod +x open-appsec-install

3. Install open-appsec to integrate with the existing APISIX installation: (Note that the --'Prevent' flag will install open-appsec with a default policy already set to 'Prevent' mode.)

./open-appsec-install --auto --prevent

4. Get the APISIX admin key from the APISIX config.yaml configuration file and store it in APISIX_KEY env variable:

export APISIX_KEY=$(awk '/key:/{ if ($2 ~ /^edd1/) print $2 }' /usr/local/apisix/conf/config.yaml )

5. Configure an example route in the APISIX gateway to expose an external web service or web API, in this example we will just use httpbin.org as example backend:

curl http://127.0.0.1:9180/apisix/admin/routes/100 -H "X-API-KEY:$APISIX_KEY" -X PUT -d '{
  "methods": [
    "GET"
  ],
  "uri": "/anything",
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "httpbin.org:80": 1
    }
  }
}'

6. Let’s see if this route works by accessing it:

curl -s -v -G --data-urlencode email=user@domain.abc http://localhost:9080/anything

7. Now let’s try to simulate an SQL injection attack (see ‘OR ‘1’=’1’ in the below HTTP request) against the httpin.org service exposed by the APISIX gateway which is now protected by the open-appsec WAF:

curl -s -v -G --data-urlencode email=user@domain.abc' OR '1'='1 http://localhost:9080/anything

This simulated attack now gets blocked successfully by open-appsec’s contextual machine-learning WAF engine.

8. Check out the corresponding log files showing the 'Prevent' for the HTTP request with the simulated attack that we just sent:

tail -f /var/log/nano_agent/cp-nano-http-transaction-handler.log*| grep -i user@domain.abc

Alternatively, you can use the “open-appsec-ctl” tool:

open-appsec-ctl --view-logs | grep -i user@domain.abc

9. Optionally you can connect your deployment now to https://my.openappsec.io for centrally managing open-appsec with an easy-to-use Web UI, monitoring security events and more, see section “How to manage your deployment centrally” further below for more info.

Congratulations, you successfully added open-appsec WAF to your existing APISIX installation and verified that your web services exposed by the APISIX Gateway are now protected against web attacks. 

-----

Deploying APISIX with open-appsec WAF on containerized platforms (Docker)

To install APISIX integrated with open-appsec on Docker you can follow the steps shown below.

Opposite to the above example, here we are deploying APISIX in “standalone mode”, which means it’s declaratively configured using a docker volume mount with a yaml file which holds the config and therefore won’t require an ETCD database deployment. Note that APISIX supports both traditional as well as standalone modes in all deployment types (Linux, Docker, …)

1. Prerequisite: Make sure to have a Linux platform with both, Docker and docker-compose tools installed.

2. Within the directory that you want to use for the deployment:

   Create a folder appsec-localconfig which will hold the appsec declarative configuration file.

mkdir ./appsec-localconfig

3. Download the initial declarative configuration file for open-appsec into that folder:

wget https://raw.githubusercontent.com/openappsec/openappsec/main/config/linux/latest/prevent/local_policy.yaml -O appsec-localconfig/local_policy.yaml

Note that this example declarative configuration file is already set to 'Prevent' attacks.

4. Create another folder apisix-localconfig which will hold the declarative configuration file for APISIX:

mkdir ./apisix-localconfig

5. Let’s download a simple declarative configuration file also for APISIX so we can verify open-appsec protection after the deployment:

wget https://raw.githubusercontent.com/openappsec/openappsec/main/deployment/apisix/apisix-example-config/apisix-standalone.yaml -O ./apisix-localconfig/apisix-standalone.yaml

6. Create a docker-compose.yaml file with the content below, it can be downloaded as follows:

wget https://raw.githubusercontent.com/openappsec/openappsec/main/deployment/apisix/docker-compose.yaml

version: "3"

services:
  apisix:
    container_name: apisix
    image: "ghcr.io/openappsec/apisix-attachment:latest"
    ipc: service:appsec-agent
    restart: always
    volumes:
      - ./apisix-localconfig/apisix-standalone.yaml:/usr/local/apisix/conf/apisix.yaml:ro
    environment:
      - APISIX_STAND_ALONE=true
    ports:
      - "9180:9180/tcp"
      - "9080:9080/tcp"
      - "9091:9091/tcp"
      - "9443:9443/tcp"

  appsec-agent:
    container_name: appsec-agent
    image: 'ghcr.io/openappsec/agent:latest'
    ipc: shareable
    restart: unless-stopped
    environment:
      # adjust with your own email below
      - user_email=user@email.com
      - registered_server="APISIX Server"
    volumes:
      - ./appsec-config:/etc/cp/conf
      - ./appsec-data:/etc/cp/data
      - ./appsec-logs:/var/log/nano_agent
      - ./appsec-localconfig:/ext/appsec
    command: /cp-nano-agent

7. Edit the docker-compose.yaml file and replace "user@email.com" with your own email address, so we can provide assistance in case of any issues with the specific deployment in the future and provide information proactively regarding open-appsec. This is an optional parameter and can be removed. If we send automatic emails there will also be an opt-out option included for receiving similar communication in the future.

8. Run docker-compose up to start the deployment of all relevant containers:

docker-compose up -d

9. Check if the apisix-attachment and the appsec-agent containers are up and running:

docker ps

10. Let’s see if the standalone configuration works by accessing it:

curl -s -v -G --data-urlencode email=user@domain.abc http://localhost:9080/anything

11. Now let’s try to simulate an SQL injection attack against the httpin.org service exposed by the APISIX gateway container which is now protected by open-appsec:

curl -s -v -G --data-urlencode email=user@domain.abc' OR '1'='1 http://localhost:9080/anything

12. Optionally, you can connect your deployment now to https://my.openappsec.io for centrally managing open-appsec with an easy-to-use Web UI, monitoring security events and more, see the section “How to manage your deployment centrally” further below for more info.

Congratulations, you successfully deployed APISIX integrated with open-appsec WAF and verified that your web services exposed by the APISIX Gateway are now protected against attacks.

Deploying APISIX with open-appsec WAF on Kubernetes using Helm

1. Prerequisite: Kubernetes platform and Helm tool available

2. Download the open-appsec for APISIX helm chart here:

wget https://downloads.openappsec.io/packages/helm-charts/apisix/open-appsec-k8s-apisix-latest.tgz

3. Install the helm chart as follows:

   This example helm install command is installing the open-appsec for APISIX helm chart which is based on an extended version of the official APISIX helm chart. It will deploy the APISIX gateway as the APISIX ingress controller, as well as open-appsec WAF integrated with it. It also offers additional configuration option specifically for open-appsec WAF (see values.yaml inside the helm chart and open-appsec docs).

   
   

   After deployment, you can assign your K8s ingress resources to the APISIX gateway by configuring them to use the following ingress class: appsec-apisix

helm install open-appsec-k8s-apisix-latest.tgz \
--name-template=appsec-apisix \
--set rbac.create=true \
--set appsec.mode=standalone \
--set service.type=LoadBalancer \
--set appsec.persistence.enabled=false \
--set ingress-controller.enabled=true \
--set ingress-controller.config.ingressClass=appsec-apisix \
--set appsec.userEmail="<your-email-address>" \
--set appsec.agentToken= \
--create-namespace \
-n appsec-apisix

Replace <your-email-address> in the helm install command above with your own email address, so we can send you news and updates related to open-appsec and better support you with your deployment if needed! You can unsubscribe at any time or alternatively just remove that line if you prefer not to provide your email.

4. Validate that pods were properly deployed and are in 'ready' state:

kubectl get pods -n appsec-apisix

5. Create an open-appsec policy resource:

   Run the following command to create the "open-appsec-best-practice-policy" in K8s:(Note that this example policy is already preconfigured to prevent attacks)

kubectl apply -f https://raw.githubusercontent.com/openappsec/openappsec/main/config/k8s/v1beta1/open-appsec-k8s-prevent-config-v1beta1.yaml

(You can also create your own custom policy, here you find all the details.)

6. Find out the name of your relevant ingress resource which you want to protect:

kubectl get ing -A

7. Edit the ingress resource:

kubectl edit ing/<ingress name> -n <ingress namespace>

8. Change the ingressClassname to use open-appsec:

spec: ingressClassName: appsec-apisix

9. Add this annotation to the ingress resource to activate open-appsec for this ingress by specifying the desired open-appsec policy custom resource:

openappsec.io/policy: open-appsec-best-practice-policy

10. Let’s see if the standalone configuration works by accessing it:

curl -s -v -G --data-urlencode email=user@domain.abc http://[YOUR-INGRESS-HOSTNAME]

11. Now let’s try to simulate an SQL injection attack against the httpin.org service exposed by the APISIX gateway container which is now protected by open-appsec:

curl -s -v -G --data-urlencode email=user@domain.abc' OR '1'='1 http://[YOUR-INGRESS-HOSTNAME]

Replace [YOUR-INGRESS-HOSTNAME] in the command above with the hostname you set in the ingress resource which you protected with open-appsec WAF in the earlier steps, also change “http” to “https” if required.

Congratulations, you successfully deployed APISIX integrated with open-appsec WAF and verified that your web services exposed by the APISIX Gateway are now protected against attacks.

How to manage your open-appsec WAF deployment centrally

If you'd like you can also manage your open-appsec WAF deployment (integrated with APISIX) centrally using the open-appsec WebUI (SaaS Service) available at https://my.openappsec.io, by connecting the open-appsec agent to a deployment profile in the central WebUI.

You can alternatively continue to manage your deployment locally, but still connect to a central WebUI profile in “Declarative mode” so that you will be able to see the local configuration (read-only) in the WebUI.

Alongside the configuration of open-appsec the WebUI allows you to also see much more information like the status of deployed open-appsec agents, security logs, dashboards and more.

Below you can find some screenshots of the WebUI.

For instructions how to do this see the open-appsec docs available at https://docs.openappsec.io.

Summary

In this blog we explained how open-appsec can integrate with APISIX Gateway on all of the following: regular Linux-based deployments, containerized deployments (Docker) and also Kubernetes environments. Following the deployment steps for APISIX with open-appsec WAF we simulated an SQL injection attack, which was effectively prevented by open-appsec’s machine learning-based WAF technology. Additionally, it was explained, what the benefits are of connecting to open-appsec central WebUI for managing, monitoring, log analysis and reporting.

We hope these new integrations will prove very useful to enhance the security of your APISIX API gateway and its exposed Web APIs and Web applications with open-appsec machine learning-based WAF and we welcome you to contact us if you have any feedback, questions or might face some technical challenge that you want us to assist with. You can reach the open-appsec team via the chat on https://www.openappsec.io or via email to: info@openappsec.io 

open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It simplifies maintenance as there is no threat signature upkeep and exception handling, like common in many WAF solutions.

To learn more about how open-appsec works, see this White Paper and the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.