When using open-appsec for NGINX or Kong on Linux the configuration can be done in a declarative way using a single YAML file which holds all the relevant configuration objects. This way it is fully compatible for integration in GitOps CD-based processes.

Alternatively management can also soon be done centrally via the open-appsec WebUI (SaaS) (will be added soon!).

Location of the declarative configuration file

The default location of the declarative configuration file is here:

/etc/cp/policy/open-appsec.yaml

You can show and edit the full default declarative configuration file with the following command:

vi /etc/cp/policy/open-appsec.yaml

or by using the interactive CLI tool open-appsec-ctl : Using the open-appsec-ctl Tool

Basic configuration

The default policy within the default configuration file, which is created during the installation, contains the following setting which sets the mode to detect-learn for all web resources provided by the NGINX or Kong Gateway:

policies.default.mode: detect-learn

If you want attacks instead to be prevented by default for all web resources you can change this as follows:

policies.default.mode: prevent-learn

The section policies.specific-rules allows you to create specific rule entries for specific hostnames, hostname-path combinations or paths which override the default policy.

It is recommended that once sufficient confidence was gained in detect-learn mode that you add specific rules in the policies.specific-rules section for those hostnames, hostname-path combinations or paths for which you want to switch to prevent-learn mode, see following example:

policies:
  specific-rules:
  - host: "www.my-specific-host.com/my-specific-path"
    triggers:
    - appsec-default-log-trigger
    mode: prevent-learn
    practices:
    - webapp-default-practice
    custom-response: appsec-default-web-user-response

Here you can also customize many other settings like selecting the logging configuration, the threat prevention practices configuration or selecting a custom-response like a specific response code or a custom block page. Note that these settings are all configured by referencing other elements which are defined separately in the configuration file as well, so that you can reuse them multiple times in a kind of object-oriented way.

On the next page you find the full description for the different configuration sections and elements that can be part of the declarative configuration file: