Configuration Using Local Policy File
When using open-appsec for NGINX or Kong on Linux the configuration can be done in a declarative way using a single YAML file which holds all the relevant configuration objects. This way it is fully compatible for integration in GitOps CD-based processes.
Alternatively management can also soon be done centrally via the open-appsec WebUI (SaaS) (will be added soon!).
The default location of the declarative configuration file is here:
You can show and edit the full default declarative configuration file with the following command:
The default policy within the default configuration file, which is created during the installation, contains the following setting which sets the mode to
detect-learnfor all web resources provided by the NGINX or Kong Gateway:
If you want attacks instead to be prevented by default for all web resources you can change this as follows:
policies.specific-rulesallows you to create specific rule entries for specific hostnames, hostname-path combinations or paths which override the default policy.
It is recommended that once sufficient confidence was gained in
detect-learnmode that you add specific rules in the
policies.specific-rulessection for those hostnames, hostname-path combinations or paths for which you want to switch to
prevent-learnmode, see following example:
- host: "www.my-specific-host.com/my-specific-path"
Here you can also customize many other settings like selecting the logging configuration, the threat prevention practices configuration or selecting a custom-response like a specific response code or a custom block page. Note that these settings are all configured by referencing other elements which are defined separately in the configuration file as well, so that you can reuse them multiple times in a kind of object-oriented way.
On the next page you find the full description for the different configuration sections and elements that can be part of the declarative configuration file: