security: add tenant allowlist and WAF canary proof

2026-06-18 16:21:08 -05:00
parent bd050c3d9b
commit 9cef99739a
5 changed files with 90 additions and 8 deletions
--- a/apps-gx10/fc-tenant-andrew/configmap-andrew-web-nginx-conf.json
+++ b/apps-gx10/fc-tenant-andrew/configmap-andrew-web-nginx-conf.json
@@ -1,8 +1,8 @@
 {
  "apiVersion": "v1",
  "data": {
-    "default.conf": "server {\n    listen 80;\n    server_name _;\n    root /usr/share/nginx/html;\n    index index.html;\n    location / { try_files $uri $uri/ =404; }\n    location /healthz { access_log off; return 200 \"ok\"; add_header Content-Type text/plain; }\n}\n"
-  },
+    "default.conf": "server {\n    listen 80;\n    server_name _;\n    root /usr/share/nginx/html;\n    index index.html;\n    location / { try_files $uri $uri/ =404; }\n    location = /lamp-canary/index.php { add_header Content-Type text/plain; return 200 \"lamp-index-ok\\n\"; }\n    location = /lamp-canary/wp-login.php { add_header Content-Type text/plain; return 200 \"wp-login-ok\\n\"; }\n    location = /lamp-canary/mediawiki/index.php { add_header Content-Type text/plain; return 200 \"mediawiki-ok\\n\"; }\n    location = /admin-allowlist-proof { add_header Content-Type text/plain; return 200 \"admin-allowlist-ok\\n\"; }\n    location /healthz { access_log off; return 200 \"ok\"; add_header Content-Type text/plain; }\n}\n"
+  },
  "kind": "ConfigMap",
  "metadata": {
    "name": "andrew-web-nginx-conf",
--- a/apps-gx10/fc-tenant-andrew/deployment-andrew-web.json
+++ b/apps-gx10/fc-tenant-andrew/deployment-andrew-web.json
@@ -24,12 +24,15 @@
      },
      "type": "RollingUpdate"
    },
-    "template": {
-      "metadata": {
-        "labels": {
-          "app": "andrew-web"
-        }
-      },
+    "template": {
+      "metadata": {
+        "annotations": {
+          "flowercore.io/config-revision": "whc4-lamp-allowlist-20260618"
+        },
+        "labels": {
+          "app": "andrew-web"
+        }
+      },
      "spec": {
        "containers": [
          {
--- a/apps-gx10/fc-tenant-andrew/ingressroute-andrew-web.json
+++ b/apps-gx10/fc-tenant-andrew/ingressroute-andrew-web.json
@@ -30,6 +30,31 @@
            "port": 8080
          }
        ]
+      },
+      {
+        "kind": "Rule",
+        "match": "(Host(`bluejay.dev`) || Host(`www.bluejay.dev`)) && PathPrefix(`/admin-allowlist-proof`)",
+        "middlewares": [
+          {
+            "name": "andrew-admin-ip-allowlist",
+            "namespace": "fc-tenant-andrew"
+          },
+          {
+            "name": "andrew-tenant-rate-limit",
+            "namespace": "fc-tenant-andrew"
+          },
+          {
+            "name": "andrew-tenant-secure-headers",
+            "namespace": "fc-tenant-andrew"
+          }
+        ],
+        "priority": 300,
+        "services": [
+          {
+            "name": "andrew-web-waf",
+            "port": 8080
+          }
+        ]
      }
    ],
    "tls": {
--- a/apps-gx10/fc-tenant-andrew/middleware-andrew-admin-ip-allowlist.json
+++ b/apps-gx10/fc-tenant-andrew/middleware-andrew-admin-ip-allowlist.json
@@ -0,0 +1,15 @@
+{
+  "apiVersion": "traefik.io/v1alpha1",
+  "kind": "Middleware",
+  "metadata": {
+    "name": "andrew-admin-ip-allowlist",
+    "namespace": "fc-tenant-andrew"
+  },
+  "spec": {
+    "ipAllowList": {
+      "sourceRange": [
+        "10.0.56.14/32"
+      ]
+    }
+  }
+}