Create config.yml

Update open-appsec-crd-v1beta2.yaml

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,34 @@
+---
+name: "Bug Report"
+description: "Report a bug with open-appsec"
+labels: [bug]
+---
+
+**Checklist**
+- Have you checked the open-appsec troubleshooting guides - https://docs.openappsec.io/troubleshooting/troubleshooting
+  - Yes / No
+- Have you checked the existing issues and discossions in github for the same issue
+  - Yes / No
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Run '...'
+3. See error '...'
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots or Logs**
+If applicable, add screenshots or logs to help explain the issue.
+
+**Environment (please complete the following information):**
+- open-appsec version: 
+- Deployment type (Docker, Kubernetes, etc.): 
+- OS:
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: "Documentation & FAQ"
+    url: "https://docs.openappsec.io/"
+    about: "Check the documentation before submitting an issue."
+  - name: "Feature Requests & Discussions"
+    url: "https://github.com/open-appsec/discussions"
+    about: "Please open a discussion for feature requests instead of an issue."

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,17 @@
+---
+name: "Feature Request"
+description: "Suggest a new feature or improvement"
+labels: [enhancement]
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is.
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/nginx_version_support.md

@@ -0,0 +1,17 @@
+---
+name: "Nginx Version Support Request"
+description: "Check if a specific Nginx version is supported"
+---
+
+**Nginx & OS Version:**
+Which Nginx and OS version are you using? 
+
+**Output of nginx -V**
+Share the output of nginx -v
+
+**Expected Behavior:**
+What do you expect to happen with this version?
+
+**Checklist**
+- Have you considered a docker based deployment - find more information here https://docs.openappsec.io/getting-started/start-with-docker?
+  - Yes / No

config/crds/open-appsec-crd-v1beta2.yaml

@@ -137,6 +137,10 @@ spec:
                   type: array
                   items:
                     type: object
+                    required:
+                    - mode
+                    - threatPreventionPractices
+                    - accessControlPractices
                     properties:
                       name:
                         type: string
@@ -1216,7 +1220,7 @@ spec:
     kind: PolicyActivation
     shortNames:
       - policyactivation
-
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata :

examples/juiceshop/apisix/apisix.yaml

@@ -0,0 +1,9 @@
+routes:
+  -
+    uri: /
+    upstream:
+        nodes:
+            "juiceshop-backend:3000": 1
+        type: roundrobin
+
+#END

examples/juiceshop/envoy/envoy.yaml

@@ -0,0 +1,56 @@
+static_resources:
+  listeners:
+  - name: listener_0
+    address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 80
+    filter_chains:
+    - filters:
+      - name: envoy.filters.network.http_connection_manager
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+          stat_prefix: ingress_http
+          http_filters:
+          ## The following 10 lines are required to load the envoy attachment filter for open-appsec
+          - name: envoy.filters.http.golang
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.golang.v3alpha.Config
+              library_id: cp_nano_filter
+              library_path: "/usr/lib/libenvoy_attachment.so"
+              plugin_name: cp_nano_filter
+              plugin_config:
+                "@type": type.googleapis.com/xds.type.v3.TypedStruct
+                value:
+                  prefix_localreply_body: "Configured local reply from go"
+          - name: envoy.filters.http.router
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+##
+## The following lines allow you to deploy routing of ingress traffic to the optional juice-shop example container available in the open-appsec docker-compose.yaml file.
+##
+          route_config:
+            name: local_route
+            virtual_hosts:
+            - name: local_service
+              domains: ["*"]
+              routes:
+              - match:
+                  prefix: "/"
+                route:
+                  cluster: juiceshop
+
+  clusters:
+  - name: juiceshop
+    type: STRICT_DNS
+    lb_policy: ROUND_ROBIN
+    load_assignment:
+      cluster_name: juiceshop
+      endpoints:
+      - lb_endpoints:
+        - endpoint:
+            address:
+              socket_address:
+                address: juiceshop-backend
+                port_value: 3000

examples/juiceshop/kong/kong.yml

@@ -0,0 +1,9 @@
+_format_version: "3.0"
+
+services:
+  - name: juiceshop-service
+    url: http://juiceshop-backend:3000
+    routes:
+      - name: juiceshop-route
+        paths:
+          - /

examples/juiceshop/swag/default.conf

@@ -0,0 +1,84 @@
+## Version 2024/07/16 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/site-confs/default.conf.sample
+
+# redirect all traffic to https
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# main server block
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    server_name _;
+
+    include /config/nginx/ssl.conf;
+
+#    root /config/www;
+#    index index.html index.htm index.php;
+
+    # enable subfolder method reverse proxy confs
+    include /config/nginx/proxy-confs/*.subfolder.conf;
+
+    # enable for ldap auth (requires ldap-location.conf in the location block)
+    #include /config/nginx/ldap-server.conf;
+
+    # enable for Authelia (requires authelia-location.conf in the location block)
+    #include /config/nginx/authelia-server.conf;
+
+    # enable for Authentik (requires authentik-location.conf in the location block)
+    #include /config/nginx/authentik-server.conf;
+
+    #location / {
+        # enable for basic auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+    #    try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
+    #}
+
+    location ~ ^(.+\.php)(.*)$ {
+        # enable the next two lines for http auth
+        #auth_basic "Restricted";
+        #auth_basic_user_file /config/nginx/.htpasswd;
+
+        # enable for ldap auth (requires ldap-server.conf in the server block)
+        #include /config/nginx/ldap-location.conf;
+
+        # enable for Authelia (requires authelia-server.conf in the server block)
+        #include /config/nginx/authelia-location.conf;
+
+        # enable for Authentik (requires authentik-server.conf in the server block)
+        #include /config/nginx/authentik-location.conf;
+
+        fastcgi_split_path_info ^(.+\.php)(.*)$;
+        if (!-f $document_root$fastcgi_script_name) { return 404; }
+        fastcgi_pass 127.0.0.1:9000;
+        fastcgi_index index.php;
+        include /etc/nginx/fastcgi_params;
+    }
+
+    # deny access to .htaccess/.htpasswd files
+    location ~ /\.ht {
+        deny all;
+    }
+}
+
+# enable subdomain method reverse proxy confs
+include /config/nginx/proxy-confs/*.subdomain.conf;
+# enable proxy cache for auth
+proxy_cache_path cache/ keys_zone=auth_cache:10m;

examples/juiceshop/swag/juiceshop.subfolder.conf

@@ -0,0 +1,22 @@
+location / {
+    # enable the next two lines for http auth
+    #auth_basic "Restricted";
+    #auth_basic_user_file /config/nginx/.htpasswd;
+
+    # enable for ldap auth (requires ldap-server.conf in the server block)
+    #include /config/nginx/ldap-location.conf;
+
+    # enable for Authelia (requires authelia-server.conf in the server block)
+    #include /config/nginx/authelia-location.conf;
+
+    # enable for Authentik (requires authentik-server.conf in the server block)
+    #include /config/nginx/authentik-location.conf;
+
+    include /config/nginx/proxy.conf;
+    include /config/nginx/resolver.conf;
+    set $upstream_app juiceshop-backend;
+    set $upstream_port 3000;
+    set $upstream_proto http;
+    proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+
+}