Add documentation related to modSecurity:

As customizations for modSecurity are getting exposed through auto-deploy-app, it is nice to have some details documented under autodevops.

Add documentation related to modSecurity:
As customizations for modSecurity are getting exposed through auto-deploy-app, it is nice to have some details documented under autodevops.
9bf08836 · Zamir Martins Filho · Achilleas Pipinellis · 88609947 · 9bf08836
Commit 9bf08836 authored Feb 06, 2020 by Zamir Martins Filho Committed by Achilleas Pipinellis Feb 06, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 0 deletions

doc/topics/autodevops/index.md doc/topics/autodevops/index.md +33 -0

No files found.
--- a/doc/topics/autodevops/index.md
+++ b/doc/topics/autodevops/index.md
@@ -752,6 +752,39 @@ networkPolicy:
            app.gitlab.com/managed_by: gitlab
 ```

+#### Web Application Firewall (ModSecurity) customization
+
+> [Introduced](https://gitlab.com/gitlab-org/charts/auto-deploy-app/-/merge_requests/44) in GitLab 12.8.
+
+Customization on an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) or on a deployment base is available for clusters with [ModSecurity installed](../../user/clusters/applications.md#web-application-firewall-modsecurity).
+
+To enable ModSecurity with Auto Deploy, you need to create a `.gitlab/auto-deploy-values.yaml` file in your project with the following attributes.
+
+|Attribute | Description | Default |
+-----------|-------------|---------|
+|`enabled` | Enables custom configuration for modsecurity, defaulting to the [Core Rule Set](https://coreruleset.org/) | `false` |
+|`secRuleEngine` | Configures the [rules engine](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secruleengine) | `DetectionOnly` |
+|`secRules` | Creates one or more additional [rule](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRule) | `nil` |
+
+In the following `auto-deploy-values.yaml` example, some custom settings
+are enabled for ModSecurity. Those include setting its engine to
+process rules instead of only logging them, while adding two specific
+rules which are header-based:
+
+```yaml
+ingress:
+  modSecurity:
+    enabled: true
+    secRuleEngine: "On"
+    secRules:
+      - variable: "REQUEST_HEADERS:User-Agent"
+        operator: "printer"
+        action: "log,deny,id:'2010',status:403,msg:'printer is an invalid agent'"
+      - variable: "REQUEST_HEADERS:Content-Type"
+        operator: "text/plain"
+        action: "log,deny,id:'2011',status:403,msg:'Text is not supported as content type'"
+```
+
 #### Running commands in the container

 Applications built with [Auto Build](#auto-build) using Herokuish, the default