WAF examples
Sources live under examples/waf/.
Audit-only (do not block)
yaml
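version: v1
port: 8080
# Safe demo: WAF runs in audit mode (log_only) so traffic is not blocked.
# NOTE(review): the nesting below was restored from a flattened listing; check
# it against the source under examples/waf/ and run `ingress validate` on it.
waf:
  enabled: true
  # Audit mode: per the comment above, requests are not blocked. Use it to
  # observe rule hits; it is not an enforcing configuration.
  log_only: true
  # presumably turns on the embedded rule set; confirm in the WAF guide
  builtin: true
rules:
  - host: waf-demo.example.com
    backend:
      service:
        # Public third-party test service, used here as a demo backend only.
        name: httpbin.org
        port: 443
        # NOTE(review): `protocol` is placed under `service` by assumption.
        protocol: https
IP deny list + custom path rule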
yaml
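version: v1
port: 8080
# Block a TEST-NET /24 from reaching the virtual host; disable embedded starters and add a custom path rule.
# NOTE(review): the nesting below was restored from a flattened listing; check
# it against the source under examples/waf/ and run `ingress validate` on it.
waf:
  enabled: true
  # With the embedded starter rules disabled, the deny list and the custom
  # rule below are the only WAF controls this file configures.
  disable_builtin: true
  deny:
    # 203.0.113.0/24 is TEST-NET-3 (RFC 5737), a documentation-only range.
    # NOTE(review): which address is compared (socket peer or a forwarded
    # header) is not shown here; confirm in the WAF guide before relying on
    # this behind a proxy or load balancer.
    - 203.0.113.0/24
  rules:
    - id: block-secret-path
      name: block literal /internal path prefix
      # NOTE(review): the name says "prefix" but the type is `contains`; if
      # that is a substring match, any path containing /internal matches.
      # Whether the path is decoded or normalised first is not shown; confirm.
      type: contains
      pattern: /internal
      targets:
        - path
rules:
  - host: waf-ip.example.com
    backend:
      service:
        # Public third-party test service, used here as a demo backend only.
        name: httpbin.org
        port: 443
        # NOTE(review): `protocol` is placed under `service` by assumption.
        protocol: https
Route-level rules[].waf overrides by rule id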
yaml
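version: v1
port: 8080
# Global custom rule "app-token" is overridden for one host (same id, different pattern).
# NOTE(review): the nesting below was restored from a flattened listing; check
# it against the source under examples/waf/ and run `ingress validate` on it.
waf:
  enabled: true
  # Embedded rules are off, so the custom rules are the only ones configured.
  disable_builtin: true
  rules:
    # Global rule; GLOBAL-SECRET looks like a placeholder pattern.
    - id: app-token
      type: contains
      pattern: GLOBAL-SECRET
      targets:
        - query
rules:
  # No route-level waf block here, so presumably the global rule applies
  # unchanged to this host; confirm in the WAF guide.
  - host: app-a.example.com
    backend:
      service:
        name: httpbin.org
        port: 443
        protocol: https
  - host: app-b.example.com
    waf:
      rules:
        # Same id as the global rule: per the comment at the top, this
        # overrides it for app-b only.
        # NOTE(review): that suggests GLOBAL-SECRET is no longer matched on
        # this host; if both patterns should apply, a distinct id may be
        # needed. Confirm the merge semantics in the WAF guide.
        - id: app-token
          type: contains
          pattern: APPB-SECRET
          targets:
            - query
    backend:
      service:
        name: httpbin.org
        port: 443
        # NOTE(review): `protocol` is placed under `service` by assumption.
        protocol: https
Validate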
bash
ingress validate -c examples/waf/log-only-audit.yaml
See the WAF guide for semantics.