WAF 示例
源代码位于 examples/waf/。
仅审计(不拦截)
yaml
# Audit-only WAF demo: one virtual host proxied to a backend on port 443,
# with WAF matches logged rather than blocked.
# NOTE(review): nesting indentation is missing from this listing as shown;
# take the real structure from the files under examples/waf/.
version: v1
port: 8080
# Safe demo: WAF runs in audit mode (log_only) so traffic is not blocked.
waf:
enabled: true
# Audit mode gives detection only: a request that matches a rule still
# reaches the backend.
# NOTE(review): presumably enforcement needs log_only turned off once the
# logged matches have been reviewed; confirm in the WAF guide.
log_only: true
# presumably switches on the bundled rule set; confirm against the WAF guide
builtin: true
# Virtual-host routes.
rules:
- host: waf-demo.example.com
backend:
service:
# httpbin.org is a public third-party service: requests sent through this
# demo, headers and bodies included, leave your network.
name: httpbin.org
port: 443
protocol: https
IP 拒绝 + 自定义路径规则
yaml
# IP deny list plus one custom path rule, with the embedded rules turned off.
# NOTE(review): nesting indentation is missing from this listing as shown;
# take the real structure from the files under examples/waf/.
# NOTE(review): log_only is not set here, so this config presumably blocks
# rather than audits; confirm the default.
version: v1
port: 8080
# Block a TEST-NET /24 from reaching the virtual host; disable embedded starters and add a custom path rule.
waf:
enabled: true
# With the embedded rules disabled, the only WAF checks visible in this file
# are the deny list and the custom rule below.
disable_builtin: true
deny:
# 203.0.113.0/24 is TEST-NET-3, a documentation range (RFC 5737); substitute
# the ranges you actually need to block.
# NOTE(review): confirm which address is compared here (socket peer or a
# forwarded-for header) when this proxy sits behind another load balancer.
- 203.0.113.0/24
# Custom WAF rules (these entries carry id/type/pattern, unlike the host
# routes further down).
rules:
- id: block-secret-path
# NOTE(review): the name says "prefix" but the rule type is `contains`;
# presumably this matches /internal anywhere in the path, not only at the
# start. Confirm which is intended.
name: block literal /internal path prefix
type: contains
pattern: /internal
# NOTE(review): confirm whether the path is normalized (percent-decoding,
# case) before the match is applied.
targets:
- path
# Virtual-host routes.
rules:
- host: waf-ip.example.com
backend:
service:
# httpbin.org is a public third-party service: requests sent through this
# demo leave your network.
name: httpbin.org
port: 443
protocol: https
路由级 rules[].waf 按规则 id 覆盖
yaml
# Per-host override demo: a global custom rule, and a route-level rule that
# reuses its id with a different pattern.
# NOTE(review): nesting indentation is missing from this listing as shown;
# take the real structure from the files under examples/waf/.
version: v1
port: 8080
# Global custom rule "app-token" is overridden for one host (same id, different pattern).
waf:
enabled: true
# With the embedded rules disabled, the custom rules in this file are the
# only WAF checks visible here.
disable_builtin: true
# Global custom WAF rules.
rules:
- id: app-token
type: contains
# Demo placeholder. Patterns sit in this file in plain text, so a real token
# value used as a pattern makes the config file itself sensitive.
pattern: GLOBAL-SECRET
targets:
- query
# Virtual-host routes.
rules:
# app-a has no waf section of its own in this listing, so only the global
# app-token rule is visible for it.
- host: app-a.example.com
backend:
service:
name: httpbin.org
port: 443
protocol: https
- host: app-b.example.com
waf:
rules:
# Same id as the global rule: per the comment at the top of this example,
# this pattern takes the place of the global one for app-b.
# NOTE(review): that presumably means GLOBAL-SECRET is no longer matched on
# this host; confirm that is intended before copying the pattern.
- id: app-token
type: contains
pattern: APPB-SECRET
targets:
- query
backend:
service:
name: httpbin.org
port: 443
protocol: https
校验
bash
ingress validate -c examples/waf/log-only-audit.yaml
详解见 WAF 指南。