Integrate Anubis as a WAF/Reverse Proxy to secure traffic
and challenge AI scrapers.
[ SELinux policy ]
Allow nginx to connect to UNIX socket.
Ref T2193.
Details
Details
- Reviewers
dereckson - Maniphest Tasks
- T2193: Investigate Anubis
- Commits
- rOPS8e97c6834d3b: Deploy Anubis for DevCentral
Initial proof of concept verified on Dwellers.
Tests for production:
- Anubis service starts and populates socket
- Sockets permissions are correct
- It's possible to connect to the socket and get challenge, then site
- Bot policies correctly filter and challenge traffic via curl tests
- nginx redirects correctly to Anubis instead of the site directly
Diff Detail
Diff Detail
- Repository
- rOPS Nasqueron Operations
- Lint
Lint Not Applicable - Unit
Tests Not Applicable
Event Timeline
There are a very large number of changes, so older changes are hidden. Show Older Changes
This comment was removed by ptdradmin.
| pillar/paas/docker/docker-002/main.sls | ||
|---|---|---|
| 312 ↗ | (On Diff #10126) | It's under docker_images, so make sense only if we deploy Anubis as a Docker image. (In that case, could be complicated to get the socket path) If the goal is to give a new configuration for Anubis deployed outside Docker, this pillar is fine, but we need to put it at the same level than docker_images (so one less tab) |
| 313 ↗ | (On Diff #10126) | Format is: docker_images:
<service name>:
<container name>:The container name devcentral is already used, so I guess that would be something like anubis_devcentral (but only if we use Docker) |
| roles/paas-docker/anubis.sls | ||
| 1 ↗ | (On Diff #10126) | Should be put in a roles/paas-docker/anubis/ directory. We can use:
I see we're at +- 40 lines so one file is good |
| 11 ↗ | (On Diff #10126) | That's the name of the pillar entry, so in that case, in pillar/paas/docker/docker-002/main.sls we should have something like: anubis_instances: devcentral: socket: /run/anubis/devcentral.sock policies_file: /usr/local/etc/anubis/devcentral.yaml |
| roles/paas-docker/anubis/files/env.j2 | ||
| 1 ↗ | (On Diff #10126) | Ansible convention is to use .j2 extension for Jinja2 templates. In our Salt repository, I see two conventions:
Here it would be safe to use something like "instance.env" as filename. |
| 7 ↗ | (On Diff #10126) | So we have a target key in the anubis_instances pillar. At this stage I imagine something like: anubis_instances:
devcentral:
socket: /run/anubis/devcentral.sock
policies_file: /usr/local/etc/anubis/devcentral.yaml
target: http://localhost:31080Or: anubis_instances:
devcentral:
socket: /run/anubis/devcentral.sock
policies_file: /usr/local/etc/anubis/devcentral.yaml
target:
type: docker # we ignore it for now, but in the future if we've a no Docker we can add target logic
service: phabricator
container: devcentralThe target would then be http://localhost:{{ docker_containers[config[service]][config[container]]["app_port"] }} And we automatically grab app_port from docker_containers pillar. |
| 10 ↗ | (On Diff #10126) | Same logic than app_port grabbing, but host instead |
| 15 ↗ | (On Diff #10126) | We need to provide logic to provision those two credentials into Vault. Something like in fix_anubis_devcentral.sh, but with a write in Vault to run before provisioning this. |
| 18 ↗ | (On Diff #10126) | Can we try with a UNIX socket? Like in /run/anubis/metrics/? (That's perhaps that one we didn't succeed to query) If we can do that, that will avoid to maintain a new ports table for the Anubis metrics. |
| roles/paas-docker/anubis/files/policies.yaml.j2 | ||
| 11 ↗ | (On Diff #10126) | No, no, no, we're especially heavily attacked on the files :/ |
| 14 ↗ | (On Diff #10126) | Same, they query A LOT the source code files in Diffusion. I guess the intent of the LLM is to get "public access", but our software isn't intended to be downloaded from DevCentral directly so we're good there |
| 17 ↗ | (On Diff #10126) | We're in two scenarii:
So that rule to allow all traffic isn't useful neither |
| 20 ↗ | (On Diff #10126) | Hmmmm, those aren't really annoying, the ones that are annoying are the stealth ones, the ones that masquerade themselves as legit browser traffic |
| roles/paas-docker/nginx/files/vhosts/phabricator.conf | ||
| 47 ↗ | (On Diff #10126) | |
| scripts/fix_anubis_devcentral.sh | ||
| 1 ↗ | (On Diff #10126) | Hmmm Actually, that one conflicts with everything else. For example lines 19 to 34 offers to do the job we already do with the env file above. What we would need is perhaps to document or script the keys generation part, the two openssl rand -base64 32, and write it to Vault afterwards (vault kv write). |
Comment Actions
Summary: Refactored Anubis deployment according to review feedback.
- Moved to roles/paas-docker/anubis/init.sls
- Fixed pillar indentation and schema
- Added dynamic port detection from docker_containers
- Switched metrics to UNIX socket
- Simplified provisioning script for Vault only
- Cleaned up bot policies
.
- Refactor Anubis deployment based on review feedback. Highlights: fixed pillar indentation, moved to init.sls, added dynamic port detection, and configured metrics socket.
- Updating D3908: Deploy Anubis for DevCentral #
- Enter a brief description of the changes included in this update.
- The first line is used as subject, next lines as comment. #
- If you intended to create a new revision, use:
- $ arc diff --create
:wq
^O
^X
| roles/paas-docker/nginx/files/vhosts/phabricator.conf | ||
|---|---|---|
| 47 ↗ | (On Diff #10127) | |
Comment Actions
Next step: validate the Dwellers part and ensure it matches our current configuration there.
Peering deployment between @ptdradmin and @dereckson for that activity.
| roles/paas-docker/anubis/files/instance.env | ||
|---|---|---|
| 2 | We noticed a lot of hallucinations in this template. For reference, here what we used for deck.nasqueron.org -> Orbeon in Decemmber: /etc/anubis/site.env TARGET=http://127.0.0.1:16080 POLICY_FNAME=/etc/anubis/botPolicies.yaml ED25519_PRIVATE_KEY_HEX_FILE=/etc/anubis/private.key ANUBIS_TARGET_URL seems to match expected value for TARGET ANUBIS_METRICS_ADDR seems to match expected value for METRICS_BIND | |
| roles/paas-docker/anubis/files/policies.yaml | ||
| 2 | Should be re conciliated with content in P390 currently deployed on Dwellers. | |
| roles/paas-docker/anubis/init.sls | ||
| 22 | Outside the for loop, as we can try a unique policies file to avoid repeat the same information | |
| scripts/fix_anubis_devcentral.sh | ||
| 1 ↗ | (On Diff #10480) | Can be removed, we noticed Anubis doesn't document format for the key or a way to provide one, so our best shot is to let Anubis generate one, then store it manually in Vault. Automation can be investigated later, probably by filing a bug request on Anubis tracker to get an option to generate a key (or doc to do so ourselves). |
| roles/paas-docker/anubis/files/instance.env | ||
|---|---|---|
| 2 | The two examples we've on Dwellers: name=Orbeon (service "anubis", our first test) TARGET=http://127.0.0.1:16080 POLICY_FNAME=/etc/anubis/botPolicies.yaml ED25519_PRIVATE_KEY_HEX_FILE=/etc/anubis/private.key Bar (serviceanubis-bar) TARGET=https://windriver.nasqueron.org POLICY_FNAME=/etc/anubis/botPolicies.yaml BIND=127.0.0.1:8924 METRICS_BIND=172.27.27.4:9091 ED25519_PRIVATE_KEY_HEX_FILE=/etc/anubis/private.key | |
Comment Actions
Fix Anubis deployment: unify env vars, reconcile policies with P390, and align Nginx config
| roles/paas-docker/anubis/files/instance.env | ||
|---|---|---|
| 3 | Default value is harmful here: we can't have two services listening to the same TCP port. So better to fail loudly with an error bind or metrics_bind haven't been defined in config. | |
| roles/paas-docker/anubis/files/policies.yaml | ||
| 2 | Add the usual header here. Anything in files directory should start by that template header: https://devcentral.nasqueron.org/source/snippets/browse/main/salt/file.conf (lines 1-14 are always used, lines 16-18 are only useful when we want to divide a long configuration in sections). There are several goals we want to achieve:
| |
| roles/paas-docker/nginx/files/vhosts/phabricator.conf | ||
| 47 ↗ | (On Diff #10487) | Same here, to use a default port will fail at the second missing service. To provide a default value would work only in cases where there is only one. (Also, ports 1080 8000 and 8080 are for examples non-80 ports for TCP servers, totally fine inside an isolated container, not directly on the machine host) |
Comment Actions
@ptdradmin The provisioning of /etc/anubis/private.key we added here has disappeared: https://devcentral.nasqueron.org/D3908?vs=10478&id=10480#toc
That's the code we added in live Friday evening together to fetch the private key from Vault.
to add in init.sls
/etc/anubis/private.key: file.managed: - source: salt://roles/paas-docker/anubis/files/private.key - template: jinja - context: key: {{ salt["credentials.get_password"]("anubis/" + grains["id"]) }}
We also have the template:
roles/paas-docker/anubis/files/private.key
# -------------------------------------------------------------
# Anubis private key
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# Source file: roles/paas-docker/anubis/files/private.key
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
{{ key }}Comment Actions
YAML/Jinaj Style: remove defaults to fail loudly on missing ports/bind as suggested by dereckson, plus add headers
Comment Actions
Apply dereckson feedback: add headers, remove defaults for bind/port to fail loudly if undefined
Comment Actions
Rebased. Removed comments for private key (not supported by Anubis). Provisioned systemd service template.
Comment Actions
Use web as shared group between nginx and anubis, so nginx can connect to anubis socket. Resolve target container port.