Resolved

    raywalker (@raywalker)

    We’re running Wordfence on Kubernetes in GKE, where the WordPress file system is not persistent between deployments but recreated in the container for every release.

    The problem is that the wflogs directory is recreated for each pod on deploy, causing Wordfence to revert to ‘learning’ mode for seven days. As our release cycle is approximately seven days, Wordfence’s application firewall is therefore never functional unless we were to manually enable it after every deployment. As we’re currently managing approximately 120 installations, this is too cumbersome to be a real solution.

    A workaround using NFS persistence with ReadWriteMany was trialled but not adequately performant.

    Can you suggest a workaround for this use-case? Is there any way to persist WAF rules and configuration to a KV store such as redis? Or perhaps a Wordfence API call, or wp-cli function which can enable firewall rules in CI?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hey @raywalker,

    My apologies for the delayed response here, I spoke with the developer and thought I had replied.

    Their best recommendation is to use WP-CLI to enable the WAF on each deploy. You’ll need to set the constant below or the changes to the config won’t be allowed via CLI.

    wp eval "define('WFWAF_ALWAYS_ALLOW_FILE_WRITING',true); wfConfig::save(array('wafStatus'=>'enabled'));"

    I hope this helps.

    Thanks,

    Gerroald

    Thread Starter raywalker

    (@raywalker)

    Thanks Gerroald,

    This solution appears to work for a single pod. Unfortunately this seems to work only for the pod in which the command is executed and doesn’t affect all pods sharing a common DB. It also must be reapplied whenever pods are rescheduled, restarted, or the deployment scaled out. We’re running multiple pods for HA / performance and autoscaling according to load.

    We can workaround by applying this on container start, but is there any way to store this configuration option that will persist in the above scenarios?

    Hi @raywalker,

    This has been an issue for multiple users who are hosting their website on instances such as Amazon’s Elastic Beanstalk, GAE, or GKE.

    There is a feature ticket that will move wflogs out of the file system and into the database. (Internal Ref: #FB6963) This will allow hosts which use instances instead of mutable file systems to work with Wordfence.

    So unfortunately right now, there is no way to store a persistent option for this setup.

    Dave

    Thread Starter raywalker

    (@raywalker)

    Okay thanks for the update Dave. We’ve applied the workaround on container start and it does the job for now.
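
    The following is an added example, not code from this thread or from Wordfence, showing how Gerroald's WP-CLI one-liner can be applied on container start as raywalker describes. It wraps the image entrypoint, retries while the database service comes up, verifies the result, and only then hands off to the web server. The environment variable names (WP_PATH, WF_MAX_TRIES, WF_SLEEP, WF_ENTRYPOINT), the WordPress path, and the use of wfConfig::get('wafStatus') to read the setting back are assumptions for illustration; the `wp eval`, `wp core is-installed`, `--path` and `--allow-root` invocations are standard WP-CLI.

```shell
#!/bin/sh
# Added example (not from the thread or from Wordfence): a container entrypoint
# wrapper that re-applies the WP-CLI one-liner on every pod start, so a
# rescheduled or scaled-out pod does not come up with the WAF in learning mode.
#
# Assumptions (hypothetical names, adjust for your image):
#   WP_PATH        - where WordPress lives in the container
#   WF_MAX_TRIES   - how many times to retry while the DB service comes up
#   WF_SLEEP       - seconds between retries
#   WF_ENTRYPOINT  - set to 1 when this script is the image entrypoint
#   wfConfig::get('wafStatus') is assumed to read back the value the save wrote.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"
WF_MAX_TRIES="${WF_MAX_TRIES:-30}"
WF_SLEEP="${WF_SLEEP:-2}"

# PHP that `wp eval` runs. The constant must be defined before the save or
# Wordfence refuses config writes from the CLI (the point made in the thread).
wf_enable_php() {
    printf '%s' "define('WFWAF_ALWAYS_ALLOW_FILE_WRITING', true); wfConfig::save(array('wafStatus' => 'enabled'));"
}

# Run WP-CLI against the site. --allow-root because entrypoints commonly run as
# root before the web server drops privileges.
wf_wp() {
    wp --path="$WP_PATH" --allow-root "$@"
}

# Current WAF status as Wordfence reports it; empty if WordPress is not reachable yet.
wf_status() {
    wf_wp eval "echo wfConfig::get('wafStatus');" 2>/dev/null || true
}

# Enable the WAF, retrying while the database (a separate Service in GKE) starts.
# Returns 0 once the status reads "enabled", 1 if we give up.
wf_enable() {
    tries=0
    while [ "$tries" -lt "$WF_MAX_TRIES" ]; do
        tries=$((tries + 1))
        if wf_wp core is-installed >/dev/null 2>&1; then
            wf_wp eval "$(wf_enable_php)" >/dev/null 2>&1 || true
            if [ "$(wf_status)" = "enabled" ]; then
                echo "wordfence: WAF enabled after $tries attempt(s)" >&2
                return 0
            fi
        fi
        sleep "$WF_SLEEP"
    done
    echo "wordfence: WAF still not enabled after $WF_MAX_TRIES attempts" >&2
    return 1
}

# As entrypoint: enable in the background so a slow DB does not delay the web
# server, then hand off to the image's original command (e.g. apache2-foreground).
if [ "${WF_ENTRYPOINT:-0}" = "1" ]; then
    wf_enable &
    exec "$@"
fi
```

    Used as `ENTRYPOINT ["/wf-entrypoint.sh"]` with `WF_ENTRYPOINT=1` in the pod spec, this runs in every container, which is what the per-pod behaviour raywalker observed requires: the WAF's runtime state lives in the pod's ephemeral wflogs directory, so nothing applied in one pod carries over to another. The retry loop matters because in GKE the database is usually a separate Service that may not accept connections at the instant the container starts.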

    Hi,
    I have been searching for a solution to use Wordfence on multiple servers, too.
    How about using a Redis-based filesystem like this?
    https://github.com/MatthiasWinkelmann/redis-fs

  • The topic ‘WAF rules in a stateless environment’ is closed to new replies.