Ingress-NGINX

Based on our custom NGINX version, this Kubernetes ingress controller provides the same advanced security features in containerized environments.

Overview

Ingress-NGINX is a Kubernetes-native ingress controller that brings all the advanced security features of Arxignis NGINX to containerized environments. It provides seamless integration with Kubernetes while maintaining enterprise-grade security capabilities.

Best For

• Kubernetes deployments
• Containerized applications
• Cloud-native architectures
• Microservices environments
• CI/CD pipelines

Features

• All features from Arxignis NGINX
• Kubernetes-native deployment and management
• Helm chart support for easy installation
• Automatic scaling and load balancing
• Integration with Kubernetes security policies
• JA4 Fingerprinting: Native TLS client fingerprinting support
• ModSecurity 3.0.14 WAF integration
• OpenTelemetry integration for observability

Requirements

System Requirements

• Kubernetes: Version 1.25 or higher
• Helm: Version 3.0 or higher
• Storage: Persistent volume support
• Memory: Minimum 512MB RAM per pod
• CPU: Minimum 100m CPU per pod

External Services

• Arxignis API Key: Get your API key from arxignis.com
• Domain: A domain you control and can configure DNS for
• OpenTelemetry Provider (Optional): For metrics collection

Installation

Helm Installation

Add the Repository

helm repo add arxignis https://charts.arxignis.com
helm repo update

Install the Ingress Controller

helm install arxignis-ingress arxignis/ingress-nginx \
  --namespace ingress-nginx \
  --create-namespace \
  --set controller.image.repository=ghcr.io/arxignis/nginx:1.0 \
  --set controller.image.tag=latest

Custom Configuration

helm install arxignis-ingress arxignis/ingress-nginx \
  --namespace ingress-nginx \
  --create-namespace \
  --set controller.image.repository=ghcr.io/arxignis/nginx:1.0 \
  --set controller.image.tag=latest \
  --set controller.config.ARXIGNIS_API_KEY=your-api-key \
  --set controller.config.ARXIGNIS_MODE=block \
  --set controller.config.JA4_ENABLED=true

Manual Deployment

kubectl apply -f https://raw.githubusercontent.com/arxignis/ingress-nginx/main/deploy/static/provider/baremetal/deploy.yaml

Values Configuration

Create a values.yaml file for custom configuration:

controller:
  image:
    repository: ghcr.io/arxignis/nginx
    tag: "1.0"

  config:
    # Arxignis configuration
    ARXIGNIS_API_KEY: "your-api-key"
    ARXIGNIS_API_URL: "https://api.arxignis.com/v1"
    ARXIGNIS_MODE: "block"
    JA4_ENABLED: "true"

    # Captcha configuration
    ARXIGNIS_CAPTCHA_SITE_KEY: "your-site-key"
    ARXIGNIS_CAPTCHA_SECRET_KEY: "your-secret-key"
    ARXIGNIS_CAPTCHA_PROVIDER: "recaptcha"

    # JA4 configuration
    ja4_enabled: "on"
    ja4_log_level: "info"
    ja4_log_format: "detailed"

    # ModSecurity configuration
    modsecurity: "on"
    modsecurity_rules_file: "/etc/nginx/modsec/main.conf"

  # Resource limits
  resources:
    requests:
      memory: "512Mi"
      cpu: "100m"
    limits:
      memory: "1Gi"
      cpu: "500m"

  # Service configuration
  service:
    type: LoadBalancer
    ports:
      http: 80
      https: 443

  # Ingress class
  ingressClassResource:
    name: arxignis
    enabled: true
    default: true

Configuration

Ingress Annotations

Basic Arxignis Protection

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    kubernetes.io/ingress.class: arxignis
    nginx.ingress.kubernetes.io/arxignis-enabled: "true"
    nginx.ingress.kubernetes.io/arxignis-mode: "block"
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-service
            port:
              number: 80

JA4 Fingerprinting

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    kubernetes.io/ingress.class: arxignis
    nginx.ingress.kubernetes.io/arxignis-enabled: "true"
    nginx.ingress.kubernetes.io/ja4-enabled: "true"
    nginx.ingress.kubernetes.io/ja4-log-level: "info"
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-service
            port:
              number: 80

ModSecurity WAF

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    kubernetes.io/ingress.class: arxignis
    nginx.ingress.kubernetes.io/modsecurity-enabled: "true"
    nginx.ingress.kubernetes.io/modsecurity-snippet: |
      SecRule REQUEST_HEADERS:User-Agent "@contains bot" \
        "id:1001,phase:1,block,msg:'Bot detected'"
spec:
  rules:
  - host: myapp.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-service
            port:
              number: 80

ConfigMap Configuration

Create a ConfigMap for advanced configuration:

apiVersion: v1
kind: ConfigMap
metadata:
  name: arxignis-config
  namespace: ingress-nginx
data:
  nginx.conf: |
    http {
        # JA4 configuration
        ja4_enabled on;
        ja4_log_level info;
        ja4_log_format detailed;

        # ModSecurity configuration
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        # Arxignis configuration
        lua_shared_dict arxignis_cache 200m;
        lua_shared_dict arxignis_queue 50m;

        # Custom log formats
        log_format ja4 '$remote_addr - $remote_user [$time_local] '
                       '"$request" $status $body_bytes_sent '
                       '"$http_referer" "$http_user_agent" '
                       'ja4="$ja4_hash" ja4s="$ja4s_hash"';
    }

Advanced Configuration

Custom ModSecurity Rules

Create a ConfigMap with custom ModSecurity rules:

apiVersion: v1
kind: ConfigMap
metadata:
  name: modsecurity-rules
  namespace: ingress-nginx
data:
  custom-rules.conf: |
    # Custom ModSecurity rules
    SecRule REQUEST_HEADERS:User-Agent "@contains bot" \
        "id:1001,phase:1,block,msg:'Bot detected'"

    SecRule REQUEST_URI "@contains /admin" \
        "id:1002,phase:1,block,msg:'Admin access blocked'"

JA4 Analytics Configuration

apiVersion: v1
kind: ConfigMap
metadata:
  name: ja4-config
  namespace: ingress-nginx
data:
  ja4.conf: |
    # JA4 detailed logging
    log_format ja4_detailed '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent" '
                           'ja4="$ja4_hash" ja4s="$ja4s_hash" '
                           'ja4_raw="$ja4_raw" ja4s_raw="$ja4s_raw"';

    # Enable JA4 for specific paths
    map $uri $ja4_enabled {
        ~^/api/ 1;
        default 0;
    }

OpenTelemetry Integration

apiVersion: v1
kind: ConfigMap
metadata:
  name: otel-config
  namespace: ingress-nginx
data:
  otel-collector.yaml: |
    receivers:
      otlp:
        protocols:
          grpc:
            endpoint: 0.0.0.0:4317
          http:
            endpoint: 0.0.0.0:4318

    processors:
      batch:

    exporters:
      logging:
        loglevel: debug
      otlp:
        endpoint: http://jaeger:14250
        tls:
          insecure: true

    service:
      pipelines:
        traces:
          receivers: [otlp]
          processors: [batch]
          exporters: [logging, otlp]

Monitoring and Analytics

Prometheus Metrics

The ingress controller exposes Prometheus metrics:

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-metrics
  namespace: ingress-nginx
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "10254"
spec:
  ports:
  - name: metrics
    port: 10254
    targetPort: 10254
  selector:
    app.kubernetes.io/name: ingress-nginx

Grafana Dashboard

Import the Grafana dashboard for comprehensive monitoring:

apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-dashboard
  namespace: monitoring
data:
  arxignis-dashboard.json: |
    {
      "dashboard": {
        "title": "Arxignis Ingress Controller",
        "panels": [
          {
            "title": "Request Rate",
            "type": "graph",
            "targets": [
              {
                "expr": "rate(nginx_ingress_controller_requests[5m])"
              }
            ]
          }
        ]
      }
    }

JA4 Analytics

Monitor JA4 fingerprinting data:

apiVersion: v1
kind: ConfigMap
metadata:
  name: ja4-analytics
  namespace: ingress-nginx
data:
  ja4-analytics.yaml: |
    # JA4 analytics configuration
    analytics:
      enabled: true
      retention: 30d
      export:
        format: json
        destination: s3://ja4-analytics/

Scaling and Performance

Horizontal Pod Autoscaler

apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: ingress-nginx-hpa
  namespace: ingress-nginx
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: ingress-nginx-controller
  minReplicas: 2
  maxReplicas: 10
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 80

Resource Optimization

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  template:
    spec:
      containers:
      - name: controller
        resources:
          requests:
            memory: "512Mi"
            cpu: "100m"
          limits:
            memory: "2Gi"
            cpu: "1000m"
        env:
        - name: ARXIGNIS_CACHE_SIZE
          value: "500m"
        - name: ARXIGNIS_WORKER_PROCESSES
          value: "auto"

Troubleshooting

Common Issues

Kubernetes Compatibility

• Version Check: Verify Kubernetes version compatibility
• RBAC: Ensure proper permissions are configured
• Network Policies: Check network policy restrictions

Helm Chart Issues

• Chart Version: Check chart version compatibility
• Values Validation: Validate values.yaml configuration
• Dependencies: Ensure all dependencies are installed

Debug Mode

Enable debug logging:

apiVersion: v1
kind: ConfigMap
metadata:
  name: debug-config
  namespace: ingress-nginx
data:
  nginx.conf: |
    error_log /var/log/nginx/error.log debug;

    http {
        ja4_log_level debug;

        # ModSecurity debug
        SecDebugLog /var/log/nginx/modsec_debug.log
        SecDebugLogLevel 9
    }

Log Analysis

# View controller logs
kubectl logs -n ingress-nginx deployment/ingress-nginx-controller

# View JA4 logs
kubectl logs -n ingress-nginx deployment/ingress-nginx-controller | grep ja4

# View ModSecurity logs
kubectl logs -n ingress-nginx deployment/ingress-nginx-controller | grep modsec

FAQ

Use Helm with 'helm install arxignis-ingress arxignis/ingress-nginx' or apply the deployment YAML manually. Ensure your Kubernetes version is 1.25 or higher for compatibility.

Yes, you can run multiple ingress controllers by using different ingress classes. Set the ingress class to 'arxignis' for routes that need Arxignis protection.

Use the 'nginx.ingress.kubernetes.io/ja4-enabled' annotation on your ingress resources to enable JA4 fingerprinting for specific routes.

The performance impact is minimal with proper resource allocation. Use HPA for automatic scaling and configure resource limits based on your traffic patterns.

Use Prometheus metrics, Grafana dashboards, and OpenTelemetry integration. The controller exposes comprehensive metrics for monitoring and alerting.

Yes, use the 'nginx.ingress.kubernetes.io/modsecurity-snippet' annotation to add custom ModSecurity rules for specific ingress resources.

License

This project is licensed under the terms specified in the LICENSE file.

Contributing

Contributions are welcome! Please read the contributing guidelines before submitting pull requests.

---

For more information, visit arxignis.com or join our Discord community.