115 questions
0 votes | 1 answer | 64 views
How best to update a cloudarmor rule using pulumi
We're using pulumi to manage our cloudarmor (WAF) solution.
When attempting to edit a rule, even with deleteBeforeReplace: true, we get the error:
CommandError: code: -2
stdout:
stderr: ...
0 votes | 1 answer | 100 views
Assign both backend- and edge-security-policy to an ingress
We use a Google Cloud CDN.
How can we assign both backend- and edge-security-policy to that CDN via helm?
It can be done via gcp-web-console: Assign the same Backend-Service as target to both Cloud ...
0 votes | 1 answer | 89 views
Structuring a GCP service to restrict access to a cloud run group by incoming hostname
I'm building a service where clients add a JS snippet to their sites. This then communicates with a REST API I host.
The API will be served via a container running on Google Cloud Run.
I plan to put ...
0 votes | 1 answer | 170 views
Error using GCP CloudArmor "inIPRange" operator in Terraform
Using GCP CloudArmor and Terraform, I need to allow the request when the host header is "myhost" and the origin IP is "X.X.X.X/32". I have this configuration:
resource "...
1 vote | 2 answers | 2k views
How to allow/block multiple IPs in GCP Cloud Armor?
I have a use case that requires creating policies to allow or block traffic based on a set of public IP addresses. From the GCP Cloud Armor console, I read that a single Cloud Armor policy only allows ...
0 votes | 1 answer | 318 views
SQL Character Anomaly Detection Error in OWASP CRS with next-auth Callback URL via Google Cloud Armor
I am encountering an error related to the OWASP Core Rule Set (CRS) when working with the next-auth library for authentication in my application. The error message is as follows:
Signature: owasp-crs-...
1 vote | 1 answer | 248 views
reCAPTCHA cookie is not being passed for subdomains, only the domain where the reCAPTCHA is being set
Domains are fictional :)
I have a website hosted at: app.sunsetland.com.au
In that website, on one page I <embed> another website which is hosted at subdomain.sunsetland.com.au
Our GCP Cloud ...
-1 votes | 2 answers | 293 views
Cloud Armour policy
Team,
Looking to lock down external load balancer from CDN CIDR EdgeLocation IPs.
I was able to create the policy in Cloud Armour to allow only the CIDR ranges from CDN and was able to see the ...
0 votes | 1 answer | 495 views
How do I disable HTTP OPTIONS method for a static website hosted in a GCP bucket?
I have a static website hosted in a GCP bucket with an external Application Load Balancer to route the traffic. And I need to disable the HTTP OPTIONS method based on the advice from a vulnerability ...
0 votes | 1 answer | 749 views
How can I avoid false positives from user supplied text?
What should we be doing to handle false positives? Our users like to submit form text data which is occasionally denied by our Cloud Armor WAF.
Here is an example value submitted in the POST payload:
...
0 votes | 2 answers | 1k views
Does External Passthrough Network LoadBalancer support BackendConfig Configuration from GKE?
I have deployed the Nginx Controller via External Passthrough LoadBalancer in GCP. I want to attach a Cloud Armor Security Policy to the LoadBalancer. According to the BackendConfig documentation it ...
0 votes | 1 answer | 616 views
Regex pattern match is not working with Google Cloud Armor Security Policy
I am trying to implement rate limiting for GET and POST for the same API call. The only difference between the two requests is the extra ID we are passing with POST.
GET /rest/v1/add
POST /rest/v1/add/some-...
0 votes | 1 answer | 149 views
Can I combine recaptcha challenge key and recaptcha session key with Google Cloud Armor?
Has anyone managed to combine recaptcha challenge key and recaptcha session key within the same cloud armor, and make both types work on the same page.
I can only associate one reCAPTCHA Enterprise ...
0 votes | 0 answers | 101 views
Cloud Armor Ban duration inconsistency
I have set up a Cloud Armor rule to deny requests coming from the same IP after n attempts. My config is given below:
rules config
I ran jmeter to hit the api continuously with 1 req per second.
start time -...
1 vote | 1 answer | 666 views
Cloud Armor with GKE to restrict access to Ingress
We are implementing Cloud Armor policies with GKE to restrict access to Ingress and allow only IP ranges whitelisted in armor policies.
Steps followed:
Created a cloud armor policy to whitelist ...
0 votes | 0 answers | 633 views
Cloud Armor request.path.startsWith lets traffic bypass randomly
In Google Cloud Armor I have multiple rules (+50). Below is the one with the lowest priority number. It is based on the bad_path URI example in the Cloud Armor documentation:
request.path.startsWith('/api/foo')
...
1 vote | 1 answer | 423 views
How to add targets (GKE Nodes) to Google Cloud Armor through Terraform?
resource "google_compute_security_policy" "my_security_policy" {
  name    = "my-security-policy"
  project = var.project_id
  # Whitelist rule for your specific IP address
  ...
1 vote | 1 answer | 2k views
How to add a GCP Cloud Armor rule that blocks "?" in urls?
I am trying to add a rule in a Cloud Armor security policy to block requests when the request path has a question mark after the root address.
I understand that "?" marks the end of the ...
1 vote | 0 answers | 302 views
How to integrate Cloud Armor with Firebase host domain
We have hosted our static content in Firebase Hosting. I want to use Cloud Armor in front of it so that I would be able to restrict the IPs accessing the domain. Could anyone share any info related to ...
0 votes | 1 answer | 2k views
What is libinjection, and why does it only catch things on prod?
I have a backend python app running on Google Cloud Run. There are also a few sql injection rules placed in my load balancer / network security.
Here was my original WAF rule:
evaluatePreconfiguredWaf(...
0 votes | 0 answers | 1k views
Cloud armor rules not working as expected, how can I see errors?
could you help me?
I have a website running on App Engine, and I have configured Load Balancer and Cloud Armor.
LB is working but Cloud Armor apparently isn't.
I created the Rules according to the WAF,...
0 votes | 0 answers | 88 views
Establish accessibility of a web app in the GKE cluster from the internal network (VPN)
I want to have a URL for my web app that is running in GKE and that is only accessible from a specific VPN.
The web application should be accessible via HTTPS, i.e. valid certificates are configured ...
1 vote | 1 answer | 1k views
Add Cloud Armor To Cross-Project Backend Services
I have an external regional load balancer running on a shared VPC in project A and have backend services attached to it from project B and C. I would like to add Cloud Armor to my Cross-project ...
2 votes | 2 answers | 456 views
How to integrate Cloud Armor with Kong?
I'm looking to integrate Cloud Armor with Kong to enhance security in my setup.
Did some research but couldn't find anything like that apart from someone having the same issue, namely
create a kong ...
1 vote | 1 answer | 2k views
How to apply rate-based throttling in Google Cloud Armor for a specific URL?
I want to apply rate-based throttling using Google Cloud Armor. In the configuration for rules, there is a match parameter but that is for matching the IP ranges. I could not find a way to filter and ...
1 vote | 1 answer | 143 views
How to enforce rate limiting for an IP that received 403 errors repeatedly in a Security Policy in Google Cloud?
I want to enforce rate limiting (throttling) if an IP has repeatedly faced 403 errors, on the edge, using Google Cloud Armor.
I have been able to enforce rate-based limiting/throttling for any IP that ...
1 vote | 1 answer | 416 views
How to verify XFF_IP is from a known Proxy or CDN while enforcing key in Google Cloud Armor Security Policy?
I'm currently working on a project where I want to apply rate limiting at the load balancer level to each user's IP address. The idea is to throttle any user that crosses a certain request limit in a ...
0 votes | 1 answer | 548 views
How to view and configure log retention of Security Policies in Google Cloud Armor?
What is the retention for logs generated by Google Cloud Armor - Security Policies and Adaptive Protection?
The Request Logging Official Documentation states that Google Cloud Armor logs are part of ...
0 votes | 1 answer | 110 views
What is the minimum value for `interval_sec` and maximum value for `count` while configuring a rule for Security Policy in Google Cloud Armor?
While setting Rate Limit options to set rate-based throttling, the official documentation does not state the minimum value for interval_sec and the maximum value for count.
In the Google Cloud Console,...
2 votes | 1 answer | 624 views
How to implement rate based throttling per client determined by IP, in Google Cloud Armor?
I have created a rule and attached it to a policy that throttles requests based on the rate limit I set:
rules=[
    gcp.compute.SecurityPolicyRuleArgs(
        action="throttle",
        ...
1 vote | 0 answers | 78 views
Unable to attach a rule to a security policy in Google Cloud Armor using Pulumi
I want to attach a rate-based throttling rule to a security policy, all via Pulumi, in Google Cloud Armor, on Google Cloud Platform.
I am facing an error:
Diagnostics:
gcp:compute:SecurityPolicy (...
0 votes | 2 answers | 126 views
Redirect to Google Captcha after an X amount of req/seconds is hit
Currently we have a Cloud Armor protected backend, and this site is doing around 150 req/second across all visitors. We would like to make a WAF rule when the amount of requests is for e.g. 300 req/...
0 votes | 1 answer | 1k views
Global external Application Load Balancer IP Block List
We use the new Google Cloud Global external Application Load Balancer in combination with Cloud Armor and Cloud Run.
Our public price APIs are target of automated crawler requests, so we collected a ...
0 votes | 1 answer | 504 views
Google Cloud Armor options with Network load balancer
I am working with Google Network Load balancer hosting an application. I need to enable Cloud Armor security policies for the NLB backend as target. I am currently using the Standard tier of Cloud ...
1 vote | 0 answers | 385 views
Cloud Armor targets for policy disappear
We're experiencing a strange behaviour since about 10 days ...
I had some targets for my Cloud Armor policy correctly working since 2 years.
Last week I saw that my backends are worldwide available... ...
0 votes | 1 answer | 298 views
If I implement a load balancer to have my domain, how do I block the automatically generated URL for my API gateway?
I am implementing security for my Cloud Run services through an API Gateway NEG and a load balancer.
I need to block the automatically generated URL for my API gateway so that they only access my services ...
0 votes | 1 answer | 1k views
Load Balancer: Inspecting traffic a specific cloud armor WAF rule is denying
Got a simple HTTPS Load Balancer with a backend security policy defined in Cloud Armor assigned to its backend. The security policy is a list of the Cloud Armor WAF rules at differing sensitivity ...
0 votes | 1 answer | 553 views
Cloud Armor rule for allowing traffic between API and Application on same load balancer
I have an Angular application hosted on App Engine and a FastAPI server hosted on Compute Engine both served via a single loadbalancer (separate host URLs, say demo-app.com and demo-api.com ...
2 votes | 2 answers | 655 views
Cloud Armor + Recaptcha with domain validation
I'm trying to configure reCAPTCHA Enterprise with WAF using Cloud Armor (with action tokens), but I have a problem: the Cloud Armor rule that validates the token/score never gets triggered if the ...
1 vote | 2 answers | 847 views
Terraform GCP Security Policy throwing "An argument named "enforce_on_key_configs" is not expected here."
I am writing Terraform scripts for the security policy (GCP Cloud Armor) for an already existing policy "cloudarmor". I did import using terraform import, but when I try to run the terraform ...
1 vote | 1 answer | 1k views
Is it possible to set a rate limiting rule along preconfigured WAF rules for the same backend service in Cloud Armor?
I have a policy for a backend service with several preconfigured WAF rules. Also there is a rate limiting rule. If I set the preconfigured WAF rules with higher priority, it will only evaluate those ...
-3 votes | 1 answer | 138 views
How to programmatically set the GCP Cloud Armor Managed Protection to Plus tier?
(https://i.sstatic.net/GF2ck.png)
I'm trying to write a script (In any language) that demonstrates the clicking of the "CHANGE TO PLUS TIER" button.
I can't find any libraries with commands ...
-1 votes | 1 answer | 3k views
Where does Cloud Armor start protecting from the set rules? (in this case SQLi)
I currently set up Load Balancing w/ Cloud Armor.
Here's my rule set (basically from the docs):
evaluatePreconfiguredExpr('xss-v33-stable',
['owasp-crs-v030301-id941101-xss',
'owasp-crs-v030301-...
2 votes | 3 answers | 2k views
Google Cloud Armor for Firebase Hosting
I'm getting unwanted traffic in a website hosted in Firebase Hosting.
I know this because my Google Analytics instance shows countries that should not be there (we don't ship international orders). ...
0 votes | 1 answer | 1k views
Add x-rate-limit response headers to the load balancer
I configured a Cloud Armor rate limiting rule and I would like to attach the following custom response headers to my global external HTTP(S) load balancer backend.
x-ratelimit-limit: The maximum ...
0 votes | 1 answer | 597 views
GCP external load balancer port blocking
I have a GCP setup with an external HTTPS load balancer and backend services with a serverless NEG. In front of the load balancer there is another cloud WAF. My requirement is, when we block all IP ranges ...
0 votes | 2 answers | 269 views
Allow HTTP requests from front-end GKE app in GCloud Armor WAF
I'm configuring GCloud Armor to restrict access to my API, which is deployed in GKE behind an ingress.
Some of the requests come directly from the front-end, which is also deployed in the GKE cluster ...
0 votes | 1 answer | 265 views
Is there any Google API to check and count the number of Armor policy rules defined under a project? I have to count the number of custom rules
Is there any Google API to check and count the number of Armor policy rules defined under a project? I have to count the number of custom rules so that once it crosses the quota limit, that is 20, then it ...
1 vote | 1 answer | 2k views
Setting up Cloud Armor for load balancer/static website in Storage Bucket
I recently set up a Storage Bucket to serve a static website within the Google Cloud Platform. Costs were rising for a few days, so I looked into what was causing this. I looked into Logging and found ...
0 votes | 1 answer | 173 views
GCP Cloud Armor deny main domain https://mma.mydomain.com/
Is there a way to deny the https://mma.mydomain.com/ main domain and allow the below web services in GCP Cloud Armor?
1. https://mma.mydomain.com/v1/teststudio/developer - POST
2. https://mma.mydomain.com/...