Hi Lasha,
Let me firstly refer directly to the list you provided:
- SSL configuration with TLSv1.3 and specific ciphers.
Fully supported starting from v14.4.
- Client certificate validation.
Fully supported.
- Detailed proxy settings and header manipulations.
I don't know exactly what you mean by "detailed proxy settings". If you mean routing the request to multiple backend microservices based on the request URL, then this is supported in Reverse Proxy rules. Header manipulations are not supported on WAF Gateway, but they are supported on Cloud WAF.
- Access and error logging configurations.
Access log is not supported. A log entry (Security Event) can be generated in case of a security violation (like detecting malicious activity).
- Specific location block for /payments with custom proxy settings.
The specific location can be blocked by security rule and the specific URL/prefix can be routed to specific backend service with Reverse Proxy rules.
- Security directives like hiding server tokens and limiting methods.
Yes, this is fully supported.
Please note that Imperva WAF Gateway is a WAF solution. The primary goal is to block malicious attempts to attack the application, not to implement Ingress Controller functions, hence customers usually do not replace NGINX with our WAF solution. We do have an Envoy (Istio) integration to be able to add WAF functionalities to Ingress Controller/Service Mesh deployments. Moreover, we do plan to support Nginx integration soon.
------------------------------
Bartosz Chmielewski
SE
Imperva
------------------------------
Original Message:
Sent: 11-17-2023 04:17
From: Lasha Lomjaria
Subject: Replace NGINX (without load balancing) with Imperva's on-prem WAF
Hello Imperva Community,
I am exploring the possibility of replacing our current NGINX setup with an on-premises WAF solution and would appreciate your insights on this matter. Below is a summary of our current NGINX configuration:
# Configuration Highlights
- SSL configuration with TLSv1.3 and specific ciphers.
- Client certificate validation.
- Detailed proxy settings and header manipulations.
- Access and error logging configurations.
- Specific location block for /payments with custom proxy settings.
- Security directives like hiding server tokens and limiting methods.
Given this setup, my question is: Can an on-premises WAF from Imperva fully replace this NGINX configuration, particularly with respect to SSL/TLS handling, client certificate validation, and the detailed proxy and header settings we currently have in place?
Additionally, how would the Imperva WAF handle the following aspects:
- Complex SSL/TLS setups and client authentication.
- Detailed access control and logging.
- Proxying requests with specific header modifications.
- Security measures like method restriction and server information obfuscation.
I am particularly interested in understanding any limitations or additional considerations that may be relevant in transitioning to an on-prem WAF solution.
Thank you in advance!
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Lasha Lomjaria
Cybersecurity engineer
Green Systems LLC
Tbilisi
------------------------------
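The NGINX configuration sketched in the "Configuration Highlights" list of the original message, written out as an added illustrative example (not the poster's real config; hostnames, certificate paths and upstream names are assumptions), so each directive can be matched against the capabilities discussed in the reply:

```nginx
# Constructed example of the configuration described in the post above; all
# hostnames, certificate paths and upstream names are assumptions.
upstream app_backend      { server 10.0.0.10:8080; }
upstream payments_backend { server 10.0.0.20:8443; }

server {
    listen 443 ssl;
    server_name www.example.com;

    # Hide the version string in the Server header and on error pages
    server_tokens off;

    # TLS 1.3 only. TLS 1.3 suites are set via ssl_conf_command (nginx >= 1.19.4
    # with OpenSSL 1.1.1+); ssl_ciphers only governs TLS 1.2 and below, so it is
    # irrelevant once TLSv1.3 is the sole enabled protocol.
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols       TLSv1.3;
    ssl_conf_command    Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;

    # Client certificate validation (mutual TLS): the client cert must chain to this CA
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # Logging: per-request access log plus error log at warn level
    access_log /var/log/nginx/www.access.log combined;
    error_log  /var/log/nginx/www.error.log warn;

    # Default proxy settings with header manipulation and method restriction
    location / {
        limit_except GET POST HEAD { deny all; }
        proxy_pass http://app_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_hide_header X-Powered-By;   # strip the upstream's framework fingerprint
    }

    # Dedicated location for /payments with its own proxy settings
    location /payments {
        limit_except POST { deny all; }
        proxy_pass https://payments_backend;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_read_timeout            10s;
        proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;   # pass the mTLS identity upstream
    }
}
```

Of these, the reply above indicates that the per-request access_log and the proxy_set_header / proxy_hide_header manipulations are the parts WAF Gateway would not take over, while TLS 1.3, client certificate validation, URL-based routing, method restriction and server-token hiding are covered.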