Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions ai-edge/proxy-waf.mdx
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
---
title: "HTTPProxy and WAF Capabilities"

Check warning on line 2 in ai-edge/proxy-waf.mdx

View check run for this annotation

Mintlify / Mintlify Validation (datum-4926dda5) - vale-spellcheck

ai-edge/proxy-waf.mdx#L2

Did you really mean 'HTTPProxy'?
description: "Reference overview of the HTTPProxy and TrafficProtectionPolicy resources that make up Datum's AI Edge."

Check warning on line 3 in ai-edge/proxy-waf.mdx

View check run for this annotation

Mintlify / Mintlify Validation (datum-4926dda5) - vale-spellcheck

ai-edge/proxy-waf.mdx#L3

Did you really mean 'HTTPProxy'?
---

Datum's AI Edge consists of two resources that work together:
Expand All @@ -12,17 +12,17 @@

---

## HTTPProxy

Check warning on line 15 in ai-edge/proxy-waf.mdx

View check run for this annotation

Mintlify / Mintlify Validation (datum-4926dda5) - vale-spellcheck

ai-edge/proxy-waf.mdx#L15

Did you really mean 'HTTPProxy'?

The `HTTPProxy` resource handles Layer 7 routing and request processing. It supports hostname routing, path and header matching, redirects, rewrites, CORS, header manipulation, traffic mirroring, and TLS configuration to origin.

Check warning on line 17 in ai-edge/proxy-waf.mdx

View check run for this annotation

Mintlify / Mintlify Validation (datum-4926dda5) - vale-spellcheck

ai-edge/proxy-waf.mdx#L17

Did you really mean 'hostname'?

### Inspect the Schema
### Inspect the schema

```bash
datumctl explain httpproxy --recursive
```

### List and Inspect Proxies
### List and inspect proxies

```bash
# List all proxies
Expand All @@ -32,7 +32,7 @@
datumctl get httpproxy <name> --namespace default -o yaml
```

### Feature Reference
### Feature reference

```text
HTTPProxy
Expand Down Expand Up @@ -84,13 +84,13 @@

The `TrafficProtectionPolicy` resource provides application-layer security using the OWASP Core Rule Set. It attaches to the `gateway.networking.k8s.io/v1 HTTPRoute` that NSO creates from an `HTTPProxy` (using the same name), scoping the WAF to that proxy's traffic. Use `sectionName` to target a specific named rule.

### Inspect the Schema
### Inspect the schema

```bash
datumctl explain trafficprotectionpolicy --recursive
```

### List and Inspect WAF Policies
### List and inspect WAF policies

```bash
# List all WAF policies
Expand All @@ -100,7 +100,7 @@
datumctl get trafficprotectionpolicy <name> --namespace default -o yaml
```

### Feature Reference
### Feature reference

```text
TrafficProtectionPolicy
Expand Down Expand Up @@ -136,11 +136,11 @@

**Paranoia levels** control how aggressively rules are applied. Higher levels catch more threats but increase false-positive risk. Separate levels can be set for detection (logging) and blocking.

**`samplingPercentage`** controls what fraction of traffic is evaluated by the WAF. Useful for gradual rollout or high-throughput environments.

Check warning on line 139 in ai-edge/proxy-waf.mdx

View check run for this annotation

Mintlify / Mintlify Validation (datum-4926dda5) - vale-spellcheck

ai-edge/proxy-waf.mdx#L139

Did you really mean 'rollout'?

---

## Next Steps
## Next steps

- [Path-Based Routing](/ai-edge/path-routing) — Route requests to different backends by URL path
- [HTTP Basic Authentication](/ai-edge/basic-auth) — Add username/password protection to a route
Expand Down
24 changes: 12 additions & 12 deletions ai-edge/waf-configuration.mdx
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
---
title: "WAF Configuration with TrafficProtectionPolicy"
description: "Enable and configure the Coraza OWASP WAF for a Datum AI Edge using TrafficProtectionPolicy."

Check warning on line 3 in ai-edge/waf-configuration.mdx

View check run for this annotation

Mintlify / Mintlify Validation (datum-4926dda5) - vale-spellcheck

ai-edge/waf-configuration.mdx#L3

Did you really mean 'Coraza'?
---

This guide shows how to attach and configure a Web Application Firewall (WAF) to a Datum `HTTPProxy` using a `TrafficProtectionPolicy` resource.

When NSO reconciles an `HTTPProxy`, it creates a `gateway.networking.k8s.io/v1 HTTPRoute` with the same name and namespace. The `TrafficProtectionPolicy` targets this `HTTPRoute` — targeting the `HTTPProxy` directly is not supported.

Check warning on line 8 in ai-edge/waf-configuration.mdx

View check run for this annotation

Mintlify / Mintlify Validation (datum-4926dda5) - vale-spellcheck

ai-edge/waf-configuration.mdx#L8

Did you really mean 'namespace'?

The WAF is powered by [Coraza](https://www.coraza.io/) and the OWASP Core Rule Set (CRS). It inspects HTTP requests and responses for common attack patterns including SQL injection, XSS, and other OWASP Top 10 threats.

Expand All @@ -17,7 +17,7 @@

1. Creates a `TrafficProtectionPolicy` in `Observe` mode to baseline traffic without blocking
2. Reviews detected violations
3. Transitions to `Enforce` mode once the ruleset is tuned

Check warning on line 20 in ai-edge/waf-configuration.mdx

View check run for this annotation

Mintlify / Mintlify Validation (datum-4926dda5) - vale-spellcheck

ai-edge/waf-configuration.mdx#L20

Did you really mean 'ruleset'?

<Note>
WAF policies default to `Observe` mode when `mode` is not specified. Always start in `Observe` mode before enforcing — this prevents unexpected blocking of legitimate traffic.
Expand All @@ -39,9 +39,9 @@

---

## Configuration Steps
## Configuration steps

### Step 1: Set Variables
### Step 1: Set variables

#### Windows (PowerShell)

Expand All @@ -63,7 +63,7 @@

---

### Step 2: Apply WAF in Observe Mode
### Step 2: Apply WAF in observe mode

Start by attaching the WAF in `Observe` mode. Violations are logged but traffic is not blocked.

Expand Down Expand Up @@ -123,7 +123,7 @@

---

### Step 3: Verify Policy Attachment
### Step 3: Verify policy attachment

```bash
datumctl get trafficprotectionpolicy $WAF_NAME \
Expand All @@ -134,7 +134,7 @@

---

### Step 4: Switch to Enforce Mode
### Step 4: Switch to enforce mode

After observing traffic and confirming no false positives, switch the mode to `Enforce`.

Expand Down Expand Up @@ -194,9 +194,9 @@

---

## Configuration Reference
## Configuration reference

### Paranoia Levels
### Paranoia levels

Paranoia level controls how aggressively the CRS applies rules. Higher levels catch more threats but increase false-positive risk.

Expand All @@ -211,7 +211,7 @@

---

### Score Thresholds
### Score thresholds

The OWASP CRS uses anomaly scoring — each rule match adds to a running score. The request is blocked when the score exceeds the threshold.

Expand All @@ -224,7 +224,7 @@

---

### Rule Exclusions
### Rule exclusions

Use rule exclusions to suppress specific rules causing false positives. Exclusions apply globally to the policy.

Expand All @@ -243,7 +243,7 @@

---

### Targeting a Specific Rule (sectionName)
### Targeting a specific rule (sectionName)

Check warning on line 246 in ai-edge/waf-configuration.mdx

View check run for this annotation

Mintlify / Mintlify Validation (datum-4926dda5) - vale-spellcheck

ai-edge/waf-configuration.mdx#L246

Did you really mean 'sectionName'?

By default, a `TrafficProtectionPolicy` applies to the entire `HTTPProxy`. To scope it to a single named rule, use `sectionName`:

Expand All @@ -261,7 +261,7 @@

## Verification

### Test with a Known Attack Pattern
### Test with a known attack pattern

Send a request containing a SQL injection pattern to confirm the WAF detects it:

Expand Down Expand Up @@ -305,7 +305,7 @@

---

## Best Practices
## Best practices

- Always start in `Observe` mode and run for at least a few days of representative traffic before enforcing
- Set `detection` one level higher than `blocking` to preview the impact of stricter rules before applying them
Expand All @@ -319,6 +319,6 @@

- WAF policies use `kind: TrafficProtectionPolicy` at `networking.datumapis.com/v1alpha`
- `mode` defaults to `Observe` — always confirm before assuming enforcement is active
- `ruleSets[].type` must be `OWASPCoreRuleSet` — it is currently the only supported ruleset type

Check warning on line 322 in ai-edge/waf-configuration.mdx

View check run for this annotation

Mintlify / Mintlify Validation (datum-4926dda5) - vale-spellcheck

ai-edge/waf-configuration.mdx#L322

Did you really mean 'ruleset'?
- `targetRefs` must use `group: gateway.networking.k8s.io` and `kind: HTTPRoute` — NSO creates an `HTTPRoute` with the same name as the `HTTPProxy`; use `sectionName` to scope to a single route rule
- Start with paranoia level 1 blocking, level 2 detection, and OWASP default score thresholds (5/4)