Merge pull request #1819 from alphagov/publishing-ja3-denylist

Add a configurable JA3 denylist for publishing

terraform/projects/infra-public-wafs/README.md

@@ -53,6 +53,7 @@ No modules.
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS region | `string` | `"eu-west-1"` | no |
 | <a name="input_backend_public_base_rate_limit"></a> [backend\_public\_base\_rate\_limit](#input\_backend\_public\_base\_rate\_limit) | For the backend ALB. Number of requests to allow in a 5 minute period before rate limiting is applied. | `number` | n/a | yes |
 | <a name="input_backend_public_base_rate_warning"></a> [backend\_public\_base\_rate\_warning](#input\_backend\_public\_base\_rate\_warning) | For the backend ALB. Allows us to configure a warning level to detect what happens if we reduce the limit. | `number` | n/a | yes |
+| <a name="input_backend_public_ja3_denylist"></a> [backend\_public\_ja3\_denylist](#input\_backend\_public\_ja3\_denylist) | For the backend ALB. List of JA3 signatures for which we should block all requests. | `list(string)` | n/a | yes |
 | <a name="input_bouncer_public_base_rate_limit"></a> [bouncer\_public\_base\_rate\_limit](#input\_bouncer\_public\_base\_rate\_limit) | For the bouncer ALB. Number of requests to allow in a 5 minute period before rate limiting is applied. | `number` | n/a | yes |
 | <a name="input_bouncer_public_base_rate_warning"></a> [bouncer\_public\_base\_rate\_warning](#input\_bouncer\_public\_base\_rate\_warning) | For the bouncer ALB. Allows us to configure a warning level to detect what happens if we reduce the limit. | `number` | n/a | yes |
 | <a name="input_cache_public_base_rate_limit"></a> [cache\_public\_base\_rate\_limit](#input\_cache\_public\_base\_rate\_limit) | For the cache ALB. Number of requests to allow in a 5 minute period before rate limiting is applied. | `number` | n/a | yes |

terraform/projects/infra-public-wafs/backend_public_rule.tf

@@ -125,6 +125,47 @@ resource "aws_wafv2_web_acl" "backend_public" {
     }
   }
 
+  dynamic "rule" {
+    for_each = var.backend_public_ja3_denylist
+    iterator = signature
+
+    content {
+      name = "deny-ja3-${signature.value}"
+
+      # All rules require a unique priority, and the size of the JA3 denylist is potentially unbounded,
+      # so we add these rules to the end of the list to avoid collisions.
+      priority = 50 + signature.key
+
+      action {
+        block {}
+      }
+
+      statement {
+        byte_match_statement {
+          positional_constraint = "EXACTLY"
+          search_string         = signature.value
+
+          field_to_match {
+            ja3_fingerprint {
+              fallback_behavior = "NO_MATCH"
+            }
+          }
+
+          text_transformation {
+            type     = "NONE"
+            priority = 0
+          }
+        }
+      }
+
+      visibility_config {
+        cloudwatch_metrics_enabled = true
+        metric_name                = "deny-ja3-${signature.value}"
+        sampled_requests_enabled   = true
+      }
+    }
+  }
+
   custom_response_body {
     key     = "backend-public-rule-429"
     content = <<HTML

terraform/projects/infra-public-wafs/variables.tf

@@ -55,6 +55,11 @@ variable "backend_public_base_rate_limit" {
   description = "For the backend ALB. Number of requests to allow in a 5 minute period before rate limiting is applied."
 }
 
+variable "backend_public_ja3_denylist" {
+  type        = list(string)
+  description = "For the backend ALB. List of JA3 signatures for which we should block all requests."
+}
+
 variable "bouncer_public_base_rate_warning" {
   type        = number
   description = "For the bouncer ALB. Allows us to configure a warning level to detect what happens if we reduce the limit."