
MEIER-327: Add WAF protection and Docker GHA build caching#21

Merged
andymeierdev merged 3 commits into main from
andymeierdev/MEIER-327/add-waf-and-docker-gha-caching
Mar 24, 2026

Conversation

@andymeierdev
Collaborator

Summary

Adds two infrastructure improvements ported from the andymeier project:

WAF Protection (pulumi/src/cloudflare/waf.ts)

New Cloudflare custom firewall ruleset that blocks common vulnerability scanner paths and file extensions. This includes:

  • Sensitive dotfiles/directories: .env, .git, .aws, .ssh, .terraform
  • CMS/framework probes: WordPress, phpMyAdmin, xmlrpc
  • Admin/server management paths: /admin, /cgi-bin, /actuator, /solr, /telescope, /vendor
  • Credential/config probes: /credentials, /known_hosts, sendgrid, codecommit
  • Dangerous file extensions: .php, .asp, .jsp, .cgi, .yml, .xml, .bak, .rb

Docker GHA Build Caching (pulumi/src/docker/image.ts)

When running in GitHub Actions (detected via GITHUB_ACTIONS env var), Docker builds now use GitHub's cache backend for layer caching:

  • cacheFrom pulls from GHA cache
  • cacheTo pushes all layers (Max mode) with ignoreError: true for resilience

This should significantly speed up CI Docker builds after the first run. Locally, caching is a no-op.
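The WAF rule and the GHA cache settings described in the summary, as an added TypeScript example that is not code from this PR or from the fsharp-view-engine repository (`pulumi/src/cloudflare/waf.ts` and `pulumi/src/docker/image.ts` are not reproduced here). It builds a Cloudflare custom-rule expression from the probe categories the summary lists, mirrors that rule locally so the substring behaviour of `contains` can be checked against a site's own paths before a `pulumi up`, and returns the `cacheFrom`/`cacheTo` shape the preview shows. Assumptions: the names `WafRule`, `toCloudflareExpression`, `isBlocked`, `falsePositives` and `ghaBuildCache` are this example's own; the probe lists are a subset of the summary's categories; the exception set and the `lower()` wrapper are additions the PR's rule does not have; the sample paths are constructed; the local matcher approximates the Cloudflare operators `contains`, `ends_with` and `in`, it is not Cloudflare's engine.

```typescript
// Added example: not code from this PR or from pulumi/src/cloudflare/waf.ts /
// pulumi/src/docker/image.ts. Every identifier below is this example's own.

interface WafRule {
  pathProbes: string[];        // compared with `contains` (substring anywhere in the path)
  blockedExtensions: string[]; // compared with `ends_with`
  exceptions: string[];        // exact paths never to block (an addition; not in the PR's rule)
}

// Subset of the categories in the PR summary, plus an exception list of
// legitimate files that happen to share a blocked extension.
const scannerRule: WafRule = {
  pathProbes: [
    "/.env", "/.git", "/.aws", "/.ssh", "/.terraform",
    "/wp-admin", "/xmlrpc", "/phpmyadmin",
    "/admin", "/cgi-bin", "/actuator", "/solr", "/telescope", "/vendor",
    "/credentials", "/known_hosts", "sendgrid", "codecommit",
  ],
  blockedExtensions: [".php", ".asp", ".jsp", ".cgi", ".yml", ".xml", ".bak", ".rb"],
  exceptions: ["/sitemap.xml", "/robots.txt"],
};

const quote = (s: string): string => JSON.stringify(s);
const endsWith = (s: string, suffix: string): boolean =>
  s.length >= suffix.length && s.slice(s.length - suffix.length) === suffix;

// Cloudflare Rules-language expression for phase http_request_firewall_custom.
// lower() makes the comparison case-insensitive; the PR's own rule compares the
// raw http.request.uri.path, which is case-sensitive.
function toCloudflareExpression(rule: WafRule): string {
  const field = "lower(http.request.uri.path)";
  const terms = rule.pathProbes
    .map(p => `(${field} contains ${quote(p.toLowerCase())})`)
    .concat(rule.blockedExtensions.map(e => `(${field} ends_with ${quote(e.toLowerCase())})`))
    .join(" or ");
  if (rule.exceptions.length === 0) return terms;
  const allow = rule.exceptions.map(quote).join(" "); // `in {...}` takes space-separated literals
  return `(not (http.request.uri.path in {${allow}})) and (${terms})`;
}

// Local approximation of the expression (substring, suffix, exact set) for a
// pre-deployment check; it is not Cloudflare's matching engine.
function isBlocked(rule: WafRule, path: string): boolean {
  if (rule.exceptions.indexOf(path) !== -1) return false;
  const p = path.toLowerCase();
  return rule.pathProbes.some(probe => p.indexOf(probe.toLowerCase()) !== -1)
      || rule.blockedExtensions.some(ext => endsWith(p, ext.toLowerCase()));
}

// Which of the site's own paths the rule would also block (collateral damage).
function falsePositives(rule: WafRule, legitimatePaths: string[]): string[] {
  return legitimatePaths.filter(p => isBlocked(rule, p));
}

interface BuildCache {
  cacheFrom: { gha: { scope: string } }[];
  cacheTo: { gha: { scope: string; mode: "max" | "min"; ignoreError: boolean } }[];
}

// docker-build Image cacheFrom/cacheTo as the preview shows them, enabled only
// when GitHub Actions sets GITHUB_ACTIONS=true; locally both lists stay empty.
function ghaBuildCache(env: { [name: string]: string | undefined }, scope = "buildkit"): BuildCache {
  if (env.GITHUB_ACTIONS !== "true") return { cacheFrom: [], cacheTo: [] };
  return {
    cacheFrom: [{ gha: { scope } }],
    cacheTo: [{ gha: { scope, mode: "max", ignoreError: true } }],
  };
}

// Constructed sample: a few paths a real site serves, run through the rule.
const sitePaths = ["/.github/workflows/ci.yml", "/assets/vendor.bundle.js",
                   "/feed.xml", "/sitemap.xml", "/about"];
console.log(toCloudflareExpression(scannerRule));
console.log("site paths the rule would block:", falsePositives(scannerRule, sitePaths));
```

The local check is where the value is: with `contains`, the probe `/.git` also matches `/.github/workflows/ci.yml`, `/vendor` matches a bundled `/assets/vendor.bundle.js`, and the `.xml` suffix catches `/feed.xml`; only the explicit exception keeps `/sitemap.xml` reachable. Run the matcher over the site's real route list before the ruleset goes to `prod`, and tighten a probe to `starts_with` or `eq` where the substring form is too broad.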

@github-actions

github-actions bot commented Mar 24, 2026

🍹 preview on fsharp-view-engine/prod

Pulumi report

View in Pulumi Cloud

  Previewing update (prod)

View Live: https://app.pulumi.com/meiermade/fsharp-view-engine/prod/previews/ceddddcf-d858-4b49-a745-c1a9d85a92da

pulumi:pulumi:Stack: (same)
  [urn=urn:pulumi:prod::fsharp-view-engine::pulumi:pulumi:Stack::fsharp-view-engine-prod]
  ~ docker-build:index:Image: (update)
      [id=sha256:7dce1dac725cac480a57d3912a6d0747a6e506fead31a37c5d0e1cf2750b1959]
      [urn=urn:pulumi:prod::fsharp-view-engine::docker-build:index:Image::fsharpviewengine]
    + cacheFrom  : [
    +     [0]: {
            + disabled: false
            + gha     : {
                + scope: "buildkit"
              }
            + raw     : ""
          }
      ]
    + cacheTo    : [
    +     [0]: {
            + disabled: false
            + gha     : {
                + ignoreError: true
                + mode       : "max"
                + scope      : "buildkit"
              }
            + raw     : ""
          }
      ]
    ~ context    : {
        ~ location: "C:\\Users\\ameier\\repos\\github\\meiermade\\FSharp.ViewEngine\\sln" => "/home/runner/work/FSharp.ViewEngine/FSharp.ViewEngine/sln"
      }
    - contextHash: "497c795efc4aab38aa21d6d2683e809f0801012dc7b035ae14b8669a2f022d91"
    ~ dockerfile : {
        ~ location: "C:\\Users\\ameier\\repos\\github\\meiermade\\FSharp.ViewEngine\\sln\\Dockerfile" => "/home/runner/work/FSharp.ViewEngine/FSharp.ViewEngine/sln/Dockerfile"
      }
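Review bot: `cacheTo` pairs `mode: "max"` with `ignoreError: true`, so a failed cache export is swallowed and the next job simply builds uncached with nothing in the logs to explain the slowdown; fine as a resilience default, but consider a workflow step that warns when the export did not happen. Separately, the `context` and `dockerfile` `location` diff shows absolute per-machine paths recorded in state (`C:\Users\ameier\...` versus `/home/runner/work/...`), so alternating a local `pulumi up` with the CI apply will report this Image as updated on every run.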
  ~ cloudflare:index/zeroTrustTunnelCloudflaredConfig:ZeroTrustTunnelCloudflaredConfig: (update)
      [id=29a22278-9fe7-4d10-a3a4-69834d0dffc0]
      [urn=urn:pulumi:prod::fsharp-view-engine::cloudflare:index/zeroTrustTunnelCloudflaredConfig:ZeroTrustTunnelCloudflaredConfig::fsharpviewengine]
    ~ config: {
        ~ ingresses: [
            ~ [0]: {
                      hostname: "fsharpviewengine.meiermade.com"
                    ~ service : "http://fsharpviewengine.fsharpviewengine.svc.cluster.local:80" => "http://localhost:80"
                  }
              [1]: {
                      service: "http_status:404"
                  }
          ]
      }
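Review bot: the tunnel ingress `service` changes from `http://fsharpviewengine.fsharpviewengine.svc.cluster.local:80` to `http://localhost:80`, which the PR summary does not mention; confirm this is intended rather than drift between the environment that last applied the stack and the CI runner, because it changes where cloudflared forwards traffic for fsharpviewengine.meiermade.com.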
  ~ kubernetes:apps/v1:Deployment: (update)
      [id=fsharpviewengine/fsharpviewengine]
      [urn=urn:pulumi:prod::fsharp-view-engine::kubernetes:apps/v1:Deployment::fsharpviewengine]
    ~ spec: {
        ~ template: {
            ~ spec: {
                ~ containers: [
                    ~ [0]: {
                            ~ image: "us-east1-docker.pkg.dev/meiermade-platform/platform/fsharpviewengine:latest@sha256:ec195b7211e17d82d42127323d1e9ef89fc8f77395da67b66d5b188fd6b3c5dc" => [unknown]
                          }
                  ]
              }
          }
      }
  + cloudflare:index/ruleset:Ruleset: (create)
      [urn=urn:pulumi:prod::fsharp-view-engine::cloudflare:index/ruleset:Ruleset::fsharpviewengine-waf]
      kind  : "zone"
      name  : "Block vulnerability scanners"
      phase : "http_request_firewall_custom"
      rules : [
          [0]: {
              action     : "block"
              description: "Block common vulnerability scanner paths and file extensions"
              enabled    : true
              expression : "(http.request.uri.path contains \"/.env\") or (http.request.uri.path contains \"/.git\") or (http.request.uri.path contains \"/.aws\") or (http.request.uri...."
              ref        : "block_scan_probes"
          }
      ]
      zoneId: "1d09a5f3c5efd0a617f98a9ac32abfc4"
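Review bot: the expression uses `contains` for the path probes, so `"/.git"` also matches `/.github/...` and `/.gitignore`, and the summary's `/admin` and `/vendor` probes match any path containing those substrings (a bundled `vendor.js`, for example); consider `starts_with` or `eq` for the probes that should only match at the path root, and an exception set (`not (http.request.uri.path in {...})`) for legitimate `.xml`/`.yml` files such as a sitemap. `contains` is also case-sensitive on the raw field, so `/.ENV` passes unless the field is wrapped in `lower()`.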
Resources:
  + 1 to create
  ~ 3 to update
  4 changes. 6 unchanged
  

@andymeierdev andymeierdev merged commit acc2fa2 into main Mar 24, 2026
2 checks passed
@andymeierdev andymeierdev deleted the andymeierdev/MEIER-327/add-waf-and-docker-gha-caching branch March 24, 2026 15:37
