MEIER-354: Add Serilog with OpenTelemetry sink and harden WAF rules

pulumi/src/cloudflare/tunnel.ts

@@ -16,7 +16,7 @@ new cloudflare.ZeroTrustTunnelCloudflaredConfig(config.identifier, {
         ingresses: [
             {
                 hostname: `${config.identifier}.${config.cloudflareConfig.zoneName}`,
-                service: 'http://localhost:80'
+                service: 'http://localhost:5000'
             },
             {
                 service: 'http_status:404'

pulumi/src/cloudflare/waf.ts

@@ -3,48 +3,59 @@ import { provider } from './provider'
 import * as config from '../config'
 import { zone } from './zone'
 
+// Use lower(url_decode()) to normalize both case and percent-encoding.
+// Scanners use mixed case (e.g. /ReAcT/.EnV) and URL encoding (e.g. %2F)
+// to bypass WAF rules. Cloudflare does NOT decode reserved chars like %2F
+// during standard normalization, so url_decode() is required.
+const p = 'lower(url_decode(http.request.uri.path))'
+
 const expression = [
     // Sensitive dotfiles and directories
-    '(http.request.uri.path contains "/.env")',
-    '(http.request.uri.path contains "/.git")',
-    '(http.request.uri.path contains "/.aws")',
-    '(http.request.uri.path contains "/.ssh")',
-    '(http.request.uri.path contains "/.terraform")',
+    `(${p} contains "/.env")`,
+    `(${p} contains "/.git")`,
+    `(${p} contains "/.aws")`,
+    `(${p} contains "/.ssh")`,
+    `(${p} contains "/.terraform")`,
 
     // CMS and framework probes
-    '(http.request.uri.path contains "/wp-")',
-    '(http.request.uri.path contains "/wordpress")',
-    '(http.request.uri.path contains "/xmlrpc")',
-    '(http.request.uri.path contains "/phpMyAdmin")',
-    '(http.request.uri.path contains "/phpmyadmin")',
-    '(http.request.uri.path contains "/pma")',
+    `(${p} contains "/wp-")`,
+    `(${p} contains "/wordpress")`,
+    `(${p} contains "/xmlrpc")`,
+    `(${p} contains "/phpmyadmin")`,
+    `(${p} contains "/pma")`,
 
     // Admin and server management
-    '(http.request.uri.path contains "/admin")',
-    '(http.request.uri.path contains "/cgi-bin")',
-    '(http.request.uri.path contains "/actuator")',
-    '(http.request.uri.path contains "/solr")',
-    '(http.request.uri.path contains "/telescope")',
-    '(http.request.uri.path contains "/vendor")',
-    '(http.request.uri.path contains "/invoker")',
-    '(http.request.uri.path contains "/balancer-manager")',
+    `(${p} contains "/admin")`,
+    `(${p} contains "/cgi-bin")`,
+    `(${p} contains "/actuator")`,
+    `(${p} contains "/solr")`,
+    `(${p} contains "/telescope")`,
+    `(${p} contains "/vendor")`,
+    `(${p} contains "/invoker")`,
+    `(${p} contains "/balancer-manager")`,
+    `(${p} contains "/login")`,
 
     // Credential and config probes
-    '(http.request.uri.path contains "/credentials")',
-    '(http.request.uri.path contains "/known_hosts")',
-    '(http.request.uri.path contains "sendgrid")',
-    '(http.request.uri.path contains "codecommit")',
-    '(http.request.uri.path contains "/env.cfg")',
+    `(${p} contains "/credentials")`,
+    `(${p} contains "/known_hosts")`,
+    `(${p} contains "sendgrid")`,
+    `(${p} contains "codecommit")`,
+    `(${p} contains "/env.cfg")`,
+    `(${p} contains "/api/config")`,
+    `(${p} contains "/careers_not_hosted")`,
 
     // Dangerous file extensions
-    '(http.request.uri.path contains ".php")',
-    '(http.request.uri.path contains ".asp")',
-    '(http.request.uri.path contains ".jsp")',
-    '(http.request.uri.path contains ".cgi")',
-    '(http.request.uri.path contains ".yml")',
-    '(http.request.uri.path contains ".xml")',
-    '(http.request.uri.path contains ".bak")',
-    '(http.request.uri.path contains ".rb")',
+    `(${p} contains ".php")`,
+    `(${p} contains ".asp")`,
+    `(${p} contains ".jsp")`,
+    `(${p} contains ".cgi")`,
+    `(${p} contains ".yml")`,
+    `(${p} contains ".xml")`,
+    `(${p} contains ".bak")`,
+    `(${p} contains ".rb")`,
+
+    // Env file variants (with dots in name like .env.sample, .env.prod)
+    `(${p} contains ".env.")`,
 ].join(' or ')
 
 new cloudflare.Ruleset(`${config.identifier}-waf`, {

pulumi/src/config.ts

@@ -26,3 +26,9 @@ const rawK8sConfig = new pulumi.Config('k8s')
 export const k8sConfig = {
     namespace: rawK8sConfig.require('namespace'),
 }
+
+const rawSeqConfig = new pulumi.Config('seq')
+
+export const seqConfig = {
+    endpoint: rawSeqConfig.require('endpoint'),
+}

pulumi/src/k8s/deployment.ts

@@ -11,7 +11,8 @@ let appConfigMap = new k8s.core.v1.ConfigMap(config.identifier, {
     },
     immutable: true,
     data: {
-        SERVER_URL: 'http://0.0.0.0:5000'
+        SERVER_URL: 'http://0.0.0.0:5000',
+        SEQ_ENDPOINT: config.seqConfig.endpoint,
     }
 }, { provider })
 

sln/paket.dependencies

@@ -11,3 +11,7 @@ nuget FSharp.Core
 nuget Giraffe.ViewEngine
 nuget Feliz.ViewEngine
 nuget Oxpecker.ViewEngine
+nuget Serilog
+nuget Serilog.AspNetCore
+nuget Serilog.Sinks.Console
+nuget Serilog.Sinks.OpenTelemetry