how to make Google Cloud Armor interpret recaptcha score
I have GKE applications in following setup:
- front app works on
example.com - backend app works on
api.example.com
I expose those loads via Ingress and all looks cool. I want to protect application with Cloud Armor. I added annotation to api service. I can confirm that if policy has just one rule "deny all IPs" I cannot reach backend endpoints and if I change rule to "allow all IPs" I can. So GCA itself works ok.
I tried to connect reCaptcha Enterprise and interpret it's score with Google Cloud Armor but I cannot make it work. I created following rules but whatever values I add token.recaptcha.score doesn't seem to be interpreted at all.
So in presented example I will always be blocked even if I make rule ridiculously small like "> 0.1". Front sends X-Recaptcha-Token to backend so it looks like I did everything correctly.
Only thing I'm not sure about is if this allow rule is correctly defined. GCP Logging shows that policy was applied but I don't know exactly which rule:
{
"insertId": "uxxxv",
"jsonPayload": {
"enforcedSecurityPolicy": {
"outcome": "DENY",
"configuredAction": "DENY",
"priority": 2147483647,
"name": "login-security-policy"
},
"@type": "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry",
"statusDetails": "denied_by_security_policy"
},
"httpRequest": {
"requestMethod": "OPTIONS",
"requestUrl": "https://api.example.com/v1/graphs?pageSize=10&orderBy=created_at%20desc&key=AXXXXXXE",
"requestSize": "330",
"status": 403,
"responseSize": "228",
"userAgent": "XXX",
"remoteIp": "XX.XX.XX.XX",
"referer": "https://example.com/",
"latency": "0.220009s"
},
"resource": {
"type": "http_load_balancer",
"labels": {
"zone": "global",
"target_proxy_name": "k8s2-ts-dxxxd-default-main-ixxxq",
"backend_service_name": "k8s-be-3xxx9--9xxx9",
"forwarding_rule_name": "k8s2-fs-dxxxd-default-main-ixxxq",
"project_id": "xxx",
"url_map_name": "k8s2-um-dxxxd-default-main-ixxxq"
}
},
"timestamp": "2021-12-21T12:22:28.505728Z",
"severity": "WARNING",
"logName": "projects/xxx/logs/requests",
"trace": "projects/xxx/traces/bxxx4",
"receiveTimestamp": "2021-12-21T12:22:28.925285233Z",
"spanId": "cxxx4"
}
I just assume that field jsonPayload.enforcedSecurityPolicy.priority is pointing to default rule which means that Allow rule doesn't work.
Also reCaptcha key has been enabled by emailing Google according to documentation.
The HTTP method that is falling through to the default rule is OPTIONS. The OPTIONS method is often used by CORS, so you normally want those requests to get through.
Add a rule that allows HTTP method OPTIONS based upon request.method == 'OPTIONS'.
Or modify your existing rule to to only check if the method is GET, PUT, POST (specify the methods you need to validate reCaptcha).
- Use Cloud Armor with Cloud Run and avoid bypass
- Does External Passthrough Network LoadBalancer supports BackendConfig Configuration from GKE?
- Regex pattern match is not working with Google Cloud Armor Security Policy
- Global load balancer (HTTPS Loadbalancer) in front of GKE Nginx Ingress Controller
- Google Cloud Armor/Kubernetes : BackendConfig ignored by ingress
- Cloud Armor | allow multiple request paths in one line
- Add Cloud Armor To Cross-Project Backend Services
- How to enforce rate limiting for an IP that received 403 errors repeatedly in a Security Policy in Google Cloud?
- How to view and configure log retention of Security Policies in Google Cloud Armor?
- Google Cloud Armor options with Network load balancer
- Load Balancer: Inspecting traffic a specific cloud armor WAF rule is denying
- Cloud Armor + Recaptcha with domain validation
- Cloud Armor Waf - How to forward rate based ban to recaptcha?
- Add x-rate-limit response headers to the load balancer
- GCP Cloud armor Quota 'SECURITY_POLICY_RULES' exceeded. Limit: 0.0 globally error for Free tier account
- Google Cloud Armor: Cannot get the match expression to work for "in" operator and list ".exists"
- Cloud Armor Rate-Limiting Pricing
- Error : API break when values("=?", "nc") passes in stage where cloud armor rules are defined
- Is there a workaround to attach a Cloud Armor policy to a load balancer created via kubernetes ingress with terraform?
- how to make Google Cloud Armor interpret recaptcha score
- How to rate limit a firebase function with Cloud Armor
- How to protect your GCP apps from bad bots using Cloud Armor and Load Balancer?
- Why some rule actions are disabled in google cloud armor?
- Using RE2 expressions in matches in GCP Cloud Armor rule
- Cloud Armor logs aren't very clear when rule is set as "Preview only"
- The Python script for updating rules in the Cloud Armor in Google Cloud Platform by REST API
- How do I configure DDoS with cloudarmor for my gke ingress?
- Detail mod security rules on Cloud Armor WAF
- How to know if the attack hit the preconfigure rules on google cloud armor?
- How to use Cloud Armor with GAE Flex?