This example will deploy all its resources into the project defined by the project_id
variable.
Please note that we assume this project already exists.
Time to complete: About 10 minutes
Click the Start button to move to the next step.
- Run the prerequisites script to enable APIs and set Cloud Build permissions.
sh prereq.sh
- Run the Cloud Build Job
gcloud builds submit . --config ./build/cloudbuild.yaml
At this point you should have successfully deployed the foundations to protect your High Availability workloads with Load Balancer and Cloud Armor.
Next we are going to test the architecture and finally clean up your environment.
- Verify that the Juice Shop Application is running
PUBLIC_SVC_IP="$(gcloud compute forwarding-rules describe juice-shop-http-lb --global --format="value(IPAddress)")"
echo "$PUBLIC_SVC_IP"
Paste the output IP address into your browser's URL bar to see the application.
- Verify that the Cloud Armor policies are blocking malicious attacks
LFI vulnerability
curl -Ii "http://$PUBLIC_SVC_IP/?a=../"
RCE attack
curl -Ii "http://$PUBLIC_SVC_IP/ftp?doc=/bin/ls"
Well-known scanner detection
curl -Ii "http://$PUBLIC_SVC_IP" -H "User-Agent: blackwidow"
Protocol attack mitigation
curl -Ii "http://$PUBLIC_SVC_IP/index.html?foo=advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>"
Session fixation attempt
curl -Ii "http://$PUBLIC_SVC_IP/?session_id=a"
- All the above commands should return
HTTP/1.1 403 Forbidden
<..>
- You can view the Cloud Armor policy logs to verify that these requests were blocked.
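The checks above can be scripted so that a missing 403 is flagged rather than read off by eye. This is an added example, not part of the tutorial's repository; `fetch_headers`, `status_code` and `verify_waf` are hypothetical helper names, and the probe paths are the ones from the commands above.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial's repository): replays the five probes
# listed above and reports whether each one was answered with 403.

# Hypothetical helper: fetch response headers only. $1 = URL, $2 = optional
# User-Agent. Redefine this function to exercise the script offline.
fetch_headers() {
  if [ -n "${2:-}" ]; then
    curl -sS -I --max-time 10 -H "User-Agent: $2" "$1"
  else
    curl -sS -I --max-time 10 "$1"
  fi
}

# Read a header dump on stdin and print the code from the first status line.
# Carriage returns are stripped so "HTTP/2 403\r" also yields "403".
status_code() {
  tr -d '\r' | awk 'toupper($1) ~ /^HTTP\// { print $2; exit }'
}

# $1 = load balancer address. Prints one line per probe and returns the
# number of probes that were NOT blocked (0 means every rule fired).
verify_waf() {
  local failed=0 label path ua code
  while IFS='|' read -r label path ua; do
    code="$(fetch_headers "http://$1$path" "$ua" | status_code)"
    if [ "$code" = "403" ]; then
      echo "BLOCKED      $label"
    else
      # An empty code means no HTTP response at all (timeout, wrong address).
      echo "NOT BLOCKED  $label (status: ${code:-none})"
      failed=$((failed + 1))
    fi
  done <<'EOF'
LFI|/?a=../|
RCE|/ftp?doc=/bin/ls|
Scanner detection|/|blackwidow
Protocol attack|/index.html?foo=advanced%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2035%0d%0a%0d%0a<html>Sorry,%20System%20Down</html>|
Session fixation|/?session_id=a|
EOF
  return "$failed"
}

# Usage in Cloud Shell, after PUBLIC_SVC_IP is set as shown above:
#   verify_waf "$PUBLIC_SVC_IP"
```

A non-zero return value is the count of probes that reached the backend or got no response, which makes the function usable as a post-deploy gate.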
Run the command below on Cloud Shell to destroy the resources.
gcloud builds submit . --config build/cloudbuild_destroy.yaml
The above command will delete the associated resources so there will be no billable charges made afterwards.
For full information on variables and outputs please refer to the README file.
You’re all set!