Skip to content

feat: Configurable detection thresholds #47

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nfebe merged 3 commits into from
Dec 23, 2025
Merged

feat: Configurable detection thresholds #47

nfebe merged 3 commits into from
Dec 23, 2025

Conversation

@nfebe
Copy link
Contributor

@nfebe nfebe commented Dec 23, 2025

No description provided.

nfebe added 2 commits December 23, 2025 14:29
@nfebe
feat(security): Add configurable detection thresholds
26cc043 
- Add detection threshold fields to SecurityConfig (detection_window,
  not_found_threshold, auth_failure_threshold, unique_paths_threshold,
  repeated_hits_threshold)
- Update API handler to accept and persist new threshold settings
- Apply thresholds to detector on startup and settings update
- Add SetDetectorThresholds method to security manager

Signed-off-by: nfebe <fenn25.fn@gmail.com>
@nfebe
fix(security): Make blocked-ips endpoint public for nginx access
6648a99 
Move GET /security/blocked-ips from protected routes to public routes
so nginx Lua can fetch the blocked IPs list without authentication.
@sourceant
Copy link

sourceant bot commented Dec 23, 2025
edited
Loading

Code Review Summary

✨ This pull request significantly enhances the security module by introducing an internal API token for secure communication between Nginx and the agent, and by adding more granular security detection thresholds. These changes improve both the security posture and the configurability of the agent's defense mechanisms.

🚀 Key Improvements

  • Introduction of InternalAPIToken in SecurityConfig for authenticated internal Nginx-Agent communication for blocked IP lists.
  • Nginx Lua scripts (templates/infra/nginx/lua/security.lua) now correctly use the InternalAPIToken when fetching blocked IPs from the agent's internal API.
  • Added extensive detection thresholds (DetectionWindow, NotFoundThreshold, AuthFailureThreshold, UniquePathsThreshold, RepeatedHitsThreshold) to the security configuration, allowing for more fine-tuned anomaly detection.
  • The updateSecuritySettings API endpoint in internal/api/security_handlers.go has been extended to support runtime configuration of these new security thresholds.

💡 Minor Suggestions

  • Consider using pointer types (e.g., *int, *string) for all optional fields in the updateSecuritySettings request struct to ensure consistent handling of partial updates and distinguish between zero values and omitted fields.

sourceant[bot]
sourceant bot approved these changes Dec 23, 2025
View reviewed changes
Copy link

@sourceant sourceant bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review complete. No specific code suggestions were generated. See the overview comment for a summary.

sourceant[bot]
sourceant bot approved these changes Dec 23, 2025
View reviewed changes
Copy link

@sourceant sourceant bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review complete. See the overview comment for a summary.

internal/api/security_handlers.go
Comment on lines +693 to +697
if req.DetectionWindow != "" {
if d, err := time.ParseDuration(req.DetectionWindow); err == nil {
s.config.Security.DetectionWindow = d
updatedFields = append(updatedFields, "detection_window")
}
Copy link

@sourceant sourceant bot Dec 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consistent with previous duration parsing suggestions, explicitly handle errors for DetectionWindow to provide clear feedback to the API consumer.

Suggested change
if req.DetectionWindow != "" {
if d, err := time.ParseDuration(req.DetectionWindow); err == nil {
s.config.Security.DetectionWindow = d
updatedFields = append(updatedFields, "detection_window")
}
if req.DetectionWindow != "" {
d, err := time.ParseDuration(req.DetectionWindow)
if err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid detection_window duration format"})
return
}
s.config.Security.DetectionWindow = d
updatedFields = append(updatedFields, "detection_window")
}

@nfebe
feat(security): Add token-authenticated internal endpoint for nginx
fd179b6 
Add secure internal endpoint for nginx to fetch blocked IPs without
requiring user authentication credentials.

- Add InternalAPIToken to SecurityConfig, auto-generated if empty
- Create /_internal/blocked-ips endpoint with X-Internal-Token validation
- Update Lua templates to include token in requests
- Inject token into security.lua during template generation

Signed-off-by: nfebe <fenn25.fn@gmail.com>
@nfebe nfebe force-pushed the feat/configurable-detection-thresholds branch from c1566be to fd179b6 Compare December 23, 2025 14:10
sourceant[bot]
sourceant bot approved these changes Dec 23, 2025
View reviewed changes
Copy link

@sourceant sourceant bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review complete. See the overview comment for a summary.

internal/api/server.go
Comment on lines +95 to +102
securityManager.SetDetectorThresholds(
cfg.Security.RateThreshold,
cfg.Security.NotFoundThreshold,
cfg.Security.AuthFailureThreshold,
cfg.Security.UniquePathsThreshold,
cfg.Security.RepeatedHitsThreshold,
cfg.Security.DetectionWindow,
)
Copy link

@sourceant sourceant bot Dec 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The SetDetectorThresholds call here correctly initializes the security manager on startup. However, the exact same call is also made in updateSecuritySettings. While not strictly an error, it's slightly redundant. Consider if the initial setup should just apply default values (or values from the config file at startup) and the API handler should be the sole source of runtime updates. If the manager is re-initialized or config reloaded without an API call, this is necessary. Current approach is defensive.

Suggested change
securityManager.SetDetectorThresholds(
cfg.Security.RateThreshold,
cfg.Security.NotFoundThreshold,
cfg.Security.AuthFailureThreshold,
cfg.Security.UniquePathsThreshold,
cfg.Security.RepeatedHitsThreshold,
cfg.Security.DetectionWindow,
)
// Thresholds are applied dynamically via updateSecuritySettings, ensuring consistency.
// Initial values are sourced directly from config.Security.

@nfebe nfebe merged commit 96e9b1f into main Dec 23, 2025
5 checks passed
@nfebe nfebe deleted the feat/configurable-detection-thresholds branch December 23, 2025 14:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@sourceant sourceant[bot] sourceant[bot] approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nfebe