Re: [mod-security-users] Deployment Options
From: Christian F. <chr...@ne...> - 2018-12-14 15:24:35
Good evening to you, Kyle,

ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to have the proxy serve several if not hundreds of backends.

The problem is much more a problem of overall throughput (expect ModSec to eat 10% of throughput for an average internet site, but your mileage may vary greatly) and in some cases a RAM problem with rule set duplication in memory.

Generally: ModSec should not have any problem serving your scenario (if you change it to "the proxy is the WAF")

Cheers,

Christian

On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> Good morning all,
>
> Seeking advice on deploying a Web Application Firewall.
>
> I'm pretty familiar with WAFs and what they will do but stuck on an ideal deployment structure.
>
> Let's say there are 20 websites sitting behind a reverse proxy.
> My idea would be to have:
>
> 1. Request hits proxy
> 2. Checks to see if it has been WAF'ed or not
> 3. Sends to WAF
> 4. If approved goes back to be proxied to correct backend
>
> Now, would it be okay to have 20 sites sent through a single WAF or should each site be configured for its own?
>
> I am looking to use OWASP ModSecurity for the WAF ruleset but not familiar with its scalability yet.
>
> Hoping someone else has already gone down this path and could shed some light on it.
>
> B. Kyle Parrish
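
The "proxy is the WAF" layout from the reply above, as an added configuration example that is not part of the thread. It assumes Apache httpd 2.4 with ModSecurity v2; hostnames, backend addresses and file paths are constructed placeholders. The rule set is declared once at server scope so the virtual hosts inherit it instead of each loading its own copy.

```apache
# Added example, not from the thread. Assumes Apache httpd 2.4 + ModSecurity v2.
# Hostnames, backend addresses and file paths are constructed placeholders.
LoadModule security2_module  modules/mod_security2.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Server scope: engine settings and rules are declared once and inherited
# by every virtual host below, rather than being included per site.
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log
    IncludeOptional /etc/httpd/modsecurity.d/crs-setup.conf
    IncludeOptional /etc/httpd/modsecurity.d/rules/*.conf
</IfModule>

# Site 1: inspected inline by ModSecurity, then proxied to its backend.
<VirtualHost *:80>
    ServerName site01.example.com
    SecWebAppId site01
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.11:8080/
    ProxyPassReverse / http://10.0.0.11:8080/
</VirtualHost>

# Site 2: same inherited rules, but log-only while it is being tuned.
<VirtualHost *:80>
    ServerName site02.example.com
    SecWebAppId site02
    SecRuleEngine DetectionOnly
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.12:8080/
    ProxyPassReverse / http://10.0.0.12:8080/
</VirtualHost>

# Further sites repeat the VirtualHost pattern with their own ServerName,
# SecWebAppId and backend address; only per-site overrides go inside them.
```

Requests are inspected in the same process that proxies them, so there is no separate hop to a WAF and back as in steps 2 to 4 of the original question.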