Re: [mod-security-users] Deployment Options
From: Christian F. <chr...@ne...> - 2018-12-14 15:40:47

Oh, I see. Makes sense.

Then your best option is

Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application

It's a proven and stable setup.

Alternatively

Net -> HAProxy -> NGINX(s) + ModSec 3.0.x -> Backend Application

but I think it still has too many rough edges for my taste. And the
performance is not yet on par with the traditional Apache setup. (But that's
a wild field and not everybody agrees with me.)

Either way, you may find my tutorials for Apache + ModSec and NGINX + ModSec
on netnea.com helpful.

Ahoj,

Christian

On Fri, Dec 14, 2018 at 03:34:16PM +0000, Parrish, Kyle wrote:
> Thank you for your prompt response.
>
> We currently have HAProxy serving our sites as a reverse proxy which doesn't natively support modsecurity.
>
> What would you recommend in this scenario?
>
> -----Original Message-----
> From: Christian Folini <chr...@ne...>
> Sent: Friday, December 14, 2018 10:24
> To: mod...@li...
> Subject: Re: [mod-security-users] Deployment Options
>
> Good evening to you, Kyle,
>
> ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to
> have the proxy serve several if not hundreds of backends. The problem is much
> more a problem of overall throughput (expect ModSec to eat 10% of throughput
> for an average internet site, but your mileage may vary greatly) and in
> some cases a RAM problem with rule set duplication in memory.
>
> Generally: ModSec should not have any problem serving your scenario (if you
> change it to "the proxy is the WAF")
>
> Cheers,
>
> Christian
>
> On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> > Good morning all,
> >
> > Seeking advice on deploying a Web Application Firewall.
> >
> > I'm pretty familiar with WAFs and what they will do but stuck on an ideal deployment structure.
> >
> > Let's say there are 20 websites sitting behind a reverse proxy.
> > My idea would be to have:
> >
> > 1. Request hits proxy
> > 2. Checks to see if it has been WAF'ed or not
> > 3. Sends to WAF
> > 4. If approved goes back to be proxied to correct backend
> >
> > Now, would it be okay to have 20 sites sent through a single WAF or should each site be configured for its own?
> >
> > I am looking to use OWASP ModSecurity for the WAF ruleset but not familiar with its scalability yet.
> >
> > Hoping someone else has already gone down this path and could shed some light on it.
> >
> > B. Kyle Parrish
> >
> > _______________________________________________
> > mod-security-users mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > http://www.modsecurity.org/projects/commercial/rules/
> > http://www.modsecurity.org/projects/commercial/support/
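
The first chain recommended in the reply above (Net -> HAProxy -> Apache + ModSec 2.9.x -> Backend Application), shown as an Apache configuration for the WAF tier serving several sites. This is an added example, not part of the original thread or of the tutorials it mentions; every hostname, address, port and file path is an assumed placeholder.

```apache
# Added example: Apache 2.4 + ModSecurity 2.9.x as the WAF tier behind HAProxy.
# All hostnames, addresses, ports and paths below are assumed placeholders.

LoadModule unique_id_module  modules/mod_unique_id.so   # required by mod_security2
LoadModule security2_module  modules/mod_security2.so
LoadModule remoteip_module   modules/mod_remoteip.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Listen only on the internal interface that HAProxy forwards to.
Listen 10.0.0.10:8080

# HAProxy (10.0.0.5, with "option forwardfor") is the only peer Apache sees.
# Trust X-Forwarded-For from that address alone, so Apache's logs and access
# control use the client address and a client cannot spoof the header.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.5

# Engine settings and the OWASP rule set are declared once in server context
# and inherited by every virtual host, instead of being included per site.
SecRuleEngine On
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
Include /etc/apache2/crs/crs-setup.conf
Include /etc/apache2/crs/rules/*.conf

# Reverse proxy only, never a forward proxy; pass the original Host header on.
ProxyRequests Off
ProxyPreserveHost On

<VirtualHost 10.0.0.10:8080>
    ServerName site01.example.com
    ProxyPass        / http://10.0.1.11:8000/
    ProxyPassReverse / http://10.0.1.11:8000/
</VirtualHost>

<VirtualHost 10.0.0.10:8080>
    ServerName site02.example.com
    # Per-site tuning stays inside the vhost: a newly onboarded site can log
    # rule matches without blocking until its false positives are handled.
    SecRuleEngine DetectionOnly
    ProxyPass        / http://10.0.1.12:8000/
    ProxyPassReverse / http://10.0.1.12:8000/
</VirtualHost>
```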