Re: [mod-security-users] Deployment Options
From: Manuel S. <spa...@gm...> - 2018-12-14 16:23:02
+1 to Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application

On Fri, 14 Dec 2018 at 10:42, Christian Folini (<chr...@ne...>) wrote:

> Oh, I see. Makes sense.
>
> Then your best option is
>
> Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application
>
> It's a proven and stable setup. Alternatively
>
> Net -> HAProxy -> NGINX(s) + ModSec 3.0.x -> Backend Application
>
> but I think it still has too many rough edges for my taste. And the
> performance is not yet on-par with the traditional Apache setup.
> (But that's a wild field and not everybody agrees with me.)
>
> Either way, you may find my tutorials for Apache + ModSec and NGINX + ModSec
> on netnea.com helpful.
>
> Ahoj,
>
> Christian
>
> On Fri, Dec 14, 2018 at 03:34:16PM +0000, Parrish, Kyle wrote:
> > Thank you for your prompt response.
> >
> > We currently have HAProxy serving our sites as a reverse proxy which
> > doesn't natively support modsecurity.
> >
> > What would you recommend in this scenario?
> >
> > -----Original Message-----
> > From: Christian Folini <chr...@ne...>
> > Sent: Friday, December 14, 2018 10:24
> > To: mod...@li...
> > Subject: Re: [mod-security-users] Deployment Options
> >
> > Good evening to you, Kyle,
> >
> > ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to
> > have the proxy serve several if not hundreds of backends. The problem is much
> > more a problem of overall throughput (expect ModSec to eat 10% of throughput
> > for an average internet site, but your mileage may vary greatly) and in
> > some cases a RAM problem with rule set duplication in memory.
> >
> > Generally: ModSec should not have any problem serving your scenario (if you
> > change it to "the proxy is the WAF")
> >
> > Cheers,
> >
> > Christian
> >
> > On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> > > Good morning all,
> > >
> > > Seeking advice on deploying a Web Application Firewall.
> > >
> > > I'm pretty familiar with WAFs and what they will do but stuck on an
> > > ideal deployment structure.
> > >
> > > Let's say there are 20 websites sitting behind a reverse proxy.
> > > My idea would be to have:
> > >
> > > 1. Request hits proxy
> > > 2. Checks to see if it has been WAF'ed or not
> > > 3. Sends to WAF
> > > 4. If approved goes back to be proxied to correct backend
> > >
> > > Now, would it be okay to have 20 sites sent through a single WAF or
> > > should each site be configured for its own?
> > >
> > > I am looking to use OWASP ModSecurity for the WAF ruleset but not
> > > familiar with its scalability yet.
> > >
> > > Hoping someone else has already gone down this path and could shed
> > > some light on it.
> > >
> > > B. Kyle Parrish
> > >
> > > _______________________________________________
> > > mod-security-users mailing list
> > > mod...@li...
> > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > http://www.modsecurity.org/projects/commercial/rules/
> > > http://www.modsecurity.org/projects/commercial/support/
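
The chain recommended in this thread (Net -> HAProxy -> Apache + ModSec 2.9.x -> Backend Application), sketched as an added configuration example that is not part of the original messages. Host names, IP addresses, ports and file paths are placeholders chosen for illustration, and the rule set location is an assumption about where the OWASP rules were unpacked.

```apache
# Added example: Apache 2.4 as the WAF tier behind HAProxy.
# All addresses, names and paths below are placeholders (assumptions).
# Assumes mod_security2, mod_unique_id, mod_remoteip, mod_proxy and
# mod_proxy_http are already loaded.
#
# HAProxy side (for reference): the backend sets "option forwardfor" and
# lists this Apache as "server waf1 10.0.0.20:8080 check".

Listen 8080

# HAProxy terminates the client connection, so take the client address
# from the X-Forwarded-For header it adds, and only trust HAProxy for it.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 10.0.0.10

# ModSecurity and the rule set are configured once in the server context;
# the virtual hosts below inherit this configuration.
SecRuleEngine On
SecRequestBodyAccess On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# One virtual host per proxied site; each forwards to its own backend.
<VirtualHost *:8080>
    ServerName site1.example.com
    ProxyPreserveHost On
    ProxyPass        / http://10.0.1.11:8080/
    ProxyPassReverse / http://10.0.1.11:8080/
</VirtualHost>

<VirtualHost *:8080>
    ServerName site2.example.com
    # Per-site override: log rule matches without blocking while this
    # site's false positives are being tuned.
    SecRuleEngine DetectionOnly
    ProxyPreserveHost On
    ProxyPass        / http://10.0.1.12:8080/
    ProxyPassReverse / http://10.0.1.12:8080/
</VirtualHost>
```

With this layout the proxy tier is the WAF, as suggested in the thread: requests pass through ModSecurity once on their way to the backend instead of being bounced from the proxy to a separate WAF and back.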