Re: [mod-security-users] Deployment Options
From: Eero V. <eer...@ik...> - 2018-12-15 09:27:43
https://www.haproxy.com/products/haproxy-enterprise-edition/

and I asked for a trial from: Selma Nametak <sna...@ha...>

They say that it is compatible with modsecurity.

"Yes you can use the ModSecurity CRS rules. Our WAF supports 3 modes:
1) SQL Injection/XSS protection only
2) ModSecurity Ruleset
3) Whitelist only"

We are currently testing the product.

Eero

On Sat, Dec 15, 2018 at 11:17 AM Christian Folini <chr...@ne...> wrote:

> Thanks Eero. Never came across this. Do you have contact?
>
> On Fri, Dec 14, 2018 at 05:50:30PM +0200, Eero Volotinen wrote:
> > or.. Haproxy enterprise that supports modsecurity waf internally. (this
> > costs something like 1700€/haproxy/year)
> >
> > Eero
> >
> > Christian Folini <chr...@ne...> wrote on Fri, Dec 14, 2018 at 17:41:
> >
> > > Oh, I see. Makes sense.
> > >
> > > Then your best option is
> > >
> > > Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application
> > >
> > > It's a proven and stable setup. Alternatively
> > >
> > > Net -> HAProxy -> NGINX(s) + ModSec 3.0.x -> Backend Application
> > >
> > > but I think it still has too many rough edges for my taste. And the
> > > performance is not yet on-par with the traditional Apache setup.
> > > (But that's a wild field and not everybody agrees with me.)
> > >
> > > Either way, you may find my tutorials for Apache + ModSec and NGINX +
> > > ModSec on netnea.com helpful.
> > >
> > > Ahoj,
> > >
> > > Christian
> > >
> > > On Fri, Dec 14, 2018 at 03:34:16PM +0000, Parrish, Kyle wrote:
> > > > Thank you for your prompt response.
> > > >
> > > > We currently have HAProxy serving our sites as a reverse proxy which
> > > > doesn't natively support modsecurity.
> > > >
> > > > What would you recommend in this scenario?
> > > >
> > > > -----Original Message-----
> > > > From: Christian Folini <chr...@ne...>
> > > > Sent: Friday, December 14, 2018 10:24
> > > > To: mod...@li...
> > > > Subject: Re: [mod-security-users] Deployment Options
> > > >
> > > > Good evening to you, Kyle,
> > > >
> > > > ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to
> > > > have the proxy serve several if not hundreds of backends. The problem is much
> > > > more a problem of overall throughput (expect ModSec to eat 10% of throughput
> > > > for an average internet site, but your mileage may vary greatly) and in
> > > > some cases a RAM problem with rule set duplication in memory.
> > > >
> > > > Generally: ModSec should not have any problem serving your scenario (if you
> > > > change it to "the proxy is the WAF")
> > > >
> > > > Cheers,
> > > >
> > > > Christian
> > > >
> > > > On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> > > > > Good morning all,
> > > > >
> > > > > Seeking advice on deploying a Web Application Firewall.
> > > > >
> > > > > I'm pretty familiar with WAFs and what they will do but stuck on an
> > > > > ideal deployment structure.
> > > > >
> > > > > Let's say there are 20 websites sitting behind a reverse proxy.
> > > > > My idea would be to have:
> > > > >
> > > > > 1. Request hits proxy
> > > > > 2. Checks to see if it has been WAF'ed or not
> > > > > 3. Sends to WAF
> > > > > 4. If approved goes back to be proxied to correct backend
> > > > >
> > > > > Now, would it be okay to have 20 sites sent through a single WAF or
> > > > > should each site be configured for its own?
> > > > >
> > > > > I am looking to use OWASP ModSecurity for the WAF ruleset but not
> > > > > familiar with its scalability yet.
> > > > >
> > > > > Hoping someone else has already gone down this path and could shed
> > > > > some light on it.
> > > > >
> > > > > B. Kyle Parrish
> > > > >
> > > > > _______________________________________________
> > > > > mod-security-users mailing list
> > > > > mod...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > > http://www.modsecurity.org/projects/commercial/support/
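
The "Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application" layout recommended in the thread, sketched for the Apache WAF tier serving several sites. This is an added example, not configuration posted by anyone in the thread; the addresses, hostnames and file paths are placeholder assumptions.

```apache
# Added example: Apache 2.4 + ModSecurity 2.9.x as the WAF tier behind HAProxy.
# All addresses, hostnames and paths below are placeholders (assumptions).

# Engine settings and rule set are declared once in server context,
# so every virtual host below inherits them.
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log
    IncludeOptional /etc/modsecurity/crs/crs-setup.conf
    IncludeOptional /etc/modsecurity/crs/rules/*.conf
</IfModule>

# HAProxy forwards traffic for all sites to this internal listener.
Listen 10.0.0.10:8080

# One name-based virtual host per site; each proxies to its own backend.
<VirtualHost 10.0.0.10:8080>
    ServerName site1.example.com
    ProxyPreserveHost On
    ProxyPass        / http://10.0.1.11:8000/
    ProxyPassReverse / http://10.0.1.11:8000/
</VirtualHost>

<VirtualHost 10.0.0.10:8080>
    ServerName site2.example.com
    ProxyPreserveHost On
    # Per-site tuning stays inside the vhost, e.g. log-only mode
    # while false positives for a newly onboarded site are reviewed.
    SecRuleEngine DetectionOnly
    ProxyPass        / http://10.0.1.12:8000/
    ProxyPassReverse / http://10.0.1.12:8000/
</VirtualHost>
```

HAProxy keeps its existing frontends and points its backends at 10.0.0.10:8080 instead of the application servers, so only the WAF tier needs to reach the applications directly.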