Re: [mod-security-users] Deployment Options
From: Eero V. <eer...@ik...> - 2018-12-15 11:52:01
Anyway, looks like there is some support for modsecurity 2.9.x in haproxy git? /Users/eero/haproxy/haproxy/contrib/modsecurity

Support is provided using spoa? Not familiar with what it means, but some information in the readme file:

"ModSecurity for HAProxy
-----------------------

This is a third party daemon which speaks SPOE. It gives requests sent by HAProxy to ModSecurity and returns the verdict."

Eero

On Sat, Dec 15, 2018 at 12:25 PM Eero Volotinen <eer...@ik...> wrote:

> Well. Not much modsecurity related stuff in that repo?
>
> ./LICENSE
> ./Dockerfile
> ./README.md
> ./.gitignore
> ./containerfiles/container-entrypoint.sh
> ./containerfiles/usr/local/etc/haproxy/haproxy.conf.template
> ./containerfiles/fix_get0privatekey_compat.diff
> ./.git/config
> ./.git/objects/pack/pack-b4c83d259e65bcc25c460c8db7a504c321849558.idx
> ./.git/objects/pack/pack-b4c83d259e65bcc25c460c8db7a504c321849558.pack
> ./.git/HEAD
> ./.git/info/exclude
> ./.git/logs/HEAD
> ./.git/logs/refs/heads/master
> ./.git/logs/refs/remotes/origin/HEAD
> ./.git/description
> ./.git/hooks/commit-msg.sample
> ./.git/hooks/pre-rebase.sample
> ./.git/hooks/pre-commit.sample
> ./.git/hooks/applypatch-msg.sample
> ./.git/hooks/fsmonitor-watchman.sample
> ./.git/hooks/pre-receive.sample
> ./.git/hooks/prepare-commit-msg.sample
> ./.git/hooks/post-update.sample
> ./.git/hooks/pre-applypatch.sample
> ./.git/hooks/pre-push.sample
> ./.git/hooks/update.sample
> ./.git/refs/heads/master
> ./.git/refs/remotes/origin/HEAD
> ./.git/index
> ./.git/packed-refs
> ./.travis.yml
> ..
>
> Eero
>
> On Sat, Dec 15, 2018 at 12:07 PM Osama Elnaggar <oel...@gm...> wrote:
>
> > There is an open source patch to add this support to HAProxy as well -
> > https://github.com/git001/haproxy-waf
> >
> > I haven't tried it myself but it was released in 2017 so it looks promising.
> >
> > On Sat, Dec 15, 2018, 9:01 PM Christian Folini <chr...@ne...> wrote:
> >
> > > Thank you Eero. Sounds cool.
> > >
> > > It would be nice if you could share your test results. Off-list if that is a concern.
> > >
> > > Best,
> > >
> > > Christian
> > >
> > > On Sat, Dec 15, 2018 at 11:27:21AM +0200, Eero Volotinen wrote:
> > > > https://www.haproxy.com/products/haproxy-enterprise-edition/ and I asked trial from: Selma Nametak <sna...@ha...>
> > > >
> > > > They say that it is compatible with modsecurity.
> > > >
> > > > "Yes you can use the ModSecurity CRS rules.
> > > >
> > > > Our WAF supports 3 modes:
> > > >
> > > > 1) SQL Injection/XSS protection only
> > > > 2) ModSecurity Ruleset
> > > > 3) Whitelist only"
> > > >
> > > > We are currently testing the product.
> > > >
> > > > Eero
> > > >
> > > > On Sat, Dec 15, 2018 at 11:17 AM Christian Folini <chr...@ne...> wrote:
> > > >
> > > > > Thanks Eero. Never came across this. Do you have contact?
> > > > >
> > > > > On Fri, Dec 14, 2018 at 05:50:30PM +0200, Eero Volotinen wrote:
> > > > > > or.. Haproxy enterprise that supports modsecurity waf internally. (this costs something like 1700€/haproxy/year)
> > > > > >
> > > > > > Eero
> > > > > >
> > > > > > Christian Folini <chr...@ne...> wrote on Fri 14 Dec 2018 at 17:41:
> > > > > >
> > > > > > > Oh, I see. Makes sense.
> > > > > > >
> > > > > > > Then your best option is
> > > > > > >
> > > > > > > Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application
> > > > > > >
> > > > > > > It's a proven and stable setup. Alternatively
> > > > > > >
> > > > > > > Net -> HAProxy -> NGINX(s) + ModSec 3.0.x -> Backend Application
> > > > > > >
> > > > > > > but I think it still has too many rough edges for my taste. And the performance is not yet on-par with the traditional Apache setup. (But that's a wild field and not everybody agrees with me.)
> > > > > > >
> > > > > > > Either way, you may find my tutorials for Apache + ModSec and NGINX + ModSec on netnea.com helpful.
> > > > > > >
> > > > > > > Ahoj,
> > > > > > >
> > > > > > > Christian
> > > > > > >
> > > > > > > On Fri, Dec 14, 2018 at 03:34:16PM +0000, Parrish, Kyle wrote:
> > > > > > > > Thank you for your prompt response.
> > > > > > > >
> > > > > > > > We currently have HAProxy serving our sites as a reverse proxy which doesn't natively support modsecurity.
> > > > > > > >
> > > > > > > > What would you recommend in this scenario?
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Christian Folini <chr...@ne...>
> > > > > > > > Sent: Friday, December 14, 2018 10:24
> > > > > > > > To: mod...@li...
> > > > > > > > Subject: Re: [mod-security-users] Deployment Options
> > > > > > > >
> > > > > > > > Good evening to you, Kyle,
> > > > > > > >
> > > > > > > > ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to have the proxy serve several if not hundreds of backends. The problem is much more a problem of overall throughput (expect ModSec to eat 10% of throughput for an average internet site, but your mileage may vary greatly) and in some cases a RAM problem with rule set duplication in memory.
> > > > > > > >
> > > > > > > > Generally: ModSec should not have any problem serving your scenario (if you change it to "the proxy is the WAF")
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > >
> > > > > > > > Christian
> > > > > > > >
> > > > > > > > On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> > > > > > > > > Good morning all,
> > > > > > > > >
> > > > > > > > > Seeking advice on deploying a Web Application Firewall.
> > > > > > > > >
> > > > > > > > > I'm pretty familiar with WAFs and what they will do but stuck on an ideal deployment structure.
> > > > > > > > >
> > > > > > > > > Let's say there are 20 websites sitting behind a reverse proxy. My idea would be to have:
> > > > > > > > >
> > > > > > > > > 1. Request hits proxy
> > > > > > > > > 2. Checks to see if it has been WAF'ed or not
> > > > > > > > > 3. Sends to WAF
> > > > > > > > > 4. If approved goes back to be proxied to correct backend
> > > > > > > > >
> > > > > > > > > Now, would it be okay to have 20 sites sent through a single WAF or should each site be configured for its own?
> > > > > > > > >
> > > > > > > > > I am looking to use OWASP ModSecurity for the WAF ruleset but not familiar with its scalability yet.
> > > > > > > > >
> > > > > > > > > Hoping someone else has already gone down this path and could shed some light on it.
> > > > > > > > >
> > > > > > > > > B. Kyle Parrish
> > > > > > > > >
> > > > > > > > > _______________________________________________
> > > > > > > > > mod-security-users mailing list
> > > > > > > > > mod...@li...
> > > > > > > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > > > > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > > > > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > > > > > > http://www.modsecurity.org/projects/commercial/support/
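The SPOE arrangement Eero quotes from the contrib README ("a daemon which speaks SPOE, gets the request from HAProxy and returns the verdict") is exactly the four-step flow Kyle sketched in the first message: the request hits the proxy, is handed to the WAF, and is only routed to a backend if the verdict allows it. The configuration below is an added example written for this thread; it is not taken from the HAProxy contrib README, the haproxy-waf repository, or any message above. The file names, the `be_spoe_modsecurity` backend, the agent port 12345, the `txn.modsec.code` variable, and the list of message arguments are this example's assumptions and must match whatever the ModSecurity SPOA daemon you actually run expects. Both files are shown in one block, separated by comment markers.

```haproxy
# ---- file: /etc/haproxy/haproxy.cfg (added example, assumptions as described above)

global
    log 127.0.0.1 local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Step 1: every request for every site enters through one frontend.
frontend fe_web
    bind *:80
    # unique-id is one of the arguments sent to the agent (see the SPOE file),
    # and req.body needs the body buffered before the filter runs.
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    option http-buffer-request

    # Steps 2 and 3: the SPOE filter hands each request to the agent defined
    # in the engine configuration before any backend is selected.
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf

    # Step 4: the agent stores its verdict in txn.modsec.code (assumed name:
    # the var-prefix "modsec" plus a variable "code" set by the daemon).
    # A value above zero means ModSecurity wants the request blocked.
    http-request deny deny_status 403 if { var(txn.modsec.code) -m int gt 0 }

    # Fail closed when the agent is unreachable: the variable is then unset.
    # Enable this to block rather than pass uninspected requests (a deliberate
    # availability-versus-safety trade-off, so it is left commented here).
    # http-request deny deny_status 503 if !{ var(txn.modsec.code) -m found }

    # One WAF for all sites (Kyle's question): routing happens only after the
    # verdict, so each backend gets the same inspection. Hostnames are constructed.
    acl host_site1 hdr(host) -i site1.example.com
    acl host_site2 hdr(host) -i site2.example.com
    use_backend be_site1 if host_site1
    use_backend be_site2 if host_site2
    default_backend be_site1

backend be_site1
    server s1 10.0.0.11:8080 check

backend be_site2
    server s2 10.0.0.12:8080 check

# The TCP backend the SPOE engine uses to reach the ModSecurity SPOA daemon.
# Address and port are assumptions; keep this on a private interface.
backend be_spoe_modsecurity
    mode tcp
    timeout server 30s
    server modsec1 127.0.0.1:12345

# ---- file: /etc/haproxy/spoe-modsecurity.conf (added example)

[modsecurity]

spoe-agent modsecurity-agent
    messages check-request
    option var-prefix modsec
    timeout hello      100ms
    timeout idle       30s
    timeout processing 15ms
    use-backend be_spoe_modsecurity

spoe-message check-request
    # Assumed argument list: the daemon must decode exactly these, in this order.
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event on-frontend-http-request
```

Two design points worth checking in a real deployment: `timeout processing` bounds how long HAProxy waits for a verdict, and that bound, together with the fail-open default for an unset variable, decides what happens to traffic when the ModSecurity daemon stalls. Test both with the daemon stopped before relying on the setup, and watch the agent's processing time against Christian's rough "10% of throughput" estimate, since the SPOE round trip adds to it.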