Re: [mod-security-users] Deployment Options
From: Parrish, K. <Kyl...@Th...> - 2018-12-17 13:16:50
I have seen references to that feature using SPOA but have yet to find instructions on how to configure it. Has anyone attempted setting this up?

B. Kyle Parrish
Cyber Security Engineer | The Villages® Technology Solutions Group
Direct: 352.674.1508 | Support: 352.674.1530

From: Eero Volotinen <eer...@ik...>
Sent: Saturday, December 15, 2018 15:33
To: mod...@li...
Subject: Re: [mod-security-users] Deployment Options

Anyway, looking at the HAProxy git source, there is support for ModSecurity 2.9.x via the SPOA protocol? It is something like a ModSecurity standalone binary.

Eero

Christian Folini <chr...@ne...> wrote on Sat, Dec 15, 2018 at 11:17:

Thanks Eero. Never came across this. Do you have contact?

On Fri, Dec 14, 2018 at 05:50:30PM +0200, Eero Volotinen wrote:
> or.. HAProxy Enterprise that supports ModSecurity WAF internally. (This
> costs something like 1700€/haproxy/year.)
>
> Eero
>
> Christian Folini <chr...@ne...> wrote on Fri, Dec 14, 2018 at 17:41:
>
> > Oh, I see. Makes sense.
> >
> > Then your best option is
> >
> >   Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application
> >
> > It's a proven and stable setup. Alternatively
> >
> >   Net -> HAProxy -> NGINX(s) + ModSec 3.0.x -> Backend Application
> >
> > but I think it still has too many rough edges for my taste. And the
> > performance is not yet on-par with the traditional Apache setup.
> > (But that's a wild field and not everybody agrees with me.)
> >
> > Either way, you may find my tutorials for Apache + ModSec and NGINX +
> > ModSec on netnea.com helpful.
> >
> > Ahoj,
> >
> > Christian
> >
> > On Fri, Dec 14, 2018 at 03:34:16PM +0000, Parrish, Kyle wrote:
> > > Thank you for your prompt response.
> > >
> > > We currently have HAProxy serving our sites as a reverse proxy which
> > > doesn't natively support ModSecurity.
> > >
> > > What would you recommend in this scenario?
> > >
> > > -----Original Message-----
> > > From: Christian Folini <chr...@ne...>
> > > Sent: Friday, December 14, 2018 10:24
> > > To: mod...@li...
> > > Subject: Re: [mod-security-users] Deployment Options
> > >
> > > Good evening to you, Kyle,
> > >
> > > ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to
> > > have the proxy serve several if not hundreds of backends. The problem is much
> > > more a problem of overall throughput (expect ModSec to eat 10% of throughput
> > > for an average internet site, but your mileage may vary greatly) and in
> > > some cases a RAM problem with rule set duplication in memory.
> > >
> > > Generally: ModSec should not have any problem serving your scenario (if you
> > > change it to "the proxy is the WAF")
> > >
> > > Cheers,
> > >
> > > Christian
> > >
> > > On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> > > > Good morning all,
> > > >
> > > > Seeking advice on deploying a Web Application Firewall.
> > > >
> > > > I'm pretty familiar with WAFs and what they will do but stuck on an
> > > > ideal deployment structure.
> > > >
> > > > Let's say there are 20 websites sitting behind a reverse proxy.
> > > > My idea would be to have:
> > > >
> > > > 1. Request hits proxy
> > > > 2. Checks to see if it has been WAF'ed or not
> > > > 3. Sends to WAF
> > > > 4. If approved goes back to be proxied to correct backend
> > > >
> > > > Now, would it be okay to have 20 sites sent through a single WAF or
> > > > should each site be configured for its own?
> > > >
> > > > I am looking to use OWASP ModSecurity for the WAF ruleset but not
> > > > familiar with its scalability yet.
> > > >
> > > > Hoping someone else has already gone down this path and could shed
> > > > some light on it.
> > > >
> > > > B. Kyle Parrish
> > > >
> > > > _______________________________________________
> > > > mod-security-users mailing list
> > > > mod...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/mod-security-users
> > > > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> > > > http://www.modsecurity.org/projects/commercial/rules/
> > > > http://www.modsecurity.org/projects/commercial/support/
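
Added example, not part of the original thread and not taken from the HAProxy or ModSecurity projects: a sketch of how the SPOA route discussed above is wired on the HAProxy side, using HAProxy's SPOE filter configuration syntax. The agent address `127.0.0.1:12345`, the backend, engine and file names, the application address, and the `txn.modsec.code` verdict variable (as set by a ModSecurity SPOA agent running with the `modsec` variable prefix) are assumptions.

```haproxy
# ---- haproxy.cfg (fragment; global/defaults sections omitted) ----
frontend fe_sites
    mode http
    bind :80
    # Buffer the request body so req.body / req.body_size can be sent to the agent
    option http-buffer-request
    unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
    # Hand every request to the external ModSecurity agent over SPOP
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf
    # Assumption: the agent stores its verdict in txn.modsec.code and a
    # positive value means ModSecurity wants the request blocked
    http-request deny if { var(txn.modsec.code) -m int gt 0 }
    default_backend be_apps

backend be_apps
    mode http
    server app1 192.0.2.10:8080 check      # placeholder application server

backend spoe-modsecurity
    mode tcp
    timeout connect 5s
    timeout server  3m
    server modsec-spoa1 127.0.0.1:12345    # placeholder agent address

# ---- /etc/haproxy/spoe-modsecurity.conf (separate file) ----
[modsecurity]
spoe-agent modsecurity-agent
    messages    check-request
    option      var-prefix modsec
    timeout     hello      100ms
    timeout     idle       30s
    # If the agent does not answer in time, the variable stays unset and the
    # deny rule above does not match: the request passes uninspected
    timeout     processing 15ms
    use-backend spoe-modsecurity

spoe-message check-request
    args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
    event on-frontend-http-request
```

Because a slow or unreachable agent lets traffic through, monitor the agent backend and size `timeout processing` against measured rule-evaluation latency before relying on this path for blocking.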