[mod-security-users] Handling multiple clients with modsecurity
From: Blason R <bla...@gm...> - 2021-03-08 06:59:28
Hi Folks,

Here is my requirement, and I am seeking any heads-up from the community.

- I already have an nginx server running for our multiple customers in reverse proxy mode.
- So the Nginx reverse proxy is sending requests to customer web servers, let's say:
    - Customer-1: example.com -> web site example.com
    - Customer-2: www.test.com -> www.test.com
    - Customer-3: acme.com -> www.acme.com
- Now I am trying to integrate modsecurity with Nginx.
- So my question is: do I need to create a separate config file for every customer location? Like:

    /etc/nginx/modsec/example.com/main.conf
    /etc/nginx/modsec/example.com/modsecurity.conf
    /etc/nginx/modsec/example.com/coreruleset/rules/*.conf
    /etc/nginx/modsec/example.com/coreruleset/cor-ruleset.conf
    ##################
    /etc/nginx/modsec/test.com/main.conf
    /etc/nginx/modsec/test.com/modsecurity.conf
    /etc/nginx/modsec/test.com/coreruleset/rules/*.conf
    /etc/nginx/modsec/test.com/coreruleset/cor-ruleset.conf
    ##################
    /etc/nginx/modsec/acme.com/main.conf
    /etc/nginx/modsec/acme.com/modsecurity.conf
    /etc/nginx/modsec/acme.com/coreruleset/rules/*.conf
    /etc/nginx/modsec/acme.com/coreruleset/cor-ruleset.conf

- Is this the correct method to manage rules/exceptions/blacklisting/whitelisting for multiple customers? Or is there any other alternative?
- Plus, logs should be separate for every customer, which I am thinking to generate in a JSON file.
- Please let me know if this is the correct option considering around 15-20 sites protected by nginx and customers.

    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogFormat JSON
    SecAuditLog /var/log/modsec_audit.log

TIA
Blason R
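The per-customer layout asked about above, wired into nginx with the ModSecurity-nginx connector directives `modsecurity` and `modsecurity_rules_file`. This is an added example, not part of the original message or a reply from the list. Assumptions: the backend addresses and the per-customer audit log paths are constructed, and `cor-ruleset.conf` is taken to be the rule set's setup file, so it is included before the rules.

```nginx
# Added example. Hostnames and /etc/nginx/modsec paths come from the message;
# backend addresses (192.0.2.x) and per-customer log paths are constructed.
#
# Assumed contents of /etc/nginx/modsec/example.com/main.conf
# (ModSecurity syntax; one such file per customer, only the names change):
#
#   Include /etc/nginx/modsec/example.com/modsecurity.conf
#   Include /etc/nginx/modsec/example.com/coreruleset/cor-ruleset.conf
#   Include /etc/nginx/modsec/example.com/coreruleset/rules/*.conf
#   SecAuditEngine RelevantOnly
#   SecAuditLogRelevantStatus "^(?:5|4(?!04))"
#   SecAuditLogParts ABIJDEFHZ
#   SecAuditLogFormat JSON
#   SecAuditLog /var/log/modsec/example.com_audit.log

server {
    listen 80;
    server_name example.com;

    # Rules, exclusions and audit log for Customer-1 only
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/example.com/main.conf;

    location / {
        proxy_set_header Host $host;
        proxy_pass http://192.0.2.10;   # constructed backend address
    }
}

server {
    listen 80;
    server_name www.test.com;

    # Rules, exclusions and audit log for Customer-2 only
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/test.com/main.conf;

    location / {
        proxy_set_header Host $host;
        proxy_pass http://192.0.2.20;   # constructed backend address
    }
}
```

A third `server` block for acme.com follows the same pattern with `/etc/nginx/modsec/acme.com/main.conf`; run `nginx -t` after each change so a syntax error in one customer's rule file is caught before reload.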