mod-security-users Mailing List for ModSecurity (Page 36)
From: Eero V. <eer...@ik...> - 2018-12-15 11:52:01

Anyway. Looks like there is some support for modsecurity 2.9.x in haproxy git?

/Users/eero/haproxy/haproxy/contrib/modsecurity

Support is provided using spoa? Not familiar what it means, but some information in readme file:

"ModSecurity for HAProxy
-----------------------

This is a third party deamon which speaks SPOE. It gives requests send by HAProxy to
ModSecurity and returns the verdict."

Eero

From: Eero V. <eer...@ik...> - 2018-12-15 10:25:54

Well. Not much modsecurity related stuff in that repo?

./LICENSE
./Dockerfile
./README.md
./.gitignore
./containerfiles/container-entrypoint.sh
./containerfiles/usr/local/etc/haproxy/haproxy.conf.template
./containerfiles/fix_get0privatekey_compat.diff
./.git/config
./.git/objects/pack/pack-b4c83d259e65bcc25c460c8db7a504c321849558.idx
./.git/objects/pack/pack-b4c83d259e65bcc25c460c8db7a504c321849558.pack
./.git/HEAD
./.git/info/exclude
./.git/logs/HEAD
./.git/logs/refs/heads/master
./.git/logs/refs/remotes/origin/HEAD
./.git/description
./.git/hooks/commit-msg.sample
./.git/hooks/pre-rebase.sample
./.git/hooks/pre-commit.sample
./.git/hooks/applypatch-msg.sample
./.git/hooks/fsmonitor-watchman.sample
./.git/hooks/pre-receive.sample
./.git/hooks/prepare-commit-msg.sample
./.git/hooks/post-update.sample
./.git/hooks/pre-applypatch.sample
./.git/hooks/pre-push.sample
./.git/hooks/update.sample
./.git/refs/heads/master
./.git/refs/remotes/origin/HEAD
./.git/index
./.git/packed-refs
./.travis.yml
..

Eero

From: Osama E. <oel...@gm...> - 2018-12-15 10:07:33

There is an open source patch to add this support to HAProxy as well -
https://github.com/git001/haproxy-waf

I haven't tried it myself but it was released in 2017 so it looks promising.

From: Christian F. <chr...@ne...> - 2018-12-15 10:00:03
|
Thank you Eero. Sounds cool. It would be nice if you could share your test
results. Off-list if that is a concern.

Best,

Christian

On Sat, Dec 15, 2018 at 11:27:21AM +0200, Eero Volotinen wrote:
> https://www.haproxy.com/products/haproxy-enterprise-edition/ and I asked for a
> trial from: Selma Nametak <sna...@ha...>
>
> They say that it is compatible with modsecurity.
>
> "Yes you can use the ModSecurity CRS rules.
>
> Our WAF supports 3 modes:
>
> 1) SQL Injection/XSS protection only
>
> 2) ModSecurity Ruleset
>
> 3) Whitelist only"
>
> We are currently testing the product.
>
> Eero
>
> On Sat, Dec 15, 2018 at 11:17 AM Christian Folini <chr...@ne...> wrote:
>
> > Thanks Eero. Never came across this. Do you have contact?
> >
> > On Fri, Dec 14, 2018 at 05:50:30PM +0200, Eero Volotinen wrote:
> > > or.. Haproxy enterprise that supports modsecurity waf internally. (this
> > > costs something like 1700€/haproxy/year)
> > >
> > > Eero
> > >
> > > Christian Folini <chr...@ne...> wrote on Fri 14 Dec 2018 at 17.41:
> > >
> > > > Oh, I see. Makes sense.
> > > >
> > > > Then your best option is
> > > >
> > > > Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application
> > > >
> > > > It's a proven and stable setup. Alternatively
> > > >
> > > > Net -> HAProxy -> NGINX(s) + ModSec 3.0.x -> Backend Application
> > > >
> > > > but I think it still has too many rough edges for my taste. And the
> > > > performance is not yet on-par with the traditional Apache setup.
> > > > (But that's a wild field and not everybody agrees with me.)
> > > >
> > > > Either way, you may find my tutorials for Apache + ModSec and NGINX + ModSec
> > > > on netnea.com helpful.
> > > >
> > > > Ahoj,
> > > >
> > > > Christian
> > > >
> > > > On Fri, Dec 14, 2018 at 03:34:16PM +0000, Parrish, Kyle wrote:
> > > > > Thank you for your prompt response.
> > > > >
> > > > > We currently have HAProxy serving our sites as a reverse proxy which
> > > > > doesn't natively support modsecurity.
> > > > >
> > > > > What would you recommend in this scenario?
> > > > >
> > > > > -----Original Message-----
> > > > > From: Christian Folini <chr...@ne...>
> > > > > Sent: Friday, December 14, 2018 10:24
> > > > > To: mod...@li...
> > > > > Subject: Re: [mod-security-users] Deployment Options
> > > > >
> > > > > Good evening to you, Kyle,
> > > > >
> > > > > ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to
> > > > > have the proxy serve several if not hundreds of backends. The problem is much
> > > > > more a problem of overall throughput (expect ModSec to eat 10% of throughput
> > > > > for an average internet site, but your mileage may vary greatly) and in
> > > > > some cases a RAM problem with rule set duplication in memory.
> > > > >
> > > > > Generally: ModSec should not have any problem serving your scenario (if you
> > > > > change it to "the proxy is the WAF")
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Christian
> > > > >
> > > > > On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> > > > > > Good morning all,
> > > > > >
> > > > > > Seeking advice on deploying a Web Application Firewall.
> > > > > >
> > > > > > I'm pretty familiar with WAFs and what they will do but stuck on an
> > > > > > ideal deployment structure.
> > > > > >
> > > > > > Let's say there are 20 websites sitting behind a reverse proxy.
> > > > > > My idea would be to have:
> > > > > >
> > > > > > 1. Request hits proxy
> > > > > > 2. Checks to see if it has been WAF'ed or not
> > > > > > 3. Sends to WAF
> > > > > > 4. If approved goes back to be proxied to correct backend
> > > > > >
> > > > > > Now, would it be okay to have 20 sites sent through a single WAF or
> > > > > > should each site be configured for its own?
> > > > > >
> > > > > > I am looking to use OWASP ModSecurity for the WAF ruleset but not
> > > > > > familiar with its scalability yet.
> > > > > >
> > > > > > Hoping someone else has already gone down this path and could shed
> > > > > > some light on it.
> > > > > >
> > > > > > B. Kyle Parrish
From: Eero V. <eer...@ik...> - 2018-12-15 09:27:43

https://www.haproxy.com/products/haproxy-enterprise-edition/ and I asked for a
trial from: Selma Nametak <sna...@ha...>

They say that it is compatible with modsecurity.

"Yes you can use the ModSecurity CRS rules.

Our WAF supports 3 modes:

1) SQL Injection/XSS protection only

2) ModSecurity Ruleset

3) Whitelist only"

We are currently testing the product.

Eero

On Sat, Dec 15, 2018 at 11:17 AM Christian Folini <chr...@ne...> wrote:

> Thanks Eero. Never came across this. Do you have contact?
>
> On Fri, Dec 14, 2018 at 05:50:30PM +0200, Eero Volotinen wrote:
> > or.. Haproxy enterprise that supports modsecurity waf internally. (this
> > costs something like 1700€/haproxy/year)
> >
> > Eero
> >
> > Christian Folini <chr...@ne...> wrote on Fri 14 Dec 2018 at 17.41:
> >
> > > Oh, I see. Makes sense.
> > >
> > > Then your best option is
> > >
> > > Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application
> > >
> > > It's a proven and stable setup. Alternatively
> > >
> > > Net -> HAProxy -> NGINX(s) + ModSec 3.0.x -> Backend Application
> > >
> > > but I think it still has too many rough edges for my taste. And the
> > > performance is not yet on-par with the traditional Apache setup.
> > > (But that's a wild field and not everybody agrees with me.)
> > >
> > > Either way, you may find my tutorials for Apache + ModSec and NGINX + ModSec
> > > on netnea.com helpful.
> > >
> > > Ahoj,
> > >
> > > Christian
> > >
> > > On Fri, Dec 14, 2018 at 03:34:16PM +0000, Parrish, Kyle wrote:
> > > > Thank you for your prompt response.
> > > >
> > > > We currently have HAProxy serving our sites as a reverse proxy which
> > > > doesn't natively support modsecurity.
> > > >
> > > > What would you recommend in this scenario?
> > > >
> > > > -----Original Message-----
> > > > From: Christian Folini <chr...@ne...>
> > > > Sent: Friday, December 14, 2018 10:24
> > > > To: mod...@li...
> > > > Subject: Re: [mod-security-users] Deployment Options
> > > >
> > > > Good evening to you, Kyle,
> > > >
> > > > ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to
> > > > have the proxy serve several if not hundreds of backends. The problem is much
> > > > more a problem of overall throughput (expect ModSec to eat 10% of throughput
> > > > for an average internet site, but your mileage may vary greatly) and in
> > > > some cases a RAM problem with rule set duplication in memory.
> > > >
> > > > Generally: ModSec should not have any problem serving your scenario (if you
> > > > change it to "the proxy is the WAF")
> > > >
> > > > Cheers,
> > > >
> > > > Christian
> > > >
> > > > On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> > > > > Good morning all,
> > > > >
> > > > > Seeking advice on deploying a Web Application Firewall.
> > > > >
> > > > > I'm pretty familiar with WAFs and what they will do but stuck on an
> > > > > ideal deployment structure.
> > > > >
> > > > > Let's say there are 20 websites sitting behind a reverse proxy.
> > > > > My idea would be to have:
> > > > >
> > > > > 1. Request hits proxy
> > > > > 2. Checks to see if it has been WAF'ed or not
> > > > > 3. Sends to WAF
> > > > > 4. If approved goes back to be proxied to correct backend
> > > > >
> > > > > Now, would it be okay to have 20 sites sent through a single WAF or
> > > > > should each site be configured for its own?
> > > > >
> > > > > I am looking to use OWASP ModSecurity for the WAF ruleset but not
> > > > > familiar with its scalability yet.
> > > > >
> > > > > Hoping someone else has already gone down this path and could shed
> > > > > some light on it.
> > > > >
> > > > > B. Kyle Parrish
From: Christian F. <chr...@ne...> - 2018-12-15 09:16:24

Thanks Eero. Never came across this. Do you have contact?

On Fri, Dec 14, 2018 at 05:50:30PM +0200, Eero Volotinen wrote:
> or.. Haproxy enterprise that supports modsecurity waf internally. (this
> costs something like 1700€/haproxy/year)
>
> Eero
>
> Christian Folini <chr...@ne...> wrote on Fri 14 Dec 2018 at 17.41:
>
> > Oh, I see. Makes sense.
> >
> > Then your best option is
> >
> > Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application
> >
> > It's a proven and stable setup. Alternatively
> >
> > Net -> HAProxy -> NGINX(s) + ModSec 3.0.x -> Backend Application
> >
> > but I think it still has too many rough edges for my taste. And the
> > performance is not yet on-par with the traditional Apache setup.
> > (But that's a wild field and not everybody agrees with me.)
> >
> > Either way, you may find my tutorials for Apache + ModSec and NGINX + ModSec
> > on netnea.com helpful.
> >
> > Ahoj,
> >
> > Christian
> >
> > On Fri, Dec 14, 2018 at 03:34:16PM +0000, Parrish, Kyle wrote:
> > > Thank you for your prompt response.
> > >
> > > We currently have HAProxy serving our sites as a reverse proxy which
> > > doesn't natively support modsecurity.
> > >
> > > What would you recommend in this scenario?
> > >
> > > -----Original Message-----
> > > From: Christian Folini <chr...@ne...>
> > > Sent: Friday, December 14, 2018 10:24
> > > To: mod...@li...
> > > Subject: Re: [mod-security-users] Deployment Options
> > >
> > > Good evening to you, Kyle,
> > >
> > > ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to
> > > have the proxy serve several if not hundreds of backends. The problem is much
> > > more a problem of overall throughput (expect ModSec to eat 10% of throughput
> > > for an average internet site, but your mileage may vary greatly) and in
> > > some cases a RAM problem with rule set duplication in memory.
> > >
> > > Generally: ModSec should not have any problem serving your scenario (if you
> > > change it to "the proxy is the WAF")
> > >
> > > Cheers,
> > >
> > > Christian
> > >
> > > On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> > > > Good morning all,
> > > >
> > > > Seeking advice on deploying a Web Application Firewall.
> > > >
> > > > I'm pretty familiar with WAFs and what they will do but stuck on an
> > > > ideal deployment structure.
> > > >
> > > > Let's say there are 20 websites sitting behind a reverse proxy.
> > > > My idea would be to have:
> > > >
> > > > 1. Request hits proxy
> > > > 2. Checks to see if it has been WAF'ed or not
> > > > 3. Sends to WAF
> > > > 4. If approved goes back to be proxied to correct backend
> > > >
> > > > Now, would it be okay to have 20 sites sent through a single WAF or
> > > > should each site be configured for its own?
> > > >
> > > > I am looking to use OWASP ModSecurity for the WAF ruleset but not
> > > > familiar with its scalability yet.
> > > >
> > > > Hoping someone else has already gone down this path and could shed
> > > > some light on it.
> > > >
> > > > B. Kyle Parrish
From: Victor H. <vic...@gm...> - 2018-12-14 19:15:34

Hi Eero,

Your recipes were already added to the ModSecurity's GitHub wiki. You can see
the changeset here:

https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x/_history

Thanks for your contribution :)

Cheers

On Fri, Dec 14, 2018 at 11:36 AM Victor Hora <vic...@gm...> wrote:

> hummm, I was looking into Atomicorp repo
> <https://www6.atomicorp.com/channels/ossec/redhat/7/x86_64/RPMS/> and it
> seems like all of their libModSecurity packages are from earlier this year,
> either based off 3.0.0 or 3.0.2. I would recommend using 3.0.3.
>
> Seems like Arch Linux
> <https://archlinux.pkgs.org/rolling/archlinux-community-x86_64/libmodsecurity-1:3.0.3-1-x86_64.pkg.tar.xz.html>
> and Slackware
> <https://slackware.pkgs.org/14.2/slackers/libmodsecurity-3.0.3-x86_64-1cf.txz.html>
> have 3.0.3 on their repos. Using their spec files might help out people
> wishing to build their own packages or for other distros to adopt.
>
> If you want to share your "recipe" or spec files, we could add them to the
> Compilation-recipes-for-v3.x
> <https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x> until
> we have a dedicated wiki page for packages or something like that :)
>
> Cheers
>
> On Fri, Dec 14, 2018 at 11:17 AM Eero Volotinen <eer...@ik...> wrote:
>
>> Hi Victor,
>>
>> Atomic Corp repo contains libmodsecurity 3.x.x and apache modsecurity
>> module for rhel 7 / centos 7
>>
>> Anyway. Looks like there is not much nginx modsecurity available.. so I
>> have spec files and compilation
>> instructions for Amazon Linux 2 (libmodsecurity 3+nginx modsecurity 3
>> module) and for Centos 7 too.
>>
>> I can provide these files, if someone is interested?
>>
>> Eero
>>
>> Eero
>>
>> On Fri, Dec 14, 2018 at 6:02 PM Victor Hora <vic...@gm...> wrote:
>>
>>> Hi guys,
>>>
>>> There's a few libModSecurity packages for RPM and apt/dpkg based distros
>>> available. See this comment here:
>>>
>>> https://github.com/SpiderLabs/ModSecurity/issues/1981#issuecomment-446014441
>>>
>>> Regardless, if any of you get packages inside distros, let us know and
>>> we will happily add references to them either on www.modsecurity.org
>>> and/or github.com/SpiderLabs/ModSecurity/wiki :)
>>>
>>> Cheers
>>>
>>> On Thu, Dec 13, 2018 at 3:33 AM Eero Volotinen <eer...@ik...> wrote:
>>>
>>>> Hi,
>>>>
>>>> I already generated packages for aws linux and centos 7 (nginx only as
>>>> apache version is available from atomic repo)
>>>>
>>>> Some (all? of packagers are not giving these out for free), but I am
>>>> planning to release them as GPL.
>>>>
>>>> Eero
>>>>
>>>> On Thu, Dec 13, 2018 at 9:24 AM Ervin Hegedüs <ai...@gm...> wrote:
>>>>
>>>>> Hi Eero,
>>>>>
>>>>> On Thu, Dec 13, 2018 at 07:27:30AM +0200, Eero Volotinen wrote:
>>>>> > Hi List,
>>>>> >
>>>>> > Is there a place where I can distribute instructions for rpms generation and
>>>>> > binaries?
>>>>>
>>>>> I think there is a better place:
>>>>>
>>>>> https://sourceforge.net/p/mod-security/mailman/mod-security-packagers/
>>>>>
>>>>> > Looks like there is not much nginx modsecurity binaries available for free..
>>>>>
>>>>> @agi and me have successfully created the modsecurity package for
>>>>> Debian (a couple of days ago). If you think, you can find some
>>>>> help there:
>>>>>
>>>>> https://salsa.debian.org/agi/modsecurity/tree/upstream_3.0.3
>>>>>
>>>>> https://buildd.debian.org/status/logs.php?pkg=modsecurity&ver=3.0.3-1&suite=sid
>>>>>
>>>>> (The built package isn't part of Debian, but I hope it will be
>>>>> soon.)
>>>>>
>>>>> I think you have to do it first (libmodsecurity), and then you
>>>>> can do the others (Apache, nGinx...)
>>>>>
>>>>> If you have any question, just let me know.
>>>>>
>>>>>
>>>>> a.
>>>
>>> --
>>> -
>>> Victor Ribeiro Hora
>
> --
> -
> Victor Ribeiro Hora

--
-
Victor Ribeiro Hora

From: Victor H. <vic...@gm...> - 2018-12-14 16:36:21

hummm, I was looking into Atomicorp repo
<https://www6.atomicorp.com/channels/ossec/redhat/7/x86_64/RPMS/> and it
seems like all of their libModSecurity packages are from earlier this year,
either based off 3.0.0 or 3.0.2. I would recommend using 3.0.3.

Seems like Arch Linux
<https://archlinux.pkgs.org/rolling/archlinux-community-x86_64/libmodsecurity-1:3.0.3-1-x86_64.pkg.tar.xz.html>
and Slackware
<https://slackware.pkgs.org/14.2/slackers/libmodsecurity-3.0.3-x86_64-1cf.txz.html>
have 3.0.3 on their repos. Using their spec files might help out people
wishing to build their own packages or for other distros to adopt.

If you want to share your "recipe" or spec files, we could add them to the
Compilation-recipes-for-v3.x
<https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x> until
we have a dedicated wiki page for packages or something like that :)

Cheers

On Fri, Dec 14, 2018 at 11:17 AM Eero Volotinen <eer...@ik...> wrote:

> Hi Victor,
>
> Atomic Corp repo contains libmodsecurity 3.x.x and apache modsecurity
> module for rhel 7 / centos 7
>
> Anyway. Looks like there is not much nginx modsecurity available.. so I
> have spec files and compilation
> instructions for Amazon Linux 2 (libmodsecurity 3+nginx modsecurity 3
> module) and for Centos 7 too.
>
> I can provide these files, if someone is interested?
>
> Eero
>
> Eero
>
> On Fri, Dec 14, 2018 at 6:02 PM Victor Hora <vic...@gm...> wrote:
>
>> Hi guys,
>>
>> There's a few libModSecurity packages for RPM and apt/dpkg based distros
>> available. See this comment here:
>>
>> https://github.com/SpiderLabs/ModSecurity/issues/1981#issuecomment-446014441
>>
>> Regardless, if any of you get packages inside distros, let us know and we
>> will happily add references to them either on www.modsecurity.org and/or
>> github.com/SpiderLabs/ModSecurity/wiki :)
>>
>> Cheers
>>
>> On Thu, Dec 13, 2018 at 3:33 AM Eero Volotinen <eer...@ik...> wrote:
>>
>>> Hi,
>>>
>>> I already generated packages for aws linux and centos 7 (nginx only as
>>> apache version is available from atomic repo)
>>>
>>> Some (all? of packagers are not giving these out for free), but I am
>>> planning to release them as GPL.
>>>
>>> Eero
>>>
>>> On Thu, Dec 13, 2018 at 9:24 AM Ervin Hegedüs <ai...@gm...> wrote:
>>>
>>>> Hi Eero,
>>>>
>>>> On Thu, Dec 13, 2018 at 07:27:30AM +0200, Eero Volotinen wrote:
>>>> > Hi List,
>>>> >
>>>> > Is there a place where I can distribute instructions for rpms generation and
>>>> > binaries?
>>>>
>>>> I think there is a better place:
>>>>
>>>> https://sourceforge.net/p/mod-security/mailman/mod-security-packagers/
>>>>
>>>> > Looks like there is not much nginx modsecurity binaries available for free..
>>>>
>>>> @agi and me have successfully created the modsecurity package for
>>>> Debian (a couple of days ago). If you think, you can find some
>>>> help there:
>>>>
>>>> https://salsa.debian.org/agi/modsecurity/tree/upstream_3.0.3
>>>>
>>>> https://buildd.debian.org/status/logs.php?pkg=modsecurity&ver=3.0.3-1&suite=sid
>>>>
>>>> (The built package isn't part of Debian, but I hope it will be
>>>> soon.)
>>>>
>>>> I think you have to do it first (libmodsecurity), and then you
>>>> can do the others (Apache, nGinx...)
>>>>
>>>> If you have any question, just let me know.
>>>>
>>>>
>>>> a.
>>
>> --
>> -
>> Victor Ribeiro Hora

--
-
Victor Ribeiro Hora

From: Manuel S. <spa...@gm...> - 2018-12-14 16:23:02

+1 to Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application

On Fri, 14 Dec 2018 at 10:42, Christian Folini (<chr...@ne...>) wrote:

> Oh, I see. Makes sense.
>
> Then your best option is
>
> Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application
>
> It's a proven and stable setup. Alternatively
>
> Net -> HAProxy -> NGINX(s) + ModSec 3.0.x -> Backend Application
>
> but I think it still has too many rough edges for my taste. And the
> performance is not yet on-par with the traditional Apache setup.
> (But that's a wild field and not everybody agrees with me.)
>
> Either way, you may find my tutorials for Apache + ModSec and NGINX + ModSec
> on netnea.com helpful.
>
> Ahoj,
>
> Christian
>
> On Fri, Dec 14, 2018 at 03:34:16PM +0000, Parrish, Kyle wrote:
> > Thank you for your prompt response.
> >
> > We currently have HAProxy serving our sites as a reverse proxy which
> > doesn't natively support modsecurity.
> >
> > What would you recommend in this scenario?
> >
> > -----Original Message-----
> > From: Christian Folini <chr...@ne...>
> > Sent: Friday, December 14, 2018 10:24
> > To: mod...@li...
> > Subject: Re: [mod-security-users] Deployment Options
> >
> > Good evening to you, Kyle,
> >
> > ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to
> > have the proxy serve several if not hundreds of backends. The problem is much
> > more a problem of overall throughput (expect ModSec to eat 10% of throughput
> > for an average internet site, but your mileage may vary greatly) and in
> > some cases a RAM problem with rule set duplication in memory.
> >
> > Generally: ModSec should not have any problem serving your scenario (if you
> > change it to "the proxy is the WAF")
> >
> > Cheers,
> >
> > Christian
> >
> > On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> > > Good morning all,
> > >
> > > Seeking advice on deploying a Web Application Firewall.
> > >
> > > I'm pretty familiar with WAFs and what they will do but stuck on an
> > > ideal deployment structure.
> > >
> > > Let's say there are 20 websites sitting behind a reverse proxy.
> > > My idea would be to have:
> > >
> > > 1. Request hits proxy
> > > 2. Checks to see if it has been WAF'ed or not
> > > 3. Sends to WAF
> > > 4. If approved goes back to be proxied to correct backend
> > >
> > > Now, would it be okay to have 20 sites sent through a single WAF or
> > > should each site be configured for its own?
> > >
> > > I am looking to use OWASP ModSecurity for the WAF ruleset but not
> > > familiar with its scalability yet.
> > >
> > > Hoping someone else has already gone down this path and could shed
> > > some light on it.
> > >
> > > B. Kyle Parrish
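The topology endorsed in the message above (Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application), sketched as configuration for the Apache WAF tier. This is an added example, not part of any message in the thread; every hostname, address, port and file path in it is an assumed placeholder, and module paths vary by distribution.

```apache
# Added example: Apache 2.4 + ModSecurity 2.9.x as the WAF tier behind HAProxy.
# Hostnames, IP addresses, ports and paths are placeholders.

LoadModule unique_id_module  modules/mod_unique_id.so   # required by ModSecurity 2.x
LoadModule security2_module  modules/mod_security2.so
LoadModule remoteip_module   modules/mod_remoteip.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# HAProxy terminates the client connection, so without this Apache and
# ModSecurity log the proxy's address for every request. HAProxy has to add
# the header ("option forwardfor" on its side), and only HAProxy's own
# address (10.0.0.10 here) is trusted to supply it.
RemoteIPHeader        X-Forwarded-For
RemoteIPInternalProxy 10.0.0.10

# This tier is a reverse proxy only, never a forward proxy.
ProxyRequests Off

# Engine settings and the rule set are loaded once, at server scope, and the
# virtual hosts below inherit them. Repeating the Include lines inside every
# <VirtualHost> parses the rules once per site, which is one way a rule set
# ends up duplicated in memory when many sites share one WAF.
<IfModule security2_module>
    SecRuleEngine        On
    SecRequestBodyAccess On
    SecAuditEngine       RelevantOnly
    SecAuditLog          /var/log/httpd/modsec_audit.log

    Include /etc/httpd/modsecurity.d/crs/crs-setup.conf
    Include /etc/httpd/modsecurity.d/crs/rules/*.conf
</IfModule>

# HAProxy's backend points at this listener.
Listen 8080

# One virtual host per site; each proxies to its own backend application.
<VirtualHost *:8080>
    ServerName site1.example.com

    ProxyPreserveHost On
    ProxyPass        / http://10.0.1.11:8000/
    ProxyPassReverse / http://10.0.1.11:8000/
</VirtualHost>

<VirtualHost *:8080>
    ServerName site2.example.com

    # A site that is still being tuned can log without blocking, while the
    # other sites on the same WAF stay in blocking mode.
    SecRuleEngine DetectionOnly

    ProxyPreserveHost On
    ProxyPass        / http://10.0.1.12:8000/
    ProxyPassReverse / http://10.0.1.12:8000/
</VirtualHost>

# The backends (10.0.1.11, 10.0.1.12) should accept connections from this
# tier only; a backend that is reachable directly is not covered by the WAF.
```

Check the syntax with `apachectl configtest` before reloading.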
From: Eero V. <eer...@ik...> - 2018-12-14 16:17:30

Hi Victor,

Atomic Corp repo contains libmodsecurity 3.x.x and apache modsecurity
module for rhel 7 / centos 7

Anyway. Looks like there is not much nginx modsecurity available.. so I
have spec files and compilation
instructions for Amazon Linux 2 (libmodsecurity 3+nginx modsecurity 3
module) and for Centos 7 too.

I can provide these files, if someone is interested?

Eero

Eero

On Fri, Dec 14, 2018 at 6:02 PM Victor Hora <vic...@gm...> wrote:

> Hi guys,
>
> There's a few libModSecurity packages for RPM and apt/dpkg based distros
> available. See this comment here:
>
> https://github.com/SpiderLabs/ModSecurity/issues/1981#issuecomment-446014441
>
> Regardless, if any of you get packages inside distros, let us know and we
> will happily add references to them either on www.modsecurity.org and/or
> github.com/SpiderLabs/ModSecurity/wiki :)
>
> Cheers
>
> On Thu, Dec 13, 2018 at 3:33 AM Eero Volotinen <eer...@ik...> wrote:
>
>> Hi,
>>
>> I already generated packages for aws linux and centos 7 (nginx only as
>> apache version is available from atomic repo)
>>
>> Some (all? of packagers are not giving these out for free), but I am
>> planning to release them as GPL.
>>
>> Eero
>>
>> On Thu, Dec 13, 2018 at 9:24 AM Ervin Hegedüs <ai...@gm...> wrote:
>>
>>> Hi Eero,
>>>
>>> On Thu, Dec 13, 2018 at 07:27:30AM +0200, Eero Volotinen wrote:
>>> > Hi List,
>>> >
>>> > Is there a place where I can distribute instructions for rpms generation and
>>> > binaries?
>>>
>>> I think there is a better place:
>>>
>>> https://sourceforge.net/p/mod-security/mailman/mod-security-packagers/
>>>
>>> > Looks like there is not much nginx modsecurity binaries available for free..
>>>
>>> @agi and me have successfully created the modsecurity package for
>>> Debian (a couple of days ago). If you think, you can find some
>>> help there:
>>>
>>> https://salsa.debian.org/agi/modsecurity/tree/upstream_3.0.3
>>>
>>> https://buildd.debian.org/status/logs.php?pkg=modsecurity&ver=3.0.3-1&suite=sid
>>>
>>> (The built package isn't part of Debian, but I hope it will be
>>> soon.)
>>>
>>> I think you have to do it first (libmodsecurity), and then you
>>> can do the others (Apache, nGinx...)
>>>
>>> If you have any question, just let me know.
>>>
>>>
>>> a.
>
> --
> -
> Victor Ribeiro Hora

From: Victor H. <vic...@gm...> - 2018-12-14 16:01:20

Hi guys,

There's a few libModSecurity packages for RPM and apt/dpkg based distros
available. See this comment here:

https://github.com/SpiderLabs/ModSecurity/issues/1981#issuecomment-446014441

Regardless, if any of you get packages inside distros, let us know and we
will happily add references to them either on www.modsecurity.org and/or
github.com/SpiderLabs/ModSecurity/wiki :)

Cheers

On Thu, Dec 13, 2018 at 3:33 AM Eero Volotinen <eer...@ik...> wrote:

> Hi,
>
> I already generated packages for aws linux and centos 7 (nginx only as
> apache version is available from atomic repo)
>
> Some (all? of packagers are not giving these out for free), but I am
> planning to release them as GPL.
>
> Eero
>
> On Thu, Dec 13, 2018 at 9:24 AM Ervin Hegedüs <ai...@gm...> wrote:
>
>> Hi Eero,
>>
>> On Thu, Dec 13, 2018 at 07:27:30AM +0200, Eero Volotinen wrote:
>> > Hi List,
>> >
>> > Is there a place where I can distribute instructions for rpms generation and
>> > binaries?
>>
>> I think there is a better place:
>>
>> https://sourceforge.net/p/mod-security/mailman/mod-security-packagers/
>>
>> > Looks like there is not much nginx modsecurity binaries available for free..
>>
>> @agi and me have successfully created the modsecurity package for
>> Debian (a couple of days ago). If you think, you can find some
>> help there:
>>
>> https://salsa.debian.org/agi/modsecurity/tree/upstream_3.0.3
>>
>> https://buildd.debian.org/status/logs.php?pkg=modsecurity&ver=3.0.3-1&suite=sid
>>
>> (The built package isn't part of Debian, but I hope it will be
>> soon.)
>>
>> I think you have to do it first (libmodsecurity), and then you
>> can do the others (Apache, nGinx...)
>>
>> If you have any question, just let me know.
>>
>>
>> a.

--
-
Victor Ribeiro Hora

From: Eero V. <eer...@ik...> - 2018-12-14 15:50:50
|
or..

Haproxy enterprise that supports modsecurity waf internally. (this costs something like 1700€/haproxy/year)

Eero

Christian Folini <chr...@ne...> wrote on Fri, 14 Dec 2018 at 17:41:
> Oh, I see. Makes sense.
>
> Then your best option is
>
> Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application
>
> It's a proven and stable setup. Alternatively
>
> Net -> HAProxy -> NGINX(s) + ModSec 3.0.x -> Backend Application
>
> but I think it still has too many rough edges for my taste. And the
> performance is not yet on-par with the traditional Apache setup.
> (But that's a wild field and not everybody agrees with me.)
>
> Either way, you may find my tutorials for Apache + ModSec and NGINX +
> ModSec on netnea.com helpful.
>
> Ahoj,
>
> Christian
>
> On Fri, Dec 14, 2018 at 03:34:16PM +0000, Parrish, Kyle wrote:
> > Thank you for your prompt response.
> >
> > We currently have HAProxy serving our sites as a reverse proxy which
> > doesn't natively support modsecurity.
> >
> > What would you recommend in this scenario?
> >
> > -----Original Message-----
> > From: Christian Folini <chr...@ne...>
> > Sent: Friday, December 14, 2018 10:24
> > To: mod...@li...
> > Subject: Re: [mod-security-users] Deployment Options
> >
> > Good evening to you, Kyle,
> >
> > ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to
> > have the proxy serve several if not hundreds of backends. The problem is much
> > more a problem of overall throughput (expect ModSec to eat 10% of throughput
> > for an average internet site, but your mileage may vary greatly) and in
> > some cases a RAM problem with rule set duplication in memory.
> >
> > Generally: ModSec should not have any problem serving your scenario (if you
> > change it to "the proxy is the WAF")
> >
> > Cheers,
> >
> > Christian
> >
> > On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> > > Good morning all,
> > >
> > > Seeking advice on deploying a Web Application Firewall.
> > >
> > > I'm pretty familiar with WAFs and what they will do but stuck on an
> > > ideal deployment structure.
> > >
> > > Let's say there are 20 websites sitting behind a reverse proxy.
> > > My idea would be to have:
> > >
> > > 1. Request hits proxy
> > > 2. Checks to see if it has been WAF'ed or not
> > > 3. Sends to WAF
> > > 4. If approved goes back to be proxied to correct backend
> > >
> > > Now, would it be okay to have 20 sites sent through a single WAF or
> > > should each site be configured for its own?
> > >
> > > I am looking to use OWASP ModSecurity for the WAF ruleset but not
> > > familiar with its scalability yet.
> > >
> > > Hoping someone else has already gone down this path and could shed
> > > some light on it.
> > >
> > > B. Kyle Parrish
|
|
From: Christian F. <chr...@ne...> - 2018-12-14 15:40:47
|
Oh, I see. Makes sense.

Then your best option is

Net -> HAProxy -> Apache(s) + ModSec 2.9.x -> Backend Application

It's a proven and stable setup. Alternatively

Net -> HAProxy -> NGINX(s) + ModSec 3.0.x -> Backend Application

but I think it still has too many rough edges for my taste. And the
performance is not yet on-par with the traditional Apache setup.
(But that's a wild field and not everybody agrees with me.)

Either way, you may find my tutorials for Apache + ModSec and NGINX + ModSec
on netnea.com helpful.

Ahoj,

Christian

On Fri, Dec 14, 2018 at 03:34:16PM +0000, Parrish, Kyle wrote:
> Thank you for your prompt response.
>
> We currently have HAProxy serving our sites as a reverse proxy which doesn't natively support modsecurity.
>
> What would you recommend in this scenario?
>
> -----Original Message-----
> From: Christian Folini <chr...@ne...>
> Sent: Friday, December 14, 2018 10:24
> To: mod...@li...
> Subject: Re: [mod-security-users] Deployment Options
>
> Good evening to you, Kyle,
>
> ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to
> have the proxy serve several if not hundreds of backends. The problem is much
> more a problem of overall throughput (expect ModSec to eat 10% of throughput
> for an average internet site, but your mileage may vary greatly) and in
> some cases a RAM problem with rule set duplication in memory.
>
> Generally: ModSec should not have any problem serving your scenario (if you
> change it to "the proxy is the WAF")
>
> Cheers,
>
> Christian
>
> On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> > Good morning all,
> >
> > Seeking advice on deploying a Web Application Firewall.
> >
> > I'm pretty familiar with WAFs and what they will do but stuck on an ideal deployment structure.
> >
> > Let's say there are 20 websites sitting behind a reverse proxy.
> > My idea would be to have:
> >
> > 1. Request hits proxy
> > 2. Checks to see if it has been WAF'ed or not
> > 3. Sends to WAF
> > 4. If approved goes back to be proxied to correct backend
> >
> > Now, would it be okay to have 20 sites sent through a single WAF or should each site be configured for its own?
> >
> > I am looking to use OWASP ModSecurity for the WAF ruleset but not familiar with its scalability yet.
> >
> > Hoping someone else has already gone down this path and could shed some light on it.
> >
> > B. Kyle Parrish
|
|
From: Eero V. <eer...@ik...> - 2018-12-14 15:35:41
|
How about Nginx with WAF as proxy?

Eero

Parrish, Kyle <Kyl...@th...> wrote on Fri, 14 Dec 2018 at 17:15:
> Good morning all,
>
> Seeking advice on deploying a Web Application Firewall.
>
> I’m pretty familiar with WAFs and what they will do but stuck on an ideal
> deployment structure.
>
> Let's say there are 20 websites sitting behind a reverse proxy.
>
> My idea would be to have:
>
> 1. Request hits proxy
> 2. Checks to see if it has been WAF’ed or not
> 3. Sends to WAF
> 4. If approved goes back to be proxied to correct backend
>
> Now, would it be okay to have 20 sites sent through a single WAF or should
> each site be configured for its own?
>
> I am looking to use OWASP ModSecurity for the WAF ruleset but not familiar
> with its scalability yet.
>
> Hoping someone else has already gone down this path and could shed some
> light on it.
>
> *B. Kyle Parrish*
|
|
From: Parrish, K. <Kyl...@Th...> - 2018-12-14 15:34:32
|
Thank you for your prompt response.

We currently have HAProxy serving our sites as a reverse proxy which doesn't natively support modsecurity.

What would you recommend in this scenario?

-----Original Message-----
From: Christian Folini <chr...@ne...>
Sent: Friday, December 14, 2018 10:24
To: mod...@li...
Subject: Re: [mod-security-users] Deployment Options

Good evening to you, Kyle,

ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to
have the proxy serve several if not hundreds of backends. The problem is much
more a problem of overall throughput (expect ModSec to eat 10% of throughput
for an average internet site, but your mileage may vary greatly) and in
some cases a RAM problem with rule set duplication in memory.

Generally: ModSec should not have any problem serving your scenario (if you
change it to "the proxy is the WAF")

Cheers,

Christian

On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> Good morning all,
>
> Seeking advice on deploying a Web Application Firewall.
>
> I'm pretty familiar with WAFs and what they will do but stuck on an ideal deployment structure.
>
> Let's say there are 20 websites sitting behind a reverse proxy.
> My idea would be to have:
>
> 1. Request hits proxy
> 2. Checks to see if it has been WAF'ed or not
> 3. Sends to WAF
> 4. If approved goes back to be proxied to correct backend
>
> Now, would it be okay to have 20 sites sent through a single WAF or should each site be configured for its own?
>
> I am looking to use OWASP ModSecurity for the WAF ruleset but not familiar with its scalability yet.
>
> Hoping someone else has already gone down this path and could shed some light on it.
>
> B. Kyle Parrish
|
|
From: Christian F. <chr...@ne...> - 2018-12-14 15:24:35
|
Good evening to you, Kyle,

ModSecurity is usually sitting inline on the proxy. But it's perfectly OK to
have the proxy serve several if not hundreds of backends. The problem is much
more a problem of overall throughput (expect ModSec to eat 10% of throughput
for an average internet site, but your mileage may vary greatly) and in
some cases a RAM problem with rule set duplication in memory.

Generally: ModSec should not have any problem serving your scenario (if you
change it to "the proxy is the WAF")

Cheers,

Christian

On Fri, Dec 14, 2018 at 02:50:27PM +0000, Parrish, Kyle wrote:
> Good morning all,
>
> Seeking advice on deploying a Web Application Firewall.
>
> I'm pretty familiar with WAFs and what they will do but stuck on an ideal deployment structure.
>
> Let's say there are 20 websites sitting behind a reverse proxy.
> My idea would be to have:
>
> 1. Request hits proxy
> 2. Checks to see if it has been WAF'ed or not
> 3. Sends to WAF
> 4. If approved goes back to be proxied to correct backend
>
> Now, would it be okay to have 20 sites sent through a single WAF or should each site be configured for its own?
>
> I am looking to use OWASP ModSecurity for the WAF ruleset but not familiar with its scalability yet.
>
> Hoping someone else has already gone down this path and could shed some light on it.
>
> B. Kyle Parrish
|
|
From: Parrish, K. <Kyl...@Th...> - 2018-12-14 15:14:18
|
Good morning all,

Seeking advice on deploying a Web Application Firewall.

I'm pretty familiar with WAFs and what they will do but stuck on an ideal deployment structure.

Let's say there are 20 websites sitting behind a reverse proxy.
My idea would be to have:

1. Request hits proxy
2. Checks to see if it has been WAF'ed or not
3. Sends to WAF
4. If approved goes back to be proxied to correct backend

Now, would it be okay to have 20 sites sent through a single WAF or should each site be configured for its own?

I am looking to use OWASP ModSecurity for the WAF ruleset but not familiar with its scalability yet.

Hoping someone else has already gone down this path and could shed some light on it.

B. Kyle Parrish
|
|
From: Davy G. <da...@ya...> - 2018-12-14 13:58:10
|
Hi to all,

I wonder if you actually create custom rule for mod security for example to prevent piggy tail sqlia only. Is that possible?

Davy

Sent from Yahoo Mail on Android

On Wed, 12 Dec 2018 at 20:09, Reindl Harald <h.r...@th...> wrote:

On 12.12.18 at 14:02, Gryzli Bugbear wrote:
> Hi to all,
>
> Recently I found something weird for me - rules executing in the same
> phase , are executed not by their ID numbers, but rather based on
> appearance in the configuration file.
>
> Is that a correct behavior for ModSecurity ?

yes

the rule-ids are in different ranges depending of context and it would
not make any sense execute them in the order of the id's at all
|
|
From: Eero V. <eer...@ik...> - 2018-12-13 08:31:06
|
Hi,

I already generated packages for aws linux and centos 7 (nginx only as apache version is available from atomic repo)

Some (all? of packagers are not giving these out for free), but I am planning to release them as GPL.

Eero

On Thu, Dec 13, 2018 at 9:24 AM Ervin Hegedüs <ai...@gm...> wrote:
> Hi Eero,
>
> On Thu, Dec 13, 2018 at 07:27:30AM +0200, Eero Volotinen wrote:
> > Hi List,
> >
> > Is there a place where I can distribute instructions for rpms generation and
> > binaries?
>
> I think there is a better place:
>
> https://sourceforge.net/p/mod-security/mailman/mod-security-packagers/
>
> > Looks like there is not much nginx modsecurity binaries available for
> > free..
>
> @agi and me have successfully created the modsecurity package for
> Debian (a couple of days ago). If you think, you can find some
> help there:
>
> https://salsa.debian.org/agi/modsecurity/tree/upstream_3.0.3
>
> https://buildd.debian.org/status/logs.php?pkg=modsecurity&ver=3.0.3-1&suite=sid
>
> (The built package isn't part of Debian, but I hope it will be
> soon.)
>
> I think you have to do it first (libmodsecurity), and then you
> can do the others (Apache, nGinx...)
>
> If you have any question, just let me know.
>
>
> a.
|
|
From: Ervin H. <ai...@gm...> - 2018-12-13 07:23:47
|
Hi Eero,

On Thu, Dec 13, 2018 at 07:27:30AM +0200, Eero Volotinen wrote:
> Hi List,
>
> Is there a place where I can distribute instructions for rpms generation and
> binaries?

I think there is a better place:

https://sourceforge.net/p/mod-security/mailman/mod-security-packagers/

> Looks like there is not much nginx modsecurity binaries available for free..

@agi and me have successfully created the modsecurity package for
Debian (a couple of days ago). If you think, you can find some
help there:

https://salsa.debian.org/agi/modsecurity/tree/upstream_3.0.3

https://buildd.debian.org/status/logs.php?pkg=modsecurity&ver=3.0.3-1&suite=sid

(The built package isn't part of Debian, but I hope it will be
soon.)

I think you have to do it first (libmodsecurity), and then you
can do the others (Apache, nGinx...)

If you have any question, just let me know.


a.
|
|
From: Eero V. <eer...@ik...> - 2018-12-13 05:27:51
|
Hi List,

Is there a place where I can distribute instructions for rpms generation and binaries?

Looks like there is not much nginx modsecurity binaries available for free..

Eero
|
|
From: Luciano G. F. <luc...@gm...> - 2018-12-13 02:01:14
|
It perfectly worked! I've just combined setenv:dontlog in all rules I
needed and that's it. This really helps me to keep an eye in the logs.
Thank you!
On Wed, Dec 12, 2018 at 22:26, Manuel Spartan (spa...@gm...) wrote:
> Try a modsec with ctl:setenv with pmf to the bot file for
> request_headers:user-agent. So if the header is in the file then set the
> nolog env.
> Having two update points is painful in the long run.
> Cheers!
>
> Sent from my iPhone
>
> On 12 Dec 2018, at 20:05, Luciano Guillermo Fantuzzi <
> luc...@gm...> wrote:
>
> Yes, I had to do it that way. Just in case:
>
> ---
> # Local messages
> SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
> SetEnvIf Remote_Addr "::1" dontlog
> SetEnvIfNoCase User-Agent "internal dummy connection" dontlog
>
> # Not interesting
> SetEnvIfNoCase Request_URI "^/robots\.txt$" dontlog
>
> # Only relevant for modsec log (it will output to error log eventually)
> # Note: Keep this list updated with /etc/modsecurity/data/*.data
> SetEnvIfNoCase User-Agent (Googlebot|bingbot\
> |AhrefsBot|MJ12bot|trovitBot|AwarioRssBot|Semrush|DotBot|BLEXBot|YandexBot|YandexMobileBot|PaperLiBot|Baidu|ZoominfoBot\
> |facebookexternalhit) dontlog
>
> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined env=!dontlog
> ---
>
> The only thing that I don't like of this approach is that I can't pass
> SetEnvIf a file to read, so I'll have to keep both (*.data and .conf files)
> in sync.
>
>
> On Wed, Dec 12, 2018 at 21:39, Manuel Spartan (spa...@gm...) wrote:
>
>> Hi Luciano, you can achieve that with environment variables and a custom
>> log format with an env condition in Apache.
>> Modsec writes error and audit log only, access log tricks can be useful
>> to prevent IP/personal/financial leaks.
>>
>> Cheers!
>>
>> Sent from my iPhone
>>
>> On 12 Dec 2018, at 18:16, Luciano Guillermo Fantuzzi <
>> luc...@gm...> wrote:
>>
>> Something I couldn't find in the docs. Is it possible to avoid logging in
>> the access log? With nolog action I can avoid logging it in error log (and
>> audit log, but it's turned off), but I couldn't find a way to avoid
>> displaying a message in the access log on every rule match. I find this
>> important because my idea was to separate logs and keep the access log as
>> clean as possible so I can analyze bots/crawlers not being caught in my
>> rules.
>>
>> Thanks.
>>
>> On Wed, Dec 12, 2018 at 18:32, Christian Folini (chr...@ne...) wrote:
>>
>>> On Wed, Dec 12, 2018 at 06:16:49PM -0300, Luciano Guillermo Fantuzzi wrote:
>>> > Oh, I didn't realize we were not anymore in the main mailing thread. I'm
>>> > re-joining it from here.
>>>
>>> Yes, I took it private after things turned sour following my comment.
>>>
>>> Glad it worked out for you in the end.
>>>
>>> Ahoj,
>>>
>>> Christian
>>>
>>> --
>>> If liberty means anything at all, it means the right to tell people
>>> what they do not want to hear.
>>> -- George Orwell
>>>
|
|
From: Manuel S. <spa...@gm...> - 2018-12-13 01:25:34
|
Try a modsec with ctl:setenv with pmf to the bot file for request_headers:user-agent. So if the header is in the file then set the nolog env.
Having two update points is painful in the long run.
Cheers!
Sent from my iPhone
> On 12 Dec 2018, at 20:05, Luciano Guillermo Fantuzzi <luc...@gm...> wrote:
>
> Yes, I had to do it that way. Just in case:
>
> ---
> # Local messages
> SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
> SetEnvIf Remote_Addr "::1" dontlog
> SetEnvIfNoCase User-Agent "internal dummy connection" dontlog
>
> # Not interesting
> SetEnvIfNoCase Request_URI "^/robots\.txt$" dontlog
>
> # Only relevant for modsec log (it will output to error log eventually)
> # Note: Keep this list updated with /etc/modsecurity/data/*.data
> SetEnvIfNoCase User-Agent (Googlebot|bingbot\
> |AhrefsBot|MJ12bot|trovitBot|AwarioRssBot|Semrush|DotBot|BLEXBot|YandexBot|YandexMobileBot|PaperLiBot|Baidu|ZoominfoBot\
> |facebookexternalhit) dontlog
>
> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined env=!dontlog
> ---
>
> The only thing that I don't like of this approach is that I can't pass SetEnvIf a file to read, so I'll have to keep both (*.data and .conf files) in sync.
>
>
> On Wed, Dec 12, 2018 at 21:39, Manuel Spartan (spa...@gm...) wrote:
>> Hi Luciano, you can achieve that with environment variables and a custom log format with an env condition in Apache.
>> Modsec writes error and audit log only, access log tricks can be useful to prevent IP/personal/financial leaks.
>>
>> Cheers!
>>
>> Sent from my iPhone
>>
>>> On 12 Dec 2018, at 18:16, Luciano Guillermo Fantuzzi <luc...@gm...> wrote:
>>>
>>> Something I couldn't find in the docs. Is it possible to avoid logging in the access log? With nolog action I can avoid logging it in error log (and audit log, but it's turned off), but I couldn't find a way to avoid displaying a message in the access log on every rule match. I find this important because my idea was to separate logs and keep the access log as clean as possible so I can analyze bots/crawlers not being caught in my rules.
>>>
>>> Thanks.
>>>
>>> On Wed, Dec 12, 2018 at 18:32, Christian Folini (chr...@ne...) wrote:
>>>> On Wed, Dec 12, 2018 at 06:16:49PM -0300, Luciano Guillermo Fantuzzi wrote:
>>>> > Oh, I didn't realize we were not anymore in the main mailing thread. I'm
>>>> > re-joining it from here.
>>>>
>>>> Yes, I took it private after things turned sour following my comment.
>>>>
>>>> Glad it worked out for you in the end.
>>>>
>>>> Ahoj,
>>>>
>>>> Christian
>>>>
>>>> --
>>>> If liberty means anything at all, it means the right to tell people
>>>> what they do not want to hear.
>>>> -- George Orwell
|
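Manuel's suggestion above, written out as ModSecurity 2.x rules for Apache; this is an added example, not configuration posted in the thread. The rule ids (10001, 10002) and the file names bots.data and bad-bots.data are assumptions; the /etc/modsecurity/data/ directory, the dontlog variable and the CustomLog line come from the thread.

```apache
# Added example. Assumed: rule ids 10001/10002 and the two .data file names.
# Each .data file holds one phrase per line, for instance:
#   Googlebot
#   bingbot
#   AhrefsBot

# Known crawlers: keep them out of every log.
# Phase 1 runs as soon as the request headers are parsed. @pmFromFile
# (short form @pmf) does a case-insensitive phrase match of the header
# against each line of the file. On a match the Apache environment
# variable "dontlog" is set and the request continues normally.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/modsecurity/data/bots.data" \
    "id:10001,phase:1,pass,t:none,nolog,noauditlog,setenv:dontlog=1"

# Unwanted crawlers: block them, record the hit in the ModSecurity
# error log, and still keep the request out of the access log.
SecRule REQUEST_HEADERS:User-Agent "@pmFromFile /etc/modsecurity/data/bad-bots.data" \
    "id:10002,phase:1,deny,status:403,t:none,log,\
    msg:'Blocked crawler by User-Agent',setenv:dontlog=1"

# The access log skips every request that carries the variable, so the
# bot list now lives only in the .data files and no SetEnvIfNoCase
# copy has to be kept in sync.
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined env=!dontlog
```

User-Agent is client-supplied, so any client that sends a string from bots.data leaves no access-log entry; requests matched by rule 10002 are still recorded in the ModSecurity error log.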
|
From: Luciano G. F. <luc...@gm...> - 2018-12-13 01:05:48
|
Yes, I had to do it that way. Just in case:
---
# Local messages
SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
SetEnvIf Remote_Addr "::1" dontlog
SetEnvIfNoCase User-Agent "internal dummy connection" dontlog
# Not interesting
SetEnvIfNoCase Request_URI "^/robots\.txt$" dontlog
# Only relevant for modsec log (it will output to error log eventually)
# Note: Keep this list updated with /etc/modsecurity/data/*.data
SetEnvIfNoCase User-Agent (Googlebot|bingbot\
|AhrefsBot|MJ12bot|trovitBot|AwarioRssBot|Semrush|DotBot|BLEXBot|YandexBot|YandexMobileBot|PaperLiBot|Baidu|ZoominfoBot\
|facebookexternalhit) dontlog
CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined env=!dontlog
---
The only thing that I don't like of this approach is that I can't pass
SetEnvIf a file to read, so I'll have to keep both (*.data and .conf files)
in sync.
On Wed, Dec 12, 2018 at 21:39, Manuel Spartan (spa...@gm...) wrote:
> Hi Luciano, you can achieve that with environment variables and a custom
> log format with an env condition in Apache.
> Modsec writes error and audit log only, access log tricks can be useful to
> prevent IP/personal/financial leaks.
>
> Cheers!
>
> Sent from my iPhone
>
> On 12 Dec 2018, at 18:16, Luciano Guillermo Fantuzzi <
> luc...@gm...> wrote:
>
> Something I couldn't find in the docs. Is it possible to avoid logging in
> the access log? With nolog action I can avoid logging it in error log (and
> audit log, but it's turned off), but I couldn't find a way to avoid
> displaying a message in the access log on every rule match. I find this
> important because my idea was to separate logs and keep the access log as
> clean as possible so I can analyze bots/crawlers not being caught in my
> rules.
>
> Thanks.
>
> On Wed, Dec 12, 2018 at 18:32, Christian Folini (chr...@ne...) wrote:
>
>> On Wed, Dec 12, 2018 at 06:16:49PM -0300, Luciano Guillermo Fantuzzi wrote:
>> > Oh, I didn't realize we were not anymore in the main mailing thread. I'm
>> > re-joining it from here.
>>
>> Yes, I took it private after things turned sour following my comment.
>>
>> Glad it worked out for you in the end.
>>
>> Ahoj,
>>
>> Christian
>>
>> --
>> If liberty means anything at all, it means the right to tell people
>> what they do not want to hear.
>> -- George Orwell
|
|
From: Manuel S. <spa...@gm...> - 2018-12-13 00:37:35
|
Hi Luciano, you can achieve that with environment variables and a custom log format with an env condition in Apache.
Modsec writes error and audit log only, access log tricks can be useful to prevent IP/personal/financial leaks.

Cheers!

Sent from my iPhone

> On 12 Dec 2018, at 18:16, Luciano Guillermo Fantuzzi <luc...@gm...> wrote:
>
> Something I couldn't find in the docs. Is it possible to avoid logging in the access log? With nolog action I can avoid logging it in error log (and audit log, but it's turned off), but I couldn't find a way to avoid displaying a message in the access log on every rule match. I find this important because my idea was to separate logs and keep the access log as clean as possible so I can analyze bots/crawlers not being caught in my rules.
>
> Thanks.
>
> On Wed, Dec 12, 2018 at 18:32, Christian Folini (chr...@ne...) wrote:
>> On Wed, Dec 12, 2018 at 06:16:49PM -0300, Luciano Guillermo Fantuzzi wrote:
>> > Oh, I didn't realize we were not anymore in the main mailing thread. I'm
>> > re-joining it from here.
>>
>> Yes, I took it private after things turned sour following my comment.
>>
>> Glad it worked out for you in the end.
>>
>> Ahoj,
>>
>> Christian
>>
>> --
>> If liberty means anything at all, it means the right to tell people
>> what they do not want to hear.
>> -- George Orwell
|