Thread: [mod-security-users] Handling multiple clients with modsecurity
From: Blason R <bla...@gm...> - 2021-03-08 06:59:28
Hi Folks,

Here is my requirement, and I am seeking any heads up from the community -

- I already have an nginx server running for our multiple customers in reverse proxy mode
- So the Nginx reverse proxy is sending requests to customer web servers
- let's say -

    - Customer-1 exmaple.com -> web site example.com
    - Customer-2 www.test.com -> www.test.com
    - Customer3- acme.com -> www.acme.com

- Now I am trying to integrate modsecurity with Nginx
- So my question is - Do I need to create a separate config file for every customer location?
- like

    /etc/nginx/modsec/example.com/main.conf
    /etc/nginx/modsec/example.com/modsecurity.conf
    /etc/nginx/modsec/example.com/coreruleset/rules/*.conf
    /etc/nginx/modsec/example.com/coreruleset/cor-ruleset.conf
    ##################
    /etc/nginx/modsec/test.com/main.conf
    /etc/nginx/modsec/test.com/modsecurity.conf
    /etc/nginx/modsec/test.com/coreruleset/rules/*.conf
    /etc/nginx/modsec/test.com/coreruleset/cor-ruleset.conf
    ##################
    /etc/nginx/modsec/acme.com/main.conf
    /etc/nginx/modsec/acme.com/modsecurity.conf
    /etc/nginx/modsec/acme.com/coreruleset/rules/*.conf
    /etc/nginx/modsec/acme.com/coreruleset/cor-ruleset.conf

- Is this the correct method to manage rules/exceptions/blacklisting/whitelisting for multiple customers? Or is there any other alternative?
- Plus, logs should be separate for every customer, which I am thinking of generating in a JSON file
- Please let me know if this is the correct option, considering around 15-20 sites protected by nginx and customers.

    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogFormat JSON
    SecAuditLog /var/log/modsec_audit.log

TIA
Blason R
From: Christian V. <cv...@it...> - 2021-03-08 11:28:59
Hi Blason,

It is better if you separate everything as you mention; in that way you can configure by app: exclusions, rules, custom configuration, etc.

If you are on a Debian distribution, you could use Waf2Py; it will do what you are looking for with an easy web interface:
https://github.com/ITSec-Chile/Waf2Py

Cheers
Chris
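
One way to script the per-site separation discussed above for 15-20 sites, as an added example that is not part of the thread or of any project mentioned in it: each site gets its own main.conf, exclusion files and JSON audit log, while the base settings and the Core Rule Set are included from one shared copy. The `shared/` directory, the `crs-setup.conf`, `before-crs.conf`, `after-crs.conf` and `nginx-snippet.conf` file names, and the log root are assumptions; `modsecurity` and `modsecurity_rules_file` are the ModSecurity-nginx connector directives.

```shell
#!/bin/sh
# Added example: generate a thin per-tenant ModSecurity layer for nginx.
# Assumptions (not from the thread): the base config and one CRS checkout
# live under $MODSEC_ROOT/shared; per-tenant logs go under $LOG_ROOT.
MODSEC_ROOT="${MODSEC_ROOT:-/etc/nginx/modsec}"
LOG_ROOT="${LOG_ROOT:-/var/log/modsec}"

# make_tenant DOMAIN: write DOMAIN/main.conf and DOMAIN/nginx-snippet.conf
make_tenant() {
    domain=$1
    # Accept only hostname characters so a tenant name cannot escape the tree.
    case $domain in
        ''|.*|*..*|*[!A-Za-z0-9.-]*)
            echo "bad tenant name: $domain" >&2; return 1 ;;
    esac
    dir="$MODSEC_ROOT/$domain"
    mkdir -p "$dir" "$LOG_ROOT/$domain" || return 1
    # Exclusion files are created once and never overwritten on re-runs.
    for f in before-crs.conf after-crs.conf; do
        [ -e "$dir/$f" ] || : > "$dir/$f"
    done
    cat > "$dir/main.conf" <<EOF
# Generated for $domain. Order: base, pre-CRS exclusions, CRS, post-CRS.
Include $MODSEC_ROOT/shared/modsecurity.conf
Include $dir/before-crs.conf
Include $MODSEC_ROOT/shared/coreruleset/crs-setup.conf
Include $MODSEC_ROOT/shared/coreruleset/rules/*.conf
Include $dir/after-crs.conf
# Audit settings quoted in the thread, with a separate log file per tenant.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogFormat JSON
SecAuditLog $LOG_ROOT/$domain/audit.json
EOF
    cat > "$dir/nginx-snippet.conf" <<EOF
# Place inside the server {} block that proxies $domain.
modsecurity on;
modsecurity_rules_file $dir/main.conf;
EOF
}

# Run for every tenant name given on the command line.
for t in "$@"; do make_tenant "$t" || exit 1; done
```

Re-running the script regenerates main.conf but leaves a tenant's existing exclusion files untouched, so hand-written exceptions survive.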
From: Blason R <bla...@gm...> - 2021-03-08 17:25:36
Thanks for the reply and heads up. Any clue for a log parsing tool apart from ELK? I am looking for a multi-tenant facility.