[BlueOnyx:25979] Re: Integrate modsecurity as an pers site enable or disable WAF?
Michael Stauber
mstauber at blueonyx.it
Fri Feb 17 10:30:29 -05 2023
Hi Dirk,

> what do you think about adding modsecurity to blueonyx and add it in a
> way that you can decide on a per site basis if you want to enable or
> disable. Modsecurity + OWASP will create a basic protection which will be
> very helpful for a lot of sites I guess.

I like modsecurity and it has come a long way. But it's only as good as
the rulesets that you use. The OWASP ruleset? It's pretty darn complete
and complex, which is also a bit of a problem. It might block stuff that
some users intentionally want to use. And there the complexity and
abstractness of the rules is a bit of an enemy, as it's difficult to
find the exact rules that one might want to disable.

Normally modsecurity is enabled on a global level and protects all
traffic that runs through Apache. It *can* be disabled on a per
VirtualHost basis, but not the other way around. At least that's how I
think it works.

So if we install it and only want to enable it for specific Vsites, I
need to once run a script that modifies the configs of all Vsites to
disable it.

Likewise: The OWASP ruleset has rules of type "main" and "core", which
(when loaded) will always be active.

A proper GUI integration of this would be fairly complex, but I don't
rule it out. I still have a ton of other work on my plate, but I'll try
to look at it when I can.

If you have any writeup about a specific configuration or method of
installation, please share it with me and I'll orient my build process
that way. Same as I did when Chris Gebhardt published his DKIM guide.

--
With best regards
Michael Stauber
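
A one-time opt-out script of the kind the message mentions could look like this. It is an added example, not code from the original post or from BlueOnyx; the directory of per-site `*.include` files (assumed to be included inside each site's VirtualHost), the marker comments and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: ModSecurity v2 is loaded as security2_module
# with SecRuleEngine On globally, and each site has a *.include file that
# Apache includes inside that site's <VirtualHost>.
MARK_BEGIN='# BEGIN modsec-optout'
MARK_END='# END modsec-optout'

# Append the opt-out block to one include file. Idempotent:
# returns 0 if the file was changed, 1 if the block was already there.
waf_disable_site() {
    inc=$1
    grep -qF "$MARK_BEGIN" "$inc" && return 1
    # Start on a fresh line if the file lacks a trailing newline.
    [ -n "$(tail -c 1 "$inc")" ] && echo >>"$inc"
    cat >>"$inc" <<EOF
$MARK_BEGIN
<IfModule security2_module>
    SecRuleEngine Off
</IfModule>
$MARK_END
EOF
}

# Remove the opt-out block so the global setting applies to the site again.
# Returns 1 if the site was not opted out.
waf_enable_site() {
    inc=$1
    grep -qF "$MARK_BEGIN" "$inc" || return 1
    tmp=$(mktemp) || return 2
    # Write back through cat so owner and mode of the include are kept.
    sed "/^$MARK_BEGIN\$/,/^$MARK_END\$/d" "$inc" >"$tmp" && cat "$tmp" >"$inc"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# One-time run over every include file; prints how many were changed.
waf_disable_all() {
    changed=0
    for site_inc in "$1"/*.include; do
        [ -f "$site_inc" ] || continue
        if waf_disable_site "$site_inc"; then changed=$((changed + 1)); fi
    done
    echo "$changed"
}

if [ "$#" -eq 1 ]; then waf_disable_all "$1"; fi
```

Check the result with `apachectl configtest` and reload Apache before relying on the new per-site state.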