[BlueOnyx:25986] Re: Integrate modsecurity as a per-site enable or disable WAF?

Dirk Estenfeld dirk.estenfeld at blackpoint.de
Mon Feb 20 03:49:42 -05 2023


Hello Michael,

Unfortunately, I don't have any ready-made instructions for you, but can
only ask Auntie Google in this case.
However, there is a switch "SecRuleEngine On".
It may be possible to set this to "off" at a high level and then set it to
"on" in the respective site config, if desired. Then you wouldn't have to
touch all the config files in general.

There are probably several rulesets for ModSecurity like OWASP, Comodo,
Atomic that are free or costly. I think ModSecurity is mostly used together
with OWASP. But as written, I don't have a tested manual that you can simply
go through.

Best regards,
Dirk

blackpoint GmbH – Friedberger Straße 106b – 61118 Bad Vilbel

-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On behalf of Michael
Stauber
Sent: Friday, 17 February 2023 16:30
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:25979] Re: Integrate modsecurity as a per-site enable
or disable WAF?

Hi Dirk,

> what do you think about adding modsecurity to blueonyx and add it in a 
> way that you can decide on a per site basis if you want to enable or 
> disable. Modsecurity + OWASP will create a basic protection what will 
> be very helpful for a lot of sites I guess.
I like modsecurity and it has come a long way. But it's only as good as the
rulesets that you use. The OWASP ruleset? It's pretty darn complete and
complex, which is also a bit of a problem. It might block stuff that some
users intentionally want to use. And there the complexity and abstractness
of the rules is a bit of an enemy, as it's difficult to find the exact rules
that one might want to disable.

Normally modsecurity is enabled on a global level and protects all traffic
that runs through Apache. It *can* be disabled on a per VirtualHost basis,
but not the other way around. At least that's how I think it works.

So if we install it and only want to enable it for specific Vsites, I need
to once run a script that modifies the configs of all Vsites to disable it.

Likewise: The OWASP ruleset has rules of type "main" and "core", which (when
loaded) will always be active.

A proper GUI integration of this would be fairly complex, but I don't rule
it out. I still have a ton of other work on my plate, but I'll try to look
at it when I can.

If you have any writeup about a specific configuration or method of
installation, please share it with me and I'll orient my build process that
way. Same as I did when Chris Gebhardt published his DKIM guide.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
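The switch Dirk describes, written out as an added illustration that is not from the thread or from BlueOnyx: ModSecurity 2.x under Apache with the engine off in the server-wide config and switched on per VirtualHost, plus the per-site rule exclusion and detection-only mode that address Michael's point about finding which rules to disable. File paths, hostnames and the rule ID are assumed placeholders, not BlueOnyx's own layout.

```apache
# --- Server-wide ModSecurity settings (path assumed, e.g. /etc/httpd/conf.d/mod_security.conf) ---
<IfModule security2_module>
    # Load the engine and the full ruleset everywhere, but leave enforcement OFF by default.
    # SecRuleEngine is a per-context setting, so each VirtualHost can override it.
    SecRuleEngine Off
    SecRequestBodyAccess On

    # Audit only transactions that tripped a rule; this log is where per-site tuning starts.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/httpd/modsec_audit.log

    # OWASP CRS setup and rules (paths assumed for this example)
    Include /etc/httpd/modsecurity.d/crs-setup.conf
    Include /etc/httpd/modsecurity.d/activated_rules/*.conf
</IfModule>

# --- A Vsite that wants the WAF enforced ---
<VirtualHost *:443>
    ServerName waf-on.example.com          # constructed example hostname
    DocumentRoot /home/sites/waf-on/web    # assumed path
    <IfModule security2_module>
        # Enable the already-loaded ruleset for this site only.
        SecRuleEngine On
        # Site-specific exception: drop a single CRS rule this application
        # legitimately triggers. 999999 is a placeholder; take real IDs from the audit log.
        SecRuleRemoveById 999999
    </IfModule>
</VirtualHost>

# --- A Vsite evaluating the WAF before enforcing it ---
<VirtualHost *:443>
    ServerName waf-test.example.com        # constructed example hostname
    DocumentRoot /home/sites/waf-test/web  # assumed path
    <IfModule security2_module>
        # Log what WOULD be blocked without blocking; review the audit log for
        # rule IDs worth excluding, then switch this site to On.
        SecRuleEngine DetectionOnly
    </IfModule>
</VirtualHost>
```

Sites whose VirtualHost sets nothing keep the server-wide Off, so no existing Vsite config has to be touched until it opts in.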