WAF
A Web Application Firewall (WAF) is a security solution designed to monitor, filter, and block malicious traffic to and from web applications by enforcing policies based on specific rules. It helps protect applications from common web-based attacks such as SQL injection, cross-site scripting (XSS), and distributed denial-of-service (DDoS) attacks.
In the HA Load Balancer, the WAF consists of three applications:
- ModSecurity - WAF engine,
- ModSecurity-nginx - connector that integrates ModSecurity with Nginx,
- CoreRuleSet (CRS) - set of predefined security rules for ModSecurity (helps detect common web application attacks).
WAF files can be found at ${onteon-node-manager-path}/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity (by default /usr/local/bin/onteon-node-manager/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity).
Configuration
For details, see the official ModSecurity documentation and the ModSecurity-nginx documentation.
Using Web GUI
You can configure the WAF using the Web GUI.
- Go to the Manage Configs tab and click Modify on the modsecurity directory.
- Click Modify on the modsecurity.conf file (or click Create File to create a new file).

Turn on the WAF
In your server's configuration block, add the following directives, for example:
modsecurity on;
modsecurity_rules_file /usr/local/bin/onteon-node-manager/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity/modsecurity.conf;
Configure ModSecurity
To configure ModSecurity either edit ${onteon-node-manager-path}/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity/modsecurity.conf (by default /usr/local/bin/onteon-node-manager/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity/modsecurity.conf) file or create your own configuration file.
File ${onteon-node-manager-path}/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity/modsecurity.conf comes with configuration recommended by ModSecurity.
Use CRS
To use CRS, add the following Include directives to your ModSecurity configuration:
Include /usr/local/bin/onteon-node-manager/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity/crs/crs-setup.conf
Include /usr/local/bin/onteon-node-manager/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity/crs/rules/*.conf
Enable Security Rule Engine
To enable the Security Rule Engine, simply add:
Example Configuration
SecRequestBodyAccess On
SecResponseBodyAccess On
SecRule ARGS "attack" "id:1001,phase:2,deny,status:403,log,msg:'Blocked because of attack argument'"
SecRule REQUEST_BODY "attack" \
"id:1002,phase:2,t:none,deny,status:403,block,log,msg:'Blocked request containing forbidden keyword: attack in request body'"
In this example, we start by enabling ModSecurity to inspect both request and response bodies (SecRequestBodyAccess and SecResponseBodyAccess).
Then we define the first rule, which matches every request containing the keyword attack in an argument value, denies it, returns status 403 and logs the message to the error log:
SecRule ARGS "attack" "id:1001,phase:2,deny,status:403,log,msg:'Blocked because of attack argument'"
The second rule matches every request containing the keyword attack in the request body, denies it, returns status 403 and logs the message to the error log:
SecRule REQUEST_BODY "attack" \
"id:1002,phase:2,t:none,deny,status:403,block,log,msg:'Blocked request containing forbidden keyword: attack in request body'"
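The whole chain described above (server-block directives, rule engine, CRS includes and the two local rules) assembled into one added example; this is not configuration shipped with the HA Load Balancer, and the server name, listen port, upstream name and audit log path are assumptions:

```nginx
# --- server block in the Nginx configuration ---
server {
    listen 80;
    server_name app.example.com;          # assumption: your virtual host name

    # Enable the ModSecurity-nginx connector for this server and point it at the rule file.
    modsecurity on;
    modsecurity_rules_file /usr/local/bin/onteon-node-manager/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity/modsecurity.conf;

    location / {
        proxy_pass http://backend_pool;   # assumption: an upstream block named backend_pool
    }
}

# --- modsecurity.conf (the rule file referenced above) ---
# Rule engine mode: "On" blocks matching requests; "DetectionOnly" evaluates and logs
# every rule without blocking, which is the usual first step before enforcing CRS.
SecRuleEngine On

# Inspect request bodies (POST / JSON payloads) and response bodies.
SecRequestBodyAccess On
SecResponseBodyAccess On

# Keep a detailed audit record of requests that triggered a rule (path is an assumption).
SecAuditEngine RelevantOnly
SecAuditLog /var/log/modsec_audit.log

# CRS: the setup file must be included before the rule files.
Include /usr/local/bin/onteon-node-manager/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity/crs/crs-setup.conf
Include /usr/local/bin/onteon-node-manager/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity/crs/rules/*.conf

# Local rules from this page. CRS uses ids 900000-999999, so these ids do not collide with it.
SecRule ARGS "attack" "id:1001,phase:2,deny,status:403,log,msg:'Blocked because of attack argument'"
SecRule REQUEST_BODY "attack" \
    "id:1002,phase:2,t:none,deny,status:403,block,log,msg:'Blocked request containing forbidden keyword: attack in request body'"
```

Reload Nginx after editing; with DetectionOnly the matched rule id and msg still appear in the error log, but the request is passed through, which lets you review CRS false positives before switching to On.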
Update CRS
To manually update the CRS, you need to:
- Download the new version from here. Then untar the package with the new CRS and copy all the files into the ${onteon-node-manager-path}/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity/crs (by default /usr/local/bin/onteon-node-manager/store/drbd/onteon-ha-resource-0/nginx/conf/modsecurity/crs) directory.
- Go to the ModSecurity configuration files and make sure that the Include directives from the Use CRS section are still valid for the new version of CRS. If not, write new Include directives pointing to the CRS's .conf files.
- Remember to reload Nginx at the end of this operation.