xeor/waf

By xeor

Updated over 4 years ago

Image
0

198

waf (web-application-firewall)

Base commands/idea is taken from:

Changes

  • ubuntu > alpine
  • port 80 > 8000
  • run as own user
  • Download maxmind db if license key is in MAXMIND_LIC at start (will also set config to get it weekly)
  • Configurable "to" server, defaults to "localhost:8080
    • Use NGINX_PROXY_PASS
  • Mount a custom /rules if you have some extra rules, see modsec_includes.conf for order. Usually, it's fine to just use /rules/PRE-*.conf
    • /rules/PRE-*.conf - first
    • /rules/REQUEST-POST-*.conf - after all the REQUEST rules (useful for exclude rules)
    • /rules/POST-*.conf - last rules, after all RESPONSE rules as well
  • Normalized some paths
  • Fixed some compile warnings
  • Starts up in block-mode with paranoia lever 4, secure as default, make sure to add exlude rules
  • Some minor tweaks to nginx config
  • Compile support for passing host-ip as well, so you can use geoblock even behind a reverse proxy

tips

  • The default crs-setup.conf is fairly strict.. You should change it
  • If you need to write some exclude rules, look at the REQUEST-903.* files for ideas
  • To test project-honeypot blocks, add a rule like SecRule ARGS:IP "@rbl dnsbl.httpbl.org" "phase:1,id:171,t:none,deny,nolog,auditlog,msg:'RBL Match for SPAM Source', then do query like .../?IP=198.204.237.106. Use an ip from https://www.projecthoneypot.org/list_of_ips.php
  • To use geoip, you will need the token, and configure the crs-setup.conf to SecGeoLookupDB /var/lib/libmaxminddb/GeoLite2-City.mmdb

Docker Pull Command

docker pull xeor/waf