digitaldemocratic/docs/waf-modsecurity.md


# DD - Apache2 ModSecurity + HAProxy

Installation of Apache2 ModSecurity and HAProxy.

- Apache2 with ModSecurity v3 enabled includes the OWASP rules.
- The HAProxy service acts as the application frontend and obtains and renews the domain's SSL certificate using Let's Encrypt.
- ModSecurity is disabled by default when DD is installed.
- The installation can be done with or without the WAF part.
- If you have installed the WAF, you can run it in bypass mode or in enabled mode.

## Apache - ModSecurity

You can find the service definition in `dd-sso/docker/waf-modsecurity`.

Several files set up this service:

- `000-default.conf` contains the Apache2 web service settings.
- `crs-setup.conf` configures the OWASP ModSecurity Core Rule Set v3.2.0.
- `modsec_rules.conf` contains the includes needed by the OWASP rule set in Apache2.
- `rules_apps.conf` is where the false positives found so far in the different applications are configured.
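
As an added illustration (not taken from the DD repository), this is the kind of scoped exclusion that belongs in `rules_apps.conf`. It assumes a hypothetical application served under `/app/comments` whose free-text `comment` parameter trips CRS rule 942100 (the libinjection SQL injection check), and limits the exclusion to that one parameter instead of disabling the rule for the whole site.

```apache
# Added example of a scoped false-positive exclusion for rules_apps.conf.
# Assumptions (not from the DD docs): an application under /app/comments
# whose "comment" field triggers CRS rule 942100 (libinjection SQLi check).

# Too broad: removes the rule for every request and every parameter,
# so any other field on any path loses the check as well.
# SecRuleRemoveById 942100

# Preferred: runtime exclusion limited to one path and one parameter.
# phase:1 runs before the CRS request rules (phase 2), so the ctl action
# is applied before 942100 is evaluated. The id must be unique; the range
# 1-99999 is reserved for local rules and does not collide with CRS ids.
SecRule REQUEST_URI "@beginsWith /app/comments" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:comment"
```

After changing the file, rebuild and redeploy the containers as described under Configuration, then confirm in the audit log that the rule no longer fires for that parameter while still matching elsewhere.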

## Enable/Disable

DD can be used with the WAF enabled or disabled; this is set with the `DISABLE_WAF` variable in the `dd.conf` file.

The default value is `true` (WAF disabled); this will change in the future.

```sh
# Sample of dd.conf

# Enable WAF
DISABLE_WAF=false

# Disable WAF
DISABLE_WAF=true
```

## Configuration

Changes in `dd.conf` are not applied immediately; you need to redeploy the DD containers using `dd-ctl`:

```sh
./dd-ctl down
./dd-ctl build
./dd-ctl up
```