With respect the ModSecurity and the CRS, the current nginx implementation of ModSecurity is still pretty buggy and likely won't get any attention. It's known to cause segfaults and server-side errors during requests. You'd be better off looking at the libmodsec v3 integration, which is still in development.
> On Apr 24, 2016, at 20:28, Francisco V. <[email protected]> wrote: > > Hi all, > > How are you? > > First of all excuse my english as it is not my mother tongue. > > I'd like to ask a rather general question which is not nginx specific: > In my new job they use an Apache webserver running mod_proxy as a > reverse proxy that works as the single entry point from the outside > for all the apps that work in the LAN. That is, the webserver is in > DMZ when they need an app published outside, the networking guys give > permission on the firewall from the internal server to the DMZ reverse > proxy which in turn is NAT'ed to the internet. > > That reverse proxy does two things: > > First it encrypts traffic, or it seems so, that is: The vhost > listening on port 443 is the one that does all the proxy pass to the > backend servers, so if anyone points their browser to > https://outside-address/app they'd go directly to the appserver. But > if they to http://outside-address/app, using mod_rewrite, they're > redirected to https://outside-address/app. > > And second, it runs mod_security with the OWASP rules to act as a Web > Application Firewall. > > My question is this a good setup for a reverse proxy + WAF? > > As far as I'm concerned if you hit directly port 443 and get > redirected to the app, no modsecurity inspection is made, because the > request is SSL encrypted, right? The only modsecurity inspection would > be when you hit port 80 and get your address rewritten to https, is it > true? > > Also, I don't know if nginx does the same, but for requests to be > proxied by Apache it seems that they must share the URL pattern with > the app server, that is: > > It seems that you CAN NOT proxy http://outside-address/my_app to > http://server_in_the_lan_hosting_my_app/ BUT you must do: > > http://outside-address/my_app/ proxied to http://lanserver/my_app/ if > the URL part "my_app" isn't matched it won't redirect requests to the > backend. Is this correct? > > And last, I'm writing this here because I tried to migrate this to > nginx once, but it kept crashing (Not even finishing to start up) with > the OWASP core rules. > > Does it makes sense SSL rewrites/termination on a reverse proxy/WAF? > > Can nginx handle proxing requests that won't match URL patterns? Like > I mentioned above? > > Does anybody run nginx + OWASP rules for mod security? > > Thanks in advance and sorry for the bothering, > > Francisco > Buenos Aires > Argentina > > _______________________________________________ > nginx mailing list > [email protected] > http://mailman.nginx.org/mailman/listinfo/nginx _______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
