WAF Recommendations?

Would like to integrate WAF functionality/capability with nginx. Has
anyone tested the latest version of ModSecurity (2.7.0), which
apparently has a module for nginx?

Interested in any and all feedback and recommendations.

Thanks,
AJ

On Thu, 13 Sep 2012 11:29:13 -0400,
AJ Weber wrote:

> Would like to integrate WAF functionality/capability with nginx. Has
> anyone tested the latest version of ModSecurity (2.7.0), which
> apparently has a module for nginx?
>
> Interested in any and all feedback and recommendations.

Has anyone actually built that?
I think it has only very recently been added to their repository on
sf.net

There’s no “release” in the sense of a tarball - the announcement some
time ago was a classic paper-launch IMO.

I’d be more interested anyway to hear from users of Naxsi - and how it
compares to mod_security…

The tarball on their frontpage (modsecurity.org) apparently has it
included now.

From what I read it was originally in a separate sub-project or
something.

I’m all for hearing from Naxsi users too! Functionally, it appears that
ModSecurity has many more options, but it’s in RC, versus Naxsi that has
been available for a while.

May I ask where I can download the source of ngx_lua?
Thanks!

Hello!

On Thu, Sep 13, 2012 at 8:29 AM, AJ Weber wrote:

> Would like to integrate WAF functionality/capability with nginx. Has anyone
> tested the latest version of ModSecurity (2.7.0), which apparently has a
> module for nginx?

My colleague John Graham-Cumming has been working on a compiler that
can compile a good number of ModSecurity rule configurations into Lua
code that can be run atop ngx_lua [1]. We (CloudFlare) may opensource
it at some point.

Some (big) users of mine have been using ngx_lua to implement custom
WAF in production and sent back good results. Some reported better
performance with ngx_lua than both ModSecurity and Naxsi, but I’ve not
confirmed the result myself yet :)

Best regards,
-agentzh

[1] Lua | NGINX

Hi,

I recommend you try using modsecurity for NGINX; with some
adaptations, the CRS (a set of modsecurity rules) is now working
with this module.

Instructions:

Regards,

Alan

My reservation is whether I need to compile it, and how. Can nginx use
shared libraries or do I have to recompile that from source too?

I think I would like to try it if someone can tell me the necessary
steps (or goes ahead and builds it for centos 6).

-Aaron

On 2012-09-25 03:47, Listjj wrote:

> May I ask where I can download the source of ngx_lua?

Speaking of lua-nginx-module, it’s hosted on GitHub

Hi Aaron,

The instructions have a step-by-step guide to building the package, but
if you have more specific doubts about the module, I recommend you
subscribe and ask on the modsecurity-users list.

But I think today modsecurity is a good and usual alternative for WAF in
NGINX.

Regards,

Alan