<div dir="ltr">There is a version of modsecurity for Nginx - <a href="https://github.com/SpiderLabs/ModSecurity">https://github.com/SpiderLabs/ModSecurity</a> - however it tends to cause random mysterious problems including segfaults so maybe not what your looking for.<div><br></div><div>There are also several WAFs built upon Openresty (nginx + luajit at <a href="http://openresty.com">openresty.com</a>) however I haven't set any of them up yet so I can't comment on their production readiness.</div><div><br></div><div>If you do have a WAF running I'd let to handle both SSL and non-SSL connections. SSL isn't the barrier it used to be, in fact there is a push to stomp out plain http altogether, and the last few months I'm definitely seeings bots, crawlers, and scripts adapting and connecting via SSL.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 24, 2016 at 11:28 PM, Francisco V. <span dir="ltr"><<a href="mailto:iseeprimenumbers@gmail.com" target="_blank">iseeprimenumbers@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
How are you?<br>
<br>
First of all excuse my english as it is not my mother tongue.<br>
<br>
I'd like to ask a rather general question which is not nginx specific:<br>
In my new job they use an Apache webserver running mod_proxy as a<br>
reverse proxy that works as the single entry point from the outside<br>
for all the apps that work in the LAN. That is, the webserver is in<br>
DMZ when they need an app published outside, the networking guys give<br>
permission on the firewall from the internal server to the DMZ reverse<br>
proxy which in turn is NAT'ed to the internet.<br>
<br>
That reverse proxy does two things:<br>
<br>
First it encrypts traffic, or it seems so, that is: The vhost<br>
listening on port 443 is the one that does all the proxy pass to the<br>
backend servers, so if anyone points their browser to<br>
<a href="https://outside-address/app" rel="noreferrer" target="_blank">https://outside-address/app</a> they'd go directly to the appserver. But<br>
if they to <a href="http://outside-address/app" rel="noreferrer" target="_blank">http://outside-address/app</a>, using mod_rewrite, they're<br>
redirected to <a href="https://outside-address/app" rel="noreferrer" target="_blank">https://outside-address/app</a>.<br>
<br>
And second, it runs mod_security with the OWASP rules to act as a Web<br>
Application Firewall.<br>
<br>
My question is this a good setup for a reverse proxy + WAF?<br>
<br>
As far as I'm concerned if you hit directly port 443 and get<br>
redirected to the app, no modsecurity inspection is made, because the<br>
request is SSL encrypted, right? The only modsecurity inspection would<br>
be when you hit port 80 and get your address rewritten to https, is it<br>
true?<br>
<br>
Also, I don't know if nginx does the same, but for requests to be<br>
proxied by Apache it seems that they must share the URL pattern with<br>
the app server, that is:<br>
<br>
It seems that you CAN NOT proxy <a href="http://outside-address/my_app" rel="noreferrer" target="_blank">http://outside-address/my_app</a> to<br>
<a href="http://server_in_the_lan_hosting_my_app/" rel="noreferrer" target="_blank">http://server_in_the_lan_hosting_my_app/</a> BUT you must do:<br>
<br>
<a href="http://outside-address/my_app/" rel="noreferrer" target="_blank">http://outside-address/my_app/</a> proxied to <a href="http://lanserver/my_app/" rel="noreferrer" target="_blank">http://lanserver/my_app/</a> if<br>
the URL part "my_app" isn't matched it won't redirect requests to the<br>
backend. Is this correct?<br>
<br>
And last, I'm writing this here because I tried to migrate this to<br>
nginx once, but it kept crashing (Not even finishing to start up) with<br>
the OWASP core rules.<br>
<br>
Does it makes sense SSL rewrites/termination on a reverse proxy/WAF?<br>
<br>
Can nginx handle proxing requests that won't match URL patterns? Like<br>
I mentioned above?<br>
<br>
Does anybody run nginx + OWASP rules for mod security?<br>
<br>
Thanks in advance and sorry for the bothering,<br>
<br>
Francisco<br>
Buenos Aires<br>
Argentina<br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote></div><br></div>