Apache Reverse Proxy + ModSecurity.

ModSecurity is an open source web application firewall. Think of it as an intrusion detection/prevention system for a web application; it runs as an Apache module.
It is a powerful tool for securing web applications.

A complete reference is the ModSecurity Handbook, a good book for in-depth study of the tool.

ModSecurity can be deployed on an Apache reverse proxy in front of web applications, with support for both HTTP and HTTPS back ends.

Apache as a Reverse Proxy with ModSecurity

After reading some chapters of the ModSecurity Handbook and the Apache mod_proxy documentation, a basic configuration file looks like this one.

<VirtualHost *:443>
    # ModSecurity configuration
    Include /opt/modsecurity/etc/modsecurity.conf

    SSLEngine on
    RewriteEngine on
    # Needed so mod_proxy can speak HTTPS to the back-end web servers
    SSLProxyEngine on

    # The public certificate and the private key
    # for the client <--> reverse proxy connection
    SSLCertificateFile /etc/apache2/ssl/reverse-cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/reverse-key.pem

    # The Certification Authority (CA) file:
    # who signed the certificates of the remote web servers.
    # Note: this CA file is only used to verify the back ends
    # if SSLProxyVerify is also set to "require" (the default is "none").
    SSLProxyCACertificateFile /etc/apache2/ssl/webservers-CA.pem

    # Reverse proxy only: never act as a forward (open) proxy
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Redirect /webserverN to /webserverN/ so relative links resolve under the prefix
    RewriteRule ^/webserver1$ /webserver1/ [R]
    RewriteRule ^/webserver2$ /webserver2/ [R]
    RewriteRule ^/webserver3$ /webserver3/ [R]

    <Location /webserver1/>
        ProxyPass https://webserver1/
        ProxyPassReverse https://webserver1/
    </Location>
    <Location /webserver2/>
        ProxyPass https://webserver2:8443/
        # Must match the ProxyPass target, otherwise redirects sent by the
        # back end are not rewritten to the proxy's address.
        ProxyPassReverse https://webserver2:8443/
    </Location>
    <Location /webserver3/>
        # Plain HTTP between the proxy and this back end
        ProxyPass http://webserver3/
        ProxyPassReverse http://webserver3/
    </Location>

    ErrorLog /var/log/apache2/reverse_proxy.log
    LogLevel warn
    CustomLog /var/log/apache2/reverse_proxy.log combined
    ServerSignature Off
</VirtualHost>
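A mistake that is easy to make in a block like the one above is a ProxyPassReverse target that does not match its ProxyPass target (for example "webserver" instead of "webserver2"): the proxy then forwards requests correctly, but Location headers in redirects from the back end are not rewritten and the internal host name leaks to the client. The following script is an added example, not code from the post or from the Apache project; it parses the <Location> blocks of a VirtualHost and reports mismatched or missing ProxyPassReverse directives and plain-HTTP back ends. The embedded configuration is a constructed sample that deliberately contains such a typo.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: <Location> blocks in the style of the VirtualHost above,
# including a mistyped ProxyPassReverse target in the webserver2 block
# (webserver instead of webserver2).
SAMPLE_CONFIG = """\
<VirtualHost *:443>
    ProxyRequests Off
    <Location /webserver1/>
        ProxyPass https://webserver1/
        ProxyPassReverse https://webserver1/
    </Location>
    <Location /webserver2/>
        ProxyPass https://webserver2:8443/
        ProxyPassReverse https://webserver:8443/
    </Location>
    <Location /webserver3/>
        ProxyPass http://webserver3/
        ProxyPassReverse http://webserver3/
    </Location>
</VirtualHost>
"""

LOCATION_RE = re.compile(r"<Location\s+([^\s>]+)\s*>(.*?)</Location>", re.S | re.I)
# Inside a <Location> block both directives take a single argument: the back-end URL.
DIRECTIVE_RE = re.compile(r"^\s*(ProxyPassReverse|ProxyPass)\s+(\S+)", re.M | re.I)


def parse_locations(config: str) -> Dict[str, Dict[str, str]]:
    """Map each <Location> path to its proxypass / proxypassreverse target URL."""
    locations: Dict[str, Dict[str, str]] = {}
    for path, body in LOCATION_RE.findall(config):
        locations[path] = {name.lower(): url for name, url in DIRECTIVE_RE.findall(body)}
    return locations


def lint_proxy_config(config: str) -> List[Tuple[str, str]]:
    """Return (location, finding) pairs; an empty list means nothing looked wrong."""
    findings: List[Tuple[str, str]] = []
    for path, targets in parse_locations(config).items():
        forward = targets.get("proxypass")
        reverse = targets.get("proxypassreverse")
        if forward is None:
            findings.append((path, "no ProxyPass directive"))
            continue
        if reverse is None:
            findings.append((path, "missing ProxyPassReverse: Location/Content-Location "
                                   "headers from the back end reach the client unrewritten"))
        elif reverse != forward:
            findings.append((path, f"ProxyPassReverse target {reverse} does not match "
                                   f"ProxyPass target {forward}"))
        if forward.lower().startswith("http://"):
            findings.append((path, "plain HTTP between proxy and back end"))
    return findings


if __name__ == "__main__":
    for location, finding in lint_proxy_config(SAMPLE_CONFIG):
        print(f"{location}: {finding}")
```

Run it against a real file with `lint_proxy_config(open("/etc/apache2/sites-enabled/reverse-proxy.conf").read())`; it only understands the single-argument form of the directives used inside <Location>, which is the form the post uses.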

Edit (25/10/2011):
The content of /opt/modsecurity/etc/modsecurity.conf:

# Detection only: rules are evaluated and logged but nothing is blocked.
# Switch to "On" once the rules have been tuned so that "deny" actually denies.
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecUploadKeepFiles Off
SecDebugLog /opt/modsecurity/var/log/modsec_debug.log
SecDebugLogLevel 0
# Audit only transactions that ended in a 5xx response, logging parts A,B,I,F,H,K,Z
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHKZ
SecAuditLogType Concurrent
# Hand each audit entry to mlogc, which ships it to a remote log collector
SecAuditLog "|/usr/local/bin/mlogc /etc/mlogc.conf"
SecAuditLogStorageDir /var/log/mlogc/data
SecRequestBodyLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyLimit 524288
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Failed to parse request body.',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart request body \
failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_SEMICOLON_MISSING}, \
IQ %{MULTIPART_INVALID_QUOTING}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
# Test rule: any request carrying this string in a parameter is denied with a 503
SecRule ARGS MY_UNIQUE_TEST_STRING \
"phase:1,log,deny,status:503"
# Note: SecDefaultAction only applies to the rules that follow it in the configuration
SecDefaultAction "phase:2,deny,log,status:500"
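With SecAuditLogParts ABIFHKZ, every audited transaction is written as a series of parts delimited by `--<id>-<letter>--` lines: A (audit header), B (request headers), I (request body), F (response headers), H (audit trailer with the Message and Action lines), K (matched rules) and Z (end). The parser below is an added example, not code from the post or from the ModSecurity project; it groups parts by transaction id and extracts the client, request, response status and rule messages, which is what you need to review hits before switching SecRuleEngine from DetectionOnly to On. The embedded log is a constructed sample written as the entries would look with blocking enabled: one request stopped by the MY_UNIQUE_TEST_STRING test rule, and one back-end 500 that is audited only because of SecAuditLogRelevantStatus ^5. Timestamps, ids, addresses and the rule location tags are made up.

```python
import re
from typing import Dict, List

# Constructed sample: two audit log transactions (serial layout; a Concurrent
# log stores the same format in one file per transaction). All values are made up.
SAMPLE_AUDIT_LOG = """\
--4f2a9c1e-A--
[25/Oct/2011:10:15:32 +0200] TqZ8kH8AAAEAAB3zN7wAAAAA 192.0.2.10 51234 198.51.100.5 443
--4f2a9c1e-B--
GET /webserver1/?q=MY_UNIQUE_TEST_STRING HTTP/1.1
Host: proxy.example.com
User-Agent: curl/7.21.0

--4f2a9c1e-F--
HTTP/1.1 503 Service Unavailable
Content-Length: 323

--4f2a9c1e-H--
Message: Access denied with code 503 (phase 1). Pattern match "MY_UNIQUE_TEST_STRING" at ARGS:q. [file "/opt/modsecurity/etc/modsecurity.conf"] [line "33"] [msg "Test rule hit"]
Action: Intercepted (phase 1)

--4f2a9c1e-Z--

--7b03d5aa-A--
[25/Oct/2011:10:16:05 +0200] TqZ8lX8AAAEAAB3zN70AAAAA 192.0.2.77 40020 198.51.100.5 443
--7b03d5aa-B--
POST /webserver3/api/submit HTTP/1.1
Host: proxy.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 9

--7b03d5aa-I--
name=test
--7b03d5aa-F--
HTTP/1.1 500 Internal Server Error
Content-Type: text/html

--7b03d5aa-H--
Producer: ModSecurity for Apache (constructed sample)
Server: Apache

--7b03d5aa-Z--
"""

BOUNDARY_RE = re.compile(r"^--(\w+)-([A-Z])--$", re.M)
# Part A: [timestamp] unique_id client_ip client_port server_ip server_port
PART_A_RE = re.compile(r"^\[(.+?)\] (\S+) (\S+) (\d+) (\S+) (\d+)")
# Bracketed tags appended to Message lines, e.g. [file "..."] [msg "..."]
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def split_transactions(log_text: str) -> Dict[str, Dict[str, str]]:
    """Group the log into {transaction_id: {part_letter: part_text}}."""
    txs: Dict[str, Dict[str, str]] = {}
    marks = list(BOUNDARY_RE.finditer(log_text))
    for i, m in enumerate(marks):
        txid, part = m.group(1), m.group(2)
        end = marks[i + 1].start() if i + 1 < len(marks) else len(log_text)
        txs.setdefault(txid, {})[part] = log_text[m.end():end].strip("\n")
    return txs


def parse_trailer(part_h: str) -> Dict:
    """Extract rule messages (with their tags) and whether the request was intercepted."""
    messages: List[Dict[str, str]] = []
    intercepted = False
    for line in part_h.splitlines():
        if line.startswith("Message: "):
            text = line[len("Message: "):]
            tags = {key: value for key, value in TAG_RE.findall(text)}
            tags["text"] = TAG_RE.sub("", text).strip()
            messages.append(tags)
        elif line.startswith("Action: Intercepted"):
            intercepted = True
    return {"messages": messages, "intercepted": intercepted}


def summarize_audit_log(log_text: str) -> List[Dict]:
    """One summary dict per transaction: who sent what, what came back, which rules fired."""
    summaries: List[Dict] = []
    for txid, parts in split_transactions(log_text).items():
        header = PART_A_RE.match(parts.get("A", ""))
        request_lines = parts.get("B", "").splitlines()
        response_lines = parts.get("F", "").splitlines()
        host = next((l.split(":", 1)[1].strip() for l in request_lines[1:]
                     if l.lower().startswith("host:")), "")
        status = int(response_lines[0].split()[1]) if response_lines else 0
        summary = {
            "id": txid,
            "timestamp": header.group(1) if header else "",
            "client_ip": header.group(3) if header else "",
            "request": request_lines[0] if request_lines else "",
            "host": host,
            "status": status,
        }
        summary.update(parse_trailer(parts.get("H", "")))
        summaries.append(summary)
    return summaries


if __name__ == "__main__":
    for tx in summarize_audit_log(SAMPLE_AUDIT_LOG):
        flag = "BLOCKED" if tx["intercepted"] else "logged "
        print(f'{flag} {tx["status"]} {tx["client_ip"]:<15} {tx["request"]}')
        for msg in tx["messages"]:
            print(f'        {msg.get("msg", msg["text"])} ({msg.get("file", "?")}:{msg.get("line", "?")})')
```

Point it at the files under the SecAuditLogStorageDir directory (or at a serial audit log) with `summarize_audit_log(open(path).read())`; entries without any Message line, like the second one here, are back-end errors the proxy merely recorded, not rule hits.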


2 comments so far

  1. mager on

    ok and where is the content of the /opt/modsecurity/etc/modsecurity.conf file?