Web Application Firewall
We use ModSecurity as additional protection against application level attacks such as cross site-scripting and SQL injections. By default, the core rule set will be loaded, and we block common vulnerabilities and zero-day attacks by adding some more global rules.
Identify Blocks
If a request is blocked by the web application firewall, the HTTP status 403 will be returned. You can distinguish a 403 returned by the web application firewall from a 403 returned due to missing access rights by looking at the Apache error log file.
Apache Error Log
Details about each blocked request are available in the Apache error log file,
located at ~/log/apache-error.log
. You can identify the particular rule that
has led to the block by looking for the [id "<rule-number>"]
part within the
log line.
Often, a block will be triggered by rule ID 949110. In this case, the threshold for the anomaly score was exceeded. Instead of just disabling rule 949110, and thus removing the anomaly threshold altogether, you should investigate further and disable or adapt the actual source rule.
To determine which rule triggered the anomaly score threshold, take a look at the audit log chapter below.
Tip
For details, please consult the ModSecurity documentation.
ModSecurity Audit Log
The audit log is available in ~/log/apache-waf.log
. Each blocked request will be
logged with all details, such as client and server headers, and in-depth details about
the processed rules.
To return to the example above, we can analyze the detailed trail it took to exceed the
anomaly threshold score. Such a log entry does include a section H (for example,
--1d61f602-H--
). The first line after the section title will be something like
ModSecurity: Warning. Matched "Operator `Rx'...
. This is the rule that triggers
the anomaly score threshold.
Now that we have identified the root cause, you can modify the rule to allow your request, or even better, adjust your application accordingly when possible.
Tip
A detailed explanation of the available audit log parts can be found in the ModSecurity documentation.
Tip
For an easier representation and identification of the blocking WAF rules, the command waf-logparser
can be used.
Custom Configuration
The rules added to the core rules set are there for a reason and do comply with the HTTP RFC. Even though, it can be required to adapt the rules instead of changing your application.
We recommend making adjustments to these rules as precisely as possible. For example, instead of disabling a rule completely, disable checking of the argument that triggered the rule for the URL on which it was triggered.
You can adjust the configuration through the ~/cnf/waf.conf
file. We added some
examples of common use cases to the default file, which you can copy and adjust to your needs.
Tip
To apply your changes, run waf-apply
after each modification in ~/cnf/waf.conf
.
Tip
For in depth details, see the ModSecurity documentation.
Disable Altogether
If you are unable to adapt the rules to your needs for whatever reason, it is possible to disable the web application altogether. You can do so by checking Disable WAF in the corresponding website’s Advanced tab.
Warning
For security reasons, we do not recommend disabling the web application firewall. Please let us know your concerns, and we will assist you in working out a running configuration.