Reverse Proxy as a WAF?

Posted by dominykas 
Reverse Proxy as a WAF?
January 23, 2018 10:36AM
1. Can someone give me some guidelines about configuring a WAF? I want to filter the HTTP traffic for a few sites, but I would like to have a separate server (Proxy) for WAF.

I think I just need an Nginx reverse proxy with Naxsi or ModSecurity. As far as I know, Cloudflare is using it too. Why not use my own WAF instead of Cloudflare?

2. How many sites is it okay to put under a single proxy server WAF?
Re: Reverse Proxy as a WAF?
January 23, 2018 06:01PM
I use NGINX and ModSecurity 3. At a basic level you install NGINX and add the modsecurity module then use the proxy_pass directive to forward on the traffic to your real hosts. You configure ModSec to filter the bad traffic from reaching your servers via the OWASP core rule set and custom regex.
Re: Reverse Proxy as a WAF?
January 24, 2018 05:48AM
Togger75 Wrote:
-------------------------------------------------------
> I use NGINX and ModSecurity 3. At a basic level you install NGINX and
> add the modsecurity module then use the proxy_pass directive to
> forward on the traffic to your real hosts. You configure ModSec to
> filter the bad traffic from reaching your servers via the OWASP core
> rule set and custom regex.

@Togger75, Thank you for your answer! I have two more questions. If I want to use the WAF for a load balancer, do I need to put the WAF in front of the load balancer? I'm also thinking how many sites can I proxy with WAF without performance issues?

Any help is appreciated.
Re: Reverse Proxy as a WAF?
January 24, 2018 02:06PM
I'm no expert, but you can proxy pass multiple sites; think of NGINX as the load balancer and ModSec as the traffic filter. I will post up the notes I made, but I won't be able to get them until tomorrow.
Re: Reverse Proxy as a WAF?
January 25, 2018 12:22PM
Hey dominykas

I made this step by step for Ubuntu Server 16.04.2 as if a fresh install. You can try it perhaps and let me know if it works, it is only my notes so I can't 100% guarantee it but if all of the steps work then at the end you should have a working Ubuntu NGINX WAF with ModSecurity 3. I make no claims that this is the correct way to do it and welcome any feedback from anyone.

sudo apt-get update
sudo apt-get upgrade

put the key from here https://nginx.org/keys/nginx_signing.key into the nginx_signing.key file like this

sudo nano nginx_signing.key

(ctrl+x enter)

sudo apt-key add nginx_signing.key

sudo nano /etc/apt/sources.list
deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ xenial nginx

sudo apt-get update
sudo apt-get install nginx

sudo apt-get install -y apt-utils autoconf automake build-essential git libcurl4-openssl-dev libgeoip-dev liblmdb-dev libpcre++-dev libtool libxml2-dev libyajl-dev pkgconf wget zlib1g-dev

git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git submodule init
git submodule update
./build.sh (errors here, ignore them)
./configure
make
sudo make install

git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
nginx -v

(answer was: nginx version: nginx/1.13.8)

wget https://nginx.org/download/nginx-1.13.8.tar.gz
tar zxvf nginx-1.13.8.tar.gz

cd nginx-1.13.8
./configure --with-compat --add-dynamic-module=../ModSecurity-nginx


make modules
sudo cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules

CONFIGURE the installation

sudo nano /etc/nginx/nginx.conf
load_module "modules/ngx_http_modsecurity_module.so";

sudo mkdir /etc/nginx/modsec
sudo wget -P /etc/nginx/modsec/ https://raw.githubusercontent.com/SpiderLabs/ModSecurity/master/modsecurity.conf-recommended
sudo mv /etc/nginx/modsec/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf

sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf

create a conf directory for the custom config
sudo mkdir /etc/nginx/conf
create the 3 conf files proxy.conf, ipfilter.conf, hard.conf

Web server Config:
sudo mkdir /var/www
sudo mkdir /var/www/www.example.com
sudo nano /var/www/www.example.com/index.html (create some test)

Create a sites-enabled and sites-available folder in /etc/nginx/
sudo mkdir /etc/nginx/sites-enabled
sudo mkdir /etc/nginx/sites-available

Put the actual site into sites-available then symlink it into the sites-enabled directory. To disable a site you can now just delete the symlink rather than the content

sudo ln -s /etc/nginx/sites-available/www.example.com /etc/nginx/sites-enabled/

add this in to the nginx.conf above the geo code
include /etc/nginx/sites-enabled/*;
include /etc/nginx/conf/proxy.conf;

create a main.conf in /etc/nginx/modsec/main.conf
include /etc/nginx/modsec/modsecurity.conf

# Basic test rule
SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403"

in modsecurity.conf rem out the line
#SecRequestBodyInMemoryLimit 131072


OWASP rules

Download the following into /etc/nginx/modsec/
cd /etc/nginx/modsec/
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git
cd owasp-modsecurity-crs
sudo cp crs-setup.conf.example crs-setup.conf

sudo nano /etc/nginx/modsec/main.conf

Include /etc/nginx/modsec/.../crs-setup.conf
Include /etc/nginx/modsec/.../rules/*.conf

sudo systemctl restart nginx.service

To test ModSecurity from another device
http://nginxIP/index.html?testparam=test
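
Added example, not part of the post above: a site file for /etc/nginx/sites-available/www.example.com that switches ModSecurity on with the main.conf from the notes and forwards clean traffic with proxy_pass. The backend addresses, the upstream name and app.example.com are constructed placeholders; modsecurity and modsecurity_rules_file are the ModSecurity-nginx connector's directives.

```nginx
# /etc/nginx/sites-available/www.example.com
# Added example. Backend addresses and app.example.com are constructed placeholders.

upstream www_backend {
    server 10.0.0.10:8080;   # placeholder: real web server behind the WAF
    server 10.0.0.11:8080;   # second node; nginx balances across both
}

server {
    listen 80;
    server_name www.example.com;

    # Enable the ModSecurity-nginx connector for this site and load
    # main.conf (modsecurity.conf, the test rule and the CRS includes).
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    location / {
        proxy_pass http://www_backend;
        # Pass the original host and client address to the backend so its
        # logs and any IP-based logic see the client, not the proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# A second site on the same proxy: one server block per site, same rules file.
server {
    listen 80;
    server_name app.example.com;   # placeholder second site

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    location / {
        proxy_pass http://10.0.0.20:8080;   # placeholder backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Run sudo nginx -t before restarting so a syntax error does not take the proxy down. With this in place, the ?testparam=test request should return 403 from rule 1234, while the same URL without the parameter is passed to the backend.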
Re: Reverse Proxy as a WAF?
February 05, 2018 03:31PM
Did you get anywhere with it?
Re: Reverse Proxy as a WAF?
February 26, 2018 10:59AM
Hi @Togger75;

This article is excellent. Thank you for this. We are thinking of replacing our WAF solution with Nginx + Mod Security. It seems to be a good article for the beginning.
Re: Reverse Proxy as a WAF?
February 26, 2018 12:13PM
Hi yigit.basalma, thanks. Let me know if you get it going from this; it would be nice to know if it was worth writing down and is useful to someone.