How to build rule exclusions for specific sites on a Multisite server? #3655
Comments
@Danrancan I'm personally hosting a few web applications and I'm doing something similar to what linuxbabe.com is suggesting. First, you'll have to group all of your rule exclusions into rule ID ranges (not the plugins but the rule exclusions you wrote; I'll cover plugins in a second). For example, you may use the 1000 rule ID range for WordPress rule exclusions, 2000 for Drupal and so on. Just make sure to pick a rule ID range that's reserved for internal use to avoid any potential rule ID conflicts in the future, in case you want to use the Comodo ModSecurity rules or Atomicorp rules alongside CRS later on. Then, you want to create a rule that inspects the Host header (the Host header is what tells the web server/reverse proxy which website to serve) and disables a certain set of rule exclusions when the request doesn't have the correct Host header.
Note the For the plugins, you'll have to edit the example rule commented out in the plugin's config file (I'll use WordPress as an example here again). We want to do something similar to what we did above, but add a chained rule to the example provided in
This is a bit different to what linuxbabe.com is suggesting, but the general idea is still the same.
@EsadCetiner Thank you so much for your helpful answer. However, I have a few follow-up questions regarding the plugins. Specifically, I have three WordPress sites running on the same server, then I have phpMyAdmin, Roundcube, and Netdata also running on that server. In your example you disable the WordPress exclusions plugin for any site that is not equal to
Since I have three WordPress sites, I am wondering if I can include all three WordPress sites in that rule so as to keep the WordPress plugin exclusive to those three sites. Would something like this work?
Or...
and
and
Thanks for all of your help and tips!
@Danrancan Both options would work fine, but for your first example you need to include the chain action (this tells ModSecurity that you are chaining another rule) and the t:none transformation, otherwise the config will be rejected and Nginx will refuse to start. The end result should look like this:
Based on the examples you provided, I think it would be cleaner if you use a regular expression for the host header instead to match the 3 domains like so:
If the regular expression ends up looking too messy for you (depending on your setup and familiarity with regular expressions) then maybe it'll make more sense to use multiple rules or chain multiple rules together.
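Putting both of EsadCetiner's variants (the chained rule for one site, and the single regex for all three) together as one added example that is not code from this thread; the hostnames, the ID ranges and the sample exclusion at the end are assumptions:

```apacheconf
# Added illustration, not code from this thread. Assumes: your own WordPress
# rule exclusions carry IDs 1001-1999 (inside the 1-99,999 local range),
# this file is loaded before them, and example1.com / example2.net /
# example3.xyz are placeholder hostnames. Use option A OR option B, never
# both: a duplicate id:1000 is rejected at startup.

# Option A: chained rule. Every link must match, so "Host is not www" AND
# "Host is not apex" means "some other site". The ctl action sits on the
# last link so it fires only once the whole chain has matched.
SecRule REQUEST_HEADERS:Host "!@streq www.example1.com" \
    "id:1000,\
    phase:1,\
    pass,\
    t:none,t:lowercase,\
    nolog,\
    chain"
    SecRule REQUEST_HEADERS:Host "!@streq example1.com" \
        "t:none,t:lowercase,\
        ctl:ruleRemoveById=1001-1999"

# Option B: one anchored regex for all three sites, www or apex, with an
# optional :port. Keep the ^ and $ anchors; without them a Host value that
# merely starts with one of these names would also pass the check.
#SecRule REQUEST_HEADERS:Host "!@rx ^(?:www\.)?(?:example1\.com|example2\.net|example3\.xyz)(?::\d+)?$" \
#    "id:1000,\
#    phase:1,\
#    pass,\
#    t:none,t:lowercase,\
#    nolog,\
#    ctl:ruleRemoveById=1001-1999"

# The exclusions themselves follow, each with an ID inside 1001-1999.
# Constructed sample: stop CRS rule 942100 (libinjection SQLi) from
# inspecting the post body submitted by the WordPress editor.
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" \
    "id:1001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:post_content"
```

Because rule 1000 runs in phase 1 before rule 1001, a request for any other host has the 1001-1999 exclusions removed for that transaction, so example2.net never benefits from example1.com's exclusions.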
Thank you very much! This is of great help. One last thing I'm confused about. In your second example with the regular expressions you have:
If my assumption is correct, I do see a problem that I haven't discussed yet. That is, if so, then I think using your first example in your most recent post would be the most suitable option, is that correct? Sorry, I'm making a lot of assumptions about things I'm not sure about here. But hopefully you can provide some clarification. Thanks again so much for your help and support.
Okay, so I think I've got the rules set up correctly, except I am confused on the rule ID ordering in ModSecurity. I am also using the phpMyAdmin plugin, the Roundcube plugin, and the WordPress hardening plugin. This is more or less my final draft for my rules, and I have listed all the sites and plugins accordingly. However, I don't want my exclusive rules for example1.com or example2.net or example3.xyz to block my plugin rules from activating somehow because of the ordering of the rule IDs. I'm not positive how ModSecurity reads the rules and in what order, but I created a set of rules that currently seem to be working. I haven't tested any of the plugins yet though, but the websites certainly seem to be working with the proper rules. Do you think you could look over my work and verify that I am doing this correctly with rule IDs in the proper order? To summarize, I have rule IDs set up like this:
That is the gist of all my rules. Any help with your eyes is greatly appreciated.
I think you guys have this covered. For the record, I recommend my users work with SecAppId and the corresponding variable this way. That means you define an AppID in the VH context and then you group your rule exclusions by the variable and skip accordingly. This effectively removes the need to work with rule ranges for grouping.
I was there not too long ago so I get where you're coming from. I strongly recommend playing with this website to generate regular expressions; it shows you the result of your regular expressions against whatever text you want to match. It will take some practice, but you'll get the hang of it eventually.
You're close, the
It could technically work, but the regular expression will get messy and hard to read, so in this case I'd use separate rules. You're on the right track.
Absolutely! Just make sure that these rules you've created are loaded before the plugin itself (this would be I think you understand the general idea, but one last thing I want to mention is to make sure you assign your custom rule exclusions a large block of rule IDs (about 1000 for each application). This will give you plenty of room to grow so that you don't run out of rule IDs. Some applications (like Nextcloud) will trigger a lot of false positives with CRS and you'll have to write a lot of rule exclusions, and you could easily run out of rule IDs with just 100. I don't think it'll happen with the applications you're running, but it's better to be prepared. Please don't hesitate if you have any questions!
Do you mean
Yes exactly. Without relying on the client's information for rule routing. Purely server side config.
The interesting thing is - IIRC - that
@dune73 I just tested it and it works perfectly, I can confirm this works in phase 1. Wish I knew about this earlier, I think this will be a big help for @Danrancan and he won't have to chain together multiple rules checking the host header or use nasty regular expressions.
Happy to help and thanks for the confirmation.
@Danrancan Ping.
Hey, I'm here. Sometimes I have to take a break from this because I get busy with something else. But I'm here. I do not understand at all @EsadCetiner's proposal to use SecWebAppID in my rules. I don't know what files he is referencing or how to make adjustments using his login. Is it better to use SecWebAppID or can I just stick with my already running RE's?
I'm not exactly sure what this means, but I'm thinking it's something in my main.conf file located in /etc/nginx/modsec/main.conf. Here is my main.conf file below. Is this what you are talking about? Have I done it correctly?
You can stick to what you are doing @Danrancan. This proposal is just an alternative way to obtain the same functionality. I think it's more elegant, but yours is more or less equivalent.
Yes that's what I meant, you're all good here. As for the SecWebAppID, it's essentially the same thing I was suggesting earlier with the host header. It works by setting the SecWebAppID directive in each server block context in Nginx and assigning it a value of, say, WordPress or Roundcube.
Then, instead of checking
This way, you don't have to use regular expressions or chain many rules together. If you ever decide to add/remove/change domains, the most you'll have to do is set SecWebAppID and you won't have to touch the ModSecurity rules. If you find working with host headers easier then feel free to stick to it, but I think you might find SecWebAppID and WEBAPPID easier since you won't have to use regular expressions or chain multiple rules together.
Should this be added to the documentation if we don't have it?
@fzipi It's a common enough use case, but I don't see it documented anywhere. I think we should also provide an example in the config for all plugins as well.
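The SecWebAppID layout dune73 and EsadCetiner describe, written out as an added example that is not code from this thread; the nginx directive placement, the ID blocks and the plugin range are assumptions:

```apacheconf
# Added illustration, not code from this thread. Assumes each nginx server
# block tags its application before the shared /etc/nginx/modsec/main.conf
# is loaded, e.g. (hypothetical placement, check your connector's docs):
#     modsecurity_rules 'SecWebAppID "wordpress"';
# and that this file is loaded ahead of the CRS plugins and CRS itself.
# ID blocks (1000s WordPress, 2000s Roundcube) follow the thread's scheme.

# WordPress exclusions: skipped entirely unless WEBAPPID is "wordpress".
# skipAfter only jumps over rules of the same phase, so every rule in the
# group stays in phase 1 (where rule exclusions normally live).
SecRule WEBAPPID "!@streq wordpress" \
    "id:1000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    skipAfter:END-WORDPRESS-EXCLUSIONS"

# Constructed sample exclusion; real ones carry IDs 1001-1999.
SecRule REQUEST_URI "@beginsWith /wp-admin/post.php" \
    "id:1001,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:post_content"

SecMarker END-WORDPRESS-EXCLUSIONS

# Roundcube group, same pattern, own ID block (2001-2999 go between).
SecRule WEBAPPID "!@streq roundcube" \
    "id:2000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    skipAfter:END-ROUNDCUBE-EXCLUSIONS"

SecMarker END-ROUNDCUBE-EXCLUSIONS

# Plugins: the same test can replace the commented-out Host/URI example in
# a plugin's *-before.conf, removing the plugin's whole ID range for every
# other application (the range below is a placeholder; take the real one
# from the plugin's README).
SecRule WEBAPPID "!@streq wordpress" \
    "id:9507000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=9507100-9507999"
```

Adding a fourth site then means only adding one SecWebAppID line in its server block; no Host regex or chain has to change, which is the point dune73 makes about not relying on client-supplied information for routing.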
Description
I am running an Ubuntu-based LEMP server. I have ModSecurity with CRS 4.0 installed. The server is serving three websites: https://www.example1.com , https://example.com1, https://www.example2.com , https://example2.com , https://www.example3.com , https://example3.com .
Most of my rule exclusions that are set up apply only to example1.com, then I have one or two rules that apply to example2.com and example3.com. However, all of these rules are being applied across all websites on the server, so example1.com rule exclusions are also being applied to example2.com and example3.com.
How can I apply specific rule exclusions to specific websites/domains so that example1.com's RE's don't also apply to example2.com and example3.com?
I've been following a tutorial from Linuxbabe but I believe it only applies to CRS 3.3.4, and at that, I don't fully understand it. The following is an excerpt from the tutorial:
Can anyone explain how to properly apply RE's to specific sites in CRS 4.0?
How to reproduce the misbehavior (-> curl call)
N/A
Logs
N/A
Your Environment
Confirmation
[x] I have removed any personal data (email addresses, IP addresses, passwords, domain names) from any logs posted.