Here I will describe, as a counterpart to the article https://stangneth.com/2022/12/27/nginx-as-reverse-proxy-with-waf-modsecurity-on-debian/ (which covers nginx), how to install a reverse proxy with a WAF based on Apache2.
To install Apache2 on Debian, use the following command:
apt install apache2 -y
Next, we need to enable the necessary modules. We will be using the proxy and proxy_http modules to configure reverse proxy functionality and the headers module to add custom headers to the proxied traffic:
a2enmod proxy proxy_http headers
To request a wildcard certificate for your domain using a DNS challenge and Certbot, follow these steps. Quote the wildcard name so the shell does not try to expand it:
certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory -d '*.stangneth.com'
Follow the instructions provided by Certbot for creating a TXT record in your DNS settings. This will typically involve logging into your domain provider’s control panel and adding a new TXT record with the value provided by Certbot.
Once the TXT record has been added, return to the terminal and press Enter to continue the certificate request process.
Certbot will verify that the TXT record has been added correctly and, if successful, will issue a wildcard certificate for your domain.
Please note that this process may vary depending on your specific domain provider and the DNS management tools they offer. You may need to consult your provider’s documentation or support resources for additional guidance.
It will be stored under:
/etc/letsencrypt/live/stangneth.com/
Create a new virtual host configuration file in the /etc/apache2/sites-available directory. For example, if you want to proxy traffic for example.stangneth.com, you can create a file called 001-example.stangneth.com.conf:
vi /etc/apache2/sites-available/001-example.stangneth.com.conf
Add the following configuration to the file. Replace the IP address and port number with the appropriate values for your backend server. The RewriteEngine and SSL directives in this configuration also require the rewrite and ssl modules, so make sure both are enabled:
<VirtualHost *:80>
    ServerName example.stangneth.com
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.stangneth.com
    # mod_proxy only forwards to an https:// backend when SSLProxyEngine is on
    SSLProxyEngine On
    ProxyPass / https://172.16.0.18:444/
    ProxyPassReverse / https://172.16.0.18:444/
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/stangneth.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/stangneth.com/privkey.pem
</VirtualHost>
Activate the new site:
ln -s /etc/apache2/sites-available/001-example.stangneth.com.conf /etc/apache2/sites-enabled/001-example.stangneth.com.conf
Now restart Apache2 and check that the site is reachable (be sure DNS is ok!):
systemctl restart apache2
systemctl status apache2
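As an added example that is not part of the original post, the following shell function renders the two VirtualHost blocks above from a site name, a backend URL and the Let's Encrypt live directory, so that every proxied site on the box is generated the same way and a stray character in a site name cannot end up in the configuration. The function name and its arguments are my own; it includes SSLProxyEngine On, which mod_proxy requires before it will talk to an https:// backend.

```shell
#!/bin/sh
# Added example (not from the original post): render the reverse-proxy VirtualHost
# pair for one site. Usage: render_vhost SITE BACKEND_URL CERT_DIR > file.conf
# SITE       host name served, e.g. example.stangneth.com
# BACKEND    where to proxy to, must look like https://host:port/ (trailing slash
#            keeps ProxyPass and ProxyPassReverse path mapping consistent)
# CERT_DIR   Let's Encrypt live directory holding fullchain.pem and privkey.pem
render_vhost() {
  site="$1"; backend="$2"; certdir="$3"

  # Only allow characters that can appear in a host name, so nothing unexpected
  # is written into the Apache configuration.
  case "$site" in
    ""|*[!A-Za-z0-9.-]*) echo "render_vhost: invalid site name: $site" >&2; return 1 ;;
  esac
  case "$backend" in
    https://*/) ;;
    *) echo "render_vhost: backend must look like https://host:port/ (got: $backend)" >&2; return 1 ;;
  esac

  cat <<EOF
<VirtualHost *:80>
    ServerName $site
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName $site
    # required for an https:// backend; SSLProxyVerify/SSLProxyCACertificateFile
    # can additionally be set here to verify the backend certificate
    SSLProxyEngine On
    ProxyPass / $backend
    ProxyPassReverse / $backend
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile $certdir/fullchain.pem
    SSLCertificateKeyFile $certdir/privkey.pem
</VirtualHost>
EOF
}

# Example invocation with the values used in this post (prints the configuration):
render_vhost example.stangneth.com https://172.16.0.18:444/ /etc/letsencrypt/live/stangneth.com
```

Redirect the output into /etc/apache2/sites-available/001-example.stangneth.com.conf, then activate and restart as described above; a non-https backend or a malformed site name makes the function fail instead of writing a broken file.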
To install ModSecurity (and git, which we need to fetch the OWASP ruleset), use the following commands:
apt install libapache2-mod-security2 -y
apt install git -y
Enable the module:
a2enmod security2
Now download the OWASP ruleset from git:
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /etc/modsecurity
Move the recommended modsecurity.conf and crs-setup.conf into production:
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
mv /etc/modsecurity/crs-setup.conf-recommended /etc/modsecurity/crs-setup.conf
Add the following configuration to the /etc/apache2/mods-enabled/security2.conf file:
Include /etc/modsecurity/crs-setup.conf
Include /etc/modsecurity/rules/*.conf
Restart Apache2:
systemctl restart apache2
systemctl status apache2
The default mode for ModSecurity is DetectionOnly, so nothing gets blocked, just logged. To enable ModSecurity, go to /etc/modsecurity and edit the file modsecurity.conf:
cd /etc/modsecurity
vi modsecurity.conf
Edit the SecRuleEngine line:
SecRuleEngine On
To apply these changes, restart Apache2:
systemctl restart apache2
systemctl status apache2
To check whether a rule gets triggered as a false positive, you have to test your website's functionality and watch the log at /var/log/apache2/error.log:
tail -f /var/log/apache2/error.log
The output can look like this example:
2023/01/12 14:38:39 [error] 1155#1155: *18 [client 172.16.0.123] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/src/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "44"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.16.0.18"] [uri "/api/v1/tickets/14"] [unique_id "167188911882.664343"] [ref ""], client: 172.16.0.123, server: example.stangneth.com, request: "PUT /api/v1/tickets/14?all=true HTTP/1.1", host: "example.stangneth.com", referrer: "https://example.stangneth.com/"
So it was necessary to remove the rule [id "949110"] from the configuration for THIS website (all other sites can keep using this rule, but some may not; check it for every single site in your configuration!). Go to the specific site configuration:
vi /etc/apache2/sites-available/001-example.stangneth.com.conf
And now add the following line inside the <VirtualHost *:443> block:
SecRuleRemoveById 949110
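Note that 949110 is the CRS rule that evaluates the accumulated anomaly score and issues the block, so removing it switches anomaly-based blocking off for that virtual host altogether. The rules that actually contributed to the score are logged in the preceding entries that share the same unique_id, and those are usually the better candidates for a per-site exclusion. As an added example that is not part of the original post, the following shell functions summarise the ModSecurity entries in the Apache error log per site, URI and rule id, and list every rule that fired within one transaction. The function names and the sample log lines are my own; the sample is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): read ModSecurity entries from the
# Apache error log and report which rule fired where, so a rule id can be judged
# per site and URI before it is excluded.

# modsec_field NAME LINE: value of the bracketed field NAME, e.g. id from [id "949110"].
modsec_field() {
  printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"].*/\1/p"
}

# modsec_summary [FILE]: hit count per (hostname, uri, id, msg), most frequent first.
# Reads FILE or standard input; lines without "ModSecurity:" are ignored.
modsec_summary() {
  cat -- "${1:--}" | grep 'ModSecurity:' | while IFS= read -r line; do
    printf '%s\t%s\t%s\t%s\n' \
      "$(modsec_field hostname "$line")" "$(modsec_field uri "$line")" \
      "$(modsec_field id "$line")" "$(modsec_field msg "$line")"
  done | sort | uniq -c | sort -rn
}

# modsec_count_id ID [FILE]: how often rule ID matched in the log.
modsec_count_id() {
  cat -- "${2:--}" | grep -c "\[id \"$1\"]"
}

# modsec_transaction UNIQUE_ID [FILE]: id and msg of every rule that fired for one
# request; the entries listed before 949110 are the ones that built up the score.
modsec_transaction() {
  cat -- "${2:--}" | grep "\[unique_id \"$1\"]" | while IFS= read -r line; do
    printf '%s\t%s\n' "$(modsec_field id "$line")" "$(modsec_field msg "$line")"
  done
}

# Constructed sample of an Apache error log (not a real capture): two blocked
# requests on example.stangneth.com, one on another site, and one unrelated line.
sample_log() {
  cat <<'EOF'
[Thu Jan 12 14:38:39.102938 2023] [:error] [pid 1155:tid 139] [client 172.16.0.123:50214] [client 172.16.0.123] ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.stangneth.com"] [uri "/api/v1/tickets/14"] [unique_id "AAA1"]
[Thu Jan 12 14:38:39.103211 2023] [:error] [pid 1155:tid 139] [client 172.16.0.123:50214] [client 172.16.0.123] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "44"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "example.stangneth.com"] [uri "/api/v1/tickets/14"] [unique_id "AAA1"]
[Thu Jan 12 14:41:02.554102 2023] [mpm_event:notice] [pid 1155:tid 139] AH00489: configured -- resuming normal operations
[Thu Jan 12 14:42:17.220931 2023] [:error] [pid 1155:tid 140] [client 172.16.0.123:50301] [client 172.16.0.123] ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "example.stangneth.com"] [uri "/api/v1/tickets/14"] [unique_id "AAA2"]
[Thu Jan 12 14:42:17.221004 2023] [:error] [pid 1155:tid 140] [client 172.16.0.123:50301] [client 172.16.0.123] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "44"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "example.stangneth.com"] [uri "/api/v1/tickets/14"] [unique_id "AAA2"]
[Thu Jan 12 15:03:40.010442 2023] [:error] [pid 1155:tid 141] [client 172.16.0.77:41120] [client 172.16.0.77] ModSecurity: Warning. detected XSS using libinjection. [file "/etc/modsecurity/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "56"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "other.stangneth.com"] [uri "/login"] [unique_id "BBB1"]
[Thu Jan 12 15:03:40.010590 2023] [:error] [pid 1155:tid 141] [client 172.16.0.77:41120] [client 172.16.0.77] ModSecurity: Access denied with code 403 (phase 2). [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "44"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [hostname "other.stangneth.com"] [uri "/login"] [unique_id "BBB1"]
EOF
}

# Run the summary over the constructed sample; with a real log, pass the path:
# modsec_summary /var/log/apache2/error.log
sample_log | modsec_summary
```

The summary shows, per site and URI, which rule ids recur; modsec_transaction then tells you which rules built the score for one blocked request, so the exclusion can target that rule (or be scoped to the affected URI) rather than the blocking rule itself.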