Written on 14. January 2023

Apache2 as reverse proxy with ModSecurity and OWASP Ruleset on Debian

As mentioned in the article https://stangneth.com/2022/12/27/nginx-as-reverse-proxy-with-waf-modsecurity-on-debian/, here I describe how to install a reverse proxy with a WAF based on Apache2.

Installation

To install Apache2 on Debian, use the following command:

apt install apache2 -y

Next, we need to enable the modules the configuration below relies on: proxy and proxy_http for the reverse proxy functionality, headers to add custom headers to the proxied traffic, rewrite for the HTTP-to-HTTPS redirect and ssl for the TLS virtual host (the SSLCertificateFile and SSLProxyEngine directives are invalid without mod_ssl):

a2enmod proxy proxy_http headers rewrite ssl

Certbot wildcard certificate request

To request a wildcard certificate for your domain using a DNS challenge and Certbot, you will need to follow these steps:

certbot certonly --manual --preferred-challenges=dns --server https://acme-v02.api.letsencrypt.org/directory -d '*.stangneth.com'

Follow the instructions provided by Certbot for creating a TXT record in your DNS settings. This will typically involve logging into your domain provider’s control panel and adding a new TXT record with the value provided by Certbot.

Once the TXT record has been added, return to the terminal and press Enter to continue the certificate request process.

Certbot will verify that the TXT record has been added correctly and, if successful, will issue a wildcard certificate for your domain.

Please note that this process may vary depending on your specific domain provider and the DNS management tools they offer. You may need to consult your provider’s documentation or support resources for additional guidance.

It will be stored under:

/etc/letsencrypt/live/stangneth.com/

Configure Apache2

Create a new virtual host configuration file in the /etc/apache2/sites-available directory. For example, if you want to proxy traffic for example.stangneth.com, you can create a file called 001-example.stangneth.com.conf:

vi /etc/apache2/sites-available/001-example.stangneth.com.conf

Add the following configuration to the file. Replace the IP address and port number with the appropriate values for your backend server:

<VirtualHost *:80>
	ServerName example.stangneth.com

	# Redirect every plain-HTTP request to HTTPS (needs mod_rewrite)
	RewriteEngine On
	RewriteCond %{HTTPS} off
	RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
	ServerName example.stangneth.com

	# The backend itself speaks HTTPS, so the proxy side of mod_ssl must be
	# switched on; without SSLProxyEngine Apache answers every request with 500
	SSLProxyEngine On
	ProxyPass / https://172.16.0.18:444/
	ProxyPassReverse / https://172.16.0.18:444/

	# Certbot's shared TLS settings (contains SSLEngine on and the protocol/cipher settings)
	Include /etc/letsencrypt/options-ssl-apache.conf
	SSLCertificateFile /etc/letsencrypt/live/stangneth.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/stangneth.com/privkey.pem
</VirtualHost>

Activate the new site:

ln -s /etc/apache2/sites-available/001-example.stangneth.com.conf /etc/apache2/sites-enabled/001-example.stangneth.com.conf

Now restart Apache2 and check that the site is reachable (make sure the DNS name already resolves to the proxy!):

systemctl restart apache2
systemctl status apache2

Install ModSecurity and the OWASP ruleset

To install ModSecurity and the OWASP ruleset, we will use the following commands:

apt install libapache2-mod-security2 -y
apt install git -y

Enable the module:

a2enmod security2

Now download the OWASP ruleset from git. The package has already created /etc/modsecurity (it contains modsecurity.conf-recommended), and git refuses to clone into a directory that is not empty, so clone into a temporary directory first and copy the checkout over:

git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /tmp/owasp-modsecurity-crs
cp -a /tmp/owasp-modsecurity-crs/. /etc/modsecurity/

Configure ModSecurity and OWASP

Rename the recommended modsecurity.conf and crs-setup.conf to their production names:

mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
mv /etc/modsecurity/crs-setup.conf-recommended /etc/modsecurity/crs-setup.conf

Add the following lines to the file /etc/apache2/mods-enabled/security2.conf:

Include /etc/modsecurity/crs-setup.conf
Include /etc/modsecurity/rules/*.conf

Restart Apache2:

systemctl restart apache2
systemctl status apache2

Enable ModSecurity and exclude Rule for specific websites

The default mode of ModSecurity is DetectionOnly: nothing gets blocked, matches are only logged. To enable blocking, go to /etc/modsecurity and edit the file modsecurity.conf:

cd /etc/modsecurity
vi modsecurity.conf

Edit the line SecRuleEngine:

SecRuleEngine On

To apply these changes restart Apache2:

systemctl restart apache2
systemctl status apache2

To find rules that trigger as false positives, you have to exercise your website's functionality and watch the log at /var/log/apache2/error.log:

tail -f /var/log/apache2/error.log

The output can look like this example:

2023/01/12 14:38:39 [error] 1155#1155: *18 [client 172.16.0.123] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/src/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "44"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "172.16.0.18"] [uri "/api/v1/tickets/14"] [unique_id "167188911882.664343"] [ref ""], client: 172.16.0.123, server: example.stangneth.com, request: "PUT /api/v1/tickets/14?all=true HTTP/1.1", host: "example.stangneth.com", referrer: "https://example.stangneth.com/"

So it was necessary to remove the rule with [id "949110"] from the configuration for THIS website (all other sites can keep using this rule, but maybe others cannot; check it for every single site in your configuration!). Go to the specific site configuration:

vi /etc/apache2/sites-available/001-example.stangneth.com.conf

Now add the following line to the *:443 VirtualHost configuration:

SecRuleRemoveById 949110

Keep in mind what this rule is: the log line above names REQUEST-949-BLOCKING-EVALUATION.conf, the rule that compares the inbound anomaly score with the threshold and issues the 403. Removing it switches blocking off for this site entirely, so where the log also shows the individual rule that raised the score, removing that rule ID instead keeps the rest of the ruleset active for the site.
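As an added example (not part of the original post), the following POSIX shell script summarises the ModSecurity events in the Apache error log per host name and rule ID, so that the decision which rule to exclude for a site rests on how often and where it fires rather than on a single log line. The function names and the sample log lines written by demo_log are constructed for this example; the rule IDs 920420, 942100 and 949110 are real CRS IDs, 949110 being the blocking-evaluation rule from the log line above.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the ModSecurity
# events in the Apache error log per virtual host and rule ID, so that a
# SecRuleRemoveById decision rests on counts rather than on one log line.
# The function names and the sample log lines in demo_log are constructed.

# Print one "hostname rule_id count" line per (hostname, rule ID) pair found
# among the ModSecurity events in the log file given as $1. Both fields are
# taken from the [id "..."] and [hostname "..."] tokens that every
# ModSecurity 2 error-log entry carries.
modsec_rule_summary() {
    grep 'ModSecurity:' "$1" \
    | sed -n 's/.*\[id "\([0-9]*\)"\].*\[hostname "\([^"]*\)"\].*/\2 \1/p' \
    | sort | uniq -c \
    | awk '{ print $2, $3, $1 }'
}

# For the hostname given as $2, print the rule IDs that fired there as
# "SecRuleRemoveById <id>" lines. Rule 949110 is skipped on purpose: it is
# the CRS blocking-evaluation rule that compares the anomaly score with the
# threshold, so removing it would switch blocking off for the whole site
# instead of silencing the one check that is noisy there.
modsec_exclusion_candidates() {
    modsec_rule_summary "$1" \
    | awk -v host="$2" '$1 == host && $2 != "949110" { print "SecRuleRemoveById " $2 }'
}

# Write a constructed sample of error-log lines to the file given as $1
# (shortened Apache 2.4 / ModSecurity 2 format; hosts, clients, timestamps
# and unique_ids are made up, the rule IDs are real CRS IDs).
demo_log() {
    cat > "$1" <<'EOF'
[Thu Jan 12 14:38:38.100 2023] [mpm_event:notice] [pid 1150] AH00489: Apache/2.4.54 (Debian) configured -- resuming normal operations
[Thu Jan 12 14:38:39.200 2023] [:error] [pid 1155] [client 172.16.0.123:50412] ModSecurity: Warning. Match of "rx ..." against "REQUEST_HEADERS:Content-Type" required. [file "/etc/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920420"] [msg "Request content type is not allowed by policy"] [hostname "example.stangneth.com"] [uri "/api/v1/tickets/14"] [unique_id "demo-1"]
[Thu Jan 12 14:38:39.201 2023] [:error] [pid 1155] [client 172.16.0.123:50412] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "example.stangneth.com"] [uri "/api/v1/tickets/14"] [unique_id "demo-1"]
[Thu Jan 12 14:40:02.300 2023] [:error] [pid 1156] [client 172.16.0.123:50420] ModSecurity: Warning. Match of "rx ..." against "REQUEST_HEADERS:Content-Type" required. [file "/etc/modsecurity/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [id "920420"] [msg "Request content type is not allowed by policy"] [hostname "example.stangneth.com"] [uri "/api/v1/tickets/15"] [unique_id "demo-2"]
[Thu Jan 12 14:41:10.400 2023] [:error] [pid 1157] [client 10.0.0.5:40100] ModSecurity: Warning. detected SQLi using libinjection. [file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [hostname "other.stangneth.com"] [uri "/search"] [unique_id "demo-3"]
[Thu Jan 12 14:41:10.401 2023] [:error] [pid 1157] [client 10.0.0.5:40100] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [hostname "other.stangneth.com"] [uri "/search"] [unique_id "demo-3"]
EOF
}

# Usage: sh modsec-summary.sh /var/log/apache2/error.log [hostname]
# With one argument the per-host summary is printed, with two the
# SecRuleRemoveById candidates for that host.
if [ "$#" -ge 2 ]; then
    modsec_exclusion_candidates "$1" "$2"
elif [ "$#" -eq 1 ]; then
    modsec_rule_summary "$1"
fi
```

Run against the real log with the site name from the ServerName directive, e.g. sh modsec-summary.sh /var/log/apache2/error.log example.stangneth.com; a rule that appears many times for one host and never for the others is the typical candidate for a per-site SecRuleRemoveById, while a rule that fires once is usually a genuine match and not worth excluding.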
