There is much commercial software (Akamai, Cloudflare, etc.) to control malicious calls/attacks (XSS, injection, DDoS, etc.). However, can we use ModSecurity with Nginx? How do I write custom rules in Lua to avoid major vulnerabilities in my web application? May I get some guidance on this? Are there any open-source templates to follow?
How can we control malicious calls to a web application with Nginx modsecurity module?
347 Views Asked by Chaitanya krishna ch At
ModSecurity Core Rule Set Developer on Duty here. First of all, ModSecurity rules are written in "SecLang", a domain-specific language used to express ModSecurity rules and logic. It is also possible to write Lua scripts to provide extremely custom behaviour, but in practice this is very rarely necessary.
If you want to start with a great set of ModSecurity WAF rules to protect web applications, take a look at the Core Rule Set (CRS), which can be found at coreruleset.org. CRS is the de facto set of free and open-source WAF/ModSecurity rules, and it's used by some very big WAF vendors and service providers.
There are lots of great resources available to help get you started with Nginx + ModSecurity. I'll run through some of them here:
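A minimal sketch of the setup the answer describes, added here as an illustration and not part of the original answer: Nginx with the ModSecurity-nginx connector loading CRS, plus one custom rule written in SecLang. The file paths, server name, upstream address, rule id and IP range are assumptions.

```nginx
# Needed only when the connector was built as a dynamic module.
load_module modules/ngx_http_modsecurity_module.so;

events {}

http {
    server {
        listen 80;
        server_name app.example.test;              # placeholder host name

        # Turn the WAF on for this server block.
        modsecurity on;

        # Assumed layout: main.conf holds three Include lines, in this order:
        #   Include /etc/nginx/modsec/modsecurity.conf
        #   Include /etc/nginx/modsec/crs/crs-setup.conf
        #   Include /etc/nginx/modsec/crs/rules/*.conf
        # modsecurity.conf-recommended ships with "SecRuleEngine DetectionOnly",
        # which logs matches but never blocks. Set "SecRuleEngine On" in
        # modsecurity.conf once the logs show no false positives.
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        # Custom rule in SecLang (no Lua needed): deny requests under /admin
        # unless the client address is inside the internal range.
        # Ids 1-99999 are reserved for local rules, so they cannot collide
        # with CRS ids.
        modsecurity_rules '
            SecRule REQUEST_URI "@beginsWith /admin" "id:10001,phase:1,deny,status:403,log,chain"
                SecRule REMOTE_ADDR "!@ipMatch 10.0.0.0/8"
        ';

        location / {
            proxy_pass http://127.0.0.1:8080;      # assumed application upstream
        }
    }
}
```

Run `nginx -t` after editing; the connector parses the SecLang at load time, so a malformed rule fails the configuration test instead of silently disabling protection.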