Incorporate a WAF built into cloudron
-
It would be awesome to incorporate an application-level WAF so we can get some WAF coverage if we are self-hosted. ModSecurity can be integrated with the standard version of NGINX, I believe. Here is a link to a setup guide for containerized nginx with ModSecurity. Could we get something like this in Cloudron? That would be a huge benefit for security out of the box. https://janikvonrotz.ch/2020/02/26/nginx-waf-with-modsecurity-and-owasp-crs/
-
@mastadamus Unfortunately, many WAF features are not in the opensource version of nginx but in nginx plus. See https://docs.nginx.com/nginx-waf/ .
That said, it should be totally possible to move to Apache instead of nginx for the reverse proxy, with some effort.
-
@girish said in Incorporate a WAF built into cloudron:
it should be totally possible to move to Apache instead of nginx for the reverse proxy, with some effort
I'm not sure if moving from nginx to Apache is a very "modern" decision. There has been a buzz on this forum about CrowdSec a few weeks ago; maybe this would be another approach that is possible (although the downside seems to be that you lock people into a third-party SaaS).
In regards to reverse proxies: I recently spent quite some time working with APISIX, which is basically nginx/OpenResty with an additional management API in Lua. It can get its route configuration either from etcd or a YAML file (other backends could, AFAIK, be implemented as plugins). And since it's based on nginx, it's quite fast.
-
@girish The ModSecurity WAF can be used with the open source version of nginx. You are right in that nginx Plus is more robust, but ModSecurity with regular nginx still offers a decent degree of protection.
Basic example:
-
I do agree that a Web Application Firewall is a very important security feature that Cloudron should have.
However:
- Moving to Apache/httpd is not a good idea. nginx is miles ahead when using it as a reverse proxy.
- My experience with the OWASP ruleset is that it produces a ton of false positives. The Comodo ruleset is a lot less time-consuming to handle, as it rarely causes false positives.
- @Mastadamus' solution is way too hacky, because it requires adding a PPA and compiling the module from source. This could severely impact stability.
Looking for distributions with prebuilt nginx ModSecurity, I only found official packages for Arch Linux and FreeBSD. However, there are no packages available in Debian Sid, Fedora Rawhide and openSUSE Tumbleweed. Thus it may take some time for them to move to their respective stable downstream releases. Therefore I would propose to delay this issue until packages are moving into Ubuntu LTS / other stable distributions. For Ubuntu, this will probably take some time, as Ubuntu 22.04 LTS is just around the corner.
But maybe there will be some official Docker images for nginx that will contain ModSecurity a little earlier than that. As dockerizing nginx is probably a good idea anyways, the possible earlier availability of ModSecurity would increase the benefit of looking into that.
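For readers following the two points made above (ModSecurity working with open source nginx, and the OWASP CRS needing false-positive tuning), here is an added configuration example. It is not from this thread, from Cloudron, or from any of the linked guides; the paths, hostname, upstream port and the specific exclusions are assumptions chosen for illustration. It shows the libmodsecurity v3 nginx connector loaded as a dynamic module, the CRS included in DetectionOnly mode first so that false positives can be triaged from the audit log before anything is blocked, and both a global and a per-location rule exclusion.

```nginx
# --- /etc/nginx/nginx.conf (excerpt) ---------------------------------------
# The ModSecurity v3 connector is a dynamic module; it must be built against
# the exact nginx version that is running, or nginx will refuse to load it.
load_module modules/ngx_http_modsecurity_module.so;

http {
    # Turn the engine on for every server block and point it at the rule set.
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    server {
        listen 443 ssl;
        server_name app.example.com;          # assumed hostname

        location / {
            proxy_pass http://127.0.0.1:8000; # assumed upstream application
        }

        # Per-location exclusion (assumed scenario): a rich-text editor posts
        # HTML in the "body" parameter, which trips the CRS XSS rules
        # 941100 and 941160. Remove only that target from those two rules
        # instead of disabling the rules everywhere.
        location /api/posts {
            modsecurity_rules '
                SecRule REQUEST_METHOD "@streq POST" \
                    "id:10001,phase:1,pass,nolog,\
                    ctl:ruleRemoveTargetById=941100;ARGS:body,\
                    ctl:ruleRemoveTargetById=941160;ARGS:body"
            ';
            proxy_pass http://127.0.0.1:8000;
        }
    }
}

# --- /etc/nginx/modsec/main.conf (assumed path) ----------------------------
# modsecurity.conf is the "modsecurity.conf-recommended" file shipped with
# libmodsecurity; crs-setup.conf and rules/ come from the OWASP CRS checkout.
Include /etc/nginx/modsec/modsecurity.conf
Include /etc/nginx/modsec/crs/crs-setup.conf
Include /etc/nginx/modsec/crs/rules/*.conf

# Stage 1: log what WOULD be blocked, block nothing. Run production traffic
# through this for a while and read the audit log. Only then flip to "On".
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLog /var/log/nginx/modsec_audit.log

# Global exclusion (assumed scenario): internal health checks reach the
# proxy by IP address, so CRS 920350 ("Host header is a numeric IP") fires
# constantly. Removing a rule by ID applies to all locations.
SecRuleRemoveById 920350
```

Usage note: after a DetectionOnly soak period, change `SecRuleEngine DetectionOnly` to `SecRuleEngine On` and reload nginx; anything still logged in the audit log at that point is now actually blocked. Prefer `ctl:ruleRemoveTargetById` (drop one parameter from one rule) over `SecRuleRemoveById` (drop the rule everywhere) wherever the false positive is confined to a single endpoint, so the rest of the application keeps its coverage. CRS paranoia level is set in `crs-setup.conf`; raising it increases both detection and false positives, so tune it with the same log-first approach.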
-
@wind-gmbh FWIW, we don't use the upstream distro packages. We use the packages straight from nginx.org since they provide better security fixes - https://nginx.org/packages/ubuntu/pool/nginx/n/nginx/ . Looks like https://nginx.org/packages/ubuntu/pool/nginx/n/ holds the pre-built modules they have.