Incorporate a WAF built into cloudron
It would be awesome to incorporate an application level WAF so we can get some WAF coverage if we are self hosted. Mod security can be integrated with the standard version of NGINX I believe. Here is a link to a setup guide for containerized nginx with modsecurity. Could we get something like this in Cloudron? That would be a huge benefit for security out of the box. https://janikvonrotz.ch/2020/02/26/nginx-waf-with-modsecurity-and-owasp-crs/
It should be totally possible to move to apache instead of nginx for the reverse proxy, with some effort.
I'm not sure if moving from Nginx to Apache is a very "modern" decision. There has been a buzz on this forum about Crowdsec a few weeks ago, maybe this would be another approach that is possible (although the downside seems to be that you lock people into a third party SaaS).
In regards to reverse proxies: I recently spent quite some time working with apisix, which is basically nginx/openresty with an additional manage api in lua. It can get its route configuration either from etcd or a yaml file (other backends could afaik be implemented as plugins). And since it's based on Nginx it's quite fast.
@fbartels prob with crowdsec is that it can't intercept an attack. It acts after the fact, whereas a waf can filter.
I do agree that a Web Application Firewall is a very important security feature that Cloudron should have.
- Moving to Apache/httpd is not a good idea. nginx is miles ahead when using it as a reverse proxy.
- My experience with the OWASP ruleset is that it produces a ton of false positives. The Comodo ruleset is a lot less time consuming to handle, as it rarely causes false positives.
- @Mastadamus' solution is way too hacky, because it requires adding a PPA and compiling the module from source. This could severely impact stability.

Looking for distributions with prebuilt nginx ModSecurity, I only found official packages for Arch Linux and FreeBSD.
However, no packages are available in Debian Sid, Fedora Rawhide and OpenSUSE Tumbleweed. Thus it may take some time for them to move to their respective stable downstream releases.
Therefore I would propose to delay this issue until packages are moving into Ubuntu LTS/other stable distributions. For Ubuntu, this will probably take some time, as Ubuntu 22.04 LTS is just around the corner.
But maybe there will be some official Docker images for nginx that will contain ModSecurity a little earlier than that. As dockerizing nginx is probably a good idea anyways, the possible earlier availability of ModSecurity would increase the benefit of looking into that.
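The false-positive problem raised in the post above is normally handled by running ModSecurity in DetectionOnly mode first, collecting the log, and writing per-path exclusions for rules that keep firing on legitimate application traffic. The script below is an added example for this thread, not code from Cloudron, the linked guide or the ModSecurity project: it tallies rule hits per URI from nginx error-log lines in the bracketed `[id "..."] [msg "..."] [uri "..."]` style that libmodsecurity emits, flags rules that fire repeatedly on one path, and renders a candidate exclusion using ModSecurity's `ctl:ruleRemoveById` action. The sample log lines are constructed, the `min_hits` threshold and the local rule ids starting at 1001 are assumptions to adjust for your own deployment, and every candidate still needs a human to confirm the traffic is benign before the exclusion goes live.

```python
"""Tally ModSecurity/CRS rule hits from the nginx error log to spot false positives."""
import re
from collections import Counter

# Bracketed key/value pairs as emitted by libmodsecurity, e.g. [id "942100"] [uri "/x"].
_KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

# Constructed sample log lines (not real traffic): three hits of rule 942100 on the
# same admin path, one hit of 920350 on that path, one 941100 hit elsewhere, and one
# unrelated nginx error that the parser must skip.
SAMPLE_LOG = """\
2024/01/10 10:00:01 [error] 12#12: *1 ModSecurity: Warning. Matched "Operator `Rx'" [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/wp-admin/post.php"] [unique_id "c1"]
2024/01/10 10:00:05 [error] 12#12: *2 ModSecurity: Warning. Matched "Operator `Rx'" [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/wp-admin/post.php"] [unique_id "c2"]
2024/01/10 10:00:09 [error] 12#12: *3 ModSecurity: Warning. Matched "Operator `Rx'" [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "700"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] [uri "/wp-admin/post.php"] [unique_id "c3"]
2024/01/10 10:01:00 [error] 12#12: *4 ModSecurity: Warning. Matched "Operator `Rx'" [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "2"] [uri "/wp-admin/post.php"] [unique_id "c4"]
2024/01/10 10:02:00 [error] 12#12: *5 ModSecurity: Warning. Matched "Operator `Rx'" [file "REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "30"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [severity "2"] [uri "/search"] [unique_id "c5"]
2024/01/10 10:02:01 [error] 12#12: *6 upstream timed out while reading response header
"""


def parse_entries(log_text):
    """Return one dict of bracketed fields per ModSecurity line; other errors are skipped."""
    entries = []
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        fields = dict(_KV_RE.findall(line))
        if "id" in fields:  # every rule match carries an id; keep only those
            entries.append(fields)
    return entries


def hits_by_rule_and_uri(entries):
    """Counter keyed by (rule id, uri): how often each rule fired on each path."""
    return Counter((e["id"], e.get("uri", "")) for e in entries)


def exclusion_candidates(entries, min_hits=3):
    """Sorted (rule id, uri, msg) tuples for rules that fire repeatedly on one path.

    Repeated hits on a single legitimate path are the usual signature of a
    false positive; the threshold is an assumption to tune per site.
    """
    counts = hits_by_rule_and_uri(entries)
    msgs = {e["id"]: e.get("msg", "") for e in entries}
    return sorted(
        (rule_id, uri, msgs[rule_id])
        for (rule_id, uri), n in counts.items()
        if n >= min_hits
    )


def render_exclusion(local_id, rule_id, uri):
    """Emit a per-path runtime exclusion in ModSecurity's SecRule syntax.

    ctl:ruleRemoveById disables one CRS rule only for requests matching this
    rule; local_id is chosen by the operator from the range reserved for local
    rules (assumed here to start at 1001).
    """
    return (
        f'SecRule REQUEST_URI "@beginsWith {uri}" '
        f'"id:{local_id},phase:1,pass,nolog,ctl:ruleRemoveById={rule_id}"'
    )


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for n, (rule_id, uri, msg) in enumerate(exclusion_candidates(parsed), start=1):
        print(f"# {msg} fired repeatedly on {uri}; review before excluding:")
        print(render_exclusion(1000 + n, rule_id, uri))
```

Feed it the real error log with `parse_entries(open("/var/log/nginx/error.log").read())` and the rendered `SecRule` lines go into the exclusion file loaded before the CRS rules; keeping the engine in DetectionOnly until the candidate list stops growing is what turns the OWASP ruleset from "a ton of false positives" into something that can safely be switched to blocking.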
@wind-gmbh FWIW, we don't use the upstream distro packages. We use the packages straight from nginx.org since they provide better security fixes - https://nginx.org/packages/ubuntu/pool/nginx/n/nginx/ . Looks like https://nginx.org/packages/ubuntu/pool/nginx/n/ is the pre-built modules they have.