I do agree that a Web Application Firewall is a very important security feature that Cloudron should have.
However:
- Moving to Apache/httpd is not a good idea. nginx is miles ahead when using it as a reverse proxy.
- My experience with the OWASP ruleset is that it produces a ton of false positives. The Comodo ruleset is a lot less time consuming to handle, as it rarely causes false positives.
- @Mastadamus' solution is way too hacky, because it requires adding a PPA and compiling the module from source. This could severely impact stability.
Looking for distributions with prebuilt nginx ModSecurity, I only found official packages for Arch Linux and FreeBSD.
However, there are no packages available in Debian Sid, Fedora Rawhide and openSUSE Tumbleweed. Thus it may take some time for them to move to their respective stable downstream releases.
Therefore I would propose to delay this issue until packages are moving into Ubuntu LTS or other stable distributions. For Ubuntu, this will probably take some time, as Ubuntu 22.04 LTS is just around the corner.
But maybe there will be some official Docker images for nginx that will contain ModSecurity a little earlier than that. As dockerizing nginx is probably a good idea anyway, the possible earlier availability of ModSecurity would increase the benefit of looking into that.