patterns/docs/apache.md

# Apache Integration

This guide explains how to integrate the WAF patterns with Apache using ModSecurity.

## Prerequisites

- Apache 2.4+
- ModSecurity module installed

### Install ModSecurity

::: code-group

```bash [Debian/Ubuntu]
sudo apt install libapache2-mod-security2
sudo a2enmod security2
```

```bash [RHEL/CentOS]
sudo yum install mod_security
```

:::

## Quick Start

1. Download `apache_waf.zip` from [Releases](https://github.com/fabriziosalmi/patterns/releases)
2. Extract to your Apache configuration directory
3. Include the files in your Apache configuration

## Configuration Files

The Apache WAF package includes ModSecurity rules organized by attack type:

| File | Protection Type |
|------|-----------------|
| `sqli.conf` | SQL Injection |
| `xss.conf` | Cross-Site Scripting |
| `rce.conf` | Remote Code Execution |
| `lfi.conf` | Local File Inclusion |
| `rfi.conf` | Remote File Inclusion |
| `bots.conf` | Bad Bot Detection |

## Integration

### Step 1: Enable ModSecurity

Create or edit `/etc/apache2/mods-enabled/security2.conf`:

```apache
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess Off
    SecDebugLogLevel 0
</IfModule>
```

### Step 2: Include WAF Rules

Add to your Apache configuration or virtual host:

```apache
<VirtualHost *:80>
    ServerName example.com
    
    # Include all WAF patterns
    Include /path/to/waf_patterns/apache/*.conf
    
    # ... other configurations ...
</VirtualHost>
```

Or include specific rule sets:

```apache
Include /path/to/waf_patterns/apache/sqli.conf
Include /path/to/waf_patterns/apache/xss.conf
Include /path/to/waf_patterns/apache/bots.conf
```

### Step 3: Restart Apache

```bash
sudo apachectl configtest && sudo systemctl restart apache2
```

## Rule Format

The rules follow ModSecurity syntax:

```apache
SecRule REQUEST_URI "@rx union.*select" \
    "id:100001,\
    phase:2,\
    deny,\
    status:403,\
    msg:'SQL Injection Attempt',\
    severity:CRITICAL"
```

## Customization

### Adjust Severity Levels

Modify the action from `deny` to `log` for monitoring mode:

```apache
SecRule REQUEST_URI "@rx pattern" \
    "id:100001,\
    phase:2,\
    log,\
    pass,\
    msg:'Potential attack detected'"
```

### Whitelist Paths

Add exceptions for specific paths:

```apache
SecRule REQUEST_URI "@beginsWith /api/webhook" \
    "id:1,\
    phase:1,\
    allow,\
    nolog"
```

## Logging

ModSecurity logs are typically found at:
- `/var/log/apache2/modsec_audit.log`
- `/var/log/httpd/modsec_audit.log`

Enable detailed logging:

```apache
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogParts ABCDEFHZ
```

## Testing

```bash
# Test SQL injection detection
curl -I "http://example.com/?id=1' UNION SELECT * FROM users--"

# Check Apache error log
sudo tail -f /var/log/apache2/error.log
```

## Troubleshooting

### ModSecurity not loading
Ensure the module is enabled: `sudo a2enmod security2`

### Rules not triggering
Check that `SecRuleEngine` is set to `On` and rules are being included.

### Performance issues
Consider using `SecRuleRemoveById` to disable noisy rules that cause false positives.
Add VitePress documentation with GitHub Pages deployment - Create docs/ directory with VitePress configuration - Add documentation for all web servers (Nginx, Apache, Traefik, HAProxy) - Add bad bot detection and API reference documentation - Add GitHub Actions workflow for automatic deployment to GitHub Pages - Configure VitePress with sidebar, navigation, and search 2025-12-09 08:07:06 +01:00			`# Apache Integration`

			`This guide explains how to integrate the WAF patterns with Apache using ModSecurity.`

			`## Prerequisites`

			`- Apache 2.4+`
			`- ModSecurity module installed`

			`### Install ModSecurity`

			`::: code-group`

			```bash [Debian/Ubuntu]
			`sudo apt install libapache2-mod-security2`
			`sudo a2enmod security2`
			```

			```bash [RHEL/CentOS]
			`sudo yum install mod_security`
			```

			`:::`

			`## Quick Start`

			1. Download `apache_waf.zip` from [Releases](https://github.com/fabriziosalmi/patterns/releases)
			`2. Extract to your Apache configuration directory`
			`3. Include the files in your Apache configuration`

			`## Configuration Files`

			`The Apache WAF package includes ModSecurity rules organized by attack type:`

			`\| File \| Protection Type \|`
			`\|------\|-----------------\|`
			\| `sqli.conf` \| SQL Injection \|
			\| `xss.conf` \| Cross-Site Scripting \|
			\| `rce.conf` \| Remote Code Execution \|
			\| `lfi.conf` \| Local File Inclusion \|
			\| `rfi.conf` \| Remote File Inclusion \|
			\| `bots.conf` \| Bad Bot Detection \|

			`## Integration`

			`### Step 1: Enable ModSecurity`

			Create or edit `/etc/apache2/mods-enabled/security2.conf`:

			```apache
			`<IfModule security2_module>`
			`SecRuleEngine On`
			`SecRequestBodyAccess On`
			`SecResponseBodyAccess Off`
			`SecDebugLogLevel 0`
			`</IfModule>`
			```

			`### Step 2: Include WAF Rules`

			`Add to your Apache configuration or virtual host:`

			```apache
			`<VirtualHost *:80>`
			`ServerName example.com`

			`# Include all WAF patterns`
			`Include /path/to/waf_patterns/apache/*.conf`

			`# ... other configurations ...`
			`</VirtualHost>`
			```

			`Or include specific rule sets:`

			```apache
			`Include /path/to/waf_patterns/apache/sqli.conf`
			`Include /path/to/waf_patterns/apache/xss.conf`
			`Include /path/to/waf_patterns/apache/bots.conf`
			```

			`### Step 3: Restart Apache`

			```bash
			`sudo apachectl configtest && sudo systemctl restart apache2`
			```

			`## Rule Format`

			`The rules follow ModSecurity syntax:`

			```apache
			`SecRule REQUEST_URI "@rx union.*select" \`
			`"id:100001,\`
			`phase:2,\`
			`deny,\`
			`status:403,\`
			`msg:'SQL Injection Attempt',\`
			`severity:CRITICAL"`
			```

			`## Customization`

			`### Adjust Severity Levels`

			Modify the action from `deny` to `log` for monitoring mode:

			```apache
			`SecRule REQUEST_URI "@rx pattern" \`
			`"id:100001,\`
			`phase:2,\`
			`log,\`
			`pass,\`
			`msg:'Potential attack detected'"`
			```

			`### Whitelist Paths`

			`Add exceptions for specific paths:`

			```apache
			`SecRule REQUEST_URI "@beginsWith /api/webhook" \`
			`"id:1,\`
			`phase:1,\`
			`allow,\`
			`nolog"`
			```

			`## Logging`

			`ModSecurity logs are typically found at:`
			- `/var/log/apache2/modsec_audit.log`
			- `/var/log/httpd/modsec_audit.log`

			`Enable detailed logging:`

			```apache
			`SecAuditEngine RelevantOnly`
			`SecAuditLog /var/log/apache2/modsec_audit.log`
			`SecAuditLogParts ABCDEFHZ`
			```

			`## Testing`

			```bash
			`# Test SQL injection detection`
			`curl -I "http://example.com/?id=1' UNION SELECT * FROM users--"`

			`# Check Apache error log`
			`sudo tail -f /var/log/apache2/error.log`
			```

			`## Troubleshooting`

			`### ModSecurity not loading`
			Ensure the module is enabled: `sudo a2enmod security2`

			`### Rules not triggering`
			Check that `SecRuleEngine` is set to `On` and rules are being included.

			`### Performance issues`
			Consider using `SecRuleRemoveById` to disable noisy rules that cause false positives.