patterns/docs/apache.md
Fabrizio Salmi ea474cbcf2 Add VitePress documentation with GitHub Pages deployment
- Create docs/ directory with VitePress configuration
- Add documentation for all web servers (Nginx, Apache, Traefik, HAProxy)
- Add bad bot detection and API reference documentation
- Add GitHub Actions workflow for automatic deployment to GitHub Pages
- Configure VitePress with sidebar, navigation, and search
2025-12-09 08:07:06 +01:00

3.1 KiB

Apache Integration

This guide explains how to integrate the WAF patterns with Apache using ModSecurity.

Prerequisites

  • Apache 2.4+
  • ModSecurity module installed

Install ModSecurity

# Debian/Ubuntu
sudo apt install libapache2-mod-security2
sudo a2enmod security2

# RHEL/CentOS
sudo yum install mod_security

Quick Start

  1. Download apache_waf.zip from Releases
  2. Extract to your Apache configuration directory
  3. Include the files in your Apache configuration

Configuration Files

The Apache WAF package includes ModSecurity rules organized by attack type:

File        Protection Type
sqli.conf   SQL Injection
xss.conf    Cross-Site Scripting
rce.conf    Remote Code Execution
lfi.conf    Local File Inclusion
rfi.conf    Remote File Inclusion
bots.conf   Bad Bot Detection

Integration

Step 1: Enable ModSecurity

Create or edit /etc/apache2/mods-enabled/security2.conf:

<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess Off
    SecDebugLogLevel 0
</IfModule>

Step 2: Include WAF Rules

Add to your Apache configuration or virtual host:

<VirtualHost *:80>
    ServerName example.com
    
    # Include all WAF patterns
    Include /path/to/waf_patterns/apache/*.conf
    
    # ... other configurations ...
</VirtualHost>

Or include specific rule sets:

Include /path/to/waf_patterns/apache/sqli.conf
Include /path/to/waf_patterns/apache/xss.conf
Include /path/to/waf_patterns/apache/bots.conf

Step 3: Restart Apache

sudo apachectl configtest && sudo systemctl restart apache2

Rule Format

The rules follow ModSecurity syntax:

SecRule REQUEST_URI "@rx union.*select" \
    "id:100001,\
    phase:2,\
    deny,\
    status:403,\
    msg:'SQL Injection Attempt',\
    severity:CRITICAL"

Customization

Adjust Severity Levels

Replace the deny action with log and pass to run a rule in monitoring mode, where matches are logged but the request is not blocked:

SecRule REQUEST_URI "@rx pattern" \
    "id:100001,\
    phase:2,\
    log,\
    pass,\
    msg:'Potential attack detected'"

Whitelist Paths

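Add exceptions for specific paths. The allow action exempts matching requests from all remaining rules, and @beginsWith matches every URI that starts with the given prefix, so keep the prefix as specific as possible and give the rule an id that is unique in your configuration: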

SecRule REQUEST_URI "@beginsWith /api/webhook" \
    "id:1,\
    phase:1,\
    allow,\
    nolog"

Logging

ModSecurity logs are typically found at:

  • /var/log/apache2/modsec_audit.log
  • /var/log/httpd/modsec_audit.log

Enable detailed logging:

SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogParts ABCDEFHZ
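
An added example (not part of the project's documentation or code): a small Python parser for the serial-format audit log configured above, tallying per rule ID and request path whether a hit was blocked or only logged. This helps when reviewing monitoring-mode output or picking candidates for SecRuleRemoveById. The sample log, rule ID 100002 and the /search request are constructed, and the parser assumes SecAuditLogType Serial (the ModSecurity 2.x default).

```python
import re
from collections import Counter

# Constructed sample: two transactions in ModSecurity 2.x serial audit-log
# format. Rule id 100002 and the /search request are made up for illustration.
SAMPLE = '''\
--a1b2c3d4-A--
[09/Dec/2025:08:10:01 +0100] aTfk1AAAAAEAAAbc0001 203.0.113.7 51234 192.0.2.10 80
--a1b2c3d4-B--
GET /?id=1%27%20union%20select%201 HTTP/1.1
--a1b2c3d4-H--
Message: Access denied with code 403 (phase 2). Pattern match "union.*select" at REQUEST_URI. [id "100001"] [msg "SQL Injection Attempt"]
Action: Intercepted (phase 2)
--a1b2c3d4-Z--
--e5f6a7b8-A--
[09/Dec/2025:08:10:05 +0100] aTfk1AAAAAEAAAbc0002 198.51.100.23 40022 192.0.2.10 80
--e5f6a7b8-B--
GET /search?q=pattern HTTP/1.1
--e5f6a7b8-H--
Message: Warning. Pattern match "pattern" at REQUEST_URI. [id "100002"] [msg "Potential attack detected"]
--e5f6a7b8-Z--
'''

SECTION = re.compile(r"^--([0-9a-f]+)-([A-Z])--$\n?", re.M)   # part boundary line
MESSAGE_ID = re.compile(r'^Message:.*?\[id "(\d+)"\]', re.M)  # rule id per Message

def parse_audit_log(text):
    """Return {transaction_id: {part_letter: body}} for a serial audit log."""
    parts = SECTION.split(text)  # ['', id, letter, body, id, letter, body, ...]
    txs = {}
    for tx_id, letter, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        txs.setdefault(tx_id, {})[letter] = body
    return txs

def summarize(text):
    """Return {rule_id: Counter({(outcome, path): hits})}."""
    hits = {}
    for tx in parse_audit_log(text).values():
        h = tx.get("H", "")
        outcome = "blocked" if "Action: Intercepted" in h else "logged"
        fields = tx.get("B", "").split()           # request line: METHOD URI PROTO
        path = fields[1].split("?", 1)[0] if len(fields) > 1 else "-"
        for rule_id in set(MESSAGE_ID.findall(h)):
            hits.setdefault(rule_id, Counter())[(outcome, path)] += 1
    return hits

if __name__ == "__main__":
    for rule_id, counts in sorted(summarize(SAMPLE).items()):
        print(rule_id, dict(counts))
```

A rule that shows many "logged" hits on legitimate paths is a false-positive candidate to tune before its action is switched from log to deny.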

Testing

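# Test SQL injection detection (-G with --data-urlencode encodes the spaces
# and quote so the request line is valid HTTP and reaches the rules)
curl -I -G --data-urlencode "id=1' UNION SELECT * FROM users--" "http://example.com/"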

# Check Apache error log
sudo tail -f /var/log/apache2/error.log

Troubleshooting

ModSecurity not loading

Ensure the module is enabled: sudo a2enmod security2

Rules not triggering

Check that SecRuleEngine is set to On and rules are being included.

Performance issues

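Consider using SecRuleRemoveById to disable noisy rules that cause false positives. Place the directive after the Include lines, since it can only remove rules that have already been loaded.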