Web Application Firewall (WAF)

The Web Application Firewall (Mod Security) offers the option of checking individual parts or the entire GET and POST request for possible attacks. Depending on the setting, the WAF can be used for either NGINX or Apache.


Activate Web Application Firewall

First log in to the Plesk Control Panel and navigate to the menu item Tools & Settings → Web Application Firewall (ModSecurity). Change the setting here to the value Detection only or On to activate the WAF.


Plesk - Web Application Firewall](/api/attachments.redirect?id=bc0540af-ebbd-4060-af5b-5ff0a21c56ab)


Mode Explanation
Off Incoming HTTP requests and associated responses are not checked.
Detection only Each incoming HTTP request and the associated response are compared with a rule set. If this check is successful, the HTTP request is forwarded to the website content. If the check fails, the event is logged and ModSecurity takes no further action. Other services such as Fail2Ban can still perform their own actions for HTTP requests that have failed the check.
On Each incoming HTTP request and the corresponding response are compared with a rule set. If this check is successful, the HTTP request is forwarded to the website content. If the check fails, the event is logged, a notification is sent and an HTTP response with an error code is returned.



Deactivate web application firewall

First log in to the Plesk Control Panel and navigate to the menu item Tools & Settings → Web Application Firewall (ModSecurity). Change the setting here to the value Off to completely deactivate the WAF.


Deactivating the Web Application Firewall represents a potential security risk and should only be used for test purposes.

Troubleshooting

ModSecurity audit log

The ModSecurity audit log file is the most useful source of information in the system. As soon as ModSecurity detects that an event occurs, it generates an entry in the audit log file.


Example log entry for the URL https://www.creoline.de/.env


--c495fc5c-A--
[10/Sep/2021:13:31:33 +0000] YTteNQUBTQYAAFwXTCwAAABN XXX.XXX.XXXX.XXX 39132 5.1.77.6 7081
--c495fc5c-B--
GET /.env HTTP/1.0
Host: www.creoline.de
X-Real-IP: XXX.XXX.XXX.XXX
X-Accel-Internal: /internal-nginx-static-location
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept-Encoding: gzip, deflate
Accept: */*

--c495fc5c-F--
HTTP/1.1 403 Forbidden
Last-Modified: Sun, 05 Mar 2017 01:28:46 GMT
ETag: "3fc-549f1b33767e0"
Accept-Ranges: bytes
Content-Length: 1020
Connection: close
Content-Type: text/html

--c495fc5c-H--
Message: Access denied with code 403 (phase 1). Matched phrase "/.env" at REQUEST_URI. [file "/etc/apache2/modsecurity.d/rules/comodo_free/02_Global_Generic.conf"] [line "120"] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
Apache-Error: [file "apache2_util.c"] [line 273] [level 3] [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 1). Matched phrase "/.env" at REQUEST_URI. [file "/etc/apache2/modsecurity.d/rules/comodo_free/02_Global_Generic.conf"] [line "120"] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "www.creoline.de"] [uri "/.env"] [unique_id "YTteNQUBTQYAAFwXTCwAAABN"]
Action: Intercepted (phase 1)
Stopwatch: 1631280693566204 805 (- - -)
Stopwatch2: 1631280693566204 805; combined=333, p1=255, p2=0, p3=0, p4=0, p5=78, sr=112, sw=0, l=0, gc=0
Producer: ModSecurity for Apache (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine mode: "ENABLED"

--c495fc5c-Z--


Each rule violation is organized in the log file as follows:


  1. request
  2. response
  3. rule information


You will find the following details in the rule information:

[id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]


value description
ID Rule ID
REV Version defined by the operator of the rule set
Severity The severity of the rule violation
Tag The assigned groups of the rule set


Storage location of the logs

The Web Application Firewall logs are saved in the directory /var/log/ with the file name modsec_audit.log. Depending on the configured log rotation (logrotate), further archived logs with the name modsec_audit.log.1.gz are created automatically.


Deactivate rule

To deactivate a rule using the rule ID or the parent tag, navigate to the Disable security rules section. Here you can deactivate individual rules using the Rule ID or Tag.


Deactivate security rule - WAF



Frequent false positives

When using Shopware with an activated Web Application Firewall, the following rules can lead to unwanted blocking of requests:


Rule-ID Shopware Action Request-URI
210580 Save customer profile POST /account
Customer Login GET /account/login
Request notifications from Shopware API GET /api/notification/message
FriendsOfShopware/FroshTools Health Check GET /api/_action/frosh-tools/health/status
211180 Shop Homepage GET /myShop/index.php
214540 Google Tag Manager
214940 Google Tag Manager
210710 Shopware Image Upload