Web Application Firewall (WAF)
The Web Application Firewall (ModSecurity) inspects individual parts of, or the entire, incoming HTTP request (GET and POST, including headers and body) and the corresponding response for known attack patterns. Depending on the server configuration, the WAF runs with either NGINX or Apache.
Enable the Web Application Firewall
First, log in to the Plesk Control Panel and navigate to the menu item Tools & Settings → Web Application Firewall (ModSecurity). Here, change the setting to Detection Only or On to enable the WAF.
| Mode | Description |
|---|---|
| Off | Incoming HTTP requests and their corresponding responses are not checked. |
| Detection Only | Each incoming HTTP request and its corresponding response are compared against the rule set. If the request passes the check, it is forwarded to the website. If it fails the check, the event is logged but ModSecurity takes no further action; the request is still served. Other services, such as Fail2Ban, can still act on requests that failed the check based on the log entry. |
| On | Each incoming HTTP request and its corresponding response are compared against the rule set. If the request passes the check, it is forwarded to the website. If it fails the check, the event is logged and the request is blocked with an HTTP error response (403 Forbidden in the example below). |
Disabling the Web Application Firewall
First, log in to the Plesk Control Panel and navigate to the menu item Tools & Settings → Web Application Firewall (ModSecurity). Here, change the setting to Off to completely disable the WAF.
Disabling the Web Application Firewall removes the request filtering entirely and should only be done temporarily, for testing. If a single rule blocks legitimate traffic, disable that rule (see below) rather than the whole WAF.
Troubleshooting
ModSecurity Audit Log
The ModSecurity audit log is the most useful source of information when a request is blocked unexpectedly. As soon as ModSecurity detects an event, it writes an entry to the audit log containing the request, the response and the rule that matched.
Example log entry for a blocked request to https://www.creoline.de/.env:

```text
--c495fc5c-A--
[10/Sep/2021:13:31:33 +0000] YTteNQUBTQYAAFwXTCwAAABN XXX.XXX.XXXX.XXX 39132 5.1.77.6 7081
--c495fc5c-B--
GET /.env HTTP/1.0
Host: www.creoline.de
X-Real-IP: XXX.XXX.XXX.XXX
X-Accel-Internal: /internal-nginx-static-location
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept-Encoding: gzip, deflate
Accept: */*
--c495fc5c-F--
HTTP/1.1 403 Forbidden
Last-Modified: Sun, 05 Mar 2017 01:28:46 GMT
ETag: "3fc-549f1b33767e0"
Accept-Ranges: bytes
Content-Length: 1020
Connection: close
Content-Type: text/html
--c495fc5c-H--
Message: Access denied with code 403 (phase 1). Matched phrase "/.env" at REQUEST_URI. [file "/etc/apache2/modsecurity.d/rules/comodo_free/02_Global_Generic.conf"] [line "120"] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
Apache Error: [file "apache2_util.c"] [line 273] [level 3] [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 1). Matched phrase "/.env" at REQUEST_URI. [file "/etc/apache2/modsecurity.d/rules/comodo_free/02_Global_Generic.conf"] [line "120"] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"] [hostname "www.creoline.de"] [uri "/.env"] [unique_id "YTteNQUBTQYAAFwXTCwAAABN"]
Action: Intercepted (phase 1)
Stopwatch: 1631280693566204 805 (- - -)
Stopwatch2: 1631280693566204 805; combined=333, p1=255, p2=0, p3=0, p4=0, p5=78, sr=112, sw=0, l=0, gc=0
Producer: ModSecurity for Apache (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine Mode: "ENABLED"
--c495fc5c-Z--
```

Each entry in the audit log is delimited by `--<transaction id>-A--` and `--<transaction id>-Z--` (here `c495fc5c`) and consists of lettered parts. The parts shown in the example are:
- A: audit header (timestamp, unique transaction ID, client address and port, server address and port)
- B: request (request line and request headers)
- F: response (status line and response headers)
- H: rule information (the matched rule in the `Message:` line, the action taken, timing and the engine mode)
- Z: end of the entry
The rule information in the `Message:` line contains the following details:

[id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]

| Value | Description |
|---|---|
| id | Rule ID |
| rev | Revision of the rule, assigned by the rule set maintainer |
| severity | Severity of the rule violation |
| tag | Groups within the rule set that the rule belongs to (a rule can carry several tags) |
Location of the Logs
The Web Application Firewall audit log is stored in the /var/log/ directory as modsec_audit.log. Depending on the configured log rotation (logrotate), older entries are moved to compressed archives such as modsec_audit.log.1.gz.
Disable a Rule
Take the rule ID or tag from the `Message:` line of the audit log entry (in the example above, ID 210492 with the tags CWAF and Generic), then navigate to Tools & Settings → Web Application Firewall (ModSecurity) → Disable Security Rules. Here, you can disable individual rules by rule ID or disable all rules carrying a given tag. Disabling by ID is the narrower change and should be preferred; disabling by tag switches off a whole group of rules at once.
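When a site reports blocked requests, the practical question is which rule IDs are firing, how often, and on which requests. The following script is an added example (not part of the original page or of Plesk) that parses the ModSecurity audit log format shown above into its lettered parts, extracts the rule metadata from the `Message:` lines of part H, counts hits per rule ID, and prints the native ModSecurity directive (`SecRuleRemoveById`) that corresponds to disabling that rule. The sample log embedded in the script is constructed: the first entry is modelled on the /.env example above, the second is an invented Detection Only hit on rule 210580 used to show a non-intercepted entry. On a Plesk server you would run it against /var/log/modsec_audit.log and still enter the chosen IDs in the panel rather than editing configuration by hand.

```python
import re
import sys
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample (not a real capture): two audit log entries in the
# serial format shown above. The second entry is invented to illustrate a
# Detection Only hit that was logged but not blocked.
SAMPLE_AUDIT_LOG = """--c495fc5c-A--
[10/Sep/2021:13:31:33 +0000] YTteNQUBTQYAAFwXTCwAAABN 203.0.113.10 39132 5.1.77.6 7081
--c495fc5c-B--
GET /.env HTTP/1.0
Host: www.creoline.de
--c495fc5c-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html
--c495fc5c-H--
Message: Access denied with code 403 (phase 1). Matched phrase "/.env" at REQUEST_URI. [file "/etc/apache2/modsecurity.d/rules/comodo_free/02_Global_Generic.conf"] [line "120"] [id "210492"] [rev "3"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
Action: Intercepted (phase 1)
Engine Mode: "ENABLED"
--c495fc5c-Z--
--d1e2f3a4-A--
[10/Sep/2021:13:40:02 +0000] ZZZZZZZZZZZZZZZZZZZZZZZZ 198.51.100.7 51002 5.1.77.6 7081
--d1e2f3a4-B--
POST /account HTTP/1.0
Host: shop.example.test
--d1e2f3a4-F--
HTTP/1.1 200 OK
--d1e2f3a4-H--
Message: Warning. Pattern match "example" at ARGS:email. [id "210580"] [rev "2"] [severity "CRITICAL"] [tag "CWAF"] [tag "Generic"]
Engine Mode: "DETECTION_ONLY"
--d1e2f3a4-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")   # e.g. --c495fc5c-H--
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')     # e.g. [id "210492"]


@dataclass
class AuditEntry:
    transaction_id: str
    sections: dict = field(default_factory=dict)  # part letter -> list of lines

    @property
    def request_line(self):
        return self.sections.get("B", [""])[0]          # first line of part B

    @property
    def response_status(self):
        return self.sections.get("F", [""])[0]          # first line of part F

    @property
    def intercepted(self):
        # "Action: Intercepted" appears in part H only when the request was blocked.
        return any(l.startswith("Action: Intercepted") for l in self.sections.get("H", []))

    def messages(self):
        """Rule metadata from every 'Message:' line in part H."""
        out = []
        for line in self.sections.get("H", []):
            if not line.startswith("Message:"):
                continue
            meta, tags = {}, []
            for key, value in KV_RE.findall(line):
                (tags.append(value) if key == "tag" else meta.__setitem__(key, value))
            meta["tags"] = tags
            meta["denied"] = line.startswith("Message: Access denied")
            out.append(meta)
        return out


def parse_audit_log(text):
    """Split a serial-format audit log into AuditEntry objects keyed by part letter."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        m = BOUNDARY_RE.match(raw)
        if m:
            txid, letter = m.groups()
            if letter == "A":
                current = AuditEntry(txid)
                entries.append(current)
            if letter == "Z":
                current, section = None, None
            else:
                section = letter
            continue
        if current is not None and section is not None and raw:
            current.sections.setdefault(section, []).append(raw)
    return entries


def summarize_by_rule(entries):
    """Hits per rule ID plus (severity, request line, blocked?) of the first hit."""
    hits, examples = Counter(), {}
    for e in entries:
        for msg in e.messages():
            rid = msg.get("id")
            if rid is None:
                continue
            hits[rid] += 1
            examples.setdefault(rid, (msg.get("severity", ""), e.request_line, e.intercepted))
    return hits, examples


def exclusion_directives(rule_ids):
    """ModSecurity directives equivalent to disabling these rule IDs."""
    return [f"SecRuleRemoveById {rid}" for rid in sorted(rule_ids, key=int)]


if __name__ == "__main__":
    # Usage: python modsec_summary.py [/var/log/modsec_audit.log]; defaults to the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    hits, examples = summarize_by_rule(parse_audit_log(text))
    for rid, n in hits.most_common():
        sev, req, blocked = examples[rid]
        print(f"rule {rid}: {n} hit(s), severity {sev}, blocked={blocked}, e.g. {req}")
    print("\n".join(exclusion_directives(hits)))
```

Only rules whose example requests are clearly legitimate application traffic (the Shopware cases below are typical) should be disabled; a hit such as the /.env probe above is the WAF doing its job.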
Common False Positives
When using Shopware with the Web Application Firewall enabled, the following rules are known to block legitimate requests:

| Rule ID | Shopware Action | Request URI |
|---|---|---|
| 210580 | Save Customer Profile | POST /account |
| 210580 | Customer Login | GET /account/login |
| 210580 | Retrieve notifications from the Shopware API | GET /api/notification/message |
| 210580 | FriendsOfShopware/FroshTools Health Check | GET /api/_action/frosh-tools/health/status |
| 211180 | Shop Home Page | GET /myShop/index.php |
| 214540 | Google Tag Manager | |
| 214940 | Google Tag Manager | |
| 210710 | Shopware Image Upload | |