mirror of
https://github.com/fabriziosalmi/patterns.git
synced 2026-06-11 15:04:15 -04:00
5c654b3da8
- VitePress: custom theme (SF system fonts, glass nav, soft surfaces, pill buttons, light/dark code blocks, refined feature cards, platform showcase + stat strip). - Replace every emoji across docs and README with inline SVG icons. - Verify and fix doc accuracy against actual scripts: JSON schema (category+pattern only), env-var configuration for json2*/import_* scripts, owasp2json CLI surface. - Add public assets (logo.svg, favicon.svg, hero-shield.svg) and Shiki haproxy alias. - Workflows default to self-hosted runner-02 with a configurable fallback to GitHub runners via the RUNS_ON repo variable. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
3.7 KiB
3.7 KiB
Apache Integration
This guide explains how to deploy the generated rules in Apache HTTPD using the ModSecurity engine.
Prerequisites
- Apache HTTPD 2.4+
- The ModSecurity module installed and enabled
::: code-group
sudo apt install libapache2-mod-security2
sudo a2enmod security2
sudo dnf install mod_security
sudo apk add mod_security
:::
Quick start
- Download
apache_waf.zipfrom the latest release. - Extract under your Apache config tree (e.g.
/etc/apache2/waf_patterns/apache/). - Include the
.conffiles from the relevant virtual host or globally.
Files in the archive
The Apache output is split by attack family, each containing standard ModSecurity SecRule directives.
| File | Protection |
|---|---|
sqli.conf |
SQL injection |
xss.conf |
Cross-site scripting |
rce.conf |
Remote code execution |
lfi.conf |
Local file inclusion |
rfi.conf |
Remote file inclusion |
php.conf, java.conf, iis.conf, shells.conf |
Stack-specific exploits |
attack.conf, generic.conf, correlation.conf, evaluation.conf |
Generic anomaly detection |
bots.conf |
Bad-bot User-Agent rules |
Step 1 — Enable the engine
In /etc/apache2/mods-enabled/security2.conf (or equivalent):
<IfModule security2_module>
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogParts ABCDEFHZ
</IfModule>
::: tip Run in detection mode first
Set SecRuleEngine DetectionOnly for the first deployment. Watch the audit log, tune false positives, then flip to On.
:::
Step 2 — Include the rules
Either include all files in one go:
<VirtualHost *:443>
ServerName example.com
Include /etc/apache2/waf_patterns/apache/*.conf
# …other directives
</VirtualHost>
…or pick the categories you want:
Include /etc/apache2/waf_patterns/apache/sqli.conf
Include /etc/apache2/waf_patterns/apache/xss.conf
Include /etc/apache2/waf_patterns/apache/rce.conf
Include /etc/apache2/waf_patterns/apache/bots.conf
Step 3 — Validate and restart
sudo apachectl configtest && sudo systemctl restart apache2
Rule format
Generated rules follow the standard ModSecurity DSL:
SecRule REQUEST_URI "@rx union.*select" \
"id:100001,\
phase:2,\
deny,\
status:403,\
log,\
msg:'SQL Injection Attempt',\
severity:CRITICAL"
Customization
Detection-only mode
Switch a noisy rule from blocking to logging without removing it:
SecRuleUpdateActionById 100001 "pass,log,msg:'SQLi candidate (audit only)'"
Whitelist a path
SecRule REQUEST_URI "@beginsWith /api/webhook" \
"id:1,phase:1,nolog,allow"
Disable a single rule
SecRuleRemoveById 100001
Logs
ModSecurity logs land in:
/var/log/apache2/modsec_audit.log— full audit trail/var/log/apache2/error.log— rule matches and engine messages
Testing
curl -I "https://example.com/?id=1' UNION SELECT * FROM users--"
sudo tail -f /var/log/apache2/error.log
Troubleshooting
- Module not loading — confirm with
apachectl -M | grep security2. Re-enable withsudo a2enmod security2. - No rules triggering — double-check
SecRuleEngine Onand that the include path resolves;apachectl -Slists the parsed config. - Performance regressions — identify hot rules in the audit log and disable or scope them with
SecRuleRemoveById/SecRule … chain.