Webserver Port #9

Closed
opened 2020-08-27 05:46:24 -05:00 by DarkFeather · 2 comments
Owner

We need to drop lighttpd for OpenResty for HTTP/2 streaming proxy support. This means all vhosts on lighttpd and the security hardening need to come with.

Author
Owner

We should include ModSecurity as a Web Application Firewall, to serve in a similar capacity to sshguard.

https://aur.archlinux.org/packages/modsecurity/

This will result in a 3-layer firewalling model for our three externally-facing ports.

  1. Router firewall
  2. Host firewall
  3. Application firewall (sshguard, ModSecurity, IRC z-line)

This need for WAF puts a kink into #12 -- using HA Proxy in this way would break the header and WAF controls we're using today.

DarkFeather added the RFC label 2020-11-05 15:33:56 -06:00
DarkFeather added this to the Kanban project 2022-08-04 00:40:39 -05:00
DarkFeather added the On-hold label 2022-08-04 00:46:51 -05:00
DarkFeather added Peer-review and removed On-hold, RFC labels 2023-11-09 13:11:09 -06:00
Author
Owner

!27 implements the WAF portion. Because OpenResty isn't keeping up with core Nginx development, it throws an error like the below:

```
nginx: [emerg] module "/usr/lib/nginx/modules/ngx_http_modsecurity_module.so" version 1024000 instead of 1021004 in /opt/openresty/nginx/conf/nginx.conf:4
```

I'd rather not pull a fork of the [libmodsecurity](https://archlinux.org/packages/extra/x86_64/libmodsecurity/) package & connector just for OpenResty. As such, we're moving to mainline nginx.

This can close -- when !27 closes, the work will have been delivered.
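The two numbers in the error quoted in the comment above are nginx's integer-encoded versions (major*1000000 + minor*1000 + patch): the first is the release the module was built against, the second is the binary loading it. The following decoder is an added example, not part of the original comment or the project's code; the function names are hypothetical.

```python
import re

# Shape of the [emerg] line nginx prints when a dynamic module was compiled
# against a different nginx release than the binary that is loading it.
MISMATCH = re.compile(
    r'module "(?P<path>[^"]+)" version (?P<module>\d+) instead of (?P<binary>\d+)'
)

# Error line copied from the issue comment above.
PAGE_ERROR_LINE = (
    'nginx: [emerg] module "/usr/lib/nginx/modules/ngx_http_modsecurity_module.so" '
    'version 1024000 instead of 1021004 in /opt/openresty/nginx/conf/nginx.conf:4'
)


def decode_nginx_version(number):
    """Split nginx's integer version into a (major, minor, patch) tuple."""
    major, rest = divmod(int(number), 1_000_000)
    minor, patch = divmod(rest, 1_000)
    return (major, minor, patch)


def explain_mismatch(line):
    """Return details of a module/binary version mismatch, or None if the
    line is not that error."""
    match = MISMATCH.search(line)
    if match is None:
        return None
    built = decode_nginx_version(match["module"])
    running = decode_nginx_version(match["binary"])
    return {
        "module_path": match["path"],
        "module_built_for": ".".join(map(str, built)),
        "binary_version": ".".join(map(str, running)),
        # True when the packaged module targets a newer nginx than the
        # binary in use, as with a distro module loaded by an older fork.
        "module_newer": built > running,
    }


if __name__ == "__main__":
    info = explain_mismatch(PAGE_ERROR_LINE)
    print(f'{info["module_path"]}: built for nginx {info["module_built_for"]}, '
          f'loaded by nginx {info["binary_version"]}')
```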
