What is the recommended WAF to run in-front of Discourse? I recently succeeded in modifying the nginx config installed in the Discourse docker container to include ModSecurity and the OWASP (Open Web Application Security Project) CRS (Core Rule Set). https://www.modsecurity.org/crs/ So far my te…

A note about why WAFs are important: they provide broad protection against 0days not only from the web application, but also its entire stack of dependencies of the web app. It’s been pointed out to me that the Discourse team has a bug bounty program, which is great! HackerOne …but, of course, t…

This is a bad idea and it is not recommended. The benefit of this type of thing for a JavaScript app is extremely limited and it adds significant complexity to your hosting setup.

related: I just found this guide from @joelradon on how to install Discourse with the NAXSI WAF in nginx before the Discourse docker container: How to build a Discourse Installation with an Open Source WAF

It’s no more supportable than what you’re asking above. If it helps I can add an unsupported tag there too?

I think the desire for some magic device that auto mitigates issues is somewhat misguided in the Discourse setup. We have a bounty program, we patch issues in Discourse within hours of when they are reported. Sites run tests-passed by default which in today’s case contains commits from today. Sure …

I was successfully able to persist my nginx ModSecurity config changes across launcher rebuild app runs as follows: First, we update the local copy of install-nginx that came from the discourse_docker repo and is cloned to /var/discourse/. cd /var/discourse/image/base cp install-nginx install-ngin…

I do agree with you that ModSecurity or similar WAFs are not a golden bullet. But I know (at least?) one vulnerability that was found in RoR which affected Discourse that would have been mitigated by a ModSecurity-like mechanism. When we were patching this we saw in our logs that it had been used …

I liken WAFs to signature-based virus scanners which IMO are not very useful in environments with a limited attack surface (e.g. your non-Windows servers) They’re not going to catch everything but they will (in theory) catch common patterns of attacks (e.g. SQLI) and known exploits (e.g. the RoR vu…

Discourse + Web Application Firewall (WAF) mod_security

サポートインストール

codinghorror (Jeff Atwood) 2019 年 11 月 17 日午後 6:27 3

これは悪いアイデアであり、推奨されません。JavaScript アプリにとってこのようなことの利点は極めて限定的であり、ホスティング設定に大きな複雑さを加えます。

Xhr search requests return 406

トピック		返信	表示
ModSecurity exceptions Support	7	692	2023 年 2 月 17 日
How to run Discourse in Apache vhost, not Nginx Self-hosting unsupported-install	30	2464	2023 年 8 月 14 日
How to build a Discourse Installation with an Open Source WAF Self-hosting unsupported-install	1	1876	2019 年 10 月 5 日
Cloudflare Security WAF (Web Application Firewall) + Discourse? Support	1	480	2025 年 6 月 25 日
Akamai WAF configuration and false positive Support	2	166	2025 年 3 月 31 日

Discourse + Web Application Firewall (WAF) mod_security

関連トピック