What is the recommended WAF to run in-front of Discourse? I recently succeeded in modifying the nginx config installed in the Discourse docker container to include ModSecurity and the OWASP (Open Web Application Security Project) CRS (Core Rule Set). https://www.modsecurity.org/crs/ So far my te…

A note about why WAFs are important: they provide broad protection against 0days not only from the web application, but also its entire stack of dependencies of the web app. It’s been pointed out to me that the Discourse team has a bug bounty program, which is great! HackerOne …but, of course, t…

This is a bad idea and it is not recommended. The benefit of this type of thing for a JavaScript app is extremely limited and it adds significant complexity to your hosting setup.

related: I just found this guide from @joelradon on how to install Discourse with the NAXSI WAF in nginx before the Discourse docker container: How to build a Discourse Installation with an Open Source WAF

It’s no more supportable than what you’re asking above. If it helps I can add an unsupported tag there too?

I think the desire for some magic device that auto mitigates issues is somewhat misguided in the Discourse setup. We have a bounty program, we patch issues in Discourse within hours of when they are reported. Sites run tests-passed by default which in today’s case contains commits from today. Sure …

I was successfully able to persist my nginx ModSecurity config changes across launcher rebuild app runs as follows: First, we update the local copy of install-nginx that came from the discourse_docker repo and is cloned to /var/discourse/. cd /var/discourse/image/base cp install-nginx install-ngin…

I do agree with you that ModSecurity or similar WAFs are not a golden bullet. But I know (at least?) one vulnerability that was found in RoR which affected Discourse that would have been mitigated by a ModSecurity-like mechanism. When we were patching this we saw in our logs that it had been used …

I liken WAFs to signature-based virus scanners which IMO are not very useful in environments with a limited attack surface (e.g. your non-Windows servers) They’re not going to catch everything but they will (in theory) catch common patterns of attacks (e.g. SQLI) and known exploits (e.g. the RoR vu…

Discourse + 网络应用防火墙（WAF）mod_security

支持安装

codinghorror (Jeff Atwood) 2019 年11 月 17 日 18:27 3

这是一个糟糕的想法，不建议采用。对于 JavaScript 应用而言，此类方案带来的好处极为有限，却会给您的托管环境带来显著的复杂性。

Xhr search requests return 406

话题		回复	浏览量
ModSecurity exceptions Support	7	688	2023 年2 月 17 日
How to run Discourse in Apache vhost, not Nginx Self-hosting unsupported-install	30	2439	2023 年8 月 14 日
How to build a Discourse Installation with an Open Source WAF Self-hosting unsupported-install	1	1873	2019 年10 月 5 日
Cloudflare Security WAF (Web Application Firewall) + Discourse? Support	1	470	2025 年6 月 25 日
Akamai WAF configuration and false positive Support	2	162	2025 年3 月 31 日

Discourse + 网络应用防火墙（WAF）mod_security

相关话题