ModSecurity exceptions

szogoon · August 7, 2019, 1:33pm

Have someone installed Discourse behind nginx/Apache with ModSecurity and CRS v3?
Is there any known list of rules to disable or modify for Discourse?
For now we have disabled ~11 rules and I think that is not the end.

Falco · August 7, 2019, 3:02pm

Why would you use that?

Discourse is open source and with way more activity than ModSecurity, which sounds like something useful when put to front some black box web software.

codinghorror · August 8, 2019, 4:26am

I promise you this will end very badly for everyone involved. It is not a good idea.

szogoon · August 8, 2019, 7:29am

So you are telling me that introducing WAF will only create new troubles and Discourse doesn’t contain any vulnerabilities?

eviltrout · August 8, 2019, 6:25pm

Nobody can promise will full confidence that their software doesn’t contain vulnerabilities. We do however patch security issues promptly and responsibly when reported, and have a bug bounty program.

Having said that, ModSecurity is not the answer. You will have a very hard time if you choose to do this.

szogoon · August 8, 2019, 8:22pm

Thank you for the answers. We will consider removing ModSecurity.

Topic		Replies	Views
Discourse + Web Application Firewall (WAF) mod_security hosting unsupported-install	8	3237	November 20, 2019
How to run Discourse in Apache vhost, not Nginx installation unsupported-install	30	2102	August 14, 2023
Show Discourse version on the /about page feature	10	2889	October 28, 2017
Apache w/ SSL + Discourse: Next steps? installation	12	1462	August 1, 2020
A "safe mode" to easily disable all third party plugins feature rfc	7	6400	November 26, 2016

ModSecurity exceptions

Related Topics