Have someone installed Discourse behind nginx/Apache with ModSecurity and CRS v3?
Is there any known list of rules to disable or modify for Discourse?
For now we have disabled ~11 rules and I think that is not the end.
Why would you use that?
Discourse is open source and with way more activity than ModSecurity, which sounds like something useful when put to front some black box web software.
I promise you this will end very badly for everyone involved. It is not a good idea.
So you are telling me that introducing WAF will only create new troubles and Discourse doesn’t contain any vulnerabilities?
Nobody can promise will full confidence that their software doesn’t contain vulnerabilities. We do however patch security issues promptly and responsibly when reported, and have a bug bounty program.
Having said that, ModSecurity is not the answer. You will have a very hard time if you choose to do this.
Thank you for the answers. We will consider removing ModSecurity.