ModSecurity exceptions

szogoon · 7 أغسطس 2019، 1:33م

Have someone installed Discourse behind nginx/Apache with ModSecurity and CRS v3?
Is there any known list of rules to disable or modify for Discourse?
For now we have disabled ~11 rules and I think that is not the end.

Falco · 7 أغسطس 2019، 3:02م

Why would you use that?

Discourse is open source and with way more activity than ModSecurity, which sounds like something useful when put to front some black box web software.

codinghorror · 8 أغسطس 2019، 4:26ص

I promise you this will end very badly for everyone involved. It is not a good idea.

szogoon · 8 أغسطس 2019، 7:29ص

So you are telling me that introducing WAF will only create new troubles and Discourse doesn’t contain any vulnerabilities?

eviltrout · 8 أغسطس 2019، 6:25م

Nobody can promise will full confidence that their software doesn’t contain vulnerabilities. We do however patch security issues promptly and responsibly when reported, and have a bug bounty program.

Having said that, ModSecurity is not the answer. You will have a very hard time if you choose to do this.

szogoon · 8 أغسطس 2019، 8:22م

Thank you for the answers. We will consider removing ModSecurity.

الموضوع		الردود	مرات العرض
Discourse + Web Application Firewall (WAF) mod_security Hosting unsupported-install	8	3543	20 نوفمبر 2019
How to run Discourse in Apache vhost, not Nginx Installation unsupported-install	30	2362	14 أغسطس 2023
Akamai WAF configuration and false positive Support	2	80	31 مارس 2025
Cloudflare Security WAF (Web Application Firewall) + Discourse? Support	1	374	25 يونيو 2025
How secure is Discourse? Support	11	5669	15 مايو 2019

ModSecurity exceptions

الموضوعات ذات الصلة