ModSecurity exceptions

szogoon · 7 באוגוסט,‏ 2019,‏ 1:33pm

Have someone installed Discourse behind nginx/Apache with ModSecurity and CRS v3?
Is there any known list of rules to disable or modify for Discourse?
For now we have disabled ~11 rules and I think that is not the end.

Falco · 7 באוגוסט,‏ 2019,‏ 3:02pm

Why would you use that?

Discourse is open source and with way more activity than ModSecurity, which sounds like something useful when put to front some black box web software.

codinghorror · 8 באוגוסט,‏ 2019,‏ 4:26am

I promise you this will end very badly for everyone involved. It is not a good idea.

szogoon · 8 באוגוסט,‏ 2019,‏ 7:29am

So you are telling me that introducing WAF will only create new troubles and Discourse doesn’t contain any vulnerabilities?

eviltrout · 8 באוגוסט,‏ 2019,‏ 6:25pm

Nobody can promise will full confidence that their software doesn’t contain vulnerabilities. We do however patch security issues promptly and responsibly when reported, and have a bug bounty program.

Having said that, ModSecurity is not the answer. You will have a very hard time if you choose to do this.

szogoon · 8 באוגוסט,‏ 2019,‏ 8:22pm

Thank you for the answers. We will consider removing ModSecurity.

נושא		תגובות	צפיות
Discourse + Web Application Firewall (WAF) mod_security Hosting unsupported-install	8	3530	20 בנובמבר,‏ 2019
How to run Discourse in Apache vhost, not Nginx Installation unsupported-install	30	2358	14 באוגוסט,‏ 2023
Akamai WAF configuration and false positive Support	2	72	31 במרץ,‏ 2025
Cloudflare Security WAF (Web Application Firewall) + Discourse? Support	1	354	25 ביוני,‏ 2025
How secure is Discourse? Support	11	5632	15 במאי,‏ 2019

ModSecurity exceptions

נושאים קשורים