I've seen the module named standalone in the package of ModSecurity, but I'm not sure how to use it after making and installing it. Are there any good resources for getting started?
2 Answers
It does not appear to be possible; based on what the ModSecurity website says for its modes of operation:
Reverse proxies are effectively HTTP routers, designed to stand between web servers and their clients. When you install a dedicated Apache reverse proxy and add ModSecurity to it, you get a "proper" network web application firewall, which you can use to protect any number of web servers on the same network. Many security practitioners prefer having a separate security layer. With it you get complete isolation from the systems you are protecting. On the performance front, a standalone ModSecurity will have resources dedicated to it, which means that you will be able to do more (i.e., have more complex rules). The main disadvantage of this approach is the new point of failure, which will need to be addressed with a high-availability setup of two or more reverse proxies.
They are considering it separate by creating a dedicated host that is used for proxying to internal hosts.
That works, but it's technically not standalone.
I also filed a bug, and it was confirmed by Felipe Zimmerle:
Standalone is a wrapper to Apache internals that allows ModSecurity to be executed. That wrapper still demands Apache pieces. It is true that you can extend your application using the Standalone version, although you will need some Apache pieces.
As you have noted ModSecurity is an add on to an existing web server - originally as an Apache module (hence the name) but now also available for Nginx and IIS.
You can run it in embedded mode (i.e. as part of your main web server) or run it in reverse proxy mode (which is basically the same but you set up a separate web server and run it on that, and then direct all traffic through that).
To be perfectly honest I've never found much point in the reverse proxy method. I guess it does mean you could use it on non-supported web servers (i.e. if you are not using Apache, Nginx or IIS), and it would reduce the load on your main web server, but other than that it seems like an extra step and infrastructure for no real gains. Some people might also prefer to do the ModSecurity checks in front of several web servers, but I would argue that if you have several web servers, then it is likely for performance and resiliency reasons, so why not spread the ModSecurity to this level too rather than creating a single point of failure which might be a bottleneck in front of it. The only other reason would be to apply session level rules (e.g. if people are changing session ids), which might ultimately be spread between different web servers, but I've never been convinced that those rules are that great anyway.
When I build ModSecurity I get a mod_security2.so library being built but no separate standalone file(s) so I presume you're just seeing this from hunting through the source (I do see a standalone)? I'd say just because there is a "standalone" folder in the source is not a guarantee that it can run as a completely separate, standalone piece.
I'd question why you want to run this as a standalone app even if you could? Web servers have a lot of functionality in them and depending on ModSecurity, which was written for web security, rather than web security and all the other things a web server does (e.g. be quick, understand HTTP protocol, gzip and ungzip...etc), needlessly stretches what ModSecurity would need to handle. So why not use a web server to take care of this and let ModSecurity do what it's good at?
If you are using ModSecurity then I guess you have web apps (presumably with a web server), so why not use it through that?
Finally is there any problem with installing this through Apache (or Nginx or IIS)? It's free software that's well supported and easy to set up.
I guess ultimately I don't understand the reason for your question. Is there a particular problem you are trying to solve, or is this more just curiosity?
- Well, that was part of why I was asking where you saw it could run in standalone mode? Was it just by examining the source? It is probably badly named, as I think they mean "standalone from Apache" since it was originally an Apache module. – Barry Pollard Nov 04 '15 at 18:17
- I only see it there under the "Installation for NGINX -> Manually Installing ModSecurity Module on NGINX" section, which to me would be pretty clear as to the intention of that. I don't see any reference to it elsewhere. Now granted it does say "standalone library... is a common base for IIS version, nginx version, and server-less command line version of ModSecurity", so I'm not sure if it can be built as a command line version, as I've not heard of that before. Is there a reason you want this, as per my original answer? Not trying to be difficult, just trying to help understand the issue and so how to answer it. – Barry Pollard Nov 04 '15 at 19:10
- Well, I honestly don't know what to tell you, if you feel the authors of this free and open source product are being disingenuous when you look at their source code. Personally I don't feel they are promoting this as a standalone application, and all their installation instructions refer to Apache, Nginx or IIS. However it is totally open source and you have the source code, so if you want to create a truly standalone version then you are free to do so, and Felipe directed you to an example of how to do this in his answer to you: https://github.com/SpiderLabs/ModSecurity/issues/952 – Barry Pollard Nov 04 '15 at 19:31