Web Application Firewall (WAF)
Provides robust web protection based on ModSecurity and OWASP CRS.
Overview
Nginx Proxy Guard integrates the industry-standard ModSecurity v3 engine with the OWASP Core Rule Set (CRS) v4.26.0 to protect your applications from a wide range of web attacks such as SQL injection, XSS, path traversal, and command injection.
Key Features
ModSecurity v3.0.15
- Latest version of the open-source WAF engine
- High performance and stability
- Seamless integration with Nginx
OWASP CRS v4.26.0
- Applies the latest Core Rule Set
- Defends against OWASP Top 10 vulnerabilities
- Regular rule updates
Operating Modes
| Mode | Description | When to Use |
|---|---|---|
| Detection | Only logs attacks | Initial setup, false-positive analysis |
| Blocking | Blocks attacks immediately upon detection | Production environments |
The mode can be configured independently per host, so we recommend starting new services in detection mode and switching to blocking mode once they have stabilized.
Paranoia Level (1-4)
You can adjust the security strength across four levels.
| Level | Description | False-Positive Likelihood |
|---|---|---|
| PL1 | Basic protection | Low |
| PL2 | Enhanced protection | Medium |
| PL3 | Strengthened protection | High |
| PL4 | Maximum protection | Very High |
In general, we recommend starting at PL1 or PL2 and adjusting to fit your environment.
WAF Rule Management
Per-Host Exceptions
You can disable individual rules that cause false positives on specific hosts.
- Disable by rule ID
- Change history tracking
- Immediate application (no Nginx restart required)
Global Exceptions
Configure rule exceptions that apply commonly to all hosts.
- Disable/enable global rules
- Manage the global exception list
- View policy change history
Policy Version Management
Every change to a WAF policy is recorded in the history.
- Per-host policy change history
- Global policy change history
- Track the change time, the user who made it, and the change details
WAF Test Interface
Provides an interface for testing WAF rules before applying them to production.
Features
- Single pattern test: Verify whether a specific attack pattern is detected
- Full pattern test: Run a batch test against all test patterns
- Result analysis: Identify which rules were triggered
Test Pattern Examples
| Attack Type | Test Pattern Example |
|---|---|
| SQL Injection | ' OR '1'='1 |
| XSS | <script>alert('xss')</script> |
| Path Traversal | ../../../etc/passwd |
| Command Injection | ; cat /etc/passwd |
Automatic IP Blocking
Provides an automatic blocking feature based on WAF events.
Configuration Options
| Option | Description | Default |
|---|---|---|
| Threshold | Number of events that trigger a block | 10 |
| Time Window | Event aggregation period (seconds) | 300 |
| Block Duration | How long the IP block is maintained (seconds) | 3600 |
How It Works
- The WAF detects an attack pattern
- Events are aggregated within the configured time window
- When the threshold is exceeded, the IP is automatically blocked
- The block is automatically lifted once the block duration expires
WAF Log Analysis
Log Information
- Detected rule ID and description
- Attack type classification
- Request details (URI, method, headers)
- Client IP and GeoIP information
Filtering Options
- Filter by host
- Filter by rule ID
- Specify a time range
- Classify by attack type
Best Practices
Initial Setup
- Start in detection mode: First monitor traffic in detection mode
- Analyze false positives: Identify patterns where legitimate traffic is blocked
- Add rule exceptions: Make exceptions only for the necessary rules
- Switch to blocking mode: Switch to blocking mode once stabilized
Adjusting the Paranoia Level
- Start at PL1 and raise it gradually according to your security requirements
- PL3 and above carry a high likelihood of false positives, so thorough testing is required
- Adjust to fit your specific application requirements
Managing Rule Exceptions
- Minimize global exceptions
- Use per-host exceptions for fine-grained management
- Document and record the reason when adding an exception
- Review the exception list regularly
Defendable Attack Types
| Category | Attack Type |
|---|---|
| Injection | SQL Injection, NoSQL Injection, LDAP Injection, XPath Injection |
| XSS | Reflected XSS, Stored XSS, DOM-based XSS |
| Path Traversal | Directory Traversal, Local File Inclusion, Remote File Inclusion |
| Command Injection | OS Command Injection, Shell Injection |
| Protocol Attacks | HTTP Request Smuggling, HTTP Response Splitting |
| Data Leakage | Credit Card Number Detection, SSN Detection |
| Scanner Detection | Detection of security scanners and vulnerability scanners |