ModSecurity VS lua-resty-waf

First of all, if you have any experience with Traefik, I'd suggest you to do the reverse proxy stuff with it and install the Crowdsec instance along it. As I didn't have experience using Traefik I went with NPM but now I guess it would have been easier considering the research I had to do... Another reason is, I wanted to implement a geo block and/or another security layer by using ModSecurity (https://github.com/SpiderLabs/ModSecurity ) besides Crowdsec too. Afaik Traefik has a plugin that integrates ModSecurity easily - unless NPM.

I don't know about Blackboard, but Moodle will allow quizzes to be run in popups that block most extensions from working; lockdown browsers will block such extensions; and, if you have access to the server, a modified firewall (e.g., ModSecurity) may\* allow blocking this and similar extensions.

> ModSecurity for WAF: https://github.com/SpiderLabs/ModSecurity

This might be of interest to some: https://www.modsecurity.org/

> Trustwave is announcing the End-of-Life (EOL) of our support for ModSecurity effective July 1, 2024. We will then hand over the maintenance of ModSecurity code back to the open-source community.

Probably not too big of a deal, though.

Also, this might be useful: https://owasp.org/www-project-modsecurity-core-rule-set/

Though there has been some critique of ModSecurity and that ruleset in the past, as something dated and with false positives.

Anyone have any good alternatives?

Is there a reason no one hasn't made a Docker template for OWASP Coraza (https://github.com/corazawaf/coraza) or ModSecurity (https://github.com/SpiderLabs/ModSecurity) for the use of a reverse proxy?

Since Nginx has different use cases, protecting your application depends on how and where you use it. It's recommended that you have a reliable WAF solution since they block most harmful requests in the first place. In this article, you'll compare three tools—ModSecurity, F5 Nginx App Protect, and open-appsec—based on their active development, advanced security features, and open source commitment to help you figure out which tool is right for you.

I'm currently erring toward ModSecurity & the Nginx connector now that it's been de-Apache'd.

Is anyone on HN doing WordPress administration? I recently 'inherited' a webshop built on WP/WooCommerce, and all the conflicting security advice in the WP space is making my head spin.

There are a dozen competing 'security' plugins, with some saying 'you don't need any of them, WP is secure enough by default', and others saying 'you actually need ModSecurity [1] / Jeff Starr's nG firewall [2]'.

The agency that (shoddily...) built the webshop installed Wordfence Free [3], so I've just kept that for now, though I feel it's kind of slow (but that might just be caused by the bottom-of-barrel performance of the shared webhost it's currently running on).

[1] https://github.com/SpiderLabs/ModSecurity

[2] https://perishablepress.com/7g-firewall/

[3] https://www.wordfence.com/

By Web Firewall did you mean smth like this ?

I just learned about about https://github.com/p0pr0ck5/lua-resty-waf while looking into the topic how to secure my reverse proxy server, besides that I only read that this is pretty much NGINX security enhanced with some extra plugins and performance tweaks, other than that don't know nothing about it.