Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: conditionally enable plugins for multi-app environments #130

Merged
merged 5 commits into from
Jun 9, 2024
Merged

feat: conditionally enable plugins for multi-app environments #130

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
941b882
feat: conditionally enable plugins for multi-app environments
EsadCetiner Jun 5, 2024
0d797b2
Apply suggestions from code review
EsadCetiner Jun 9, 2024
ef57f0c
Apply suggestions from code review
EsadCetiner Jun 9, 2024
9bc0449
fix: clarify term virualhost
EsadCetiner Jun 9, 2024
59d9622
Apply suggestions from code review
EsadCetiner Jun 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 40 additions & 0 deletions content/concepts/plugins.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,46 @@ Disabling a plugin is simple. Either remove the plugin files in the plugins fold

Alternatively, it is also valid to disable a plugin by renaming a plugin file from `plugin-before.conf` to `plugin-before.conf.disabled`.

## Conditionally enable plugins for multi-application environments

If CRS is installed on a reverse-proxy or a web server with multiple web applications, then you may wish to only enable certain plugins (such as rule exclusion plugins) for certain virtual hosts (`VirtualHost` for Apache httpd, `Server` context for Nginx). This ensures that rules designed for a specific web application are only enabled for the intended web application, reducing the scope of any possible bypasses within a plugin.

Most plugins provide an example to disable the plugin in the file `plugin-config.conf`, you can define the `WebAppID` variable for each virtual host and then disable the plugin when the `WebAppID` variable doesn't match.

See: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secwebappid

Below is an example for enabling only the WordPress plugin for WordPress virtual hosts:

```
SecRule &TX:wordpress-rule-exclusions-plugin_enabled "@eq 0" \
"id:9507010,\
phase:1,\
pass,\
nolog,\
ver:'wordpress-rule-exclusions-plugin/1.0.0',\
chain"
SecRule WebAppID "!@streq wordpress" \
"t:none,\
setvar:'tx.wordpress-rule-exclusions-plugin_enabled=0'"
```

⚠️ Warning: As of 05/06/2024, Coraza doesn't support the use of WebAppID, you can use the`Host` header instead of the `WebAppID` variable:

```
SecRule &TX:wordpress-rule-exclusions-plugin_enabled "@eq 0" \
"id:9507010,\
phase:1,\
pass,\
nolog,\
ver:'wordpress-rule-exclusions-plugin/1.0.0',\
chain"
SecRule REQUEST_HEADERS:Host "!@streq wordpress.example.com" \
"t:none,\
setvar:'tx.wordpress-rule-exclusions-plugin_enabled=0'"
```

See: https://coraza.io/docs/seclang/variables/#webappid

## What Plugins are Available?

All official plugins are listed on GitHub in the CRS plugin registry repository: https://github.com/coreruleset/plugin-registry.
Expand Down