Firewalls

Using Web Application Firewalls

Overview

Every application managed by Cloud 66 has a Web Application Firewall (WAF) automatically configured. The WAF runs on Nginx (which acts as a reverse proxy for all Cloud 66 applications) and is powered by ModSecurity.

Your application's WAF is a separate component from the traditional (iptables-based) firewall that we install on each server we provision. The WAF allows you to set up a richer and more customisable set of access rules for your application's components than would be possible with iptables alone.

Nginx may need to be updated

Older applications will need to apply an application update to install the latest version of NGINX and the components that enable WAF.

If the only rule you need to apply is to force all traffic to your servers to flow through your load balancer(s), you can find that rule under Traffic Filters.

Configuring your Web Application Firewall

Your application's WAF relies on rules being added to its ModSecurity config file in order to manage traffic flows. We have provided two ways to add rules:

  1. Manually, via the ModSecurity CustomConfig file
  2. Automatically using OWASP rules (see below)

You can add rules via either or both of these methods, though you should take care to ensure that the rules meet your application's traffic requirements.

Enabling and disabling your WAF

You can enable or disable your WAF via your Cloud 66 Dashboard:

Test your changes carefully

Given the nature of firewalls, we strongly recommend you test any changes wherever possible, and that you check any configurations carefully before applying them. Incorrect or faulty rules can make your application inaccessible to your customers.

Adding rules manually to ModSecurity

If you would like to apply custom rules to your WAF, you can do so by editing the ModSecurity CustomConfig file for that application. To do this:

  1. Open your application via your Dashboard
  2. Click through to one of your web or application servers
  3. Click the ↧ More button (top right of the panel) and select NGINX Custom Config.
  4. Click on NGINX - ModSecurity in the top tab
  5. Edit the config as needed and then click the green Preview button
  6. Review the resulting (parsed) configuration template and, if it's correct, add a commit message and click Commit to Server.

This will immediately apply the new rule to your Nginx server, so we recommend testing the change in a non-production environment beforehand.
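The following is an added example of the kind of custom rules you might place in the ModSecurity CustomConfig file; it is not part of the Cloud 66 documentation or default configuration. It assumes the directives are valid in the context where Cloud 66 includes the file, and the admin path, IP range and rule ids are placeholders you would replace with your own values.

```apacheconf
# Roll out in detection-only mode first: matches are logged but not blocked,
# so you can confirm the rules do not catch legitimate traffic before enforcing.
# Switch to "SecRuleEngine On" once the audit log looks clean.
SecRuleEngine DetectionOnly

# Log only requests that triggered a rule or returned an error status.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Rule ids 1-99,999 are reserved by ModSecurity for local (site-specific) rules.

# Only allow the admin area to be reached from an allow-listed range.
# The chained rule means the deny fires only when BOTH conditions match:
# the path starts with /admin AND the client is outside 203.0.113.0/24
# (a constructed, documentation-only address range).
SecRule REQUEST_URI "@beginsWith /admin" \
    "id:10001,phase:1,deny,status:403,log,\
    msg:'Admin path requested from non-allow-listed address',chain"
    SecRule REMOTE_ADDR "!@ipMatch 203.0.113.0/24"

# Reject HTTP methods the application does not use.
SecRule REQUEST_METHOD "!@within GET HEAD POST OPTIONS" \
    "id:10002,phase:1,deny,status:405,log,\
    msg:'Unexpected HTTP method'"
```

Check the ModSecurity audit log after deploying in DetectionOnly mode; a rule that matches normal user traffic should be corrected before you change the engine to enforcing mode.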

Using OWASP rules with your WAF

The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. The foundation provides a set of recommended rules for use with ModSecurity. You can apply these to your application's WAF via your Cloud 66 Dashboard:

The OWASP rules will now be applied to your Nginx server, which will be reloaded as a result.

Applying "relevant configurations"

If the rule set you added has "relevant configuration sections", you should now review and update the OWASP CustomConfig file accordingly.

This config file is automatically included (nested) in the main ModSecurity config file for your application, so you should treat it with the same level of caution. To edit your OWASP config file:

  1. Open your application via your Dashboard
  2. Click on ⚙️ Settings in the left-hand nav
  3. Click on Configuration Files in the sub-nav that opens
  4. Click on NGINX - OWASP in the tabs
  5. Edit the config as needed and then click the green Preview button
  6. Review the resulting (parsed) configuration template and, if it's correct, add a commit message and click Commit to Server.

This will immediately apply the new rule to your Nginx server, so we recommend testing the change in a non-production environment beforehand.
