nodebb, nginx, and modsecurity?
-
I'm curious to know if any nodebb gurus are serving up nodebb via nginx https enabled reverse proxy and using modsecurity?
-
You can set up nginx to terminate the SSL connection, but I personally have not tried using modsecurity.
NodeBB comes with a preset helmet config, which usually helps close off the service. It's not a WAF, per se, but is part of a coordinated setup to secure your web service.
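A minimal nginx vhost for the setup the thread asks about (TLS terminated at nginx, ModSecurity in front, requests proxied to NodeBB), added here as an example and not taken from the thread or the NodeBB project. It assumes the ModSecurity-nginx connector module is installed, NodeBB is listening on its default 127.0.0.1:4567, and /etc/nginx/modsec/main.conf pulls in modsecurity.conf plus the CRS files; hostname and certificate paths are placeholders.

```nginx
# Added example (not from the thread): nginx terminating TLS for NodeBB with
# the ModSecurity-nginx connector enabled. Assumptions: the connector module
# is built and loadable, NodeBB listens on 127.0.0.1:4567 (its default), and
# /etc/nginx/modsec/main.conf includes modsecurity.conf and the CRS rules.
# forum.example.com and the certificate paths are placeholders.

load_module modules/ngx_http_modsecurity_module.so;

events {}

http {
    # Send plain HTTP to HTTPS so every request reaches the inspected vhost.
    server {
        listen 80;
        server_name forum.example.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name forum.example.com;

        ssl_certificate     /etc/ssl/certs/forum.example.com.crt;   # placeholder
        ssl_certificate_key /etc/ssl/private/forum.example.com.key; # placeholder
        ssl_protocols TLSv1.2 TLSv1.3;

        # ModSecurity inspects every request on this vhost. Start with
        # "SecRuleEngine DetectionOnly" in main.conf, review the audit log
        # for false positives against normal forum traffic, then switch
        # to "SecRuleEngine On".
        modsecurity on;
        modsecurity_rules_file /etc/nginx/modsec/main.conf;

        location / {
            proxy_pass http://127.0.0.1:4567;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # NodeBB uses socket.io, so the WebSocket upgrade must pass through.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
```

NodeBB's own config.json must also carry the public https:// URL so generated links and socket.io connections match what nginx serves.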
-
@gotwf said in nodebb, nginx, and modsecurity?:
I'm curious to know if any nodebb gurus are serving up nodebb via nginx https enabled reverse proxy and using modsecurity?
Yes, except for modsecurity.
-
Maybe not a lot of interest in this due to complexity of deploying/configuring ModSecurity, combined w/absence of nodebb stack specific rulesets. Security is difficult so not much can be done about the deploy/config aspects but ModSecurity devs are starting to focus some efforts on the latter.
For those interested, and willing to roll up their sleeves, development of node.js targeted attack ruleset is slated for next release of OWASP CRS, scheduled for Sept. 2019. More info here:
some node.js unserialization + javascript RCE snippets by lifeforms · Pull Request #1487 · SpiderLabs/owasp-modsecurity-crs
Libraries performing insecure unserialization: node-serialize: _$$ND_FUNC$$_ (CVE-2017-5941) funcster: __js_function See: https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserializatio...
P.S.: Obviously ModSecurity can be deployed on Apache setups as well, but my sense is that Nginx is the overwhelming favorite w/ the nodebb community and I didn't want to start a new thread.