Web Application Firewall

Liferay Cloud 5.x.x

Liferay Cloud includes a web application firewall called ModSecurity. It inspects requests sent to the web server against a predefined set of custom rules. This step prevents typical web application real time L7 attacks, like XSS, SQL Injection, and other forms of hijacking attempts that might lead to loss of sensitive information.

Liferay Cloud includes additional network security features, including a private network, public load balancer (Layer 7), and CDN.

The Web Application Firewall protects against common attacks.

Note

Custom firewall rules are not available with shared cluster subscriptions.

Enabling ModSecurity

ModSecurity is disabled by default. To enable it, add the LCP_WEBSERVER_MODSECURITY environment variable to your project repository’s webserver/LCP.json file. Attack detection rules are only processed if ModSecurity is enabled. You must add your own rules.

These values are allowed for LCP_WEBSERVER_MODSECURITY:

On: enables ModSecurity. Attack detection rules are processed.
Off: disables ModSecurity. Rules are not processed.
DetectionOnly: enables ModSecurity. Rules are processed, but disruptive actions are not executed (block, deny, drop, allow, proxy, or redirect).

Tip

The LCP_WEBSERVER_MODSECURITY environment variable is equivalent to ModSecurity’s own SecRuleEngine directive.

To enable ModSecurity, set the value of LCP_WEBSERVER_MODSECURITY to On or DetectionOnly, then deploy the change.

Changing ModSecurity’s Configuration

The default ModSecurity settings are recommended. To override the default configuration, create a modsecurity.conf file in your project repository’s webserver/configs/[ENV]/modsec/ directory. You must provide all necessary configurations, because it completely overrides Liferay Cloud’s default modsecurity.conf.

Copy this example of recommended settings as a starting point for your own modsecurity.conf file. If you use this file, replace the line SecRuleEngine DetectionOnly with this line:

SecRuleEngine ${LCP_WEBSERVER_MODSECURITY}

See the ModSecurity Reference Manual for more information on the allowed settings.

Adding Attack Detection Rules

Attack detection rules are not provided by default. You must provide rules according to your specific needs.

OWASP ModSecurity Core Rule Set

The OWASP Foundation’s ModSecurity Core Rule Set (CRS) is recommended for use with Liferay Cloud.

To add the OWASP CRS to ModSecurity,

Download the OWASP CRS here.
Unzip the downloaded archive into a temporary folder.
Copy the rules/ folder from the download into the repository folder webserver/configs/[ENV]/modsec/rules/.
From the copied files, move crs-setup.conf.example to the webserver/configs/[ENV]/modsec/ folder.
Rename crs-setup.conf.example to crs-setup.conf.
Open the crs-setup.conf file and add this to the last line of the file:

include /etc/nginx/modsec/rules/*.conf

Commit the files to your repository and deploy the changes.

The rule set is interpreted once you enable ModSecurity.

Using ModSecurity Audit Logs

When enabled, ModSecurity automatically generates audit logs, recording detailed information for all transactions. To view the logged information, open the modsec_audit.log file in your web server’s /var/log directory.

If you configure ModSecurity by providing your own modsecurity.conf file, you can log the information in the web server’s console (where you can download it) instead of modsec_audit.log. Change this line in your modsecurity.conf file:

SecAuditLog /var/log/modsec_audit.log

Replace /var/log/modsec_audit.log with /dev/stdout to print audit logs for each transaction in the console. The audit logs appear once you deploy the change.

If desired, change the audit log format to JSON by adding one line to the modsecurity.conf file: