Legacy Knowledge Base
Published Jun. 30, 2025

How to Enable ModSecurity and Check if It's Working (Liferay PaaS)

Written By

Madhusudan Sharma

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.
Note: Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM).

Issue

  • How to enable ModSecurity in Liferay PaaS and test whether it is working.

Environment

  • Liferay DXP 7.4

Resolution

  • Follow the steps below to enable ModSecurity with the OWASP rules. (Note that attack detection rules are not provided by default; you must supply rules according to your specific needs.)
    1. Enable ModSecurity in your environment by adding the LCP_WEBSERVER_MODSECURITY environment variable to the project repository's webserver/LCP.json file, with its value set to 'On'.
    2. Add the OWASP Foundation's ModSecurity Core Rule Set (CRS) as follows:
    • Download the rules collection from here.
    • Unzip the files to a temporary folder.
    • Move the rules folder to /webserver/configs/[ENV]/modsec/ in the project repository.
    • Move the crs-setup.conf.example file to /webserver/configs/[ENV]/modsec/ in the project repository and rename it to crs-setup.conf.
    • Edit crs-setup.conf and add the line include /etc/nginx/modsec/rules/*.conf (without quotes) as the last line of the file.
    3. Finally, commit the changes to the repository and deploy them.
  • To test the OWASP Foundation's ModSecurity Core Rule Set (CRS), and thereby check that ModSecurity is working, you may use a third-party scanning tool, Nikto Web Scanner (GitHub - sullo/nikto: Nikto web server scanner), from a Linux-based local machine with the command docker run --rm alpine/nikto -h https://webserver-myapp-prd.liferay.cloud/ (replace https://webserver-myapp-prd.liferay.cloud with your URL).
  • While the above command runs, the webserver logs messages like the following to the console (a single nginx error-log line, wrapped here for readability):
ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with 
parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )
[file "/etc/nginx/modsec/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"]
[id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"]
[data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"]
[tag "application-multi"] [tag "language-multi"] [tag "platform-multi"]
[tag "attack-generic"] [hostname "10.192.2.190"] [uri "/KKPeaADb.axd"]
[unique_id "1653418308"] [ref ""], client: 200.138.53.22, server: , request:
"GET /KKPeaADb.axd HTTP/1.1", host: "webserver-myapp-prd.liferay.cloud"

The message above shows that the CRS matched and blocked a request (rule id 949110, "Inbound Anomaly Score Exceeded", answered with a 403), so the CRS is working and hence ModSecurity is working.
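Reading such entries by eye does not scale once a scan produces dozens of them. The shell script below, added here as an example and not part of the original article, pulls the response code, rule id, client address, request URI and rule message out of every ModSecurity denial in an nginx error log and counts them, so you can confirm blocking from the logs rather than from a single line. The log lines it reads are constructed samples modelled on the entry above; the function names modsec_denials and modsec_denial_count are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: summarises ModSecurity
# denials found in an nginx error log. Function names and sample data are mine.
set -eu

# modsec_denials <error-log>
# Prints one tab-separated line per request ModSecurity blocked:
# response code, rule id, client address, request URI, rule message.
modsec_denials() {
  grep 'ModSecurity: Access denied' "$1" | while IFS= read -r line; do
    code=$(printf '%s\n' "$line" | sed -En 's/.*Access denied with code ([0-9]+).*/\1/p')
    id=$(printf '%s\n' "$line" | sed -En 's/.*\[id "([^"]*)"\].*/\1/p')
    client=$(printf '%s\n' "$line" | sed -En 's/.*client: ([0-9A-Fa-f.:]+),.*/\1/p')
    uri=$(printf '%s\n' "$line" | sed -En 's/.*\[uri "([^"]*)"\].*/\1/p')
    msg=$(printf '%s\n' "$line" | sed -En 's/.*\[msg "([^"]*)"\].*/\1/p')
    printf '%s\t%s\t%s\t%s\t%s\n' "$code" "$id" "$client" "$uri" "$msg"
  done
}

# modsec_denial_count <error-log>
# Number of blocked requests in the log (warnings and non-ModSecurity lines are ignored).
modsec_denial_count() {
  modsec_denials "$1" | wc -l | tr -d ' '
}

# Constructed sample log: two CRS denials modelled on the article's entry plus
# an ordinary nginx error line that must not be counted.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
2025/06/30 10:15:01 [error] 25#25: *41 ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/modsec/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.192.2.190"] [uri "/KKPeaADb.axd"] [unique_id "1653418308"] [ref ""], client: 200.138.53.22, server: , request: "GET /KKPeaADb.axd HTTP/1.1", host: "webserver-myapp-prd.liferay.cloud"
2025/06/30 10:15:02 [error] 25#25: *42 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 200.138.53.22, server: , request: "GET /favicon.ico HTTP/1.1", host: "webserver-myapp-prd.liferay.cloud"
2025/06/30 10:15:03 [error] 25#25: *43 ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `8' ) [file "/etc/nginx/modsec/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 8)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.3.2"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "10.192.2.190"] [uri "/test.axd"] [unique_id "1653418309"] [ref ""], client: 198.51.100.7, server: , request: "GET /test.axd HTTP/1.1", host: "webserver-myapp-prd.liferay.cloud"
EOF

# Demo run over the constructed sample.
printf 'blocked requests: %s\n' "$(modsec_denial_count "$SAMPLE_LOG")"
modsec_denials "$SAMPLE_LOG"
```

Point the functions at a saved copy of the webserver console log after a scan: a count of zero means nothing was blocked, which is the signal to re-check the LCP.json variable and the rules directory before trusting the deployment.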

Additional Information

  • The default ModSecurity settings are recommended. If you want to override them, create a modsecurity.conf file in your project repository's webserver/configs/[ENV]/modsec/ directory.

    You must then provide all necessary configuration yourself, because this file completely overrides Liferay Cloud's default modsecurity.conf.
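Because everything under webserver/configs/[ENV]/modsec/ is shipped by committing it, mistakes in placing the CRS files surface only after a deploy. As an added example (not Liferay's tooling and not part of the original article), the shell script below automates the Resolution steps for that directory: it checks that webserver/LCP.json sets LCP_WEBSERVER_MODSECURITY to "On", copies an already-unzipped CRS download into webserver/configs/[ENV]/modsec/, seeds crs-setup.conf from crs-setup.conf.example only when no crs-setup.conf exists yet (so your edits survive a CRS update), and appends the include line exactly once. The function names, the mock repository it builds in a temporary directory, and the assumption that LCP.json keeps the variable in an "env" object are mine.

```shell
#!/bin/sh
# Added example, not Liferay's own tooling: automates the CRS placement steps
# from this article. Function names and the mock layout are assumptions.
set -eu

INCLUDE_LINE='include /etc/nginx/modsec/rules/*.conf'

# lcp_modsec_enabled <repo-root>
# Succeeds when webserver/LCP.json sets LCP_WEBSERVER_MODSECURITY to "On"
# (step 1 of the article); assumes the variable lives in the JSON "env" object.
lcp_modsec_enabled() {
  grep -Eq '"LCP_WEBSERVER_MODSECURITY"[[:space:]]*:[[:space:]]*"On"' "$1/webserver/LCP.json"
}

# install_crs <unzipped-crs-dir> <repo-root> <env-name>
# Copies rules/ into webserver/configs/<env>/modsec/, seeds crs-setup.conf from
# crs-setup.conf.example only if it does not exist yet, and appends the include
# line exactly once. Prints the modsec directory it wrote to.
install_crs() {
  src="$1"; repo="$2"; envname="$3"
  dest="$repo/webserver/configs/$envname/modsec"
  mkdir -p "$dest"
  rm -rf "$dest/rules"
  cp -R "$src/rules" "$dest/rules"
  if [ ! -f "$dest/crs-setup.conf" ]; then
    cp "$src/crs-setup.conf.example" "$dest/crs-setup.conf"
  fi
  # The example file may lack a trailing newline; add one so the include really
  # becomes its own last line instead of being glued onto the previous directive.
  if [ -s "$dest/crs-setup.conf" ] && [ "$(tail -c 1 "$dest/crs-setup.conf" | wc -l | tr -d ' ')" -eq 0 ]; then
    printf '\n' >> "$dest/crs-setup.conf"
  fi
  if ! grep -qxF "$INCLUDE_LINE" "$dest/crs-setup.conf"; then
    printf '%s\n' "$INCLUDE_LINE" >> "$dest/crs-setup.conf"
  fi
  printf '%s\n' "$dest"
}

# make_fixture <dir>
# Builds a constructed stand-in for an unzipped CRS download and a minimal
# project repository so the example runs offline (sample data, not real CRS).
make_fixture() {
  mkdir -p "$1/crs/rules" "$1/repo/webserver"
  printf '# sample rule file standing in for the CRS rules\n' > "$1/crs/rules/REQUEST-901-INITIALIZATION.conf"
  # Deliberately written without a trailing newline to exercise the guard above.
  printf '# crs-setup.conf.example (sample)\nSecDefaultAction "phase:1,log,auditlog,pass"' > "$1/crs/crs-setup.conf.example"
  printf '{\n  "kind": "Deployment",\n  "id": "webserver",\n  "env": {\n    "LCP_WEBSERVER_MODSECURITY": "On"\n  }\n}\n' > "$1/repo/webserver/LCP.json"
}

# Demo run against the constructed fixture; the second call must not add a
# second include line.
work="$(mktemp -d)"
make_fixture "$work"
modsec_dir="$(install_crs "$work/crs" "$work/repo" prd)"
install_crs "$work/crs" "$work/repo" prd > /dev/null
if lcp_modsec_enabled "$work/repo"; then echo "LCP_WEBSERVER_MODSECURITY is On"; fi
echo "crs-setup.conf now ends with:"; tail -n 2 "$modsec_dir/crs-setup.conf"
rm -rf "$work"
```

To use it on a real checkout, run install_crs with the folder you unzipped the CRS into, the root of your project repository and the environment name, then review the resulting diff before committing; lcp_modsec_enabled is a cheap pre-commit check that step 1 was not forgotten.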
