ModSecurity
Deploying ModSecurity WAF with Docker
Introduction
Web applications are constantly targeted by attacks such as SQL injection, cross-site scripting (XSS), and remote command execution. One effective way to protect your application is by deploying a Web Application Firewall (WAF).
In this guide, we will deploy ModSecurity with the OWASP Core Rule Set (CRS) using Docker to protect a website or API.
What is ModSecurity?
ModSecurity is an open-source Web Application Firewall that analyzes HTTP traffic and blocks malicious requests based on predefined security rules.
It helps detect and mitigate attacks such as:
- SQL Injection
- Cross-Site Scripting (XSS)
- Local File Inclusion
- Command Injection
- Known vulnerability exploits
The OWASP Core Rule Set (CRS) provides a maintained collection of rules designed to detect common web attacks.
Architecture
The WAF sits between the internet and your application.
Internet
│
ModSecurity (WAF)
│
Reverse Proxy / Application
│
Your Website
All requests are inspected by the firewall before reaching your application.
Prerequisites
Before starting, ensure you have:
- Docker installed
- Docker Compose installed
- A backend web service to protect
Step 1: Create a Project Directory
Create a directory for the WAF configuration.
mkdir modsecurity
cd modsecurity
Step 2: Create a Docker Compose File
Create a file called docker-compose.yml.
services:
  waf:
    image: owasp/modsecurity-crs:nginx
    container_name: modsecurity-waf
    ports:
      - "8080:80"
    environment:
      - PARANOIA=1
      - ANOMALY_INBOUND=5
      - ANOMALY_OUTBOUND=4
    volumes:
      - ./nginx.conf:/etc/nginx/templates/conf.d/default.conf.template
This container includes:
- Nginx
- ModSecurity
- OWASP Core Rule Set
Step 3: Configure Nginx Reverse Proxy
Create a file named nginx.conf.
server {
    listen 80;
    location / {
        proxy_pass http://backend:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Replace backend:80 with the address of your application server.
Step 4: Start the WAF
Start the container using Docker Compose.
docker compose up -d
The firewall will now listen on port 8080.
Step 5: Test the Firewall
You can test the protection with a simple SQL injection example.
http://yourdomain/?id=1' OR '1'='1
If ModSecurity is active, the request should be blocked with a 403 Forbidden response.
Step 6: Check Security Logs
To inspect detected attacks, check the container logs.
docker logs modsecurity-waf
You can also inspect the ModSecurity audit logs inside the container.
/var/log/modsec_audit.log
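Steps 5 and 6 can be combined into one repeatable check. The script below is an added example, not part of the original guide: it sends a benign request and the Step 5 probe to the WAF, then lists which rule IDs fired in the container logs. The file name waf-smoke.sh, the WAF_URL and CONTAINER variables and the function names are hypothetical, the sample log lines are constructed, and it assumes `docker logs` carries nginx error-log lines in ModSecurity's `[id "..."]` format.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Defaults match docker-compose.yml from Step 2; override through the environment.
WAF_URL="${WAF_URL:-http://localhost:8080}"
CONTAINER="${CONTAINER:-modsecurity-waf}"

# Print the HTTP status for GET $WAF_URL/?id=<value>; curl URL-encodes the value.
probe_status() {
    curl -s -o /dev/null -w '%{http_code}' -G --data-urlencode "id=$1" "$WAF_URL/"
}

# stdin: log lines. stdout: "<count> <rule id>" per rule, most frequent first.
rules_fired() {
    grep 'ModSecurity:' | grep -o '[[]id "[0-9][0-9]*"]' | tr -dc '0-9\n' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# stdin: log lines. stdout: number of requests ModSecurity denied.
denied_count() {
    grep -c 'ModSecurity: Access denied' || true
}

# Steps 5 and 6 in one pass: a benign request must not be blocked, the Step 5
# probe must get 403, and the rules that fired are listed from the container logs.
smoke_test() {
    benign=$(probe_status "1")
    attack=$(probe_status "1' OR '1'='1")
    echo "benign: HTTP $benign, SQLi probe: HTTP $attack"
    [ "$benign" != "403" ] || { echo "FAIL: benign request blocked" >&2; return 1; }
    [ "$attack" = "403" ] || { echo "FAIL: probe not blocked" >&2; return 1; }
    docker logs "$CONTAINER" 2>&1 | rules_fired
}

# Constructed, abbreviated sample of nginx error-log lines (assumed format).
SAMPLE_LOG=$(cat <<'EOF'
2024/01/01 10:00:00 [error] 9#9: *1 ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [severity "2"] [uri "/"]
2024/01/01 10:00:00 [error] 9#9: *1 ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/"]
2024/01/01 10:00:05 [error] 9#9: *2 ModSecurity: Warning. detected SQLi using libinjection. [id "942100"] [severity "2"] [uri "/"]
172.18.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=1 HTTP/1.1" 200 612
EOF
)

# Only touch the network and Docker when asked to: sh waf-smoke.sh run
if [ "${1:-}" = "run" ]; then smoke_test; fi
```

Run `sh waf-smoke.sh run` after Step 4. A benign request that returns 403 is a false positive to tune before the WAF fronts real traffic.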
Conclusion
Deploying ModSecurity with Docker is a fast and efficient way to add a Web Application Firewall to your infrastructure.
Combined with the OWASP Core Rule Set, it provides strong protection against many common web attacks.
In production environments, you can further improve security by combining a WAF with tools such as:
- IP reputation filtering
- Rate limiting
- Intrusion detection systems
A layered security approach significantly reduces the risk of successful attacks.
