AppSec WAF
The AppSec engine works as a WAF, analyzing traffic and blocking malicious activity based on a predefined rule set of known attack vectors.
- Installing the ruleset
cscli collections install crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/appsec-crs
- Setting up the data source
mkdir -p /etc/crowdsec/acquis.d/
nano -w /etc/crowdsec/acquis.d/appsec.yaml
appsec_configs:
  - crowdsecurity/appsec-default
  - crowdsecurity/crs
labels:
  type: appsec
listen_addr: 127.0.0.1:7422
source: appsec
- Restarting the service
systemctl restart crowdsec
- Installing the remediation component for our web server
apt install lua5.1 libnginx-mod-http-lua luarocks gettext-base lua-cjson
apt install crowdsec-nginx-bouncer
- Generating a Cloudflare Turnstile captcha
- Modifying the bouncer config (more on this here)
nano -w /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf
ENABLED=true
API_URL=http://127.0.0.1:8080
# Authentication options, either using an API key or TLS client certificate.
API_KEY=*************
USE_TLS_AUTH=false
TLS_CLIENT_CERT=/path/to/client.crt
TLS_CLIENT_KEY=/path/to/client.key
CACHE_EXPIRATION=1
# bounce for all type of remediation that the bouncer can receive from the local API
BOUNCING_ON_TYPE=all
FALLBACK_REMEDIATION=ban
REQUEST_TIMEOUT=3000
UPDATE_FREQUENCY=10
# By default internal requests are ignored, such as any path affected by rewrite rule.
# set ENABLE_INTERNAL=true to allow checking on these internal requests.
ENABLE_INTERNAL=false
# live or stream
MODE=stream
# exclude the bouncing on those location
EXCLUDE_LOCATION=
#those apply for "ban" action
# /!\ REDIRECT_LOCATION and RET_CODE can't be used together. REDIRECT_LOCATION take priority over RET_CODE
BAN_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/ban.html
REDIRECT_LOCATION=
RET_CODE=
#those apply for "captcha" action
#valid providers are recaptcha, hcaptcha, turnstile
CAPTCHA_PROVIDER=turnstile
# Captcha Secret Key
SECRET_KEY=*************
# Captcha Site key
SITE_KEY=*************
CAPTCHA_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/captcha.html
CAPTCHA_EXPIRATION=3600
APPSEC_URL=http://127.0.0.1:7422
APPSEC_FAILURE_ACTION=passthrough
APPSEC_CONNECT_TIMEOUT=100
APPSEC_SEND_TIMEOUT=100
APPSEC_PROCESS_TIMEOUT=1000
ALWAYS_SEND_TO_APPSEC=false
SSL_VERIFY=true
- Setting up a resolver and trusted CA certs
nano -w /etc/nginx/conf.d/crowdsec_nginx.conf
resolver 1.1.1.1 ipv6=off;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
- Testing
cscli decisions add -i 127.0.0.1 -t captcha
- Restarting nginx
systemctl restart nginx
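A small lint for the two files edited in the steps above, as an added example that is not part of the original page or of CrowdSec. It checks that the bouncer's APPSEC_URL matches the data source's listen_addr, flags empty keys and keys whose value starts with a stray `=`, and reports APPSEC_FAILURE_ACTION=passthrough, which lets requests through when the AppSec component fails. The function names and the sample files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not CrowdSec code): lint the bouncer config against the AppSec data source.

# conf_get FILE KEY: value of the last uncommented KEY=... line (empty if absent)
conf_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# audit_bouncer_conf BOUNCER_CONF APPSEC_YAML
# Prints one finding per line; the exit status is the number of findings.
audit_bouncer_conf() {
  local conf="$1" acquis="$2" findings=0 key val listen
  warn() { printf '%s\n' "$1"; findings=$((findings + 1)); }

  # KEY==value leaves a stray '=' at the start of the value: flag it as a likely typo.
  for key in API_KEY SECRET_KEY SITE_KEY; do
    val=$(conf_get "$conf" "$key")
    case "$val" in
      '') warn "$key is empty" ;;
      =*) warn "$key starts with '=' (doubled '=' in the assignment?)" ;;
    esac
  done

  # APPSEC_URL must point at the listen_addr of the AppSec data source.
  listen=$(sed -n 's/^[[:space:]]*listen_addr:[[:space:]]*//p' "$acquis" | tail -n 1)
  val=$(conf_get "$conf" APPSEC_URL)
  [ "${val#*://}" = "$listen" ] || warn "APPSEC_URL ($val) != listen_addr ($listen)"

  # passthrough lets requests through when the AppSec component fails (fail open).
  [ "$(conf_get "$conf" APPSEC_FAILURE_ACTION)" != passthrough ] ||
    warn "APPSEC_FAILURE_ACTION=passthrough fails open"
  [ "$(conf_get "$conf" SSL_VERIFY)" = true ] || warn "SSL_VERIFY is not true"
  return "$findings"
}

# write_sample DIR: constructed sample files (placeholder keys, not real ones)
write_sample() {
  printf '%s\n' 'API_KEY=constructed-api-key' 'SECRET_KEY==constructed-secret' \
    'SITE_KEY=constructed-site-key' 'APPSEC_URL=http://127.0.0.1:7423' \
    'APPSEC_FAILURE_ACTION=passthrough' 'SSL_VERIFY=true' > "$1/bouncer.conf"
  printf '%s\n' 'appsec_configs:' '  - crowdsecurity/appsec-default' \
    'listen_addr: 127.0.0.1:7422' 'source: appsec' > "$1/appsec.yaml"
}

# Run against the constructed sample; on a real host pass the two paths from the steps above.
tmp=$(mktemp -d) && write_sample "$tmp"
audit_bouncer_conf "$tmp/bouncer.conf" "$tmp/appsec.yaml" || echo "findings: $?"
```

On a live install the arguments would be /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf and /etc/crowdsec/acquis.d/appsec.yaml.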