ModSecurity for Control Panel Server

WebInfra

What's the consensus when it comes to the ModSecurity OWASP ruleset for the Control Panel server?

Anybody faced any issues or incompatibilities between the ruleset and the panel?

Adam

There is no benefit to running this rule set on the control panel domain.

It's also likely to interfere with phpMyAdmin and webmail without some modification. In future we may develop a more curated rule set for these service domains.

WebInfra

Adam Got it, that's what I am concerned about as well especially with a generic ruleset like OWASP.

On the other hand it does feel concerning to leave the service domains exposed without any WAF protection (Cloudflare is not viable due to the low upload limit imposed by them).

xyzulu

WebInfra (Cloudflare is not viable due to the low upload limit imposed by them).
How much traffic are you pushing to your control panel server that Cloudflare would limit you?

WebInfra

xyzulu It's not about traffic. Cloudflare doesn't allow uploads beyond 100 MB which is a problem for the File Manager and also for cPanel/Plesk Importers.

xyzulu

WebInfra noted.. that makes sense. You could always use Cloudflare proxied and disable if/when you need to do a large upload?

WebInfra

xyzulu That wouldn't work when customers want to upload larger files or import their own cPanel/Plesk backups. 🙂

JohnB

If enhance changed the file upload to use chunking it wouldn't be an issue. Maybe make a feature request.