
Improve 'Hardening and security guidance' section to include ModSecurity #2273

Open
eibex opened this issue Jul 27, 2020 · 6 comments

Comments

@eibex
Contributor

eibex commented Jul 27, 2020

ModSecurity is a widely known Apache2 module that acts as a web application firewall.

Providing official guidance on how to set up modsec to work properly with Nextcloud would further enhance Nextcloud's efforts and commitments to security.

The only thorough article I could find to set up Nextcloud with ModSecurity was posted three years ago by nextcloud/nextcloudpi's maintainer nachoparker here. However, the article is based on ModSecurity v2, while v3 has been released for a while now.

@skjnldsv
Member

Hey! I'm not familiar with this mod, could you maybe open a PR for this? :)
That would be awesome for other users and myself!

@eibex
Contributor Author

eibex commented Jul 27, 2020

I haven't used ModSecurity extensively, sadly. In September I could look more into it though.

If someone who is already experienced with v3 has the time and will to do it in the coming weeks, that would be great though.

@jospoortvliet
Member

Maybe @nachoparker has an update ;-)

@MorrisJobke
Member

I only remember that we had ModSecurity rules available in the far past, but there were quite some issues with outdated rules IIRC. Unfortunately I also couldn't find any traces of this. Maybe @LukasReschke knows more :)

@LukasReschke
Member

So we did have ModSecurity rules that relied on whitelisting only for controllers and the parameters. (Including typechecking)

That isn't maintained anymore though. And I'd advise against the default rules as you can expect unexpected breakage :-)

(if people want to run this, I'd advise them to first run it in logging mode to understand what works and what doesn't)

@kesselb
Contributor

kesselb commented Aug 21, 2020

Make sure to set a proper request body limit: https://sabre.io/dav/large-files/
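
The two operational points raised in this thread, running ModSecurity in logging mode before letting it block anything and setting a request body limit large enough for WebDAV uploads, as one added configuration example (not from the thread, from Nextcloud or from the ModSecurity project). It assumes Apache with the mod_security2 module; the audit log path and the byte limits are assumed values to be tuned per deployment.

```apache
# Added example: a minimal ModSecurity stanza for an Apache vhost serving
# Nextcloud. Log path and limits are assumptions, not project defaults.
<IfModule security2_module>
    # Start in detection-only mode: rules are evaluated and logged, but no
    # request is blocked. Switch to "On" only after the audit log has been
    # reviewed against real Nextcloud traffic (sync clients, WebDAV, apps).
    SecRuleEngine DetectionOnly

    # Inspect request bodies; WebDAV PUTs and most application parameters
    # travel there, so without this the rules see very little.
    SecRequestBodyAccess On

    # Body size limits. The ModSecurity default request body limit
    # (12.5 MB) is far below a typical Nextcloud upload and truncates or
    # rejects large PUTs. 1 GiB is an assumed value; align it with
    # upload_max_filesize / post_max_size in PHP and the client chunk size
    # (see https://sabre.io/dav/large-files/).
    SecRequestBodyLimit 1073741824
    # Separate, smaller limit for bodies that carry no file upload
    # (form posts, JSON, XML); 1 MiB is an assumed value.
    SecRequestBodyNoFilesLimit 1048576

    # Log only requests that matched a rule or returned an error status.
    # This file is what to review before leaving detection-only mode.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log
</IfModule>
```

Part H of each audit entry names the rule id that fired, which is the value needed to write a targeted exclusion instead of disabling the engine for the whole vhost.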
