Configuration steps
To use the web application firewall, configure the web application firewall and the web application firewall rules.
- Configure the Web Application Firewall
A separate ModSecurity configuration file is available for each Reverse Proxy instance. This file allows you to tune the ModSecurity engine for optimal performance, for example by setting the maximum amount of data that is parsed from a response body.
The configuration file itself contains comments that describe each configuration entry; full documentation for the configuration entries is available in the ModSecurity Reference Manual.
Refer to the Limitations section for configuration entries which are fixed and cannot be changed.
Note: By default, the ModSecurity engine is started in ‘DetectionOnly’ mode, which means that it logs any issues it encounters but does not take any action. To fully enable the ModSecurity engine, the ‘SecRuleEngine’ configuration entry must be set to ‘On’.
The instance-specific WAF configuration file is managed on the Reverse Proxy page; see Configuring Web Application Firewall for details.
- Configure the Web Application Firewall rules
The Web Application Firewall rules and setup file are shared by all Reverse Proxy instances on the appliance.
The OWASP ModSecurity Core Rule Set (CRS) is installed into the environment by default. The configuration file for the rule set, crs-setup.conf, is used to fine-tune the CRS processing. The file itself contains comments that describe each configuration entry.
For more instructions about managing rules files in Verify Identity Access, see Managing the Web Application Firewall rules.
Note: The ModSecurity engine rules files are loaded by the Reverse Proxy instances in alphabetical order.
- Configure the Reverse Proxy instances
By default, Reverse Proxy instances do not use the ModSecurity engine for rules processing. To enable Web Application Firewall rules processing, each Reverse Proxy instance must be configured with a list of request matching patterns. The Reverse Proxy uses these patterns to determine which requests are passed to the ModSecurity engine for processing.
See the stanza reference for [waf] for further details.
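The two settings above that most often go wrong in a change review are the engine mode (an instance left in ‘DetectionOnly’ logs but never blocks) and the rules load order (files are loaded alphabetically, so a mis-named file can run before the file it depends on). The following Python script is an added example, not part of this documentation or of the appliance; it parses a constructed ModSecurity configuration sample using standard ModSecurity directive names, reports the effective SecRuleEngine mode, flags a response-body setting that is enabled without its limit, and computes the alphabetical load order of a constructed list of rules file names. The sample values are illustrative only.

```python
import re
from typing import Dict, List

# Constructed sample of an instance-specific ModSecurity configuration file.
# It is not the appliance's shipped file; the directives are standard
# ModSecurity ones and the values are illustrative.
SAMPLE_MODSEC_CONF = """\
# -- Rule engine initialization ------------------------------------------
# DetectionOnly logs matches without blocking; set to On to enforce.
SecRuleEngine DetectionOnly

# -- Request body handling -----------------------------------------------
SecRequestBodyAccess On
SecRequestBodyLimit 13107200

# -- Response body handling ----------------------------------------------
SecResponseBodyAccess On
SecResponseBodyLimit 524288
"""

# Constructed directory listing of rules files, deliberately in the
# unsorted order a filesystem might return them.
SAMPLE_RULE_FILES = [
    "REQUEST-942-APPLICATION-ATTACK-SQLI.conf",
    "REQUEST-901-INITIALIZATION.conf",
    "RESPONSE-950-DATA-LEAKAGES.conf",
    "REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
]

_DIRECTIVE_RE = re.compile(r"^(Sec\w+)\s+(\S.*?)\s*$")


def parse_directives(conf_text: str) -> Dict[str, str]:
    """Map each Sec* directive to its effective value, skipping comments and blanks.

    A directive that appears more than once keeps its last value, which is
    how Apache-style configuration files behave.
    """
    directives: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _DIRECTIVE_RE.match(line)
        if match:
            directives[match.group(1)] = match.group(2)
    return directives


def engine_mode(conf_text: str) -> str:
    """Return the SecRuleEngine value; ModSecurity documents Off as the default when unset."""
    return parse_directives(conf_text).get("SecRuleEngine", "Off")


def is_enforcing(conf_text: str) -> bool:
    """True only when the engine will actually block, i.e. SecRuleEngine is On."""
    return engine_mode(conf_text).lower() == "on"


def load_order(filenames: List[str]) -> List[str]:
    """Rules files are loaded alphabetically, so the sorted list is the load order."""
    return sorted(filenames)


def review(conf_text: str, filenames: List[str]) -> List[str]:
    """Produce human-readable findings for a change review of a WAF configuration."""
    findings: List[str] = []
    directives = parse_directives(conf_text)
    mode = engine_mode(conf_text)
    if mode.lower() != "on":
        findings.append(
            f"SecRuleEngine is '{mode}': matches are logged but no request is blocked"
        )
    # A response body is only inspected up to SecResponseBodyLimit; enabling
    # access without a limit leaves the engine at its built-in default.
    if directives.get("SecResponseBodyAccess", "Off").lower() == "on" \
            and "SecResponseBodyLimit" not in directives:
        findings.append("SecResponseBodyAccess is On but SecResponseBodyLimit is not set")
    findings.append("rules load order: " + ", ".join(load_order(filenames)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_MODSEC_CONF, SAMPLE_RULE_FILES):
        print(finding)
```

Run against the embedded sample, the script reports that the instance is still in ‘DetectionOnly’ and prints the order in which the four rules files will be loaded. To use it against a real instance, export the instance's WAF configuration file and the rules directory listing from the appliance and pass their contents to review().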