coreruleset / plugin-registry

Registry for OWASP ModSecurity Core Rule Set plugins, official and 3rd party

Transfer GeoIP Plugin? #19

Open logopk opened 9 months ago

logopk commented 9 months ago

Hi @azurit,

do you plan to transfer the geoIP Plugin to the CRS plugin-registry?

Thanks

Peter

azurit commented 9 months ago

Hi @logopk, yes, of course I will try to do it (but it does not depend only on me).

RedXanadu commented 9 months ago

Hi @logopk,

Are you planning on using geo IP rules in your CRS setup? It would be good to understand your use case.

For what it's worth, there's a general feeling that geo IP logic does not belong in CRS, which is why it was removed. There are better places to handle geo IP-related logic (at the proxy level, at the web server, via a network firewall, at the edge, etc.)

It's a similar situation to anti-DoS rules: it is possible to implement via SecRules, but there are many better places to perform it, and the support varies between engines and engine versions (and the anti-DoS logic has also been removed from the core of CRS).

logopk commented 9 months ago

@RedXanadu Understood. I am using maxminddb in Apache. When I started I used rewrite rules but then I noticed the geoip plugin. I had the impression that all security rules should be handled in one piece of software. So CRS seemed to be a good place. Am I wrong? Regards Peter

dune73 commented 9 months ago

Hey @logopk, I think there are pros and cons here. CRS kicked the GeoIP stuff because it's no longer in line with the pattern based stuff we are doing. But your reasoning about the single place makes a lot of sense. Hence the plugin option.

@azurit: Moving the GeoIP stuff into our repo would be cool, I think. Where do you see the problems?

RedXanadu commented 9 months ago

There's the added complication that ModSec on Apache (assuming you're using v2, @logopk) does not handle the MaxMind database format. You would have to roll your own database files. Do-able (I maintained this for several years for customers who insisted on using MaxMind inside ModSec), but it's more steps and more complication.

The Apache MaxMind module is more flexible and more mature, if you want to keep everything in one place (Apache).

dune73 commented 9 months ago

Well, that ModSec2 shortcoming is not necessarily set in stone ...

logopk commented 9 months ago

I use modmaxmind with modsec2 and the database format is no problem.

dune73 commented 9 months ago

Well done.

I think the plugin should offer that option (or any other ENV variable) for full flexibility.

azurit commented 9 months ago

> I think the plugin should offer that option (or any other ENV variable) for full flexibility.

It is offering it.

dune73 commented 9 months ago

Ready for the migration of the plugin, then I guess. :)

fzipi commented 6 months ago

Can we close this one?

logopk commented 6 months ago

@fzipi I don't see it in the plugin registry yet!?

azurit commented 6 months ago

Let's keep this open until the plugin is included.