Web Application Firewalls and Farcry

Just wondering who’s using what.

I use Fuseguard for some, but I’m just starting to dip my toe in with mod_security for apache using the OWASP rules. Primarily to knock a few things off even before it get the CF or Railo. This involves extending the rule set to cater for CF/Railo but mostly for Farcry’s webtop processes etc. It doesn’t appear to be a big task and at this stage my biggest issue has been not being able to whitelist furls, in particular those which produce long urls like pagination with extra details.

Does anyone thing there would be value in the availability of a definitive mod_security whitelist for FarCry?

1 Like

Hi Phil,

I don’t have any mod_security rules but I’d be interested in hearing what you come up with. If there’s something specific I can help with let me know :smile:

As for pagination, it could be anything with either a page query string variable or a /page/ token in the URL string, or it could be custom if you use your own paginationID in <skin:pagination>.

It’s also worth noting that sometimes requests in the webtop go via the front-end index.cfm controller (calls to arrays and library webskins mostly).


Unfortunately most examples of whitelist rules use the locationmatch tag in apache and I believe that will only see the physical page called. So all front end requests it will be index.cfm. The below works because of the physical nature of the files.

# Remove rule the interferes with the cache names
<LocationMatch /cache/*>
<IfModule mod_security2.c>
     SecRuleRemoveById 981231

But this won’t;

<LocationMatch /my-awesome-web-pages/*>
<IfModule mod_security2.c>
     SecRuleRemoveById 960015