Simple WAF setup

Hi guys,

I was looking for a simple WAF setup and reeeealllly hoping there is a WAF fly layer coming soon. If not, is there any plans for creating a built-in that has all the recommended configurations for OWASP Top10 and the like that would be suitable for both frontends and APIs?


We vaguely plan to ship some WAF-like features, but I don’t know when!

Right now the simplest thing to do is run nginx + modsecurity. You can launch this pretty fast by:

  1. flyctl init
  2. Choose “Docker Image”, enter owasp/modsecurity-crs:3.3-nginx
  3. Set port to 80 when prompted (not the default)
  4. Edit fly.toml and add env variables for PROXY="1" and UPSTREAM="your-app"

You’ll end up with a config like this:

image = "owasp/modsecurity-crs:3.3-nginx"


  internal_port = 80
  protocol = "tcp"

    hard_limit = 250
    soft_limit = 200

    handlers = ["http"]
    port = "80"

    handlers = ["tls", "http"]
    port = "443"

    interval = 10000
    timeout = 2000

I’m having problems executing this example. When I run fly deploy it exits with the following errors:
2021-01-20T18:38:48Z [info] Starting init (commit: 7cf0409)…
2021-01-20T18:38:48Z [info] Running: / nginx -g daemon off; as root
2021-01-20T18:38:48Z [info] 2021/01/20 18:38:48 [notice] 502#502: ModSecurity-nginx v1.0.1 (rules loaded inline/local/remote: 0/913/0)
2021-01-20T18:38:52Z [info] Health check status changed to ‘warning’
2021-01-20T18:38:57Z [info] Health check status changed to ‘critical’
2021-01-20T18:39:34Z [info] Shutting down virtual machine
2021-01-20T18:39:34Z [info] Program exited with code: 0
***v3 failed - Failed due to unhealthy allocations - no stable job version to auto revert to

Oh make sure it’s set to internal_port: 80 in fly.toml. It probably defaulted to 8080, which is wrong.

Yes! Thanks for the quick reply. May want to highlight that in the fly.toml example above ;->

1 Like



Came across this during my Cloudflare experiments. Was interested in knowing how this approach went.

Am I right in thinking that since there isn’t support for a Docker-compose style of running nginx and nodejs together, to make this work you would have two apps: this nginx-owasp one (which would provide the IP you would point your public domain at) based on the config above, and then separately still have the existing app?

And set the UPSTREAM as the existing app’s … IP? Or would that be https://[name]


Setting the upstream to <app> would work best, but you need to make sure it’s a variable for proxy_pass so nginx will resolve DNS more than once.

For what it’s worth, when we build docker-compose support in, it will launch multiple apps. So what you’re thinking is pretty close to “correct”.

Ok. Thanks @kurt