http://coldfusion.com logo
#cfml-general
Title
# cfml-general
l

luongj

04/29/2022, 4:14 PM
@nickg You should consider implementing something higher up so it doesn't even hit your app server -- either modesecurity at your webserver level, a reverse proxy behind your load balancer, or something external like CloudFlare outside your perimeter. I've actually worked on a lot of this stuff lately.
n

nickg

04/29/2022, 5:01 PM
@luongj I would be interested in Cloudflare. Do you know if they have a free tier? How is the pricing.
@luongj re: modsecurity, that looks like a unix tool. we're using IIS at the moment - do you know if there is a similar tool in IIS?
l

luongj

04/29/2022, 5:05 PM
RE: CloudFlare, haven't worked with them, but they are very popular and have a free tier, but you probably want to go to at least the Pro Tier to get the WAF. I'm not sure if the "Free Managed Ruleset" will get you there. https://www.cloudflare.com/plans/#overview
I haven't worked with IIS in forever, but it looks like there is a module there for you, too. https://wiki.atomicorp.com/wiki/index.php/Modsecurity_iis
n

nickg

04/29/2022, 5:07 PM
@luongj Thank you. Are these issues that you are actively managing / mitigating? If so, how? If not, again, I really appreciate the info.
l

luongj

04/29/2022, 5:10 PM
@nickg For some context, I work on an ecommerce platform on Google Cloud. We historically used Akamai (which is basically the same place as where CloudFlare sits), but now use a combination of Google Cloud security services (pretty weak), Apache+modsecurity, and a reverse-proxy based on nginx called Wallarm. I recently evaluated some others. If you don't want to air out specifics of your context, you can DM me.
n

nickg

04/29/2022, 5:17 PM
@luongj Thanks! That's very helpful.