Whitelisting and Managing WAF Rules in cPFence

To manage the OpenLiteSpeed (OLS)/LiteSpeed (LS) Web Application Firewall (WAF) through cPFence, it’s important to know how to manage them through the CLI or by manual configuration.

CLI Options for Managing WAF Rules

The cPFence CLI currently supports several options for managing WAF rules:

 

  • Globally Disable a WAF rule by ID

cpfence --disable-waf-rule RULE-ID

This command disables a specific OLS/LS WAF rule by its ID. The rule will be disabled for all sites on the server, meaning it’s a total disable across the board.

 

  • Globally Re-enable a disabled WAF rule by ID
cpfence --enable-waf-rule RULE-ID

This command re-enables a rule that was previously disabled (server-wide).

 

  • Disable OLS/LS WAF entirely for a specific domain
cpfence --disable-waf-domain example.com

This command disables OLS/LS WAF entirely for a specific domain.

 

  • Re-enable OLS/LS WAF for a previously disabled domain
cpfence --enable-waf-domain example.com

This command re-enables OLS/LS WAF for a previously disabled domain.

 

  • Disable one or more specific WAF rules for a domain
cpfence --disable-waf-domain-byid example.com 7001,7002,7003
or 
cpfence --disable-waf-domain-byid example.com 7001

This command disables one or more specific WAF rules for a domain by providing a list of rule IDs or one ID.

 

  • Re-enable one or more WAF rules for a specific domain
cpfence --enable-waf-domain-byid example.com

This command re-enables one or more WAF rules for a specific domain that were previously disabled using RuleRemoveById.

 

These features provide greater flexibility in managing WAF rules on a per-domain basis, allowing users to disable or re-enable specific rules or the entire WAF as needed.

 

Important Note :

LiteSpeed is known to occasionally not regenerate the full virtual host, which can cause changes to not apply correctly. To force the changes to be applied for the website you're trying to whitelist, you can trigger a rebuild of the control panel’s virtual host by toggling the "Force HTTPS" setting on and off in the Security tab of the Enhance control panel for the website.

 

Manual Whitelisting

Whitelist Configuration File

All your WAF whitelist rules should be added to the following file:

/opt/cpfence/user-config/cpfwaf/whitelist_ols.conf

This file is where you define exceptions and rules for WAF behavior, which apply to all sites on the server.

 

Warning: Do Not Remove The following Critical Default Configuration Entry!!

In the whitelist configuration file, make sure that the following line is not removed as it is essential for cPFence functionality

Include /opt/cpfence/app/cpfwaf/Whitelist_Rules.conf

 

After making any changes to the whitelist configuration file, you must run the following commands to apply the changes:

/opt/cpfence/app/cpfcron

You can perform whitelisting manually by editing the whitelist file (whitelist_ols.conf). When doing this, remember to add each rule entry on a new line. After modifying the file, be sure to run the /opt/cpfence/app/cpfcron command to apply the changes.

 

Here are some examples:

  • Disable a rule manually for all sites:

SecRuleRemoveById Numeric_rule_id
  • Whitelist a specific URL:
SecRule REQUEST_URI "@contains /wp-admin/page.php" "id:6003,phase:1,pass,nolog,ctl:RuleRemoveById=200007,225170,200002,210230"
  • Whitelist for a specific domain:
SecRule REQUEST_HEADERS:Host "@streq example.com" "id:6002,phase:1,pass,nolog,ctl:RuleRemoveById=200007,225170,200002,210230"
  • Completely disable WAF for a domain:
SecRule REQUEST_HEADERS:Host "@streq example.com" "id:6001,phase:1,pass,nolog,ctl:ruleEngine=Off"

 

Important Notes :

  1. You can disable or whitelist a single rule ID or multiple rule IDs in each entry. For example, to remove a single rule, use ctl:RuleRemoveById=200007. You can also list multiple rule IDs, separated by commas, like this: ctl:RuleRemoveById=200007,225170,210230.
  2. Each whitelisting rule must have a unique ID. The ID should be unique and should not be reused for other rules. Please note that IDs in the range 1000–1999 are reserved for cPFence internal use, so use IDs outside of this range, such as 6001, 6002, etc., for your custom rules.

 

 

  • whitelist rule
  • 0 Utenti hanno trovato utile questa risposta
Hai trovato utile questa risposta?

Articoli Correlati

How to Enable / Disable WAF Rule by ID ?

This guide provides instructions for enabling and disabling specific WAF rules in cPFence for...

How to Enable / Disable WAF?

This guide provides simple instructions for enabling and disabling the Web Application Firewall...

How to Block or Whitelist Certain User Agents ?

This guide will help you block or whitelist specific user agents in cPFence. You can manage these...

How to Identify Problematic WAF Rule IDs in cPFence?

When your website encounters a WAF-related error (typically a 403 Forbidden error), you may need...

How to Use the cPFence WAF Testing Tool ?

To manually test the WAF (Web Application Firewall) on your WordPress site, you can trigger...