Select local web sevice->Port and optionally SSL or not. If you use SSL, make sure your cert & keys are right.

Hi Scott - gave this a shot but did not get the desired result.

Enabled WAF for local web service on Port 8080

embedded * * * * 80
embedded * * * * 443
local proxy - / - - 8080

Started Nginx & it was serving the content, however ASL reported the Local IP as the Offender.

Attacker: 197.221.19.226

--7239dd5d-A--
[16/May/2012:22:46:31 +0200] T7QSJ8XdE@IAAHHjK6AAAAAE 197.221.19.226 38839 197.221.19.226 8080

--7239dd5d-B--
GET /?-s HTTP/1.0
Host: www.2large.co.za
X-Real-IP: 115.241.246.86
X-Forwarded-For: 115.241.246.86
Connection: close
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (MSIE 6.0; Windows NT 5.1)
Accept-Language: en-us
Accept: */*

Thats right, outside of plesk there is no system to configure the downstream daemon to know about logging. You'll need to sort that out with whatever daemon(s) you use independently.

So can you clarify, are you saying that if you connect to your system, through the T-WAF, from an external IP 1.2.3.4 and run a test attack thru T-WAF that the T-WAF is not reporting 1.2.3.4 as the attackers IP but rather the local systems IP?

Or is nginx reporting the local systems IP as the source of the attack?

Yes That is correct.

Would it be possible to get access to your system to see how its configured? If so, please follow the process at the URL below and send an email to support AT atomicorp DOT com:

https://www.atomicorp.com/wiki/index.ph ... _system.3F

Sure thing, please see your email.

So I logged in, and it looks like you uninstalled everything so I'm still not clear on what you did, you may have proxied to apache itself were you have apache configured to use its own own embedded WAF or maybe something else. It sounds like the former was your problem. So could you elabortate a little more about exactly what you had setup, and we can help you.

Going forward, if you are running traffic thru the T-WAF (or anything else for that matter, any proxy) and back to apache you need to install mod_rpaf in apache:

https://www.atomicorp.com/wiki/index.ph ... the_WAF.3F

If you put something in front of the T-WAF, you'd have to do the same thing.

If you are using the T-WAF in front of apache, then you need to disable embedded mode for apache. Its not necessary.

In your post you said you did this:

embedded * * * * 80
embedded * * * * 443
local proxy - / - - 8080

So looking at your apache logs I see requests from 197.221.19.x for port 8080 going to apache. Were you proxying things back to apache?

Heres an example I found:

[19/May/2012:10:58:03 +0200] T7dgm8XdE@IAAHlkQN4AAAAC 197.221.19.227 35995 197.221.19.227 8080 <- thats the destination port and you have the T-WAF setup to proxy it

--57596b39-B--
POST /some_url.html HTTP/1.0
Host: http://www.domain.com
X-Real-IP: 1.2.3.4
X-Forwarded-For: 1.2.3.4

Or did you have nginx proxying to apache? Keep in mind that if you put a proxy in front of apache, and modsecurity is in embedeed mode that you will see the local IP address as the source. So you need to disable embedded mode if you put the T-WAF in front of apache, or if you put something else in front of apache and you want to use the WAF in embedded mode you need to install mod_rpaf.

https://www.atomicorp.com/wiki/index.ph ... the_WAF.3F

In any event, could you explain again what you setup? I'm not clear what was listening on what port, what was proxying, what was forwarding to what, etc. Right now it looks like this was as simple as embededed mode being enabled, and you had not installed mod_rpaf. Please let me know.

@mikeshinn -

Thank you for taking a look and sorry for creating confusion by removing everything.
I did not anticipate you looking into it over the weekend.

Early on Saturday morning, I decided to turn off Nginx and let things stay as "normal" until Monday.
Something went horribly wrong and I was unable to access any sites on port 80 or 8080
I had to remove everything and reboot the server it back to its previous state.

I will attempt to reconfigure everything this evening following the guidelines & your comments.
This time I will document my steps in more detail.

No worries, just let us know what you setup and how its configured.