Merge pull request #130 from EsadCetiner/docs-multi-app-plugins

feat: conditionally enable plugins for multi-app environments
coreruleset · Jun 9, 2024 · e756353 · e756353
2 parents ade4205 + 59d9622
commit e756353
Showing 1 changed file with 40 additions and 0 deletions.
diff --git a/content/concepts/plugins.md b/content/concepts/plugins.md
@@ -106,6 +106,46 @@ Disabling a plugin is simple. Either remove the plugin files in the plugins fold
 
 Alternatively, it is also valid to disable a plugin by renaming a plugin file from `plugin-before.conf` to `plugin-before.conf.disabled`.
 
+## Conditionally enable plugins for multi-application environments
+
+If CRS is installed on a reverse-proxy or a web server with multiple web applications, then you may wish to only enable certain plugins (such as rule exclusion plugins) for certain virtual hosts (`VirtualHost` for Apache httpd, `Server` context for Nginx). This ensures that rules designed for a specific web application are only enabled for the intended web application, reducing the scope of any possible bypasses within a plugin.
+
+Most plugins provide an example to disable the plugin in the file `plugin-config.conf`, you can define the `WebAppID` variable for each virtual host and then disable the plugin when the `WebAppID` variable doesn't match.
+
+See: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-(v2.x)#secwebappid
+
+Below is an example for enabling only the WordPress plugin for WordPress virtual hosts:
+
+```
+SecRule &TX:wordpress-rule-exclusions-plugin_enabled "@eq 0" \
+    "id:9507010,\
+    phase:1,\
+    pass,\
+    nolog,\
+    ver:'wordpress-rule-exclusions-plugin/1.0.0',\
+    chain"
+    SecRule WebAppID "!@streq wordpress" \
+        "t:none,\
+        setvar:'tx.wordpress-rule-exclusions-plugin_enabled=0'"
+```
+
+⚠️ Warning: As of 05/06/2024, Coraza doesn't support the use of WebAppID, you can use the`Host` header instead of the `WebAppID` variable:
+
+```
+SecRule &TX:wordpress-rule-exclusions-plugin_enabled "@eq 0" \
+    "id:9507010,\
+    phase:1,\
+    pass,\
+    nolog,\
+    ver:'wordpress-rule-exclusions-plugin/1.0.0',\
+    chain"
+    SecRule REQUEST_HEADERS:Host "!@streq wordpress.example.com" \
+        "t:none,\
+        setvar:'tx.wordpress-rule-exclusions-plugin_enabled=0'"
+```
+
+See: https://coraza.io/docs/seclang/variables/#webappid
+
 ## What Plugins are Available?
 
 All official plugins are listed on GitHub in the CRS plugin registry repository: https://github.com/coreruleset/plugin-registry.