
I plan to use Keycloak as our primary login app, but before I move forward with deployment, I need to address one concern. The issue arose when I enabled ModSecurity on the Apache server. This resulted in several Keycloak screens and operations becoming blocked, including the ability to update the theme. If I disable ModSecurity, everything works fine.

Am I doing anything wrong, or am I missing some kind of setting for ModSecurity in Keycloak?

Kindly suggest a solution.

I tried to disable a few rules, but there are too many, and also, to disable a rule, I need to provide a proper reason for doing so.

1 Answer


OWASP ModSecurity Core Rule Set Dev on Duty here. Are you using the Core Rule Set (CRS)? Are those the rules you are having trouble with, or are you using some other rule set? Please confirm.

Assuming you are using CRS, have you tuned your WAF installation for your web application (Keycloak)? Tuning is a required step before CRS can be properly and correctly used in front of a web application. This is especially true if using a higher paranoia level, i.e. paranoia level 2 and above.

There are some great guides and documentation available online which cover the tuning process. The CRS false positives and tuning documentation is very good. There is also a popular series of tutorials on netnea.com which cover every step from the very beginning: compiling the ModSecurity WAF engine, installing CRS, tuning by writing rule exclusions, and more.

xanadu
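As an added illustration of the "tuning by writing rule exclusions" step (this is example configuration written for this page, not code from the answer above, from the CRS project or from Keycloak), the fragment below shows the two exclusion mechanisms CRS documents, scoped as narrowly as possible so that each exclusion carries its own documented reason. It assumes the CRS 3.x file layout (`REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` and `RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf`), that Keycloak's admin REST API is served under `/admin/realms/`, and uses the rule IDs 942100 and 941100 purely as placeholders: the real IDs to exclude are whatever your ModSecurity audit log reports for the blocked theme update.

```apache
# Added example for this page; not from the original answer, CRS or Keycloak.
# ASSUMPTIONS: CRS 3.x layout, Keycloak admin REST API under /admin/realms/,
# rule IDs 942100/941100 stand in for the IDs your audit log actually shows.

# ---- crs-setup.conf -------------------------------------------------------
# Start tuning at paranoia level 1; raise it only after the application is
# clean at the lower level. (CRS 3.x variable name; CRS 4 renamed it to
# tx.blocking_paranoia_level.) Uncomment the SecAction that ships in
# crs-setup.conf rather than adding a second rule with the same id.
SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=1"

# ---- REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf (runtime exclusions) ---
# Reason for exclusion: the Keycloak admin API only accepts requests from
# authenticated administrators, and its JSON bodies legitimately carry
# template names and HTML/CSS snippets that look like injection to the
# (placeholder) SQLi/XSS rules. The exclusion is limited to that path and to
# request arguments; everything else is still inspected by every rule.
SecRule REQUEST_URI "@beginsWith /admin/realms/" \
  "id:10001,\
   phase:1,\
   pass,\
   nolog,\
   ctl:ruleRemoveTargetById=942100;ARGS,\
   ctl:ruleRemoveTargetById=941100;ARGS"

# ---- RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf (configure-time) -------
# Reason for exclusion: a single named argument that trips one rule on every
# path. Removing one target from one rule is far narrower than disabling the
# rule (SecRuleRemoveById), which should be the last resort.
SecRuleUpdateTargetById 942100 "!ARGS:description"
```

To find the IDs to put in place of the placeholders, switch the engine to `SecRuleEngine DetectionOnly` while tuning and reproduce the theme update; each hit appears in the Apache error log and the ModSecurity audit log as an `[id "..."]` entry together with the matched variable, which is exactly the information needed to write a targeted exclusion and to justify it. Rule IDs for local exclusions sit outside the CRS range (CRS uses 900000 and above), which is why the example uses 10001.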