# CrowdSec WAF General Setup

This guide covers the core AppSec Component setup that applies to all web servers and reverse proxies. After completing these steps, configure your remediation component (bouncer) to forward requests to the AppSec Component.

## Prerequisites

* **CrowdSec Security Engine** (>= 1.5.6) installed and running
* A compatible remediation component (bouncer) for your web server or reverse proxy

## AppSec Component Setup

AppSec setup has two steps:

* Download rules and configuration collections.
* Configure AppSec as a new acquisition datasource ([AppSec datasource](https://docs.crowdsec.net/docs/next/log_processor/data_sources/appsec.md)).

The following sections will guide you through the default setup.

After installation, verify everything works with the [🩺 Health Check](https://docs.crowdsec.net/u/getting_started/health_check.md).

### Collection Installation

Install the essential AppSec collections that provide virtual patching rules and generic attack detection:

```
sudo cscli collections install crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
```

These collections include:

* **Virtual Patching Rules**: Protection against known vulnerabilities (CVEs)
* **Generic Attack Detection**: Common web attack patterns
* **AppSec Configuration**: Default [AppSec configuration file](https://docs.crowdsec.net/docs/next/appsec/configuration.md) linking rules together
* **CrowdSec Parsers & Scenarios**: For processing AppSec events and creating alerts

### Acquisition Configuration

Configure CrowdSec to expose the AppSec Component by creating an acquisition file ([AppSec datasource](https://docs.crowdsec.net/docs/next/log_processor/data_sources/appsec.md)).

1. Create the acquisition directory (if it doesn't exist):

```
sudo mkdir -p /etc/crowdsec/acquis.d/
```

2. Create the AppSec acquisition configuration:

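```
# tee runs as root; with "sudo cat > file" the redirect is opened by the calling (unprivileged) shell and fails
sudo tee /etc/crowdsec/acquis.d/appsec.yaml > /dev/null << EOF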
appsec_configs:
  - crowdsecurity/appsec-default
labels:
  type: appsec
listen_addr: 127.0.0.1:7422
source: appsec
name: myAppSecComponent
EOF
```

**Configuration explained:**

* `appsec_configs`: Uses the [AppSec configuration(s)](https://docs.crowdsec.net/docs/next/appsec/configuration.md) from the installed collections
* `listen_addr`: IP and port where the AppSec Component listens (default: 127.0.0.1:7422)
* `source`: Identifies this as an AppSec data source
* `name`: A friendly name for your AppSec component

**Security Note:** Do not expose the AppSec Component to the internet. It should only be accessible from your web server or reverse proxy.

### Start the AppSec Component

Restart CrowdSec to activate the AppSec Component:

```
sudo systemctl restart crowdsec
```

## Testing WAF Component

### Testing Configuration

Check that the AppSec Component is running:

With `netstat`:

```
sudo netstat -tlpn | grep 7422
```

With `ss`:

```
sudo ss -tlpn | grep 7422
```

Output example

```
tcp        0      0 127.0.0.1:7422            0.0.0.0:*               LISTEN      12345/crowdsec
```

**Note:** The output may look different depending on which command you used, but as long as you see the port and the `crowdsec` process, the AppSec Component is running.
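The Security Note and the listener check above can be combined into one audit of where the component is bound. The shell functions below are an added example, not CrowdSec tooling or code from this guide; the function names are hypothetical, and they assume `listen_addr` is a top-level key as in the acquisition file shown earlier.

```shell
#!/bin/sh
# Added example (not CrowdSec tooling): confirm the AppSec listener is loopback-only.
# Assumes listen_addr is a top-level key, as in the acquisition file in this guide.

# bind_scope HOST:PORT -> loopback | wildcard | routable
bind_scope() {
    host=${1%:*}                          # drop the trailing :port
    host=${host#\[}; host=${host%\]}      # drop IPv6 brackets
    case "$host" in
        127.*|::1|localhost) echo loopback ;;
        ''|0.0.0.0|::|'*')   echo wildcard ;;   # every interface
        *)                   echo routable ;;   # one non-loopback interface
    esac
}

# config_listen_addr FILE -> listen_addr value without quotes or trailing comment
config_listen_addr() {
    addr=$(sed -n 's/^listen_addr:[[:space:]]*//p' "$1" |
           sed 's/[[:space:]]*#.*//; s/[[:space:]]*$//' | tr -d "\"'" | head -n 1)
    echo "${addr:-127.0.0.1:7422}"        # default stated in this guide
}

# audit_config FILE -> prints "ADDR SCOPE"; succeeds only for a loopback bind
audit_config() {
    a=$(config_listen_addr "$1")
    s=$(bind_scope "$a")
    echo "$a $s"
    [ "$s" = loopback ]
}

# audit_listeners PORT < output of `ss -tln` or `netstat -tln`
# prints "ADDR SCOPE" per listener; fails if none is found or any is not loopback
audit_listeners() {
    awk -v p=":$1" '/LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ (p "$")) { print $i; break } }' |
    {
        n=0; bad=0
        while read -r a; do
            s=$(bind_scope "$a"); echo "$a $s"; n=$((n + 1))
            [ "$s" = loopback ] || bad=1
        done
        [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
    }
}

# Typical use on the host:
#   audit_config /etc/crowdsec/acquis.d/appsec.yaml
#   sudo ss -tln | audit_listeners 7422
```

A `routable` result is not necessarily a misconfiguration when the reverse proxy runs on another host, but the port then has to be restricted so that only that host can reach it.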

Check CrowdSec logs for successful startup:

```
sudo tail -f /var/log/crowdsec.log
```

Look for messages like:

```
INFO[...] Starting Appsec server on 127.0.0.1:7422/
INFO[...] Appsec Runner ready to process event
```

## Next steps

Now that the AppSec Component is configured and running, you need to:

1. **Configure your remediation component** to forward requests to `http://127.0.0.1:7422`
2. **Test the setup** [by triggering a rule](#testing-detection)
3. **Monitor alerts** with `sudo cscli alerts list` or in the [CrowdSec Console](https://app.crowdsec.net)

For specific remediation component configuration, see:

* [Nginx/OpenResty Setup](https://docs.crowdsec.net/docs/next/appsec/quickstart/nginxopenresty.md)
* [OpenResty Setup](https://docs.crowdsec.net/docs/next/appsec/quickstart/nginxopenresty.md)
* [Traefik Setup](https://docs.crowdsec.net/docs/next/appsec/quickstart/traefik.md)
* [HAProxy (SPOA) Setup](https://docs.crowdsec.net/docs/next/appsec/quickstart/haproxy_spoa.md)
* [WordPress Setup](https://docs.crowdsec.net/docs/next/appsec/quickstart/wordpress.md)
* [Check the hub for other remediation components supporting AppSec](https://app.crowdsec.net/hub/remediation-components)

Once your remediation component is in place, continue with:

* Reviewing the [AppSec troubleshooting guide](https://docs.crowdsec.net/docs/next/appsec/troubleshooting.md) if you need to investigate or refine the deployment.
* Exploring [WAF deployment strategies](https://docs.crowdsec.net/docs/next/appsec/advanced_deployments.md) when you are ready to expand beyond the initial setup.

### Testing Detection

If you've enabled a WAF-capable bouncer with CrowdSec WAF, you can trigger the `crowdsecurity/appsec-generic-test` dummy scenario. This scenario does not lead to a decision, but it is a good way to confirm the setup is working.

Trigger the dummy scenario by accessing a probe path on your web server:

1️⃣ Access your service URL with this path: `/crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl`

```
curl -I https://<your-service-url>/crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl
```

2️⃣ Confirm the alert has triggered for `crowdsecurity/appsec-generic-test`

```
sudo cscli alerts list | grep crowdsecurity/appsec-generic-test
```

3️⃣ The alert will also appear in the Console alerts

![appsec-generic-test console view](/assets/images/appsec-generic-test-console-39bef8607ed94199fee42f2ffde09c50.png)

**Info:** This scenario can only be triggered again after a 1-minute delay.

## Optional: Advanced Configuration

### Multiple AppSec Configurations

You can [load multiple AppSec configurations](https://docs.crowdsec.net/docs/next/appsec/configuration_creation_testing.md#defining-multiple-appsec-configurations) for different rule sets:

```
# /etc/crowdsec/acquis.d/appsec.yaml
appsec_configs:
  - crowdsecurity/appsec-default    # Virtual patching rules (in-band)
  - crowdsecurity/crs               # OWASP CRS rules (out-of-band)
labels:
  type: appsec
listen_addr: 127.0.0.1:7422
source: appsec
name: myAppSecComponent
```

### Custom Port Configuration

To use a different port, update the `listen_addr` in your acquisition file and ensure your remediation component points to the same address.

## Troubleshooting

If the AppSec Component fails to start:

1. **Check port availability**: Ensure port 7422 isn't already in use
2. **Verify collections**: Run `sudo cscli collections list` to confirm installation
3. **Check configuration syntax**: Validate your `appsec.yaml` file
4. **Review logs**: Check `/var/log/crowdsec.log` for error messages

For detailed troubleshooting, see the [AppSec Troubleshooting Guide](https://docs.crowdsec.net/docs/next/appsec/troubleshooting.md).
