# CrowdSec WAF QuickStart for Nginx / OpenResty

Protect an [Nginx](https://nginx.com) or [OpenResty](https://openresty.org/en/) server with CrowdSec's [AppSec (WAF) Component](https://docs.crowdsec.net/docs/next/appsec/intro.md#introduction). After the prerequisites below, every step is a single copy-paste command. Most steps are the same for both engines; only step 3 differs, and it gives one variant per engine.

## Prerequisites

Make sure the following are already done on the machine running your web server (all are single-page install guides):

1. **CrowdSec Security Engine** installed and running — see the [Linux quickstart](https://docs.crowdsec.net/u/getting_started/installation/linux.md).

2. **Nginx or OpenResty bouncer** installed and registered against the CrowdSec LAPI:

   * Nginx: [`crowdsec-nginx-bouncer`](https://docs.crowdsec.net/u/bouncers/nginx.md#installation)
   * OpenResty: [`crowdsec-openresty-bouncer`](https://docs.crowdsec.net/u/bouncers/openresty.md#installation)

3. Nginx or OpenResty is currently serving traffic on port 80 (used by the verification step at the end).

## 1. Install the AppSec rule collections

```
sudo cscli collections install \
    crowdsecurity/appsec-virtual-patching \
    crowdsecurity/appsec-generic-rules
```

This pulls the [`appsec-virtual-patching`](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-virtual-patching) collection (rules for known CVEs, auto-updated daily) and the [`appsec-generic-rules`](https://app.crowdsec.net/hub/author/crowdsecurity/collections/appsec-generic-rules) collection (common attack patterns), plus the default AppSec configuration.

## 2. Turn on the AppSec Component

Create the acquisition file, then restart CrowdSec:

```
sudo mkdir -p /etc/crowdsec/acquis.d
sudo tee /etc/crowdsec/acquis.d/appsec.yaml > /dev/null <<'EOF'
appsec_configs:
  - crowdsecurity/appsec-default
labels:
  type: appsec
listen_addr: 127.0.0.1:7422
source: appsec
EOF
sudo systemctl restart crowdsec
```

**Warning:** Keep `listen_addr` on `127.0.0.1`: the AppSec Component must not be reachable from the internet. It should only be queried by your local web server / reverse proxy.

## 3. Point the bouncer at the AppSec Component

**Nginx:**

```
sudo sed -i 's|^APPSEC_URL=.*|APPSEC_URL=http://127.0.0.1:7422|' \
    /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf
sudo systemctl restart nginx
```

**OpenResty:**

```
sudo sed -i 's|^APPSEC_URL=.*|APPSEC_URL=http://127.0.0.1:7422|' \
    /etc/crowdsec/bouncers/crowdsec-openresty-bouncer.conf
sudo systemctl restart openresty
```

The default bouncer config already contains an empty `APPSEC_URL=` line, so `sed -i` replaces it in place — the command is idempotent and safe to re-run.
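The `sed` command changes nothing if the file has no `APPSEC_URL=` line, and it does not check where the listener from step 2 is bound. The following check covers both the loopback warning in step 2 and the bouncer setting in step 3. It is an added example, not part of the CrowdSec documentation; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: consistency check for the two files edited in steps 2 and 3.

# First listen_addr value in an acquisition file, quotes and blanks stripped.
appsec_listen_addr() {
    sed -n 's/^listen_addr:[[:space:]]*//p' "$1" | tr -d "\"' \t\r" | head -n 1
}

# First APPSEC_URL value in a bouncer config (empty if unset or absent).
bouncer_appsec_url() {
    sed -n 's/^APPSEC_URL=//p' "$1" | tr -d ' \t\r' | head -n 1
}

# Succeeds only if the listener is loopback-only and the bouncer targets it.
check_appsec_wiring() {
    addr=$(appsec_listen_addr "$1")
    url=$(bouncer_appsec_url "$2")
    if ! printf '%s\n' "$addr" |
        grep -Eq '^(127\.[0-9]+\.[0-9]+\.[0-9]+|\[::1\]|localhost):[0-9]+$'; then
        echo "FAIL: listen_addr '$addr' is missing or not loopback"
        return 1
    fi
    if [ -z "$url" ]; then
        echo "FAIL: APPSEC_URL is empty or absent, so sed had nothing to replace"
        return 1
    fi
    if [ "${url%/}" != "http://$addr" ]; then
        echo "FAIL: APPSEC_URL '$url' does not point at listen_addr '$addr'"
        return 1
    fi
    echo "OK: bouncer queries $url, listener is loopback-only"
}

# Constructed sample files mirroring the ones this page writes.
demo_dir=$(mktemp -d)
printf 'listen_addr: 127.0.0.1:7422\nsource: appsec\n' > "$demo_dir/appsec.yaml"
printf '# constructed sample\nAPPSEC_URL=http://127.0.0.1:7422\n' > "$demo_dir/bouncer.conf"
check_appsec_wiring "$demo_dir/appsec.yaml" "$demo_dir/bouncer.conf"
```

On a live host, pass `/etc/crowdsec/acquis.d/appsec.yaml` and the bouncer config path from step 3; reading them may require `sudo`.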

## 4. Verify

Send a request that should trip an AppSec rule:

```
curl -I http://localhost/.env
```

You should get an `HTTP/1.1 403 Forbidden` response.

We're hitting a `.env` file, a [common way to retrieve credentials left by mistake](https://app.crowdsec.net/hub/author/crowdsecurity/appsec-rules/vpatch-env-access) — the AppSec Component detects and blocks it.

Check that CrowdSec recorded the block:

```
sudo cscli metrics show appsec
```

Example metrics output:

```
Appsec Metrics:
╭─────────────────┬───────────┬─────────╮
│  Appsec Engine  │ Processed │ Blocked │
├─────────────────┼───────────┼─────────┤
│ 127.0.0.1:7422/ │ 2         │ 1       │
╰─────────────────┴───────────┴─────────╯

Appsec '127.0.0.1:7422/' Rules Metrics:
╭─────────────────────────────────┬───────────╮
│             Rule ID             │ Triggered │
├─────────────────────────────────┼───────────┤
│ crowdsecurity/vpatch-env-access │ 1         │
╰─────────────────────────────────┴───────────╯
```

What just happened?

1. `curl` hit your web server at `/.env`.
2. The bouncer forwarded the request to the AppSec Component on `127.0.0.1:7422`.
3. The request matched the [`vpatch-env-access`](https://app.crowdsec.net/hub/author/crowdsecurity/appsec-rules/vpatch-env-access) rule.
4. The AppSec Component answered `403`, the bouncer enforced it, and the web server returned the CrowdSec ban page.

If you'd rather see the block in a browser, visit `http://<your-host>/.env` — you'll get the CrowdSec ban page:

![appsec-denied](/assets/images/appsec_denied-6e67f77eebc0aafccfbb7304136ad33e.png)

## Monitor in the Console

If you haven't enrolled the Security Engine yet, follow [how to enroll in the Console](https://docs.crowdsec.net/u/getting_started/post_installation/console.md). Once enrolled, AppSec alerts show up alongside the rest of your alerts:

![appsec-console](/assets/images/appsec_console-59b5f39cf3f7fc002e61539c0e866f23.png)

## Next steps

* Monitor WAF alerts with `sudo cscli alerts list` or in the [CrowdSec Console](https://app.crowdsec.net).
* Review the [AppSec troubleshooting guide](https://docs.crowdsec.net/docs/next/appsec/troubleshooting.md) if you need to investigate or refine the deployment.
* Explore [WAF deployment strategies](https://docs.crowdsec.net/docs/next/appsec/advanced_deployments.md), [rules syntax](https://docs.crowdsec.net/docs/next/appsec/rules_syntax.md), [rule creation](https://docs.crowdsec.net/docs/next/appsec/create_rules.md), and [benchmarks](https://docs.crowdsec.net/docs/next/appsec/benchmark.md) to go further.
