First of all, thank you for your reply. I know it takes time to copy and paste all that stuff and I appreciate it. I tried to implement your solution but it isn't working, so I am definitely going to take you up on your offer to ask freely.
Is this your full docker-compose.yml, traefik.yml and dynamic-configuration.yml?
If not, is it possible to show the full files (of course obscuring any sensitive info)?
Can I use the actual service I want protected by the WAF in the BACKEND variable if it is in the same docker-compose.yml?
Did you get whoami from containous/whoami? I did that and it doesn't seem to be responding.
These are my docker compose up, docker ps and docker logs outputs. Traefik is not starting properly.
$ docker compose up -d
[+] Running 5/5
⠿ Network traefik_mod_traefik Created 0.2s
⠿ Container traefik_mod-dummy-1 Started 5.3s
⠿ Container traefik_mod-website-1 Started 4.9s
⠿ Container traefik Started 5.8s
⠿ Container traefik_mod-modsecurity-1 Started 5.6s
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a7c4dcf6d606 containous/whoami "/whoami" 19 seconds ago Up 14 seconds 80/tcp traefik_mod-dummy-1
8dd4132bca0f owasp/modsecurity-crs:apache "/docker-entrypoint.…" 19 seconds ago Up 14 seconds (health: starting) 80/tcp traefik_mod-modsecurity-1
70bbee479389 containous/whoami "/whoami" 19 seconds ago Up 14 seconds 80/tcp traefik_mod-website-1
$ docker logs traefik
2023/01/31 12:25:33 command traefik error: field not found, node: file
So I took a nap and reworked everything, and now my sites are being served and I see WAF in the traefik dashboard, but it's not actually blocking anything. If I test using a "bad" URL https://vw2.example.com/images/GET%20/?s=%EF%BD%94%EF%BD%85%EF%BD%93%EF%BD%94 I still get the regular 404 page for the service instead of the expected Access Denied 403. What am I doing wrong?
Yes, but it only makes sense if that is the only container you want to protect behind WAF. If you want to protect a second one and the one used in the BACKEND variable is down, accessing the second one fails as well.
Yes, but any container that returns a 2xx code on your specific request works as well.
The link you provided is also not blocked on my traefik proxy, but if you add something like ?test=../test in the URL it works.
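The startup error shown in the docker logs output above, "field not found, node: file", is what Traefik reports when a key sits at a level where it is not recognised; the usual cause is a file: block written at the top level of traefik.yml instead of under providers:. The following is an added illustration, not the original poster's configuration; the paths and the entry point names are assumptions. The first YAML document reproduces the error, the second is the corrected nesting.

```yaml
# Example traefik.yml (static configuration), added for illustration only.
# Not the original poster's file; paths and entry point names are assumed.

# Document 1: REJECTED. "file:" at the top level is not a known key, so
# Traefik exits with "command traefik error: field not found, node: file".
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  docker:
    exposedByDefault: false
file:                        # wrong level: there is no top-level "file" key
  filename: /etc/traefik/dynamic-configuration.yml
---
# Document 2: ACCEPTED. The file provider lives under "providers:", next to
# the docker provider, so the middlewares defined in
# dynamic-configuration.yml (the WAF middleware among them) are loaded.
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  docker:
    exposedByDefault: false
  file:
    filename: /etc/traefik/dynamic-configuration.yml   # assumed mount path
    watch: true                                        # reload on edits
```

A quick check after fixing the nesting is that docker logs traefik no longer shows the "field not found" line and that the middleware from the dynamic file appears in the dashboard.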