Support

Admin Tools

#26811 WAF in Admin Tools Professional as a single solution for my webshop?

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Saturday, 28 January 2017 17:17 CST

Stroetmann
Hello, I am looking for your WAF in Admin Tools Professional as a single solution for my webshop.
Is it possible to use your WAF outside of Joomla?
I am particularly interested in the Secret Administration URL parameters. Of course the other very useful things are also welcome.
I look forward to your answer.

Thank you.

nicholas
Akeeba Staff
Manager
Admin Tools is a component which only works with Joomla. It integrates in the Joomla application workflow and relies on its knowledge of how Joomla works to protect you. You can't use it as a generic web application firewall in front of another PHP application.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Stroetmann
Ok. But would not that be a great thing? Just like Backup PHP Solo.

nicholas
Akeeba Staff
Manager
Unfortunately it's not that easy. Akeeba Solo is versatile because it can run next to and separately from the site it is backing up. It's standalone. A web application firewall, however, is by definition something that runs with your site. The only way to do that is having a deep integration with the system.

For example, CSRFShield can only run if you hook into the post-rendering step of the application, manipulating the output. You can't do that in WordPress, for example, since it doesn't have a post-rendering step to begin with (it simply echoes stuff to the page as it goes, a terrible idea for performance and security). Blocking user accounts needs, of course, integration with the software powering the site since each one (and each major version of it) has a different way to do that. Even displaying the block message page requires deep integration: in Joomla we are abusing the internal component router so that it loads a special view of our component, one which (by means of other esoteric Joomla black magic) is not available directly from the web (if you try it makes Joomla believe that the component is not installed).

To put this into perspective, a web application firewall is very much like bulletproofing a car. Sure you can do some bulletproofing on any car with generic means, e.g. bullet resistant glass panes. However, if you want a car that can withstand a real world attack you need to have both a car that can take the extra weight of bulletproofing and have room for all the armor you're going to add and a lot of experience on that car manufacturer and model to make sure that you don't leave any vulnerable points.

I know that we could publish a very, very basic, generic "firewall". However, I wouldn't be able to recommend this in good conscience to my clients. Between us publishing the digital equivalent of snake oil and simply not publishing anything at all I prefer that we did the latter.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!