Managed WAF
The managed WAF puts ModSecurity with the OWASP CRS (Core Rule Set) in front of your sites to block common web attacks — SQL injection, XSS, LFI, RCE, and more — right at Nginx. Per-site WAF is a Pro feature; the per-source firewall is available on every plan.
Enable the WAF (Pro)
The engine installs in one click. Open a site’s Firewall tab and install ModSecurity:
- MZPanel ships a custom-compiled Nginx, so the connector is built against this box’s exact Nginx version (with `--with-compat`). The build only produces a module; your running Nginx is untouched until the next reload.
- Once installed, you turn the WAF on per site. Each site gets its own rule file included into its Nginx server block, so settings don’t leak between sites.
Modes — detect vs. block
The WAF runs in one of three modes:
| Mode | Behavior |
|---|---|
| Off | No inspection. |
| Detect (learning) | Matches are logged only — traffic passes. Use this to surface false positives before enforcing. |
| Block | Malicious requests are rejected with 403. |
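
One way to review Detect-mode output before switching a site to Block, as an added example (not MZPanel's own code): it assumes the site's ModSecurity audit log is written in ModSecurity v3's JSON format, one transaction per line, and tallies matched CRS rule IDs per request path. The sample log lines, the function names and the `min_clients` heuristic (a rule hit on one path by many distinct clients is more likely a false positive than an attack) are constructed for illustration.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

def _tx(ip, uri, *rule_ids):
    """Build one constructed audit-log line in ModSecurity v3 JSON layout."""
    msgs = [{"message": "constructed", "details": {"ruleId": r}} for r in rule_ids]
    return json.dumps({"transaction": {"client_ip": ip,
                                       "request": {"method": "POST", "uri": uri},
                                       "messages": msgs}})

# Constructed sample log, not real traffic. IPs are from documentation ranges.
SAMPLE_LOG = "\n".join([
    _tx("192.0.2.10", "/wp-admin/post.php?post=7", "942100", "949110"),
    _tx("192.0.2.11", "/wp-admin/post.php?post=9", "942100", "949110"),
    _tx("198.51.100.5", "/wp-admin/post.php?post=3", "942100", "949110"),
    _tx("203.0.113.77", "/index.php?id=1", "942100", "949110"),
    "{truncated line",                      # partial write; must be skipped
    _tx("192.0.2.10", "/static/app.css"),   # no rule matched
])

# CRS anomaly-score evaluation/reporting rules; they never identify the match itself.
SCORE_RULES = {"949110", "959100", "980130"}

def summarize(log_text):
    """Return {(rule_id, path): {"hits": n, "clients": set_of_ips}}."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set()})
    for line in log_text.splitlines():
        try:
            tx = json.loads(line)["transaction"]
        except (json.JSONDecodeError, KeyError, TypeError):
            continue  # skip blank or damaged lines
        path = urlsplit(tx.get("request", {}).get("uri", "")).path
        for msg in tx.get("messages", []):
            rule_id = msg.get("details", {}).get("ruleId")
            if rule_id and rule_id not in SCORE_RULES:
                entry = stats[(rule_id, path)]
                entry["hits"] += 1
                entry["clients"].add(tx.get("client_ip"))
    return dict(stats)

def false_positive_candidates(stats, min_clients=3):
    """Rule/path pairs hit by many distinct clients: review these before Block."""
    return sorted(k for k, v in stats.items() if len(v["clients"]) >= min_clients)

if __name__ == "__main__":
    for rule_id, path in false_positive_candidates(summarize(SAMPLE_LOG)):
        print(f"review rule {rule_id} on {path}")
```

Pairs the script flags are the ones to inspect by hand while the site is still in Detect; a single client tripping a rule on an unrelated path, like the `/index.php` entry in the sample, is left out of the candidate list.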
Malware scanning (ClamAV)
MZPanel scans site webroots for malware and web shells with ClamAV. Detected files are moved to quarantine (outside the webroot) rather than deleted — MZPanel never auto-cleans or rewrites your files, so a false positive can’t break your site. From the panel you restore or delete quarantined files yourself.
Firewall rules
Independently of the WAF, MZPanel manages a per-source firewall (Free) so you can allow or block traffic by IP or CIDR. This is the same mechanism used to grant a specific source IP access to a remote database, and it folds into the server’s Security view alongside login-attempt history.