Re: Why is our RewriteMap usage working for some URLs & not others?

Tony Olekshy wrote, on 2025-02-24 at 11:32 MST:
>
> Our Apache httpd.conf is configured to include these lines for
> blocking requests from a list of IP addresses without logging
> them — in this order and mixed with other lines — yet some such
> requests are logged anyway:
> 
>     CustomLog logs/access_log combined env=!DontLogIt
> 
>     <VirtualHost *:80>
> 
>     RewriteMap  ipb "prg:/some-path/ip-block/filter"
>     RewriteCond ${ipb:%{REMOTE_ADDR}/%{HTTP_HOST}} X
>     RewriteRule ^ - [F,L,E=DontLogIt]
> 
> That ip-block/filter program writes to stdout, for each case of
> request data Apache sends to its stdin, whether the request IP
> address is on a block list, and this configuration successfully
> blocks almost all the requests from those IP addresses — without
> logging them.
> 
> However, some requests, such as the following, remain logged by
> Apache even when they are from IP addresses in the block list,
> and regardless of whether we have LogLevel set to info or warn:
> 
>     /file%3a/////etc%2fpasswd%00
>     /%0d%0aSet-Cookie:crlfinjection=1;
>     /cgi-bin.%2e/.%2e/.%2e/.%2e/bin/sh
>     //%2f..=%5c..=%5c..=%5cetc%5cpasswd%00
> 
> Why is that happening, and what can we do to prevent logging of
> those requests too, when they arrive from a blocked IP address?
> 
> Sincerely Yours
> Tony Olekshy
> apache@xxxxxxxxxxx

Frank Gingras wrote, on 2026-02-31 at 12:44 MST:
>
> Tony, An IP block should not have issues with URL encoding - can
> you provide your vhost configuration?

Thank you for responding, Frank. Please pardon me if I am doing
this wrong, for though I have been using Apache httpd since 1999,
this is the first time I have needed to request assistance via the
Apache httpd mailing lists. Here is the port 80 VirtualHost from
our httpd.conf files (desensitized, in which I have replaced our
site and application names with Foo and Bar):

<VirtualHost *:80>

    RewriteEngine       On

    AllowEncodedSlashes NoDecode

    # Forbid requests from known bad crawling IP address blocks.
    #
    RewriteMap  ipb "prg:/Bar/site/acme/ip-block/filter"
    RewriteCond ${ipb:%{REMOTE_ADDR}/%{HTTP_HOST}/%{REQUEST_URI}} X
    RewriteRule ^ -                             [NE,F,L,E=DontLogIt]

    # Map valid public and CGI Foo site URLs to the file system.
    #
    AliasMatch \
         ^/foo/([-a-zA-Z0-9]*)/(.*)     ${BarSite}/foo/$1/public/$2

    ScriptAliasMatch \
        ^/foo/([-a-zA-Z0-9]*)([.]x.*)   ${BarSite}/foo/$1/cgi/$1$2

    <Directory ${BarSite}/foo/*/public>
        #
        AllowOverride   None
        Require         all     granted
    </Directory>

    <Directory ${BarSite}/foo/*/cgi>
        #
        AllowOverride   None
        Options         None
        Require         all      granted
    </Directory>

</VirtualHost>

Our whole httpd.conf and our httpd -S output, desensitized, are
available here:

    http://web.avra.ca/apache/httpd-conf.txt
    http://web.avra.ca/apache/httpd-s.txt

Note that it is not only encoded URLs that are not being blocked;
URLs like /../../../etc/passwd are not being blocked either. These
configurations are running on Red Hat Enterprise Linux extended
life support version seven and its current Apache httpd. Please let
me know if there is anything else that I can do to contribute to
determining a resolution to this anomaly.

Yours, &c, Tony Olekshy
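For readers following the thread, here is an added illustration of the kind of `prg:` RewriteMap filter the configuration above calls. It is example code written for this archive page, not Tony's ip-block/filter program, and it makes two assumptions: the lookup key arrives in the `REMOTE_ADDR/HTTP_HOST/REQUEST_URI` layout that the RewriteCond on the page builds, and the block list is a constructed, hypothetical set of networks. It shows the two details of the prg-map protocol that a filter must get right: exactly one reply line per key (the literal `NULL` meaning "no value") and a flush after every reply, plus the fact that the key must be split on the first two slashes only, because the request URI carries slashes of its own.

```python
#!/usr/bin/env python3
"""Example Apache 'prg:' RewriteMap filter (added illustration; not the
poster's ip-block/filter program).

mod_rewrite writes one lookup key per line to this program's stdin and
waits for exactly one reply line per key on stdout. The reply "NULL"
means "no value", which makes the RewriteCond comparison against "X"
fail. stdout must be flushed after each reply, or Apache hangs waiting.

Assumed key layout (matches the RewriteCond on the page):
    REMOTE_ADDR/HTTP_HOST/REQUEST_URI
"""
import io
import ipaddress
import sys

# Constructed, hypothetical block list (documentation ranges, not from
# the page). Use CIDR networks so single hosts and whole ranges mix.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.7/32"),
]

MATCH = "X"        # value the page's RewriteCond compares against
NO_MATCH = "NULL"  # mod_rewrite's "no value" reply


def parse_key(key):
    """Split 'ip/host/uri' into three parts.

    Only the first two slashes separate fields; everything after them is
    the request URI, which normally contains further slashes.
    """
    parts = key.split("/", 2)
    while len(parts) < 3:   # tolerate a missing host or URI
        parts.append("")
    return parts[0], parts[1], parts[2]


def is_blocked(addr_text):
    """True if the address falls inside any blocked network."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        # REMOTE_ADDR should always parse; an odd key is not treated
        # as a block hit, so a filter bug cannot forbid every request.
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)


def lookup(key):
    """Compute the reply for one lookup key (trailing newline allowed)."""
    addr, _host, _uri = parse_key(key.rstrip("\r\n"))
    return MATCH if is_blocked(addr) else NO_MATCH


def serve(stdin, stdout):
    """The prg-map loop: one reply per key, flushed immediately."""
    for line in stdin:
        stdout.write(lookup(line) + "\n")
        stdout.flush()   # required: Apache waits for each answer


def run_on_text(text):
    """Run the serve loop over a string of keys; used for offline checks."""
    out = io.StringIO()
    serve(io.StringIO(text), out)
    return out.getvalue()


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Dropped into the page's configuration in place of `/Bar/site/acme/ip-block/filter`, this program would answer `X` for any request whose source address is in `BLOCKED_NETWORKS`, regardless of how the request path is encoded, since the decision looks only at the first field of the key. Whatever the request looks like, a filter of this shape can only forbid a request that mod_rewrite actually hands it; a request that httpd rejects before the rewrite phase runs never reaches the map at all.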
