RE: [users@httpd] Blocking invalid URIs?

<Oliver.Schaudt@xxxxxxxxx> · Sat, 11 Mar 2006 20:34:46 +0100

The thing what you need is mod_security
http://www.modsecurity.org/ 
which is acting as a module inside Apache.
Here eare rules for it http://www.modsecurity.org/projects/rules/index.html
They are snort-like

mod_security block your invalid url's.

bye 

Oliver

-----Ursprüngliche Nachricht-----
Von: John Rodenbiker [mailto:jrodenbiker@xxxxxxxxxxxxxx]
Gesendet: Sa 11.03.2006 02:06
An: users@xxxxxxxxxxxxxxxx
Betreff: Re: [users@httpd] Blocking invalid URIs?

-- 
Freedom, Truth, Love, Beauty.
John Rodenbiker
jrodenbiker@xxxxxxxxxxxxxx

On Mar 10, 2006, at 4:25 PM, Sean Conner wrote:

> It was thus said that the Great John Rodenbiker once stated:
>>
>> Is there a way to have httpd drop requests to URIs that don't actually
>> exist in my environment?
>
>   It's turned on by default in Apache.  In other words, any content
> *outside* of the DocumentRoot is not served up, no matter how many 
> "../" are
> thrown at the web server.  Don't put anything you don't want seen in 
> the
> DocumentRoot.

That's good to know, thank you.

The reason I ask is because there is a company trying to sell a "web 
application firewall" that appears to do just what I asked, except for 
$9995. Are these guys full of it, or what are they really offering?
http://www.webscurity.com/products.htm

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx