Re: mod_security

Julien Gerhards wrote:
Hi,

I am trying to use mod_security but it doesn't filter anything!
My vhost conf:

<VirtualHost *:80>
    ServerSignature Off
    ServerName cache-ext
    ErrorLog logs/cache-ext_error.log
    CustomLog logs/cache-ext_access.log combined
    <IfModule mod_proxy.c>
        <LocationMatch "^[^/]">
            Deny from all
        </LocationMatch>
        <IfModule mod_rewrite.c>
            RewriteEngine On
#           RewriteCond %{REQUEST_URI} ^/img=(.+)$
            RewriteRule ^/img=(.+)$ $1 [L,P]
            RewriteLog /var/log/RewriteLog.log
            RewriteRule ^[/img=](.+)$ - [F]
        </IfModule>
        AllowEncodedSlashes on
        ProxyRequests On
        ProxyVia On
        <IfModule mod_disk_cache.c>
            CacheEnable disk /
            CacheRoot "/var/cache/mod_proxy"
        </IfModule>
        <IfModule mod_mem_cache.c>
            CacheEnable mem /
            MCacheMaxObjectSize 1024000
            MCacheSize 102400
        </IfModule>
        <Proxy *>
#           Deny from all
        </Proxy>
        <ProxyMatch ^/img=(.+)$>
            Allow from all
        </ProxyMatch>
        <IfModule mod_security.c>
            SecFilterEngine On
            SecFilterDefaultAction "deny,log,status:403"
            SecFilterDebugLevel 9
            SecFilterSelective macbidouille.com
            SecAuditLog logs/audit_log
        </IfModule>
    </IfModule>
</VirtualHost>

It should respond with a 403 error for every URL that has macbidouille.com in it.

Any ideas?

Yes.
mod_security is not a standard Apache module. As the site for mod_security (http://www.modsecurity.org/) states: "Community support is available on the mod-security-users/lists.sourceforge.net mailing list. You must subscribe first (by clicking here) in order to post. The list archives are available as News (NNTP), Threaded HTTP, Bloggy HTTP, and RSS."

So I think you will have better chances there.

Apart from that, the above rule
RewriteRule ^[/img=](.+)$ - [F]
actually means:
for URLs starting with any one of the characters /, i, m, g or =,
do the following.
I'm not quite sure that this is what you want.

And apart from that, for your original question, which was that you only want to "forward proxy" to some 100 selected and willing external sites, I suggest that you have a look at this:
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
the section entitled "RewriteMap Directive", and in there the part about a plain-text rewrite map. I am not familiar with it and have not tried it, but I would suggest something like this:

- you have incoming URLs like :
/img=http://somewillinghost.company.com/some/path/some.jpg
- you want to forward-proxy these requests to the given willing site "somewillinghost.company.com", and to 99 other similar willing ones, but not proxy requests to "cia.gov.us" or the whole planet.
- so you want to do a RewriteRule that will do
RewriteRule "^/img=(.+)$" $1 [P,L]
but *only* if the target site is in your list of allowed ones.
Fair enough?

Then you would first create a small text file, for example /etc/apache2/allowed-sites.txt,
containing lines like

somewillinghost.company.com  somewillinghost.company.com
someotherwillinghost.company2.biz someotherwillinghost.company2.biz
athirdhost.stillwilling.org athirdhost.stillwilling.org
etc. (all your willing targets)

then you would put the following directives in your httpd.conf:

RewriteMap willing txt:/etc/apache2/allowed-sites.txt
RewriteRule "^/img=http://([^.]+\.[^.]+\.[^/]+)/(.+)$" "http://${willing:$1|some.bad.host}/$2" [P,L]

(the RewriteRule above is one line).
(some.bad.host is the "default value". If the right allowed host is not found in your rewritemap file, then this hostname will be substituted. That could be another virtual host on your server which always answers "forbidden".)

The idea is:
in the RewriteRule above, the first parenthesised group () matches the hostname of the part after "img=" in the incoming URL, and becomes $1.
The part after the host is $2.
Then with $1 (the hostname), you find a match in the first column of your text rewritemap file. If you find it, the whole expression "${willing:$1|some.bad.host}" is replaced by the content of column 2 (which is the same as column one, or as $1). So this call gets proxied to the requested host. If $1 does not match a line in your rewritemap file, however, then "${willing:$1|some.bad.host}" is replaced by "some.bad.host", which essentially leads nowhere (I have checked).

I have never tried something like the above, but it should be fun.
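As an added example that is not part of the original thread (it is neither the poster's configuration nor anything taken from the mod_rewrite documentation), here is one way to write the allowlisted forward proxy sketched above as a complete Apache 2.2 virtual host. The vhost name, log paths, map file path and the hostnames in the map are placeholders. Two things differ from the sketch: the map is consulted from a RewriteCond, so a host that is not in the list gets a real 403 from a fallback [F] rule rather than being proxied to a "some.bad.host" placeholder, and ProxyRequests stays Off, because the [P] flag hands the request to mod_proxy without needing the server to be a general forward proxy (leaving it On, with the <Proxy *> deny commented out as in the posted config, makes the server an open proxy for anyone who can reach it).

```apache
# Added example, not from the original thread: allowlisted proxying via a
# plain-text RewriteMap (Apache 2.2 syntax). Hypothetical paths and hosts.
#
# /etc/apache2/allowed-sites.txt holds one "key value" pair per line. Only
# the key is looked up below; the value just has to be non-empty, e.g.:
#
#   somewillinghost.company.com        somewillinghost.company.com
#   someotherwillinghost.company2.biz  someotherwillinghost.company2.biz
#   athirdhost.stillwilling.org        athirdhost.stillwilling.org

<VirtualHost *:80>
    ServerName cache-ext
    ErrorLog  logs/cache-ext_error.log
    CustomLog logs/cache-ext_access.log combined

    # Do not run an open forward proxy: a RewriteRule with [P] proxies
    # through mod_proxy even when ProxyRequests is Off, so keep it Off.
    ProxyRequests Off
    ProxyVia On

    RewriteEngine On
    RewriteMap willing txt:/etc/apache2/allowed-sites.txt

    # 1. Capture the target host of /img=http://HOST/PATH as %1.
    #    [^/]+ deliberately keeps any "user@", ":port" or extra label in
    #    the key, so "evil@allowed.example" or "allowed.example:8080" is
    #    simply not found in the map and falls through to the 403 below.
    RewriteCond %{REQUEST_URI} ^/img=http://([^/]+)/
    # 2. Look the host up; the default "NOT-ALLOWED" comes back if absent.
    #    Plain-text maps are case-sensitive: keep the list lowercase, and
    #    a mixed-case request is rejected (fail closed) rather than proxied.
    RewriteCond ${willing:%1|NOT-ALLOWED} !^NOT-ALLOWED$
    # 3. Both conditions hold: hand the absolute URL to mod_proxy.
    RewriteRule ^/img=(http://[^/]+/.*)$ $1 [P,L]

    # Any other /img= request (host not listed, https, malformed URL) is
    # answered here with 403 instead of being proxied anywhere.
    RewriteRule ^/img= - [F]

    # This vhost exists only to proxy; refuse everything else as well.
    RewriteRule ^/ - [F]
</VirtualHost>
```

The query string of the original request is appended to the proxied URL automatically, so an allowed `/img=http://host/path?x=1` still reaches `host` intact. No `<Proxy>` or `<ProxyMatch>` section is needed, since the map lookup is the only gate; note that a `<Proxy *>` with `Deny from all` would also block the requests generated by [P], because `<Proxy>` sections apply to every URL mod_proxy fetches, not only to client-initiated forward-proxy requests. On Apache 2.4 the same rewrite directives work unchanged; only Allow/Deny-style access control elsewhere in the config would need to become `Require` directives.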






---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

