httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] mod_security
Date Wed, 06 May 2009 19:09:04 GMT
Julien Gerhards wrote:
> Hi,
> 
> I try to use mod_security but it doesn t filter anything !
> My vhostconf :
> 
> <VirtualHost *:80>
>     ServerSignature Off
>     ServerName cache-ext
>     ErrorLog logs/cache-ext_error.log
>     CustomLog logs/cache-ext_access.log combined
>    <IfModule mod_proxy.c>
>       <LocationMatch "^[^/]">
>          Deny from all
>       </LocationMatch>
>       <IfModule mod_rewrite.c>
>          RewriteEngine On
> #        RewriteCond %{REQUEST_URI} ^/img=(.+)$
>          RewriteRule ^/img=(.+)$ $1 [L,P]
>          RewriteLog /var/log/RewriteLog.log
>          RewriteRule ^[/img=](.+)$ - [F]
>          </IfModule>
>       AllowEncodedSlashes on
>       ProxyRequests On
>       ProxyVia On
>       <IfModule mod_disk_cache.c>
>          CacheEnable disk /
>          CacheRoot "/var/cache/mod_proxy"
>       </IfModule>
>       <IfModule mod_mem_cache.c>
>          CacheEnable mem /
>          MCacheMaxObjectSize 1024000
>          MCacheSize 102400
>       </IfModule>
>       <proxy *>
>     #     deny from all
>       </proxy>
>       <proxymatch ^/img=(.+)$>
>          allow from all
>      </proxymatch>
>      <IfModule mod_security.c>
>         SecFilterEngine On
>         SecFilterDefaultAction "deny,log,status:403"
>         SecFilterDebugLevel 9
>         SecFilterSelective  macbidouille.com
>         SecAuditLog logs/audit_log
>      </IfModule>
> </IfModule>
> </VirtualHost>
> 
> It should respond me an 403 error for every URL with a macbidouille.com in the URL.
> 
> Any ideas?
> 
Yes.
mod_security is not a standard Apache module.  As the site for 
mod_security (http://www.modsecurity.org/) states :
Community support is available on the 
mod-security-users/lists.sourceforge.net mailing list. You must 
subscribe first (by clicking here) in order to post. The list archives 
are available as News (NNTP), Threaded HTTP, Bloggy HTTP, and RSS.

So I think you will have more chances there.

Apart from that, the above rule
RewriteRule ^[/img=](.+)$ - [F]
actually means :
for URLs starting with either one of the characters /,i,m,g or =,..
do the following..
I'm not quite sure that this is what you want.

And apart from that, for your original question which was that you only 
want to "forward proxy" to some 100 selected and willing external sites, 
I suggest that you have a look at this
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html
the section entitled "RewriteMap Directive", and in there the part about 
a plain text rewrite map.
I am not familiar with it, and have not tried it, but I would suggest 
something like this :

- you have incoming URLs like :
/img=http://somewillinghost.company.com/some/path/some.jpg
- you want to forward-proxy these requests to the given willing site 
"somewillinghost.company.com", and to 99 other similar willing ones, but 
not proxy requests to "cia.gov.us" or the whole planet.
- so you want to do a RewriteRule that will do
RewriteRule "^/img=(.+)$" $1 [P,L]
but *only* if the target site in your list of allowed ones.
Fair enough ?

Then you would first create a small text file, for example 
/etc/apache2/allowed-sites.txt
containing lines like

somewillinghost.company.com  somewillinghost.company.com
someotherwillinghost.company2.biz someotherwillinghost.company2.biz
athirdhost.stillwilling.org athirdhost.stillwilling.org
etc... (all your willing targets)

then you would put the following directives in your httpd.conf :

RewriteMap willing /etc/apache2/allowed-sites.txt
RewriteRule "^/img=http://([^.]+\.[^.]+\.[^/]+)/(.+)$ 
http://${willing:$1 | some.bad.host}/$2 [P,L]

(the RewriteRule above is one line).
(some.bad.host is the "default value". If the right allowed host is not 
found in your rewritemap file, then this hostname will be substituted.
That could be another virtual host on your server which always answers 
"forbidden".

The idea is :
in the RewriteRule above, the first parenthesised group () matches the 
hostname of the part after "img=" in the incoming URL, and becomes $1.
The part after the host is $2.
Then with $1 (the hostname), you find a match in the first column of 
your text rewritemap file. If you find it, the whole expression 
"${willing:$1 | some.bad.host}" is replaced by the content of column 2 
(which is the same as column one, or as $1). So this call gets proxied 
to the requested host.
If $1 does not match a line in your rewritemap file however, then 
"${willing:$1 | some.bad.host}" is replaced by "some.bad.host", which 
essentially leads nowhere (I have checked).

I have never tried something like the above, but it should be fun.






---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message