Ryan Barnett wrote:
> Ivan can speak better on this, however I believe that the problem is
> that Apache does some processing early in the request loop cycle
> before mod_security has a hook to inspect it.
> Take a look here at the Apache request loop -
> http://modperlbook.org/html/ch01_04.html. Then compare this will the
> hooks that mod_security has into Apache. -
> NULL, /* [#8] MIME-typed-dispatched handlers */
> NULL, /* [#1] URI to filename translation */
> NULL, /* [#4] validate user id from request */
> NULL, /* [#5] check if the user is ok _here_ */
> NULL, /* [#3] check access by host address */
> NULL, /* [#6] determine MIME type */
> sec_check_access, /* [#7] pre-run fixups */
> sec_logger, /* [#9] log a transaction */
> NULL, /* [#2] header parser */
> sec_child_init, /* child_init */
> NULL, /* child_exit */
> NULL /* [#0] post read-request */
> Apache runs through steps 0 - 6 before mod_security has a hook to
> perform any actions.
That's correct. For me it was always a matter of choice whether I
want to protect applications, or Apache itself. At the moment
mod_security is configured to protect applications. A further problem
is that, as Apache processes phases 0-6, it creates a lot of
information (which mod_security uses) which would otherwise be
unavailable in hook #0 (for example).
My idea is to split rule processing into two phases. One would happen
in hook #0, and the other #6.
However, as I was making improvements to 1.9 I solved one of the
major obstacles to move mod_security from hook #7 into earlier phase.
I won't bother you with programming details but now it may be possible
to run from hook #0. I don't have time to test it thoroughly but since
there is demand for it, I'll do a couple of test to see if it works,
and if does I will release 1.9dev3 (by the end of week) with a
configuration option to choose the hook to run at.
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org