You can also do redirects with ModSecurity instead of deny. Just change the action settings and redirect them to your friendly blocked page.
Ryan C. Barnett
----- Original Message -----
From: mod-security-users-bounces@... <mod-security-users-bounces@...>
To: mod-security-users@... <mod-security-users@...>
Sent: Sat May 03 09:26:02 2008
Subject: [mod-security-users] Newbie Question - ModSec + SquidGuard
Firstly let me say that, having just installed ModSecurity I am *very*
impressed with it. Thank you to all the devs for such a great product.
I am not a sysadmin, I just have a simple, largely static, website with
a few bits of dynamic content (e.g. a squirrelmail webmail package serving
up my family's mail from behind an AuthUserFile password protected area).
I protect my children from undesirable web content by using a squid
proxy server + squidGuard filter.
Prior to installing ModSecurity this worked just fine, redirecting to a
page informing them that the site is blocked.
Now they just get a 400 Bad Request which can be confusing.
I think that ModSecurity is blocking access to the squidGuard.cgi app
which serves up the squidGuard blocking page, but I think ModSecurity is
blocking because it's come via a numeric IP. (see extract from
Access denied with code 400 (phase 2). Pattern match "^[\\d\\.]+$" at
REQUEST_HEADERS:Host. [id "960017"] [msg "Host header is a numeric IP
address"] [severity "CRITICAL"]
This causes problems because my internal network relies heavily on
numerical IP addresses.
Commenting out the above rule in
modsecurity_crs_21_protocol_anomalies.conf allows it all to work
properly again but I am not sure this is the best way to solve the
Should I create a local rule? If so how? (I might need some
Thanks in advance for any help.
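
A local override file covering both the question (a local rule instead of editing modsecurity_crs_21_protocol_anomalies.conf) and the reply (redirect instead of deny), as an added example that is not part of the original thread. The file name, the CGI path and the host blocked.example.lan are assumptions, and option 2 assumes a ModSecurity 2.x release that provides SecRuleUpdateActionById.

```apache
# Added example, not from the thread. Keep local changes out of the Core Rules
# files so they survive a rule-set upgrade, and load this file AFTER the
# Core Rules: both directives below only affect rules that are already loaded.
# Hypothetical layout:
#   Include conf/modsecurity_crs/*.conf
#   Include conf/modsecurity_local_overrides.conf

# Option 1: exempt only the squidGuard block-page CGI from rule 960017.
# Commenting the rule out in the Core Rules file disables it for the whole
# site; this keeps it active everywhere else.
# The path is an assumed install location for squidGuard.cgi.
<LocationMatch "^/cgi-bin/squidGuard\.cgi$">
    SecRuleRemoveById 960017
</LocationMatch>

# Option 2: keep 960017 active but answer with a redirect to a friendly
# page instead of the 400 response.
# blocked.example.lan is a placeholder. The target must be requested by
# host name (or be exempted as in option 1); a target addressed by numeric
# IP would match 960017 again and redirect in a loop.
SecRuleUpdateActionById 960017 "redirect:http://blocked.example.lan/blocked.html"
```

Use one option or the other for a given URL; after reloading Apache, the audit log entry for id 960017 should either disappear for the CGI (option 1) or show a redirect in place of the 400 (option 2).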