Thanks for sharing Paul. I think that it is valuable for Mod users to
share this type of information to how others are handling things.
Two questions -
1) Do you only have 1 vhost? If so, they you don't really need a Vhost
:) If you have more than 1, how are your other Vhost configured?
2) How are you handling exceptions and custom rules? Are you applying
them directly to the Vhosts or handling them within their own custom
If you have custom rule files that will apply to all Vhosts, then you
can call them up like this -
SecRule RESPONSE_STATUS "!^(?:30|\d\d)$"
If you have individual custom rules that only apply the current Vhost,
then you should probably handle it just as your are with the 1st SecRule
that you have. This way, the rule is tied to the Vhost container.
Ryan C. Barnett
ModSecurity Community Manager
Breach Security: Director of Training
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
> -----Original Message-----
> From: Paul Greenwood [mailto:Paul.Greenwood@...]
> Sent: Thursday, August 23, 2007 4:13 PM
> To: Ryan Barnett; yoann.juet@...; mod-security-
> Subject: RE: [mod-security-users] Custom ruleset per vhost
> I set mine up like this:
> In the httpd.conf:
> <IfModule security2_module>
> Include conf/modsecurity_crs_10_config.conf
> In the httpd-vhosts.conf
> <Virtual x.x.x.x:80>
> <IfModule security2_module>
> SecRule RESPONSE_STATUS "!^(?:30|\d\d)$"
> Include conf/modsecurity_crs_20_protocol_violations.conf
> Include conf/modsecurity_crs_21_protocol_anomalies.conf
> Include conf/modsecurity_crs_30_http_policy.conf
> Include conf/modsecurity_crs_35_bad_robots.conf
> Include conf/modsecurity_crs_40_generic_attacks.conf
> Include conf/modsecurity_crs_45_trojans.conf
> Include conf/modsecurity_crs_50_outbound.conf
> Include conf/modsecurity_crs_55_marketing.conf
> I don't know if this is the right way to do it but it has been working
> for a month now for my wiki and ecommerce site.
> -----Original Message-----
> From: mod-security-users-bounces@...
> [mailto:mod-security-users-bounces@...] On Behalf Of
> Ryan Barnett
> Sent: Thursday, August 23, 2007 2:11 PM
> To: yoann.juet@...;
> Subject: Re: [mod-security-users] Custom ruleset per vhost
> Here are some general guidelines. You may need to adjust these
> depending on how you are using Vhosts.
> 1) Load the ModSecurity DSO in the main httpd.conf file
> 2) Enable Mod rules in the main httpd.conf file to handle requests
> Host header does not match a Vhost. Most often, people call up the
> Rules using a wild-card Include like this -
> Include conf/rules/*.conf
> This will activate all Core Rule files that end with ".conf". Also
> in mind that when using the wild-card, the names of the files become
> important from a rule ordering perspective. The impact to Vhosts of
> activating these rules in the main section of the httpd.conf file is
> that you then probably use "SecRuleInheritance Off" to disable them
> later in the Vhost configs so that you start with a clean slate. Any
> SecRules configured in the main config could impact all Vhosts.
> 3) Use Includes in the main httpd.conf file to call up the individual
> Vhost file(s). For example, in Apache 2.2.4 -
> # Virtual hosts
> Include conf/extra/httpd-vhosts.conf
> 4) In the Vhost file(s) - place all relevant Mod rules in each Vhost
> container. Again, make sure to use SecRuleInheritance Off at the
> beginning of the Vhost to clear out any inherited configs.
> 5) Within the Vhost container, you can then handle custom rules BEFORE
> and AFTER the Core Rules by either specifying the individual rules or
> using more Includes.
> Hope this helps.
> Ryan C. Barnett
> ModSecurity Community Manager
> Breach Security: Director of Training
> Web Application Security Consortium (WASC) Member
> CIS Apache Benchmark Project Lead
> SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
> Author: Preventing Web Attacks with Apache
> > -----Original Message-----
> > From: mod-security-users-bounces@... [mailto:mod-
> > security-users-bounces@...] On Behalf Of Yoann
> > Sent: Thursday, August 23, 2007 9:50 AM
> > To: mod-security-users@...
> > Subject: [mod-security-users] Custom ruleset per vhost
> > Hi all,
> > Can you please tell me what is the best practice for defining custom
> > rulesets per vhost. I'm planning to create a MS2 subdirectory per
> > with the following files :
> > - modsecurity_crs_15_customrules.conf (custom rules)
> > - modsecurity_crs_60_customrules.conf (custom rules)
> > - symlink to modsecurity_crs_20-55_* files from the core ruleset
> > and then add an Include directive inside each apache's vhost
> > configuration file.
> > Does that make sense ? Is there a better approach ?
> > Thanks, --Yoann
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems? Stop.
> Now Search log events and configuration files using AJAX and a
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> mod-security-users mailing list
> Email Policy
> The information in this email, including any attachments, is
> confidential to the intended recipient and may be legally privileged.
> If you are not the intended recipient of this message you may not
> copy, distribute, disclose or rely on the information contained in it
> nor use it's contents in any way. Please contact the sender
> immediately and delete this message, together with any attachments,
> from your system. The unauthorized use, dissemination, distribution
> or reproduction of this e-mail, including attachments is prohibited
> and may be unlawful.
> We do not accept any liability or responsibility for changes made to
> this e-mail after it was sent, or viruses transmitted through this
> e-mail or any attachment. You should take full responsibility for
> virus checking.