[mod-security-users] Hooking order
From: Marc S. <mar...@ap...> - 2008-12-30 09:44:41
Hello,

I have a question about hooking order, leading to interaction with some modules.

If I look at the code, and compare the hooking orders with some other common modules, I see the following:

1. ap_hook_fixups
- mod_env & mod_setenvif are loaded as APR_HOOK_MIDDLE
- MS is loaded as APR_HOOK_REALLY_FIRST

Does this mean that environment variables we set up with SetEnv/SetEnvIf are only available in phase 2? Shouldn't MS be called after environment modifications, to allow rules depending on environment variables set with SetEnv/SetEnvIf? Could it present a risk to use SetEnv/SetEnvIf with input not yet processed by MS?

2. ap_hook_fixups
- mod_rewrite is loaded as APR_HOOK_REALLY_FIRST, like MS

During phase 1, the order of processing is not specified. Which module will be called first? The last one in the conf file, right? Shouldn't we add mod_rewrite in the known modules list, before or after MS? Same question as above: should MS be called before or after mod_rewrite? Functionality vs. security?

3. ap_register_output_filter_protocol

No order specified between MS & mod_proxy_html (phase 3). Which module will be called first? The last one in the conf file, right? Shouldn't we add mod_proxy_html in the known modules list? I guess that it should be called before MS to allow checking for internal path leakage (which may be modified by mod_proxy_html)?

A description of the order compared to other modules, within phases, would be very interesting. Examples of common modules, like mod_rewrite, mod_env, etc. would help most of the users.

Thanks
Marc