Re: [mod-security-users] Geo Proxy Blocking - I WANT THIS!
From: Ryan B. <RBa...@tr...> - 2011-02-03 16:49:53
From: Sergio <se...@gm...>
Date: Thu, 3 Feb 2011 10:28:56 -0600
To: Ryan Barnett <rba...@tr...>
Cc: Liddy <lid...@gm...>, "mod...@li..." <mod...@li...>
Subject: Re: [mod-security-users] Geo Proxy Blocking - I WANT THIS!

Hi Ryan,
just doing a follow up on this rule, it is blocking private firewalls:

Match of "streq %{tx.geo_x-forwarded-for}" against "GEO:COUNTRY_CODE" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "31"] [id "999997"] [msg "GEO Mismatch of X-Forwarded and Remote-addr Country"] [data "IP Country is: ES and X-Forwarded-For is: CG"]

[03/Feb/2011:08:43:07 --0600] TUq@@66E8RIAAHj9MR4AAAAs 80.38.240.209 43866 xxx.xxx.xxx.xxx 80
--02259232-B--
GET /favicon.ico HTTP/1.0
Host: www.foo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Accept: image/png,*/*;q=0.5
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Via: 1.1 proxy:3128 (squid/2.6.STABLE18)
X-Forwarded-For: 172.17.97.224
Cache-Control: max-age=259200
Connection: keep-alive

But the address information for the X-Forwarded-For IP: 172.17.97.224 is part of a special address block (172.16.0.0/12) that is reserved for private networks. See RFC 1918 <http://tools.ietf.org/html/rfc1918> for more information.

So, to fix this, what do I need to do? Do I just need to modify the line

SecRule REQUEST_HEADERS:X-Forwarded-For "^\b\d{1,3}(?<!192|127|10)\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"

to

SecRule REQUEST_HEADERS:X-Forwarded-For "^\b\d{1,3}(?<!192|127|172|10)\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"

??

Yes, that should do it.

-Ryan
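
Added example, not part of the thread and not ModSecurity project code: a JavaScript check that runs the modified X-Forwarded-For pattern quoted above next to an exact RFC 1918 and loopback range test, to show which addresses the first-octet lookbehind classifies differently from the CIDR blocks. The function names and most sample addresses are constructed for illustration; only the regex, 172.17.97.224 and 80.38.240.209 come from the message.

```javascript
// Pattern copied from the modified SecRule in the message above.
const THREAD_RULE =
  /^\b\d{1,3}(?<!192|127|172|10)\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/;

// RFC 1918 private blocks plus loopback, as [network, prefix length].
const NON_ROUTABLE = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
];

// Dotted quad -> unsigned 32-bit integer, or null if not a valid IPv4 address.
function toInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Exact membership test against the CIDR blocks listed above.
function isNonRoutable(ip) {
  const addr = toInt(ip);
  if (addr === null) return false;
  return NON_ROUTABLE.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(addr / size) === Math.floor(toInt(net) / size);
  });
}

// true means the rule matches, so the GeoIP comparison runs for this value.
function ruleWouldLookup(xff) {
  return THREAD_RULE.test(xff);
}

// Addresses where the regex and the CIDR test disagree about "private".
function disagreements(samples) {
  return samples.filter((ip) => ruleWouldLookup(ip) === isNonRoutable(ip));
}

// Constructed samples, except the two addresses taken from the log above.
const SAMPLES = ["172.17.97.224", "80.38.240.209", "10.1.2.3",
                 "172.32.0.1", "192.1.1.1", "110.1.2.3"];
console.log(disagreements(SAMPLES));
```

The lookbehind only inspects the characters that end the first octet, so it also skips addresses outside 172.16.0.0/12 and 192.168.0.0/16, and any first octet that ends in "10".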