Re: [mod-security-users] using mod_security2: a. with proxy requests and b. instead of mod_rewrite
From: Stock, S. <ste...@td...> - 2011-05-23 11:26:27
Hi Chris,

I think it wasn't clear from the way I described my issue what I am trying to accomplish.

An internal application requests the following URL:
http://webserver:80/PathTo/Controller?Interface=test

This request is forwarded to another internal server to the same URL:
http://internalserver:internalport/PathTo/Controller?Interface=test

Only machines within our network may request that URL. Certain requests need to be rewritten internally to a different path.

So, here is what I did:
NOTE: in the actual config I put actual numbers where the Xes are

    #Allow access to http://webserver:80/PathTo/Controller?Interface=test from within network only
    SecRule "REMOTE_ADDR" "!^x.x.x.x*$" "chain,redirect:/errordocs/404custom.html"
    SecRule "ARGS:Interface" "test"

    #Internal requests are forwarded to an internal server. Destination URL needs to be the same as source URL
    SecRule REQUEST_URI "/PathTo/Controller" chain,proxy:http://sonbisapp1vt:6260/$REQUEST_URI$ARGS
    SecRule "ARGS:HTTPInterface" "webedi"

Here is my problem: How do I write the "proxy:" directive to forward my request?
In mod_rewrite I would write: http://sonbisapp1vt:6260/$1. This way source URL = destination URL.
However, mod_security literally rewrites the source to "http://sonbisapp1vt:6260/$REQUEST_URI$ARGS", which of course doesn't work.
What would I replace "$REQUEST_URI$ARGS" with? How do I use variables?

I do not actually want to use the PassProxyReverse directive, since not all URLs are to be rewritten 1:1.

I hope I made it clearer this time. Thanks again.

Regards,
Stefan

Stefan Stock
Principal, SO-SAP-Operations-3

TDS INFORMATIONSTECHNOLOGIE AG
Konrad-Zuse-Straße 16, 74172 Neckarsulm
Tel. +49 7132 366-1435
Fax. +49 7132 366-2435
vor...@td...
www.tds.fujitsu.com

HRB 106645, Stuttgart District Court, registered office: Neckarsulm
Management Board: Dr. Heiner Diefenbach
Chairman of the Supervisory Board: Benno Zollner

-----Original Message-----
From: Christian Bockermann [mailto:ch...@jw...]
Sent: Monday, 23 May 2011 11:18
To: Stock, Stefan
Cc: mod...@li...
Subject: Re: [mod-security-users] using mod_security2: a. with proxy requests and b. instead of mod_rewrite

Hi Stefan,

maybe it's just missing quotes. Can you try with

    SecRule ARGS:Interface test "phase:1,proxy:'http://internalserver:port/directory/Controller?Interface=test'"

I'm not 100% sure what you're trying to achieve, but if it is just that you want to "exclude" certain URLs from being proxied to your internal server, then the ProxyPass directive gives a fine solution for you:

    # Reverse proxy only: keep forward proxying off (ProxyRequests Off),
    # do not rewrite the original Host:-header
    #
    ProxyRequests Off
    ProxyPreserveHost On

    # prevent the /do-not-proxy/* stuff from being proxied to the internal server,
    # but instead serve this from *this* local Apache
    #
    ProxyPass /do-not-proxy !

    # The default reverse-proxying of the complete / namespace to the internal server
    #
    ProxyPass / http://internalserver:port/
    ProxyPassReverse / http://internalserver:port/

Mixing ModSecurity & mod_rewrite
--------------------------------

Another way you might want to consider is using ModSecurity for "marking" requests with environment variables and using the rewrite engine to do the translation. This might result in a somewhat "cleaner" configuration (untested):

    ###
    ### Mark requests and specify their target-URL with ModSecurity
    ###
    #
    # Set URL for Interface=test URLs
    #
    SecRule ARGS:Interface test "phase:1,setenv:target_url='/my-special-target/test',pass"

    ###
    ### Do the request-proxying with mod_rewrite
    ###
    #
    RewriteEngine On

    # if a target URL is available, then use that for proxying
    #
    RewriteCond %{ENV:TARGET_URL} !^$
    RewriteRule (.*) http://internalserver:port/%{ENV:TARGET_URL} [P,L]

    # otherwise do the default-rewrite/proxying
    #
    RewriteRule ^/(.*) http://internalserver:port/$1 [P,L]

Regards,
Chris

On 23.05.2011 at 10:26, Stock, Stefan wrote:

> Hi all,
>
> I am running mod_security 2.5.
> I am trying to forward certain requests via reverse proxy.
> How do I do this in mod_security?
>
> Example: http://URL/directory/Controller?Interface=test is supposed to be forwarded to
> http://internalserver:port/directory/Controller?Interface=test
>
> my entry in security.conf
>
>     SecRule "ARGS:Interface" "test" proxy: http://internalserver:port/directory/Controller?Interface=test
>
> That doesn't work, however. My guess is that the "?" is interpreted wrong.
> How do I escape that?
>
> Also, how can I work with variables here?
> Certain URLs should be rewritten 1:1.
>
> Example:
> Mod_rewrite looks something like this:
>
>     RewriteCond %{QUERY_STRING} ^.*$
>     RewriteRule ^/(.*)$ http://internalserver:port/$1 [P,L]
>
> How do I apply that to mod_security2??
>
> Any help would be much appreciated.
>
> Stefan Stock
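A small check for the ProxyPass fragment in the reply above, added here as an example and not part of the thread: mod_proxy evaluates ProxyPass rules in configuration order and the first match wins, so an exclusion (`!`) placed after a broader mapping never applies, and `ProxyRequests On` additionally enables forward proxying. The function names, the sample config and port 8080 are constructed for illustration.

```python
# Constructed sample: the thread's reverse-proxy fragment with the exclusion
# deliberately moved below the catch-all mapping and ProxyRequests left On.
SAMPLE_CONF = """\
ProxyRequests On
ProxyPreserveHost On
ProxyPass / http://internalserver:8080/
ProxyPass /do-not-proxy !
ProxyPassReverse / http://internalserver:8080/
"""


def covers(prefix, path):
    """Approximate mod_proxy's segment-aware prefix match of a ProxyPass path."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")


def audit_proxy_conf(text):
    """Return (line_no, message) findings for a server-level config fragment."""
    findings = []
    mappings = []  # (line_no, path) of ProxyPass mappings seen so far
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments start the line
            continue
        parts = line.split()
        name = parts[0].lower()  # directive names are case-insensitive
        if name == "proxyrequests" and len(parts) > 1 and parts[1].lower() == "on":
            findings.append((no, "ProxyRequests On enables forward proxying; "
                                 "a reverse proxy only needs ProxyPass"))
        elif name == "proxypass" and len(parts) >= 3:
            path, target = parts[1], parts[2]
            if target != "!":
                mappings.append((no, path))
                continue
            # An exclusion only takes effect if no earlier mapping matches first.
            for m_no, m_path in mappings:
                if covers(m_path, path):
                    findings.append((no, f"exclusion {path} is shadowed by "
                                         f"ProxyPass {m_path} on line {m_no}"))
                    break
    return findings


if __name__ == "__main__":
    for line_no, message in audit_proxy_conf(SAMPLE_CONF):
        print(f"line {line_no}: {message}")
```
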