Re: [mod-security-users] using mod_security2: a. with proxy requests and b. instead of mod_rewrite
From: Stock, S. <ste...@td...> - 2011-05-23 12:37:13
Hi Josh,

thanks for your reply. Thanks to Chris I figured that out already :-)

I tried

    http://sonbisapp1vt:6260/%{REQUEST_URI}/%{QUERY_STRING}

But that was rewritten to

    /PathTo/Controller%3FInterface=test/%3FInterface=test

So I already tried what you suggested here, which brought me one step closer.
However, the "?" is still not handled right (it's interpreted as "%3F" for some reason).

I expect to get a rewrite to http://sonbisapp1vt:6260/PathTo/Controller?Interface=test.
This is what I really get:

---snipp---
message /PathTo/Controller%3FHTTPInterface=test
description The requested resource (/PathTo/Controller%3FHTTPInterface=test) is not available
---snipp---

@Chris: I have tried both single and double quotes, e.g. proxy:'http://xxx' and "proxy:http://"
Both lead to the same result, e.g. "?" is not handled right (or the way I expect it to be handled).

This is sort of driving me nuts. Any ideas?

Thanks and regards,
Stefan

Stefan Stock
Principal, SO-SAP-Operations-3

TDS INFORMATIONSTECHNOLOGIE AG
Konrad-Zuse-Straße 16, 74172 Neckarsulm
Tel. +49 7132 366-1435
Fax. +49 7132 366-2435
vor...@td...
www.tds.fujitsu.com

HRB 106645, Stuttgart Local Court, registered office: Neckarsulm
Executive Board: Dr. Heiner Diefenbach
Chairman of the Supervisory Board: Benno Zollner

-----Original Message-----
From: Josh Amishav-Zlatin [mailto:ja...@gm...]
Sent: Monday, 23 May 2011 13:51
To: Stock, Stefan
Cc: Christian Bockermann; mod...@li...
Subject: Re: [mod-security-users] using mod_security2: a. with proxy requests and b. instead of mod_rewrite

On Mon, May 23, 2011 at 2:26 PM, Stock, Stefan <ste...@td...> wrote:
> So, here is what I did:
> NOTE: in the actual config I put actual numbers where the Xes are
> #Internal requests are forwarded to an internal server. Destination URL needs to be the same as source URL
> SecRule REQUEST_URI "/PathTo/Controller" chain,proxy:http://sonbisapp1vt:6260/$REQUEST_URI$ARGS
> SecRule "ARGS:HTTPInterface" "webedi"

Hi Stefan,

Try using %{REQUEST_URI} instead, e.g.:

SecRule REQUEST_URI "/PathTo/Controller" chain,proxy:http://sonbisapp1vt:6260/%{REQUEST_URI}

--
 - Josh

>
> Here is my problem:
> How do I write the "proxy:" directive to forward my request?
> In mod_rewrite I would write:
> http://sonbisapp1vt:6260/$1.
> This way source URL = destination URL.
>
> However, mod_security literally rewrites the source to " http://sonbisapp1vt:6260/$REQUEST_URI$ARGS", which of course doesn't work.
> What would I replace "$REQUEST_URI$ARGS" with?
> How do I use variables?
>
> I do not actually want to use the ProxyPassReverse directive, since not all URLs are to be rewritten 1:1.
>
> I hope I made it clearer this time.
> Thanks again.
> Regards,
> Stefan
>
> Stefan Stock
>
> -----Original Message-----
> From: Christian Bockermann [mailto:ch...@jw...]
> Sent: Monday, 23 May 2011 11:18
> To: Stock, Stefan
> Cc: mod...@li...
> Subject: Re: [mod-security-users] using mod_security2: a. with proxy requests and b. instead of mod_rewrite
>
> Hi Stefan,
>
> maybe it's just missing quotes. Can you try with
>
> SecRule ARGS:Interface test "phase:1,proxy:'http://internalserver:port/directory/Controller?Interface=test'"
>
> I'm not 100% sure what you're trying to achieve, but if it is just that you
> want to "exclude" certain URLs from being proxied to your internal server, then
> the ProxyPass directive gives a fine solution for you:
>
> # Enable the proxy engine, do not rewrite the original Host:-header
> #
> ProxyRequests On
> ProxyPreserveHost On
>
> # prevent the /do-not-proxy/* stuff from being proxied to the internal server,
> # but instead serve this from *this* local Apache
> #
> ProxyPass /do-not-proxy !
>
> # The default reverse-proxying of the complete / namespace to the internal server
> #
> ProxyPass / http://internalserver:port/
> ProxyPassReverse / http://internalserver:port/
>
>
> Mixing ModSecurity & mod_rewrite
> --------------------------------
>
> Another way, you might want to consider ModSecurity for "marking" requests is
> using environment variables and use the rewrite-engine to do the translation.
> This might result in a somewhat "cleaner" configuration (untested):
>
> ###
> ### Mark requests and specify their target-URL with ModSecurity
> ###
> #
> # Set URL for Interface=test URLs
> #
> SecRule ARGS:Interface test "phase:1,setenv:target_url='/my-special-target/test',pass"
>
>
> ###
> ### Do the request-proxying with mod_rewrite
> ###
> #
> RewriteEngine On
>
> # if a target URL is available, then use that for proxying
> #
> RewriteCond %{ENV:TARGET_URL} !^$
> RewriteRule (.*) http://internalserver:port/%{ENV:TARGET_URL} [P,L]
>
> # otherwise do the default-rewrite/proxying
> #
> RewriteRule ^/(.*) http://internalserver:port/$1 [P,L]
>
>
> Regards,
>
> Chris
>
>
> On 23.05.2011 at 10:26, Stock, Stefan wrote:
>
>> Hi all,
>>
>> I am running mod_security 2.5.
>>
>> I am trying to forward certain requests via reverse proxy.
>>
>> How do I do this in mod_security?
>>
>> Example: http://URL/directory/Controller?Interface=test is supposed to be forwarded to
>>
>> http://internalserver:port/directory/Controller?Interface=test
>>
>> my entry in security.conf
>>
>> SecRule "ARGS:Interface" "test" proxy: http://internalserver:port/directory/Controller?Interface=test
>>
>> That doesn't work, however. My guess is that the "?" is interpreted wrong.
>>
>> How do I escape that?
>>
>> Also, how can I work with variables here?
>>
>> Certain URLs should be rewritten 1:1.
>>
>> Example:
>>
>> Mod_rewrite looks something like this:
>>
>> RewriteCond %{QUERY_STRING} ^.*$
>>
>> RewriteRule ^/(.*)$ http://internalserver:port/$1 [P,L]
>>
>> How do I apply that to mod_security2??
>>
>> Any help would be much appreciated.
>>
>> Stefan Stock
>>
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
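
An added example, not part of the thread and not any poster's own configuration: one way to get the 1:1 forwarding asked about above, with ModSecurity only marking the request and mod_rewrite doing the proxying, so the query string never becomes part of the proxied path. It assumes mod_rewrite, mod_proxy and mod_proxy_http are loaded and that the directives sit in server or virtual-host context; the rule id and the variable name `proxy_internal` are made up, the host, port and path are the ones quoted in the thread.

```apache
# Added example. Host, port and path are the ones quoted in the thread;
# the rule id 900100 and the variable name proxy_internal are hypothetical.

# Reverse proxying needs no forward proxy. ProxyRequests On would let clients
# relay requests to arbitrary hosts through this server.
ProxyRequests Off
ProxyPreserveHost On

SecRuleEngine On

# REQUEST_URI contains the query string (/PathTo/Controller?HTTPInterface=webedi),
# so match the path with REQUEST_FILENAME and the parameter with ARGS_GET.
# Phase 1 runs before mod_rewrite maps the URL; setenv sits on the last rule
# of the chain, so it only fires when both conditions matched.
SecRule REQUEST_FILENAME "@beginsWith /PathTo/Controller" \
    "phase:1,id:900100,t:none,nolog,pass,chain"
    SecRule ARGS_GET:HTTPInterface "@streq webedi" \
        "t:none,setenv:proxy_internal=1"

RewriteEngine On

# Proxy only marked requests. $1 is the URL path without the query string;
# the original query string is passed through unchanged because the
# substitution contains no "?".
RewriteCond %{ENV:proxy_internal} =1
RewriteRule ^/(.*)$ http://sonbisapp1vt:6260/$1 [P,L]

# Map Location headers in backend redirects back to this host.
ProxyPassReverse / http://sonbisapp1vt:6260/
```

Requests that do not match the chain are left alone and served locally, so further marker variables can be added for the URLs that should not be rewritten 1:1.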