Re: [mod-security-users] using mod_security2: a. with proxy requests and b. instead of mod_rewrite
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] using mod_security2: a. with proxy requests and b. instead of mod_rewrite
|
From: Stock, S. <ste...@td...> - 2011-05-23 12:37:13
|
Hi Josh,
thanks for your reply.
Thanks to Chris I figured that out already :-)
I tried http://sonbisapp1vt:6260/%{REQUEST_URI}/%{QUERY_STRING}
But that was rewritten to /PathTo/Controller%3FInterface=test/%3FInterface=test
So I already tried what you suggested here, which brought me one step closer.
However, the "?" is still not handled right (it's interpreted as "%3F" for some reason).
I expect to get a rewrite to http://sonbisapp1vt:6260/PathTo/Controller?Interface=test.
This is what I really get:
---snipp---
message /PathTo/Controller%3FHTTPInterface=test
description The requested resource (/PathTo/Controller%3FHTTPInterface=test) is not available
---snipp---
@Chris: I have tried both single and double quotes, eg proxy:'http://xxx' and "proxy:http://"
Both lead to the same result, eg "?" is not handled right (or the way I expect it to be handled).
This is sort of driving me nuts.
Any ideas?
Thanks and regards,
Stefan
Stefan Stock
Principal, SO-SAP-Operations-3
TDS INFORMATIONSTECHNOLOGIE AG
Konrad-Zuse-Straße 16, 74172 Neckarsulm
Tel. +49 7132 366-1435
Fax. +49 7132 366-2435
vor...@td...
www.tds.fujitsu.com
HRB 106645, Amtsgericht Stuttgart, Sitz der Gesellschaft: Neckarsulm
Vorstand: Dr. Heiner Diefenbach
Vorsitzender des Aufsichtsrats: Benno Zollner
-----Ursprüngliche Nachricht-----
Von: Josh Amishav-Zlatin [mailto:ja...@gm...]
Gesendet: Montag, 23. Mai 2011 13:51
An: Stock, Stefan
Cc: Christian Bockermann; mod...@li...
Betreff: Re: [mod-security-users] using mod_security2: a. with proxy requests and b. instead of mod_rewrite
On Mon, May 23, 2011 at 2:26 PM, Stock, Stefan
<ste...@td...> wrote:
> So, here is what I did:
> NOTE: in the actual config I put actual numbers where the Xes are
> #Internal requests are forwarded to an internal server. Destination URL needs to be the same as source URL
> SecRule REQUEST_URI "/PathTo/Controller" chain,proxy:http://sonbisapp1vt:6260/$REQUEST_URI$ARGS
> SecRule "ARGS:HTTPInterface" "webedi"
Hi Stefan,
Try using %{REQUEST_URI} instead, e.g.:
SecRule REQUEST_URI "/PathTo/Controller"
chain,proxy:http://sonbisapp1vt:6260/%{REQUEST_URI}
--
- Josh
>
>
> Her is my problem:
> How do I write the "proxy:" directive to forward my request?
> In mod_rewrite I would write:
> http://sonbisapp1vt:6260/$1.
> This way source URL = destination URL.
>
>
> However, mod_security literally rewrites the source to " http://sonbisapp1vt:6260/$REQUEST_URI$ARGS", which of course doesn't work.
> What would I replace "$REQUEST_URI$ARGS" with?
> How do I use variables?
>
> I do not actually want to use the PassProxyReverse directive, since not all URLs are to be rewritten 1:1.
>
> I hope I made it clearer this time.
> Thanks again.
> Regards,
> Stefan
>
> Stefan Stock
> Principal, SO-SAP-Operations-3
>
> TDS INFORMATIONSTECHNOLOGIE AG
> Konrad-Zuse-Straße 16, 74172 Neckarsulm
> Tel. +49 7132 366-1435
> Fax. +49 7132 366-2435
> vor...@td...
> www.tds.fujitsu.com
>
> HRB 106645, Amtsgericht Stuttgart, Sitz der Gesellschaft: Neckarsulm
> Vorstand: Dr. Heiner Diefenbach
> Vorsitzender des Aufsichtsrats: Benno Zollner
>
>
> -----Ursprüngliche Nachricht-----
> Von: Christian Bockermann [mailto:ch...@jw...]
> Gesendet: Montag, 23. Mai 2011 11:18
> An: Stock, Stefan
> Cc: mod...@li...
> Betreff: Re: [mod-security-users] using mod_security2: a. with proxy requests and b. instead of mod_rewrite
>
> Hi Stefan,
>
> maybe it's just missing quotes. Can you try with
>
> SecRule ARGS:Interface test "phase:1,proxy:'http://internalserver:port/directory/Controller?Interface=test'"
>
> I'm not 100% sure what you're trying to achieve, but if it is just that you
> want to "exclude" certain URLs from being proxied to your internal server, then
> the ProxyPass directive gives a fine solution for you:
>
>
> # Enable the proxy engine, do not rewrite the original Host:-header
> #
> ProxyRequests On
> ProxyPreserveHost On
>
> # prevent the /do-not-proxy/* stuff from being proxied to the internal server,
> # but instead serve this from *this* local Apache
> #
> ProxyPass /do-not-proxy !
>
> # The default reverse-proxying of the complete / namespace to the internal server
> #
> ProxyPass / http://internalserver:port/
> ProxyPassReverse / http://internalserver:port/
>
>
>
>
> Mixing ModSecurity & mod_rewrite
> --------------------------------
>
> Another way, you might want to consider ModSecurity for "marking" requests is
> using environment variables and use the rewrite-engine to do the translation.
> This might result in a somewhat "cleaner" configuration (untested):
>
> ###
> ### Mark requests and specify their target-URL with ModSecurity
> ###
> #
> # Set URL for Interface=test URLs
> #
> SecRule ARGS:Interface test "phase:1,setenv:target_url='/my-special-target/test',pass"
>
>
> ###
> ### Do the request-proxying with mod_rewrite
> ###
> #
> RewriteEngine On
>
> # if a target URL is available, then use that for proxying
> #
> RewriteCond %{ENV:TARGET_URL} !^$
> RewriteRule (.*) http://internalserver:port/%{ENV:TARGET_URL} [P,L]
>
> # otherwise do the default-rewrite/proxying
> #
> RewriteRule ^/(.*) http://internalserver:port/$1 [P,L]
>
>
>
>
> Regards,
>
> Chris
>
>
> Am 23.05.2011 um 10:26 schrieb Stock, Stefan:
>
>> Hi all,
>>
>>
>>
>> I am running mod_security 2.5.
>>
>> I am trying to forward certain requests via reverse proxy.
>>
>> How do I do this in mod_security?
>>
>>
>>
>> Example: http://URL/directory/Controller?Interface=test is supposed to be forwarded to
>>
>> http://internalserver:port/directory/Controller?Interface=test
>>
>>
>>
>> my entry in security.conf
>>
>>
>>
>> SecRule "ARGS:Interface" "test" proxy: http://internalserver:port/directory/Controller?Interface=test
>>
>>
>>
>> That doesn't work, however. My guess ist hat the "?" is interpreted wrong.
>>
>> How do I escape that?
>>
>>
>>
>> Also, how I can I work with variables here?
>>
>> Certain URLs should be rewritten 1:1.
>>
>>
>>
>> Example:
>>
>> Mod_rewrite looks something like this:
>>
>> RewriteCond %{QUERY_STRING} ^.*$
>>
>> RewriteRule ^/(.*)$ http://internalserver:port/$1 [P,L]
>>
>>
>>
>> How do I apply that to mod_security2??
>>
>>
>>
>> Any help would be much appreciated.
>>
>>
>>
>> Stefan Stock
>> Principal, SO-SAP-Operations-3
>>
>>
>> TDS INFORMATIONSTECHNOLOGIE AG
>> Konrad-Zuse-Straße 16, 74172 Neckarsulm
>> Tel. +49 7132 366-1435
>> Fax. +49 7132 366-2435
>> vor...@td...
>> www.tds.fujitsu.com
>>
>>
>> HRB 106645, Amtsgericht Stuttgart, Sitz der Gesellschaft: Neckarsulm
>> Vorstand: Dr. Heiner Diefenbach
>> Vorsitzender des Aufsichtsrats: Benno Zollner
>>
>>
>>
>> ------------------------------------------------------------------------------
>> What Every C/C++ and Fortran developer Should Know!
>> Read this article and learn how Intel has extended the reach of its
>> next-generation tools to help Windows* and Linux* C/C++ and Fortran
>> developers boost performance applications - including clusters.
>> http://p.sf.net/sfu/intel-dev2devmay_______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> ModSecurity Services from Trustwave's SpiderLabs:
>> https://www.trustwave.com/spiderLabs.php
>
> ------------------------------------------------------------------------------
> What Every C/C++ and Fortran developer Should Know!
> Read this article and learn how Intel has extended the reach of its
> next-generation tools to help Windows* and Linux* C/C++ and Fortran
> developers boost performance applications - including clusters.
> http://p.sf.net/sfu/intel-dev2devmay
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>
|