Re: [mod-security-users] phase 1 rules and vhost decision
From: Thomas E. <tho...@gm...> - 2013-11-25 11:51:42
Any ideas on this?

On Wed, Nov 20, 2013 at 10:21 AM, Thomas Eckert <tho...@gm...> wrote:

> Trying to figure this out, hopefully someone can point me in the right
> direction.
>
> Apache 2.4.3
> mod_security 2.7.3
> owasp crs 2.2.7
>
> I'm seeing 'phase:1' rules - e.g. owasp crs proto violations - being
> applied to incoming client traffic before apache's core decides which vhost
> to send that traffic to. Given the fact those rules are actually included
> in a vhost, this does not make sense to me. There are no rule
> definitions/includes anywhere but in the vhosts.
>
> Looking at the code the phase:1 rules seem to be performed on Apache's
> post_request hook, which means the before mentioned rules are really
> applied before apache decides on which vhost to use.
>
> Easy to reproduce: use two vhosts, one with proto violations from owasp
> crs enabled and one vhost without any mod_security rules. Connect to the
> second, do 'GET ..' and see the proto violations rules kick in.
>
> In another module, I need to be able to do some vhost-based logic *before*
> the rules kick in. That logic needs the vhost information to work and
> that's simply not possible on the post_request hook.
>
> How is 'phase:1' supposed to work in regards to vhosts? Is the above
> described behaviour 'as-wanted' and if so why?