Re: [mod-security-users] Redirect question
Brought to you by:
victorhora,
zimmerletw
From: Ryan B. <Ryan.Barnett@Breach.com> - 2007-03-21 14:18:25
|
> -----Original Message----- > From: mod...@li... [mailto:mod- > sec...@li...] On Behalf Of Michael > Reynolds > Sent: Tuesday, March 20, 2007 8:42 PM > To: mod...@li... > Subject: Re: [mod-security-users] Redirect question >=20 > Ryan Barnett wrote: > <snip> > > 2) Specify the exact transformation functions you want to apply to the > > rule - > <snip> >=20 > This bit did the trick perfectly, though I had to prepend t:none. [Ryan Barnett] Excellent. >=20 > I'll just use this thread for my next question, as it's relatively > similar... Is it possible to create a request header as an action with > the new mod_security? I ask because some things, such as sbox for > instance, are very touchy about what variables get passed onto the > scripting systems. I'd like to add a header such as 'X-Using-TOR: Yes' > so that clients can easily and efficiently detect TOR for things such as > ecommerce. If it's not currently possible with mod_security, is it even > possible at all with the apache module system, and if so, how do I > properly suggest such a feature for addition to mod_security? >=20 [Ryan Barnett] ModSecurity does not currently alter the actual/raw requests or responses. It makes copies of the data into memory where all of the handling takes place. It will initiate "disruptive" actions on the requests (such as deny, redirect, proxy, etc...) but it will not alter data and then still send it on its way. Some manipulation type functions are in discussions right now with the Breach R&D team so look for some advancements in the future (such as URL/Cookie encryption and signing, etc...). Now, back to your scenario - while ModSecurity can not directly handle adding headers, it can help other Apache Modules in this process. Here is what I suggest - 1) Modify your previous rulset to use ModSecurity to identify TOR clients and then add an Environment Variable. Add the "setenv" action - SecRule REQUEST_URI "!^(/favicon.ico|/skins/|/raw/|/images/|/wiki/tor_banned$)" "t:none,log,msg:'TOR Exit Node',setenv:tor_client,chain" SecRule REMOTE_ADDR "@rbl tor.ahbl.org" 2) Use the Apache RequestHeader directive to add an additional client request header if the ENV variable is set by ModSecurity. This is useful when proxying clients to back-end apps. RequestHeader set X-Using-TOR "YES" env=3Dtor_client This should set (I didn't get a chance to test this fully in a proxy env) the additional request header when you proxy the request to the backend. > PS: I'm quite amazed how fast I got a response. Most corporate backed > open source products you get no response from the company, just the > community. Brownie points and all that. Thanks. >=20 [Ryan Barnett] We try our best :) Sometimes we are fast and sometimes it takes a bit longer but we always try to answer all questions. --=20 Ryan C. Barnett ModSecurity Community Manager Breach Security: Director of Application Security Training Web Application Security Consortium (WASC) Member Author: Preventing Web Attacks with Apache =20 -------------- Web Security Threat Report Webinar on May 9, 2007 (12 pm EST) Learn More About the Breach Webinar Series: http://www.breach.com/webinars.asp -------------- |