I thought that mod_security is a front-end to web server applications, I mean that all client requests pass through mod_security and if itīs not blocked then mod_security pass to apache (or other web server application as iis or nginx) except response headers, in that case, mod_security gets web application server response and scan response headers, so mod_security acts as a door between client requests and server response scannning in both directions before pass http/s traffic:

In vhosts directives, I have never seen mod_security customized rules except to module disabling but I could be wrong and someone write specific rules for a specific virtual host.

In servers I manage, I only have general rules applied to all virtual hosts except disabled ones.

Some weeks ago a client triggered mod_security rules because of content management systems method and http version. I ask him to change get to post and use latest http version (1.2). If you are right, I should be able to develop own rules for that virtual hosts to allow get method and http 1.1 version.

Kind regards,

2013/11/25 Thomas Eckert <thomas.r.w.eckert@gmail.com>
Anyone ideas on this ?

On Wed, Nov 20, 2013 at 10:21 AM, Thomas Eckert <thomas.r.w.eckert@gmail.com> wrote:
Trying to figure this out, hopefully someone can point me in the right direction.

Apache 2.4.3
mod_security 2.7.3
owasp crs 2.2.7

I'm seeing 'phase:1' rules - e.g. owasp crs proto violations - being applied to incoming client traffic before apache's core decides which vhost to send that traffic to. Given the fact those rules are actually included in a vhost, this does not make sense to me. There are no rule definitions/includes anywhere but in the vhosts.

Looking at the code the phase:1 rules seem to be performed on Apache's post_request hook, which means the before mentioned rules are really applied before apache decides on which vhost to use.

Easy to reproduce: use two vhosts, one with proto violations from owasp crs enabled and one vhost without any mod_security rules. Connect to the second, do 'GET ..' and see the proto violations rules kick in.

In another module, I need to be able to do some vhost-based logic *before* the rules kick in. That logic needs the vhost information to work and that's simply not possible on the post_request hook.

How is 'phase:1' supposed to work in regards to vhosts ? Is the above described behaviour 'as-wanted' and if so why ?

Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing
conversations that shape the rapidly evolving mobile landscape. Sign up now.
mod-security-users mailing list
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: