Re: [mod-security-users] phase 1 rules and vhost decision
From: Achim <web...@si...> - 2013-11-26 09:48:42
Are you talking about http or https?

On 25.11.2013 12:51, Thomas Eckert wrote:
> Any ideas on this?
>
> On Wed, Nov 20, 2013 at 10:21 AM, Thomas Eckert <tho...@gm...> wrote:
>
>> Trying to figure this out, hopefully someone can point me in the right direction.
>>
>> Apache 2.4.3
>> mod_security 2.7.3
>> owasp crs 2.2.7
>>
>> I'm seeing 'phase:1' rules - e.g. owasp crs proto violations - being applied to incoming client traffic before apache's core decides which vhost to send that traffic to. Given the fact those rules are actually included in a vhost, this does not make sense to me. There are no rule definitions/includes anywhere but in the vhosts.
>>
>> Looking at the code the phase:1 rules seem to be performed on Apache's post_request hook, which means the before mentioned rules are really applied before apache decides on which vhost to use.
>>
>> Easy to reproduce: use two vhosts, one with proto violations from owasp crs enabled and one vhost without any mod_security rules. Connect to the second, do 'GET ..' and see the proto violations rules kick in.
>>
>> In another module, I need to be able to do some vhost-based logic *before* the rules kick in. That logic needs the vhost information to work and that's simply not possible on the post_request hook.
>>
>> How is 'phase:1' supposed to work in regards to vhosts? Is the above described behaviour 'as-wanted' and if so why?