I use mod_security to add a layer of security for my web servers. All
servers are configured with at least SecChrootDir; production edge servers
make use of the OWASP rule sets.
We are developing new applications with the Google API for PHP and running into
problems with this library running under our development servers, which only
make use of the SecChrootDir function of mod_security. We even
have SecRuleEngine Off to see if that makes a difference.
The particular part of the Google API library that we can't get to work
when mod_security SecChrootDir is enabled is the certificate verification
process. During this process the PHP process needs to open a certificate
file that is located outside the webroot. We get a vague access denied
and/or file not found error for the cert file. The permissions of the
cert file (a public cert chain file) are set so that any user on the system can
read and execute the file. The PHP function is using curl to access
the file.
We have verified that SELinux, PHP safe_mode, and PHP open_basedir are not
restricting access to the file.
Two solutions could be:
I suspect that I could put the public cert file in a web-accessible
location, but then I'd need to modify the Google API code,
or link from a webroot location to the true location, but I prefer not to
enable links for the webserver.
The version of mod_security is mod_security-2.7.3-3, Apache 2.2.
Any thoughts or advice? Configuration changes?
Thanks
Derek