Re: [mod-security-users] My variable seems to never expire...

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

@Ervin Thanks. These rules seems to work:

#
# Rate-limiting rules identified by PHPSESSIONID on /api requests
#
# Variables:
# SESSION:API_REQ_COUNTER       counter of API requests
# TX:API_REQ_COUNTER_MAX        max number of API requests which can pass
in %{tx.api_req_counter_timeout} seconds
# TX:API_REQ_COUNTER_TIMEOUT    period in seconds a blocked PHP session id
will be blocked on API requests
#
# As a precondition for these rules, please set the following 2 variables:
#  - TX:API_REQ_COUNTER_MAX
#  - TX:API_REQ_COUNTER_TIMEOUT
#

# Define TX:API_REQ_COUNTER_MAX and TX_REQ_COUNTER_TIMEOUT
SecAction \
    "id:1,\
    phase:1,\
    nolog,\
    pass,\
    t:none,\
    setvar:tx.api_req_counter_timeout=60,\
    setvar:tx.api_req_counter_max=100"

#
# Define SESSION
#
SecRule REQUEST_COOKIES:PHPSESSID "!^$" \
    "id:2,\
    phase:1,\
    pass,\
    nolog,\
    setsid:%{REQUEST_COOKIES.PHPSESSID}"

###################################################
# TEMPORARY WORKAROUND FOR not working `expirevar`
###################################################
# Expire variables
SecRule &SESSION:API_REQ_COUNTER__EXPIRE_TIMESTAMP "@eq 1" \
  "id:3,\
  phase:1,\
  pass,\
  t:none,\
  nolog,\
  chain"
    SecRule SESSION:API_REQ_COUNTER__EXPIRE_TIMESTAMP "@lt %{TIME_EPOCH}" \
    "setvar:'!session.api_req_counter',\
    setvar:'!session.api_req_counter__expire_timestamp'"
###################################################
###################################################

#
# If it's an API request:
#   1. Identify API requests
#   2. update counter
#   3. if session:api_req_counter__expire_timestamp is not define, define it
#
SecRule REQUEST_URI "@beginsWith /api/" \
    "id:4,\
    phase:1,\
    pass,\
    nolog,\
    setvar:'tx.is_api_req=1',\
    setvar:'session.api_req_counter=+1',\
    expirevar:'session.api_req_counter=%{tx.api_req_counter_timeout}',\
    chain"
      SecRule &SESSION:API_REQ_COUNTER__EXPIRE_TIMESTAMP "@eq 0" \

"setvar:'session.api_req_counter__expire_timestamp=%{TIME_EPOCH}',\

setvar:'session.api_req_counter__expire_timestamp=+%{tx.api_req_counter_timeout}'"

#
# If max counter is reached AND it's an API request, deny it
#
SecRule SESSION:API_REQ_COUNTER "@gt %{tx.api_req_counter_max}" \
    "id:5,\
    deny,\
    status:429,\
    log,\
    msg:'RATELIMITED',\
    chain"
    SecRule TX:IS_API_REQ "@eq 1"

Le mar. 15 sept. 2020 à 23:18, Ervin Hegedüs <ai...@gm...> a écrit :

> Hi Mikaël,
>
> On Tue, Sep 15, 2020 at 10:49:55PM +0200, Mikaël Pirio wrote:
> > Hi Ervin,
> >
> > Thank you very much. I suspected it but I wanted to have confirmation 😢
> ...
>
> sorry for bad news..
>
> > Do you know if there is a way to emulate this behavior?
>
> try to check this hack:
>
>
> https://github.com/SpiderLabs/ModSecurity/issues/1803#issuecomment-474884652
>
> but the other user wrote that it didn't worked for him (I also
> didn't checked the details...)
>
>
> https://github.com/SpiderLabs/ModSecurity/issues/1803#issuecomment-661514169
>
>
>
> a.
>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>