Re: [mod-security-users] modsecurity on http-https redirect on apache

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

This should not be the case at all. I am running at least 15 sites with
nginx as reverse proxy and apache as virtual host and all that works
perfectly fine.
However I am offloading my https traffic on my nginx server and then
inspecting it only then clean traffic is sent to my backend apache server.

Though I am stil on PL1 and figuring out how the rule chain works and
understanding lot other concepts
like Anomaly mode
PL levels
Phase

etc...

On Thu, Mar 18, 2021 at 4:48 PM logo <lo...@kr...> wrote:

> Hi Franz,
>
> Am 18.03.2021 um 09:07 schrieb Christian Folini <
> chr...@ne...>:
>
> Hey Franz,
>
> ModSec works in multiple phases and the redirect is relatively early. In
> fact Mod_rewrite works in two phases IIRC and here it is faster than
> ModSec.
> The rule in question runs in phase 2 and that's relatively late.
>
> You have 3 options:
> - Forget about it. I mean who cares since the attack can not affect you due
>  to the redirect anyways.
> - Implement the redirect in ModSecurity in ModSec phase 2 after the Core
> Rule
>  Set include. (-> custom rule)
> - Move the Redirect into the VH or potentially into the container if that
>  is possible (have not done this in years). That might force apache to
>  execute it later and ModSec comes first. But you need to test this.
>
> Best,
>
> Christian
>
> On Thu, Mar 18, 2021 at 08:54:18AM +0100, Franz Angeli wrote:
>
> Hi,
>
> Sorry but i'm new on modsecurity, i've installed a Debian apache
> server with modsecurity with no custom rules for testing/learning.
>
> If i try to use:
>
> curl https://www.example.test/index.html?exec=/bin/bash
>
>
> is this to https or http?
>
> all working fine with:
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>403 Forbidden</title>
> </head><body>
> <h1>Forbidden</h1>
> <p>You don't have permission to access this resource.</p>
> </body></html>
>
> and on modsecurity log:
>
> Message: Warning. Matched phrase "bin/bash" at ARGS:exec. [file
> "/etc/modsecurity/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"]
> [line "518"] [id "932160"] [msg "Remote Command Execution: Unix Shell
> Code Found"] [data "Matched
>
>
>
>
> on the same server i've configured a simple http to https redirection
> Redirect / https://www.example.test/
>
> with redirect the same test fail:
>
> redirects acts before modsecurity? How can i solve this?
>
>
> if I understood you correctly, the request is also not blocked when you
> arrive in the site after the redirect (on https?) ?
>
> If that is the case, are you enabling Modsecurity globally or only in one
> VirtualHost? In latter case, you have to also set SecRuleEngine On in the
> https virtualHost (or even add the whole config there).
>
> HTH
>
> Peter
>
>
> Thanks in advance
>
> Franz
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>