Re: [mod-security-users] Variable that holds scheme
From: Ehsan M. <ehs...@gm...> - 2022-04-16 05:38:35
Hi Andrew,

About inferring the scheme from the destination port (SERVER_PORT variable), No. There are sites on multiple non-standard ports. And also there are many sites. So it is confusing.

About X-Forwarded-Proto, I've tried that before. Seems that modsecurity acts before proxy_set_header <http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header> and more_set_headers <https://github.com/openresty/headers-more-nginx-module#more_set_headers>. So these heuristics won't do the job for me.

On Fri, Apr 15, 2022 at 8:56 PM Andrew Howe <and...@lo...> wrote:

> Hi Ehsan,
>
> Something that only just occurred to me: can you not infer the scheme
> from the destination port in the audit logs? E.g.:
>
> ---YERQU2yt---A--
> [15/Apr/2022:16:04:31 +0000] 1650038671 172.20.0.1 44940 172.20.0.3 80
>
> An example of a plain text HTTP request (note port 80 at the very end
> of the line).
>
> You could also maybe make use of ModSecurity's SERVER_PORT variable
> and do something with that (see
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#server_port
> ).
>
> It's also fairly common practice for reverse proxies to add the
> request header "X-Forwarded-Proto", set to either "http" or "https",
> when TLS/SSL termination is involved. Maybe you could instruct Nginx
> to add such a header (although I don't know how the order of execution
> works in Nginx: it might add headers _after_ giving the request to
> ModSecurity, so that might not work.)
>
> You could also, if absolutely necessary, put a reverse proxy in front
> of your Nginx instance (maybe even just define an Nginx proxy), and
> have *that* proxy insert an "X-Forwarded-Proto" header which would
> then be passed to your ModSecurity instance. That's probably the
> least-good solution, though.
>
> Thanks,
> Andrew
>
> --
> Andrew Howe
> Loadbalancer.org Ltd.
> www.loadbalancer.org
> +1 888 867 9504 / +44 (0)330 380 1064
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

--
regards
Ehsan Mahdavi
Computer Engineering Ph.D.
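
As an added example (not part of either message and not ModSecurity's own code), the audit-log approach from the quoted reply written out in Python: it reads the header line of each section A and maps the destination port to a scheme through a listener table. The port sets and the second and third log entries are assumptions constructed for illustration; a port missing from the table is reported as unknown rather than guessed.

```python
import re

# Constructed sample in the serial audit-log layout quoted above (section A plus
# a Z end marker per transaction); the second and third entries are made up.
SAMPLE_LOG = """\
---YERQU2yt---A--
[15/Apr/2022:16:04:31 +0000] 1650038671 172.20.0.1 44940 172.20.0.3 80
---YERQU2yt---Z--
---Ab12Cd34---A--
[15/Apr/2022:16:05:02 +0000] 1650038702 172.20.0.1 44952 172.20.0.3 8443
---Ab12Cd34---Z--
---Zz98Yy76---A--
[15/Apr/2022:16:05:09 +0000] 1650038709 172.20.0.1 44960 172.20.0.3 9000
---Zz98Yy76---Z--
"""

# Assumed listener table: fill it from the listen directives of your own Nginx config.
TLS_PORTS = {443, 8443}
PLAIN_PORTS = {80, 8080}

BOUNDARY = re.compile(r"^---(?P<txid>[A-Za-z0-9]+)---(?P<part>[A-Z])--$")
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<uid>\S+) (?P<src>\S+) (?P<sport>\d+) "
    r"(?P<dst>\S+) (?P<dport>\d+)$"
)

def infer_schemes(log_text, tls_ports=TLS_PORTS, plain_ports=PLAIN_PORTS):
    """Return (transaction id, destination port, scheme) for each section A header."""
    results, part, txid = [], None, None
    for line in log_text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            txid, part = m["txid"], m["part"]
            continue
        h = HEADER.match(line.strip()) if part == "A" else None
        if not h:
            continue
        port = int(h["dport"])
        if port in tls_ports:
            scheme = "https"
        elif port in plain_ports:
            scheme = "http"
        else:
            scheme = "unknown"  # port not in the listener table: do not guess
        results.append((txid, port, scheme))
        part = None  # only the first line of section A is the header
    return results

if __name__ == "__main__":
    print(*infer_schemes(SAMPLE_LOG), sep="\n")
```
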