Re: [mod-security-users] mod_security status 200
From: <xx...@im...> - 2005-11-04 14:30:37
One addition: when I call the custom 404 error page directly from my browser, I'm getting a 200 OK code... The debug log says "Access denied with code 200. Pattern match "<my pattern>" at OUTPUT"

- - - - - - - - - - - - - - - - - - - - -

I can see the custom 404 error page, but the SecFilterSelective doesn't work (the SecFilterSelective looks for text in the custom 404 page). The debug log says "Filtering off for a subrequest"

Ivan Ristic <iv...@we...>
04/11/2005 14:49

To: Peter VE <xx...@im...>
cc: mod_security mailinglist <mod...@li...>, rcb...@gm...
Subject: Re: [mod-security-users] mod_security status 200

Peter VE wrote:
> Ok, I forgot to turn on SecFilterScanOutput
>
> SecFilterScanOutput On
> SecFilterSelective OUTPUT "was not found on this server." status:200
>
> After enabling ScanOutput, I'm seeing "scan_pre: adding the output
> filter to the filter list" in the log... but it still doesn't work
>
> any ideas ?

Actually, the output filter is not triggered for Apache-produced pages. (I'll have to look into that to figure out exactly why.) So the above only works for "normal" pages.

But there is another way. Do this:

  ErrorDocument 404 /error404.php

And then have the script explicitly respond with code 200 in addition to outputting a human-readable message.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org