Re: [mod-security-users] Apache 2.2.0 - Mod Security 1.9.1 - Webdav Folder
From: Ann H. <sea...@ha...> - 2005-12-03 17:57:46
Apache 2.2.0 configuration now uses a modular configuration file with includes
and this is the portion at the end of the "http.conf" file - modules are
activated at the beginning of this file.
...
# Distributed authoring and versioning (WebDAV)
Include conf/httpd-dav.conf
# Various default settings
Include conf/httpd-default.conf
# Modsecurity filtering (Specific)
Include conf/httpd-modsecurity.conf
# Handypaws - Directories - Aliases (Specific)
Include conf/httpd-handypaws.conf
# Secure (SSL/TLS) connections
Include conf/httpd-ssl.conf
#
# Note: The following must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Here is the file "httpd-modsecurity.conf"
# Module_Security
# Security module - recommended configuration
<IfModule mod_security.c>
# Turn ModSecurity On
SecFilterEngine On
# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
# SecServerSignature "Microsoft-IIS/5.0"
# Change Security Signature Requires
# ServerSignature On and Server Tokens Full
SecServerSignature "SOMETHING RATHER SILLY"
SecUploadDir /tmp
SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
CustomLog "|/usr/local/apache/bin/rotatelogs /usr/local/apache/logs/modseccustomlog.%Y-%m-%d-%H_%M_%S 5M" \
"%h %l %u %t \"%r\" %>s %b %{mod_security-message}i" \
env=mod_security-relevant
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Kill email relay attempts and log
# example : CONNECT news98.idv.tw:25 HTTP/1.0
SecFilterSelective "SERVER_PORT" 25
</IfModule>
Ivan Ristic wrote:
> Ann Hopkins wrote:
>
>>I moved my webdav folder out of the general root directory structure in apache,
>>and used "SecFilterInheritance Off", but it "Mod_security" still blocks the
>>request. I would appreciate any ideas. Thanks
>
>
> You appear to be doing the right thing. This may be a problem with
> the order in which contexts are inherited in Apache.
>
> Show us the part where you create ModSecurity configuration.
>
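Added example, not part of the original message or of ModSecurity itself: a small Python model of the five SecFilterSelective rules in the posted httpd-modsecurity.conf, showing which chain would deny typical WebDAV requests whenever these rules are still in effect for the WebDAV folder. It assumes a simplified reading of ModSecurity 1.x evaluation (unanchored regex search, a leading "!" negates, every link of a chain must match, a missing header evaluates as an empty string, as the posted Content-Length rule implies); the sample requests are constructed.

```python
import re

# Rules transcribed from the posted httpd-modsecurity.conf.
# Each inner list is one chain of (variable, pattern); a leading "!" negates.
RULES = [
    [("REQUEST_METHOD", "!^(GET|HEAD)$"),
     ("HTTP_Content-Type",
      "!(^application/x-www-form-urlencoded$|^multipart/form-data;)")],
    [("REQUEST_METHOD", "^(GET|HEAD)$"), ("HTTP_Content-Length", "!^$")],
    [("REQUEST_METHOD", "^POST$"), ("HTTP_Content-Length", "^$")],
    [("HTTP_Transfer-Encoding", "!^$")],
    [("SERVER_PORT", "25")],
]

def variable(req, name):
    """Resolve a rule variable; a missing header evaluates as "" (assumption)."""
    if name.startswith("HTTP_"):
        wanted = name[5:].lower()
        for key, value in req.get("headers", {}).items():
            if key.lower() == wanted:
                return value
        return ""
    return str(req.get(name, ""))

def matches(req, var, pattern):
    """True when one rule link matches, honouring the leading "!" negation."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    hit = re.search(regex, variable(req, var)) is not None
    return hit != negate

def first_denying_chain(req):
    """Return the first chain whose every link matches, or None if allowed."""
    for chain in RULES:
        if all(matches(req, var, pat) for var, pat in chain):
            return chain
    return None

# Constructed sample requests (not taken from the thread).
PROPFIND = {"REQUEST_METHOD": "PROPFIND", "SERVER_PORT": 80,
            "headers": {"Content-Type": "text/xml", "Content-Length": "120"}}
OPTIONS = {"REQUEST_METHOD": "OPTIONS", "SERVER_PORT": 80, "headers": {}}
FORM_POST = {"REQUEST_METHOD": "POST", "SERVER_PORT": 80,
             "headers": {"Content-Type": "application/x-www-form-urlencoded",
                         "Content-Length": "12"}}

if __name__ == "__main__":
    for label, req in (("PROPFIND", PROPFIND), ("OPTIONS", OPTIONS), ("POST", FORM_POST)):
        print(label, "->", first_denying_chain(req) or "allowed")
```

In this model both WebDAV requests are denied by the first chain (the Content-Type allow-list for non-GET/HEAD methods), while the ordinary form POST passes all five rules.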