[mod-security-users] Could this conf run correctly?
From: PERA, C. (S. TRANSICIEL) <chr...@ai...> - 2006-02-24 18:16:37
Hi,
I am trying to implement basic rules as follows:
--> in httpd.conf:
### < Security > ###
# Turn ModSecurity On
SecFilterEngine On
# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"
# Some sane defaults
SecFilterScanPOST Off
SecFilterCheckURLEncoding On
# for UTF8 encoding
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 1 151
# Server masking is optional
SecServerSignature " "
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
#Deny all unwanted characters
SecFilterSelective REQUEST_URI "'" deny
SecFilterSelective REQUEST_URI "//" deny
SecFilterSelective REQUEST_URI "/\*" deny
SecFilterSelective REQUEST_URI "\./" deny
SecFilterSelective REQUEST_URI "/\." deny
SecFilterSelective REQUEST_URI "<" deny
SecFilterSelective REQUEST_URI ">" deny
### < /Security > ###
--> In the mapping file:
RewriteRule ^/web1(.*) http://server1:8001/web1$1 [NC,P,L]
<LocationMatch "/(web1|WEB1)">
SecFilterSelective REQUEST_URI "//" allow
SecFilterSelective REQUEST_URI "/\*" allow
SecFilterSelective REQUEST_URI "'" allow
SecFilterSelective REQUEST_URI "/\." allow
</LocationMatch>
RewriteRule ^/web2(.*) http://server1:8002/web1$1 [NC,P,L]
<LocationMatch "/(web2|WEB2)">
SecFilterSelective REQUEST_URI "<" allow
SecFilterSelective REQUEST_URI ">" allow
SecFilterSelective REQUEST_URI "\./'" allow
</LocationMatch>
--> Problem: the single quote is never allowed on web1 access, and sometimes I have problems accessing with /*.
I have seen the list of metacharacters: $.[|()?* + { \ ^ - []
But the single quote is not listed.
What can I do?
Thanks for your help.
Best regards and have a good weekend.
Christophe
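Added example (my own, not part of Christophe's post and not ModSecurity code): a small Python model of the question above. It transcribes the poster's deny rules from httpd.conf and the allow rules from the two Location blocks, and evaluates a URI against them with first-match-wins semantics. The assumption under test, stated in the code, is that a Location inherits the global rules in front of its own, so the global "'" deny fires before the location's "'" allow is ever reached; flipping the order shows the allow taking effect. It also shows that the single quote needs no escaping (it is not a regex metacharacter, so the metacharacter list is not the problem) and that the combined pattern "\./'" in the web2 block only matches the three characters together, not "./" on its own. The sample URIs are constructed.

```python
import re

# Constructed rule tables transcribing the poster's config: (regex, action).
# GLOBAL_RULES mirrors httpd.conf; WEB1_RULES and WEB2_RULES mirror the two
# Location blocks in the mapping file.
GLOBAL_RULES = [
    ("'", "deny"), ("//", "deny"), (r"/\*", "deny"), (r"\./", "deny"),
    (r"/\.", "deny"), ("<", "deny"), (">", "deny"),
]
WEB1_RULES = [("//", "allow"), (r"/\*", "allow"), ("'", "allow"), (r"/\.", "allow")]
WEB2_RULES = [("<", "allow"), (">", "allow"), (r"\./'", "allow")]


def evaluate(uri, rules):
    """Assumption (a model, not verified against the ModSecurity source):
    rules are checked in order and the first regex that matches decides.
    Returns (decision, pattern), or ("pass", None) when nothing matches."""
    for pattern, action in rules:
        if re.search(pattern, uri):
            return ("pass" if action == "allow" else "deny", pattern)
    return ("pass", None)


def location_rules(uri):
    """Pick the location table the way the poster's Location regexes would."""
    if re.search(r"/(web1|WEB1)", uri):
        return WEB1_RULES
    if re.search(r"/(web2|WEB2)", uri):
        return WEB2_RULES
    return []


def check(uri, inherited_first=True):
    """Evaluate a URI with the inherited global rules placed either before
    the location's own rules (the assumed default) or after them."""
    own = location_rules(uri)
    order = GLOBAL_RULES + own if inherited_first else own + GLOBAL_RULES
    return evaluate(uri, order)


def quote_needs_escaping():
    """The single quote is not a regex metacharacter: "'" already matches it
    literally, so escaping is not why the allow rule has no effect."""
    return re.escape("'") != "'"


if __name__ == "__main__":
    # Constructed sample URIs exercising each of the poster's patterns.
    for uri in ["/web1/it's", "/web1/a/*b", "/web2/x./y", "/web2/x./'y"]:
        print(uri, "inherited first:", check(uri),
              "| own rules first:", check(uri, inherited_first=False))
    print("quote needs escaping:", quote_needs_escaping())
```

With the global rules first, "/web1/it's" is denied by the global "'" rule before the web1 allow is consulted; with the location's rules first it passes. "/web2/x./y" is denied either way, because "\./'" never matches a bare "./": that block needs separate "\./" and "'" allow rules if both were intended.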