Re: [mod-security-users] SecFilterSelective OUTPUT problem
Brought to you by:
victorhora,
zimmerletw
From: E R <e3...@gm...> - 2006-03-30 20:33:11
|
No, I'm not using virtual hosts. It appears that the mod_security side is catching the output, throwing the 404 error, but not using the custom server-level ErrorDocument directive. This only happens when requesting non-existing content served from the app server. Requesting non-existent html pages works properly. Ivan: Is there a combination of Apache/ModSecurity that you know will work for this problem? -Eric On 3/30/06, Ryan Barnett <rcb...@gm...> wrote: > > Are you using virtual hosts? If you have defined virtual hosts, then you > need to specify both the proxy rules and errordocument directives within = the > same virtual host conatainer. > > I have implemented a similar mod_security mechanism to catch failed > authentications for internal Oracle web apps. I have mod_security inspec= t > the OUTPUT html returned by the proxied app server and look for the Oracl= e > Error message. If it sees this, it will trigger a 401 status code and th= en > use the CGI script that I specified in the ErorrDocument. > > <LocationMatch "/application1/login.do"> > SecFilterSelective OUTPUT "ORA-01017\: invalid username\/password\; > logon denied" status:401 > </LocationMatch> > > This works fine for me, however I had to specify all of this within the > SSL/443 virtual host container. > > -- > Ryan C. Barnett > Web Application Security Consortium (WASC) Member > CIS Apache Benchmark Project Lead > SANS Instructor: Securing Apache > GCIA, GCFA, GCIH, GSNA, GCUX, GSEC > Author: Preventing Web Attacks with Apache > > > On 3/30/06, Eric <e3...@gm...> wrote: > > > > Hi, > > > > I am currently using apache as a proxy for serving content from a > > backend > > application server. I am using modsecurity to send requests for > > non-existent > > pages to a custom 404 page. The command that I am using is > > SecFilterSelective > > OUTPUT "..." "log,status:404" with the 404 as a custom page I define > > with > > ErrorDocument 404 /404/error/page. And it seems to be catching the rul= e > > fine. > > > > The problem that I am having is what Error Page is returned. When the > content > is comming from apache the Custom error page is returned, but when the > content > is coming from the app server the default 404 message is displayed. In > both > cases the SecFilter rule is catching the "..." correctly, but its just no= t > displaying the custom 404 page. > > Any ideas why the custom page is not being displayed? > > Thanks. > > -Eric > > > > > > ------------------------------------------------------- > This SF.Net email is sponsored by xPML, a groundbreaking scripting > language > that extends applications into web and mobile media. Attend the live > webcast > and join the prime developer group breaking into this new coding > territory! > http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D110944&bid=3D241720&dat= =3D121642 > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > > |