[mod-security-users] (no subject)
From: <mi...@th...> - 2007-10-22 19:04:18
I'm having trouble getting mod_security to work with Subversion through
WebDAV. Subversion works perfectly with mod_security disabled, but with
it, I'm getting a "400: bad request" error from the client. After checking
the logs, I see that mod_security is blocking everything but the most
common request types. Here is one of the errors from the modsec_audit log:

Message: Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\s*(?:\\w{3,7}?\\:\\/\\/[\\w\\-\\.\\/]*)??\\/[\\w\\-\\.\\/~%:@&=+$,;]*(?:\\?[\\S]*)??\\s*http\\/\\d\\.\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"]

I'm quite new to the mod_security software. Is there anyone who has set up
their mod_security to work with Subversion and might be willing to help me
out with what SecRules to include? I've tried adding several SecRules, but
I'm not even sure if I'm putting them in the right place. Here are the
ones that I've tried:

SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow

I've spent many hours searching Google for a solution, so any help at all
would be very greatly appreciated.
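
An added example, not part of the original post: a small script that runs the pattern from the audit-log message for rule 960911 against request lines, to show whether the method or the URI path is what fails the match. The sample request lines are constructed, the `!svn` paths follow mod_dav_svn's URL layout, and lowercasing the line before matching is an assumption about the rule's transformations.

```python
import re

# Pattern copied from the audit-log message above, with the log's doubled
# backslashes collapsed and the e-mail line wrap removed.
RULE_960911 = re.compile(
    r"^[a-z]{3,10}\s*(?:\w{3,7}?\:\/\/[\w\-\.\/]*)??\/[\w\-\.\/~%:@&=+$,;]*"
    r"(?:\?[\S]*)??\s*http\/\d\.\d$"
)
# The character class the pattern permits in the URI path.
PATH_CHARS = re.compile(r"[\w\-\.\/~%:@&=+$,;]")


def check(request_line):
    """Return (matches_rule, path_chars_outside_class) for one request line."""
    line = request_line.lower()  # assumption: the rule lowercases first
    matched = RULE_960911.search(line) is not None
    parts = line.split(" ")
    # Path only: drop the query string, which the pattern handles separately.
    path = parts[1].split("?", 1)[0] if len(parts) == 3 else ""
    bad = sorted({c for c in path if not PATH_CHARS.fullmatch(c)})
    return matched, bad


# Constructed sample request lines (not taken from the poster's logs).
SAMPLES = [
    "GET /svn/repo/trunk/README HTTP/1.1",
    "PROPFIND /svn/repo/trunk HTTP/1.1",
    "PROPFIND /svn/repo/!svn/vcc/default HTTP/1.1",
    "MKACTIVITY /svn/repo/!svn/act/constructed-activity-id HTTP/1.1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, bad = check(sample)
        verdict = "pass" if ok else "BLOCK (960911)"
        detail = "" if not bad else "  chars outside class: " + "".join(bad)
        print(f"{verdict:15} {sample}{detail}")
```

With these samples the WebDAV method names pass the pattern on their own; only the lines whose path contains `!` fail, because `!` is not in the pattern's path character class.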