Thread: [mod-security-users] Variable that holds scheme
|
From: Ehsan M. <ehs...@gm...> - 2022-04-12 11:13:59
|
Hi folks
This question might look basic, but I could not find the variable that
holds or contains the (http|https) scheme.
Any ideas?
P.S. Using libmodsecurity + nginx
--
regards
Ehsan Mahdavi
|
|
From: <877...@qq...> - 2022-04-13 01:05:38
|
I once tried to find the scheme, but did not find it.
|
|
From: Andrew H. <and...@lo...> - 2022-04-13 11:05:07
|
Hi Ehsan,
> This question might look basic, but I could not find the variable that holds or contains the (http|https) scheme.
Where are you trying to pull the scheme from? The scheme isn't
typically* transmitted in an HTTP request.
A URL will usually be broken up into an HTTP request line and a Host
header, which usually looks something like:
GET /docs/ HTTP/2
Host: coreruleset.org
No scheme/protocol.
What are you trying to achieve? Are you trying to answer the question
"did this request come in as plain text HTTP or has TLS termination
been performed", and then treat the two cases differently?
Thanks,
Andrew
*You may find request lines containing a full 'absolute URI' which
includes the scheme, for example with a proxy server.
--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
|
|
From: Ervin H. <ai...@gm...> - 2022-04-13 11:19:18
|
Hi there,
On Wed, Apr 13, 2022 at 12:04:39PM +0100, Andrew Howe wrote:
> What are you trying to achieve? Are you trying to answer the question
> "did this request come in as plain text HTTP or has TLS termination
> been performed", and then treat the two cases differently?
maybe (the official poster) should try the ENV variable:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#ENV
See the example:
# Reading an environment variable from other Apache module (mod_ssl)
SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,id:16,msg:'%{env.ssl_cipher}'"
and the comment below:
Note : Use setenv to set environment variables to be accessed by Apache.
As far as I know, ENV works in libmodsecurity too, but I have no idea
how it can be set through Nginx (if that is the server).
a.
|
|
From: Ehsan M. <ehs...@gm...> - 2022-04-14 08:11:10
|
Hi ervin,
The env.ssl_cipher or sth like that sounds good, if it works in Nginx.
I'll try that and get back to you.
--
regards
Ehsan Mahdavi
Computer Engineering Ph.D.
|
|
From: Arlen W. <pu...@ar...> - 2022-04-15 18:29:51
|
Just a couple of thoughts:
You could try looking for the request header for HSTS (Strict-Transport-Security). Won’t catch all browsers, but if you use it on your server it’ll catch most of them. (And why wouldn’t you use it?)
Doesn’t REQUEST_URI_RAW work for this? I thought it gave the full URI as a text string.
Have fun,
Arlen
|
|
From: Ervin H. <ai...@gm...> - 2022-04-15 18:54:16
|
Hi there,
On Fri, Apr 15, 2022 at 12:51:56PM -0500, Arlen Walker wrote:
> Just a couple of thoughts:
>
> You could try looking for the request header for HSTS (Strict-Transport-Security). Won’t catch all browsers, but if you use it on your server it’ll catch most of them. (And why wouldn’t you use it?)
>
> Doesn’t REQUEST_URI_RAW work for this? I thought it gave the full URI as a text string.
Arlen is right, REQUEST_URI_RAW seems to contain the scheme too:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#REQUEST_URI_RAW
a.
|
|
From: Ehsan M. <ehs...@gm...> - 2022-04-16 05:44:17
|
Hi Arlen,
the HSTS is not always there (even while using https). Forcing it will impose restrictions on the problem. Using it means forcing https, which might not always be desirable.
The REQUEST_URI_RAW, as I've mentioned in previous emails, doesn't do the job. I've tried that and it's not guaranteed to always contain http(s).
--
regards
Ehsan Mahdavi
Computer Engineering Ph.D.
|
|
From: Ehsan M. <ehs...@gm...> - 2022-04-14 08:07:49
|
Hi Andrew
Yes, I am trying to answer the question, but not to treat them differently. I just need to log the scheme in the Modsecurity Audit log.
I have tried different variables like REQUEST_URI <https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#REQUEST_URI>, REQUEST_URI_RAW <https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#REQUEST_URI_RAW> etc.; none of them contain the scheme!
--
regards
Ehsan Mahdavi
Computer Engineering Ph.D.
CEO at aspaco.org
http://emahdavi.ece.iut.ac.ir/
|
|
From: <877...@qq...> - 2022-04-15 01:01:42
|
Seems https://github.com/SpiderLabs/ModSecurity-nginx does not copy the scheme from nginx to modsecurity,
so mod cannot get it.
|
|
From: <877...@qq...> - 2022-04-15 01:54:18
Attachments:
8AC518FB@5F566529.31D05862.png.jpg
|
Seems the scheme can be obtained from ngx_http_request_s->schema
|
|
From: Ehsan M. <ehs...@gm...> - 2022-04-15 13:12:30
Attachments:
8AC518FB@5F566529.31D05862.png.jpg
|
Dear huiming, hi
Do you think that there is a variable in the config or do you suggest editing the source code?
--
regards
Ehsan Mahdavi
Computer Engineering Ph.D.
|
|
From: Andrew H. <and...@lo...> - 2022-04-15 16:24:30
|
Hi Ehsan,
Something that only just occurred to me: can you not infer the scheme
from the destination port in the audit logs? E.g.:
---YERQU2yt---A--
[15/Apr/2022:16:04:31 +0000] 1650038671 172.20.0.1 44940 172.20.0.3 80
An example of a plain text HTTP request (note port 80 at the very end
of the line).
You could also maybe make use of ModSecurity's SERVER_PORT variable
and do something with that (see
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#server_port).
It's also fairly common practice for reverse proxies to add the
request header "X-Forwarded-Proto", set to either "http" or "https",
when TLS/SSL termination is involved. Maybe you could instruct Nginx
to add such a header (although I don't know how the order of execution
works in Nginx: it might add headers _after_ giving the request to
ModSecurity, so that might not work.)
You could also, if absolutely necessary, put a reverse proxy in front
of your Nginx instance (maybe even just define an Nginx proxy), and
have *that* proxy insert an "X-Forwarded-Proto" header which would
then be passed to your ModSecurity instance. That's probably the
least-good solution, though.
Thanks,
Andrew
--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
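
Added example (not part of the thread, and not code from any poster or from the ModSecurity project): one way to apply the destination-port idea above offline, by parsing section A of the audit log and mapping each listener to a scheme from an explicit per-deployment table, so a port that is not in the table comes out as "unknown" instead of being guessed. The LISTENERS table, the function names and all sample entries except the first section A (the one quoted above) are constructed assumptions.

```python
import re
from typing import Dict, Iterator, List, NamedTuple, Optional, Tuple

# Part boundary, e.g. "---YERQU2yt---A--", and the section A header line:
# [timestamp] unique_id src_ip src_port dst_ip dst_port
BOUNDARY = re.compile(r"^---(?P<id>[A-Za-z0-9]+)---(?P<part>[A-Z])--$")
HEADER = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<uid>\S+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\d+)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\d+)$"
)


class Entry(NamedTuple):
    timestamp: str
    unique_id: str
    dst_ip: str
    dst_port: int


# (dst_ip, or None for "any address", dst_port) -> scheme
Listeners = Dict[Tuple[Optional[str], int], str]


def parse_section_a(log_text: str) -> Iterator[Entry]:
    """Yield one Entry per section A header found in a serial audit log."""
    expect_header = False
    for raw in log_text.splitlines():
        line = raw.strip()
        boundary = BOUNDARY.match(line)
        if boundary:
            expect_header = boundary["part"] == "A"
            continue
        if expect_header:
            header = HEADER.match(line)
            if header:
                yield Entry(header["ts"], header["uid"],
                            header["dst_ip"], int(header["dst_port"]))
            expect_header = False  # only the line right after A is the header


def infer_scheme(entry: Entry, listeners: Listeners) -> str:
    """Look up (ip, port) first, then (None, port); never guess."""
    for key in ((entry.dst_ip, entry.dst_port), (None, entry.dst_port)):
        if key in listeners:
            return listeners[key]
    return "unknown"


def schemes(log_text: str, listeners: Listeners) -> List[Tuple[str, int, str]]:
    """Return (unique_id, dst_port, scheme) for every entry in the log."""
    return [(e.unique_id, e.dst_port, infer_scheme(e, listeners))
            for e in parse_section_a(log_text)]


# Constructed listener table: it has to mirror the listen directives of the
# deployment; it is an assumption, not something ModSecurity provides.
LISTENERS: Listeners = {
    (None, 80): "http",
    (None, 443): "https",
    ("172.20.0.3", 8443): "https",
}

# The first section A is the one quoted in the thread; the rest is constructed.
SAMPLE_LOG = """\
---YERQU2yt---A--
[15/Apr/2022:16:04:31 +0000] 1650038671 172.20.0.1 44940 172.20.0.3 80
---YERQU2yt---B--
GET /docs/ HTTP/1.1
Host: coreruleset.org

---YERQU2yt---Z--

---Ab12Cd34---A--
[15/Apr/2022:16:05:02 +0000] 1650038702 172.20.0.1 44952 172.20.0.3 8443
---Ab12Cd34---Z--

---Ef56Gh78---A--
[15/Apr/2022:16:05:09 +0000] 1650038709 172.20.0.1 44960 172.20.0.3 9000
---Ef56Gh78---Z--
"""

if __name__ == "__main__":
    for uid, port, scheme in schemes(SAMPLE_LOG, LISTENERS):
        print(f"{uid} port={port} scheme={scheme}")
```

The table is only as good as its upkeep: a listener that serves both plain HTTP and TLS on one port, or one missing from the table, cannot be resolved this way.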
|
|
From: Reindl H. <h.r...@th...> - 2022-04-15 16:48:32
|
On 15.04.22 at 18:24, Andrew Howe wrote:
> Something that only just occurred to me: can you not infer the scheme
> from the destination port in the audit logs? E.g.:
only in very simple setups
we have here at least 4 different ports which are https at the end of the day
|
|
From: Ehsan M. <ehs...@gm...> - 2022-04-16 05:38:35
|
Hi Andrew,
About inferring the scheme from the destination port (SERVER_PORT variable), No. There are sites on multiple non-standard ports. And also there are many sites. So it is confusing.
About X-Forwarded-Proto, I've tried that before. Seems that modsecurity acts before proxy_set_header <http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header> and more_set_headers <https://github.com/openresty/headers-more-nginx-module#more_set_headers>. So these heuristics won't do the job for me.
--
regards
Ehsan Mahdavi
Computer Engineering Ph.D.
|
|
From: <877...@qq...> - 2022-04-16 05:59:44
|
I tried to search for the scheme, but did not find it.
The only method I know of is to change the method, to copy the schema info above to modsecurity's transaction
|
|
From: <877...@qq...> - 2022-04-16 06:03:38
|
Fixing https://github.com/SpiderLabs/ModSecurity-nginx seems to be the only way to get the scheme
|