mod-security-users

[mod-security-users] Not allowed in VirtualHost ?

[Dionysios G. S. <ds...@no...>]

After upgrading mod_security from 1.7.6 to 1.8.3 I get the following errors:

---------------
Starting apache.
Syntax error on line 1356 of /usr/local/etc/apache/httpd.conf:
SecServerResponseToken not allowed in VirtualHost
Syntax error on line 1359 of /usr/local/etc/apache/httpd.conf:
SecServerSignature not allowed in VirtualHost

Re: [mod-security-users] Not allowed in VirtualHost ?

[Ivan R. <iv...@we...>]

Dionysios G. Synodinos wrote:
> After upgrading mod_security from 1.7.6 to 1.8.3 I get the following
> errors:
> 
> ---------------
> Starting apache.
> Syntax error on line 1356 of /usr/local/etc/apache/httpd.conf:
> SecServerResponseToken not allowed in VirtualHost
> Syntax error on line 1359 of /usr/local/etc/apache/httpd.conf:
> SecServerSignature not allowed in VirtualHost

  That's correct. Just move them outside the VirtualHost area
  to make it work again.

  It is not possible to have different yet foolproof server
  signature policies across different virtual hosts.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

Re: [mod-security-users] Not allowed in VirtualHost ?

[Dionysios G. S. <ds...@no...>]

Ivan Ristic wrote:

>Dionysios G. Synodinos wrote:
>  
>
>>After upgrading mod_security from 1.7.6 to 1.8.3 I get the following
>>errors:
>>
>>---------------
>>Starting apache.
>>Syntax error on line 1356 of /usr/local/etc/apache/httpd.conf:
>>SecServerResponseToken not allowed in VirtualHost
>>Syntax error on line 1359 of /usr/local/etc/apache/httpd.conf:
>>SecServerSignature not allowed in VirtualHost
>>    
>>
>
>  That's correct. Just move them outside the VirtualHost area
>  to make it work again.
>  
>

This has changed since 1.7. Am I correct?

>  It is not possible to have different yet foolproof server
>  signature policies across different virtual hosts.
>  
>

Understood!

Since a server could have many different virtual hosts and might not 
need not to deploy mod_security in all of them or have different 
deployment profiles, I would suggest that in a future version of 
mod_security administrators are allowed to define rules inside virtual 
hosts.

Thank you for such a useful module,
Dionysios.

Re: [mod-security-users] Not allowed in VirtualHost ?

[Ivan R. <iv...@we...>]

>>  That's correct. Just move them outside the VirtualHost area
>>  to make it work again.
>>  
>>
> 
> This has changed since 1.7. Am I correct?

  Yes.


> Since a server could have many different virtual hosts and might not
> need not to deploy mod_security in all of them or have different
> deployment profiles, I would suggest that in a future version of
> mod_security administrators are allowed to define rules inside virtual
> hosts.

  Just to clarify: you *can* use most of mod_security directives
  per-host, per-directory, per-location, etc. The restriction we
  discussed only applies to the two directives you mentioned,
  SecServerResponseToken and SecServerSignature.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

Re: [mod-security-users] Not allowed in VirtualHost ?

[Sandy K. <s_k...@ya...>]

--- Ivan Ristic <iv...@we...> wrote:

>   Just to clarify: you *can* use most of
> mod_security directives
>   per-host, per-directory, per-location, etc. The
> restriction we
>   discussed only applies to the two directives you
> mentioned,
>   SecServerResponseToken and SecServerSignature.
> 

Ah - there was my confusion.  Thanks for the
clarification, and for the great tool!

SK



		
__________________________________
Do you Yahoo!?
Y! Messenger - Communicate in real time. Download now. 
http://messenger.yahoo.com