mod-security-users

[mod-security-users] Apache2 / mod_sec per virtual host config?

[Jan G. <jan...@pr...>]

Hi there

As I fummbled around with this great mod I found out that in my 
configuration, as soon as I activate mod_security in one virtual host 
(name based), _all_ virtual hosts have mod_sec activated with the rules 
I defined for that one special vhost.

As I read from the documentation this should not be the case - so: what 
am I missing? Is it a mod_sec version-thing?

My setup in short:

Debian Sid
Apache/2.0.52
libapache2-mod-security 1.8.4-1.1 (most recent :-/ Debian package)

apache2.conf has no mod_sec defined, it includes multiple vhost-confs 
right before EOF, so it basically looks like this:

<VirtualHost ip.ad.re.ss:80>
ServerName A
... (no mod_sec)
</VirtualHost>

<VirtualHost ip.ad.re.ss:80>
ServerName B
-> mod_sec enabled
</VirtualHost>

<VirtualHost ip.ad.re.ss:80>
ServerName C
...  (no mod_sec)
</VirtualHost>


-> allthough mod_sec is only enabled and configured in vhost B, all 
three vhosts have it activated and the rules applied.

Thanks for your help,
Jan

-- 
You never see empty pot boil over
(Jamaican)

Re: [mod-security-users] Apache2 / mod_sec per virtual host config?

[Ivan R. <iv...@we...>]

Jan Gerle wrote:
> Hi there
> 
> As I fummbled around with this great mod I found out that in my 
> configuration, as soon as I activate mod_security in one virtual host 
> (name based), _all_ virtual hosts have mod_sec activated with the rules 
> I defined for that one special vhost.
> 
> As I read from the documentation this should not be the case - so: what 
> am I missing? Is it a mod_sec version-thing?

   That should definitely not be the case. I just checked the latest
   1.8 version with Apache 2.0.52 and works fine here. Send me
   (directly, not to the list) the httpd.conf and I'll give it a look.

   One more thing: how are you testing? From your workstation with a
   browser, or from the server itself (e.g. using telnet).

-- 
Ivan Ristic (http://www.modsecurity.org)