mod-security-users

[mod-security-users] excluding virtual hosts

[David O. <da...@cr...>]

Hi all,

I would like to define deny-filters, that exclude certain virtual hosts. 
In other words I want that some defined hosts are allowed to do things 
others are not allowed to.
I don't want to put the filters in the virtual hosts-section because 
it's too many virtual hosts.

How do I set my filters the best way? Should I work with chains?

Thanks,
David


-- 
Seit dem 01.01.05 wird der Email-Verkehr in Deutschland massiv überwacht
(http://www.regtp.de/imperia/md/content/tech_reg_t/ueberwachu/tkuev.pdf).
Versende keine vertraulichen Informationen ohne starke Verschlüsselung!
Mein GnuPG-Key: http://cryptix.de/pgp/david.asc
GnuPG-Fingerprint: CE888BDFF1DED3B8D2105F29CB1920BD87 

Re: [mod-security-users] excluding virtual hosts

[David O. <da...@cr...>]

I found the answer myself.
One example would be:

SecFilterSelective ARGS "/bin/" chain
SecFilterSelective SERVER_NAME !example.com


Regards,
David


David Obando schrieb am 17.01.2005 13:03:

> Hi all,
>
> I would like to define deny-filters, that exclude certain virtual 
> hosts. In other words I want that some defined hosts are allowed to do 
> things others are not allowed to.
> I don't want to put the filters in the virtual hosts-section because 
> it's too many virtual hosts.
>
> How do I set my filters the best way? Should I work with chains?
>
> Thanks,
> David
>
>


-- 
Seit dem 01.01.05 wird der Email-Verkehr in Deutschland massiv überwacht
(http://www.regtp.de/imperia/md/content/tech_reg_t/ueberwachu/tkuev.pdf).
Versende keine vertraulichen Informationen ohne starke Verschlüsselung!
Mein GnuPG-Key: http://cryptix.de/pgp/david.asc
GnuPG-Fingerprint: CE888BDFF1DED3B8D2105F29CB1920BD87 

Re: [mod-security-users] excluding virtual hosts

[Ivan R. <iv...@we...>]

David Obando wrote:
> I found the answer myself.
> One example would be:
> 
> SecFilterSelective ARGS "/bin/" chain
> SecFilterSelective SERVER_NAME !example.com

   Correct. FYI you should be aware that second rule will match
   "www.example.com", "somethingelse.example.com",
   "example.com.modsecurity.org" and so on. It's better to use
   the dollar sign to anchor the regex to the end of string. E.g.

   SecFilterSelective SERVER_NAME !example.com$

   Anyway, that approach only works one rule at a time. There
   are other things you could try:

   1) The allow action will let the request through. So if you
      do something like this:

      # rules that apply to all hosts
      SecFilter ...
      SecFilter ...

      # end processing early for some hosts
      SecFilterSelective SERVER_NAME (example1.com|example2.com)$ allow

      # rules that apply to some hosts
      SecFilter ...


   2) You could use the skip action to skip over some rules
      but you would need to count them so it's not very
      practical.

   3) You can explicitly disable filtering for some hosts:

      <VirtualHost ...>
      SecFilterEngine Off
      </VirtualHost>

   4) Or clear the rule list and load a partial list only:

      <VirtualHost ...>
      SecFilterInheritance Off
      Include conf/partial_modsecurity_rules.conf
      </VirtualHost>

-- 
Ivan Ristic (http://www.modsecurity.org)

Re: [mod-security-users] excluding virtual hosts

[Katsuharu W. <ml...@pa...>]

At Mon, 17 Jan 2005 13:03:02 +0100,
David Obando wrote:
> 
> I would like to define deny-filters, that exclude certain virtual hosts. 
> In other words I want that some defined hosts are allowed to do things 
> others are not allowed to.
> I don't want to put the filters in the virtual hosts-section because 
> it's too many virtual hosts.
> 
> How do I set my filters the best way? Should I work with chains?
> 

How about this?

 SecFilterSelective HTTP_HOST "allow2.vhost.com" skipnext:2
 SecFilterSelective HTTP_HOST "allow1.vhost.com" skipnext:1
 SecFilter foo deny

--
Katsuharu Watanabe
Key fingerprint = 121E AC94 AD99 C468 9E02  C868 827B D767 058A E62E