Geoffroy Raimbault:
>
> I have a small problem using ModSecurity on a reverse proxy with apache2
> filtering on CGI variables. It seems that some variables like
> REQUEST_FILENAME or SCRIPT_FILENAME are changed by mod_proxy before
> being filtered by mod_security.
>
>
> For example, in trying to filter the access to files having an ".inc"
> extension with the filter:
>
> SecFilterSelective REQUEST_FILENAME ".inc$"

This should be "\.inc$", BTW.

> But, looking in the modsecurity debug log, we can see that it tries the
> filter on a modified REQUEST_FILENAME:
>
> """"
> [09/Mar/2005:18:39:20 +0100]
> [www.site11.com/sid#8166dd8][rid#81bc3f8][/config.inc] Checking
> signature "\\.inc$" at REQUEST_FILENAME
> [09/Mar/2005:18:39:20 +0100]
> [www.site11.com/sid#8166dd8][rid#81bc3f8][/config.inc] Checking against
> "proxy:http://192.168.20.151/config.inc?test=1"
> """"

Yes, that's how Apache handles proxying internally.

> Maybe there is something to do with the module ordering process of
> Apache 2 to solve the problem?

No, I don't think so. And in Apache 2 the module ordering process
is handled internally so you can't influence it.

But if the target resource is on another server then I think
you should not try to use the REQUEST_FILENAME variable. Try something
else, for example, use REQUEST_URI and \.

SecFilterSelective REQUEST_URI (\.inc$|\.inc\?)

>
> Geoffroy
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
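
Added example (not part of the original message and not ModSecurity code): a small Python model that runs the three patterns from this thread against the variable values a proxied request produces, showing why the REQUEST_FILENAME rules miss the logged request while the REQUEST_URI rule catches it. Assumptions: Python's `re` stands in for Apache's regex engine, the `variables()` helper and the `/var/www` document root are hypothetical, and the `/zinc` and non-proxied requests are constructed.

```python
import re

# Rules quoted in the thread: (variable, pattern).
RULES = {
    "unescaped": ("REQUEST_FILENAME", r".inc$"),    # original rule
    "escaped": ("REQUEST_FILENAME", r"\.inc$"),     # with the dot escaped
    "uri": ("REQUEST_URI", r"(\.inc$|\.inc\?)"),    # suggested replacement
}

def variables(uri, backend=None, docroot="/var/www"):
    """Model the two variables for one request (hypothetical helper).

    With a backend, REQUEST_FILENAME takes the "proxy:" form seen in the
    debug log, query string included. Without one it is assumed to be the
    document root plus the URI path.
    """
    path = uri.split("?", 1)[0]
    filename = f"proxy:{backend}{uri}" if backend else docroot + path
    return {"REQUEST_FILENAME": filename, "REQUEST_URI": uri}

def matches(rule, request_vars):
    """True if the named rule would fire for this request."""
    variable, pattern = RULES[rule]
    return re.search(pattern, request_vars[variable]) is not None

BACKEND = "http://192.168.20.151"  # backend address from the debug log

# Constructed sample requests, except "logged", which mirrors the log above.
REQUESTS = {
    "logged": variables("/config.inc?test=1", BACKEND),
    "proxied_no_query": variables("/config.inc", BACKEND),
    "proxied_zinc": variables("/zinc", BACKEND),
    "not_proxied": variables("/config.inc?test=1"),
}

def report():
    """Map (request, rule) to whether the rule fires."""
    return {(name, rule): matches(rule, req)
            for name, req in REQUESTS.items() for rule in RULES}

if __name__ == "__main__":
    for (name, rule), hit in report().items():
        print(f"{name:18} {rule:10} {'MATCH' if hit else 'no match'}")
```

The `proxied_zinc` row also shows why the dot needs escaping: the unescaped pattern fires on a path that merely ends in "inc".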