Thread: [mod-security-users] Mod_Security SecServerSignature

Brought to you by: victorhora, zimmerletw

mod-security-users

[mod-security-users] Mod_Security SecServerSignature

From: Christian M. <cma...@is...> - 2005-03-23 13:51:27

Hi all,

I want to know if it is posible to use SecServerSignature when using 
mod_proxy,
because i have done some test but the Server token doesnt change.

In my httpd.conf i have:

ProxyRequests Off
ProxyPass / http://targetweb/
ProxyPassReverse / http://targetweb/

And then the minimal recommended configuration of the mod_security

But when i telnet localhost 80, the server token that i get is the 
original from targetweb

Any idea?

Thanks in advance
Christian Martorella

Re: [mod-security-users] Mod_Security SecServerSignature

From: Ivan R. <iv...@we...> - 2005-03-23 13:58:16

Christian Martorella wrote:
> Hi all,
> 
> I want to know if it is posible to use SecServerSignature when using 
> mod_proxy,
> because i have done some test but the Server token doesnt change.
> 
> In my httpd.conf i have:
> 
> ProxyRequests Off
> ProxyPass / http://targetweb/
> ProxyPassReverse / http://targetweb/
> 
> And then the minimal recommended configuration of the mod_security
> 
> But when i telnet localhost 80, the server token that i get is the 
> original from targetweb
> 
> Any idea?

   Yes, that's how mod_proxy operates. Under normal circumstances it
   does not sent its own Server response header but uses the one
   received from the target web server.

   But, if you were to send an invalid request, one that causes
   an HTTP 400 Bad Request error, you would see the server name
   you configured using SecServerSignature.

   The solution is to use bot SecServerSignature (for invalid
   requests) and mod_headers (for all other requests), in which
   case the Server response header can always show the same value.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org

Re: [mod-security-users] Mod_Security SecServerSignature

From: Christian M. <cma...@is...> - 2005-03-23 15:34:02

Thank's now with mod_headers works like i wanted ;)

Bye


Ivan Ristic wrote:

> Christian Martorella wrote:
>
>> Hi all,
>>
>> I want to know if it is posible to use SecServerSignature when using 
>> mod_proxy,
>> because i have done some test but the Server token doesnt change.
>>
>> In my httpd.conf i have:
>>
>> ProxyRequests Off
>> ProxyPass / http://targetweb/
>> ProxyPassReverse / http://targetweb/
>>
>> And then the minimal recommended configuration of the mod_security
>>
>> But when i telnet localhost 80, the server token that i get is the 
>> original from targetweb
>>
>> Any idea?
>
>
>   Yes, that's how mod_proxy operates. Under normal circumstances it
>   does not sent its own Server response header but uses the one
>   received from the target web server.
>
>   But, if you were to send an invalid request, one that causes
>   an HTTP 400 Bad Request error, you would see the server name
>   you configured using SecServerSignature.
>
>   The solution is to use bot SecServerSignature (for invalid
>   requests) and mod_headers (for all other requests), in which
>   case the Server response header can always show the same value.
>