Thread: [mod-security-users] Apache 2.2.0 - Mod Security 1.9.1 - Webdav Folder
From: Ann H. <sea...@ha...> - 2005-12-03 00:32:51
I moved my webdav folder out of the general root directory structure in apache,
and used "SecFilterInheritance Off", but "Mod_security" still blocks the
request. I would appreciate any ideas. Thanks
Error Message - Apache
========================
[Fri Dec 02 16:24:47 2005] [error] [client 192.168.254.XXX] mod_security: Access
denied with code 403. Pattern match
"!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at
HEADER("Content-Type") [hostname "www.example.com"] [uri "/"]
[Fri Dec 02 16:24:47 2005] [error] [client 192.168.254.XXX] mod_security: Access
denied with code 403. Pattern match
"!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at
HEADER("Content-Type") [hostname "www.example.com"] [uri "/tails"]
httpd-dav.conf
=========================
DavLockDB /usr/local/apache/var/DavLock
DAVMinTimeout 600
Alias /tails/ "/<non-standard location>/tails/"
<Directory "/<non-standard location>/tails">
Dav On
Options Indexes MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
SecFilterInheritance Off
AuthName "Tails Area"
AuthType Basic
AuthBasicProvider dbm
AuthDBMType DB
AuthzDBMType DB
AuthDBMUserFile /usr/local/apache/etc/password-file
AuthDBMGroupFile /usr/local/apache/etc/password-file
<LimitExcept GET OPTIONS>
Require group tails
</LimitExcept>
</Directory>
From: Ivan R. <iv...@we...> - 2005-12-03 09:39:07
Ann Hopkins wrote:
> I moved my webdav folder out of the general root directory structure in apache,
> and used "SecFilterInheritance Off", but "Mod_security" still blocks the
> request. I would appreciate any ideas. Thanks

You appear to be doing the right thing. This may be a problem with
the order in which contexts are inherited in Apache.

Show us the part where you create ModSecurity configuration.

--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
From: Ann H. <sea...@ha...> - 2005-12-03 17:57:46
Apache 2.2.0 configuration now uses a modular configuration file with includes,
and this is the portion at the end of the "http.conf" file - modules are
activated at the beginning of this file.
...
# Distributed authoring and versioning (WebDAV)
Include conf/httpd-dav.conf
# Various default settings
Include conf/httpd-default.conf
# Modsecurity filtering (Specific)
Include conf/httpd-modsecurity.conf
# Handypaws - Directories - Aliases (Specific)
Include conf/httpd-handypaws.conf
# Secure (SSL/TLS) connections
Include conf/httpd-ssl.conf
#
# Note: The following must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Here is the file "httpd-modsecurity.conf"
# Module_Security
# Security module - recommended configuration
<IfModule mod_security.c>
# Turn ModSecurity On
SecFilterEngine On
# Reject requests with status 403
SecFilterDefaultAction "deny,log,status:403"
# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
# Accept almost all byte values
SecFilterForceByteRange 1 255
# Server masking is optional
# SecServerSignature "Microsoft-IIS/5.0"
# Change Security Signature Requires
# ServerSignature On and Server Tokens Full
SecServerSignature "SOMETHING RATHER SILLY"
SecUploadDir /tmp
SecUploadKeepFiles Off
# Only record the interesting stuff
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
# You normally won't need debug logging
SecFilterDebugLevel 0
SecFilterDebugLog logs/modsec_debug_log
CustomLog "|/usr/local/apache/bin/rotatelogs /usr/local/apache/logs/modseccustomlog.%Y-%m-%d-%H_%M_%S 5M" \
"%h %l %u %t \"%r\" %>s %b %{mod_security-message}i" \
env=mod_security-relevant
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Do not accept GET or HEAD requests with bodies
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Kill email relay attempts and log
# example : CONNECT news98.idv.tw:25 HTTP/1.0
SecFilterSelective "SERVER_PORT" 25
</IfModule>
From: Philippe B. <pbo...@ci...> - 2005-12-05 09:38:13
Hi,

I think I had issues with Webdav/IE too. You should replace this:

> SecFilterSelective HTTP_Content-Type
> "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

With this:

SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data|^text/xml)"

It worked for me.

Sincerely,
Philippe Bourcier
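To see why the original chained rule rejects WebDAV traffic and what Philippe's revised pattern changes, the following script evaluates both Content-Type patterns the way SecFilterSelective does (regex search on the variable, a leading "!" negates the match, and a chain fires only when every link matches) against a handful of constructed requests. This is an added illustration, not code from the thread or from ModSecurity; the sample requests are made up, a missing header is modelled as an empty string, and matching is assumed to be case-sensitive.

```python
import re

# Rule patterns copied from the thread: the original chained Content-Type
# check and Philippe's revised one. Everything else in this file is an
# added illustration, not ModSecurity's own code.
ORIGINAL_CT = r"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
REVISED_CT = r"!(^$|^application/x-www-form-urlencoded$|^multipart/form-data|^text/xml)"


def sec_filter_match(pattern, value):
    """Approximate SecFilterSelective matching for one variable: the pattern
    is a regular expression searched anywhere in the value, and a leading
    '!' negates the result. (Assumption: case-sensitive matching.)"""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    hit = re.search(regex, value) is not None
    return (not hit) if negate else hit


def content_type_rule_fires(method, headers, ct_pattern):
    """Evaluate the chained rule from httpd-modsecurity.conf:

        SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
        SecFilterSelective HTTP_Content-Type <ct_pattern>

    The deny action fires only when every link of the chain matches.
    A request without a Content-Type header is treated as an empty
    string (assumption), which is what makes '^$' in the revised
    pattern matter for WebDAV methods sent without a body."""
    if not sec_filter_match(r"!^(GET|HEAD)$", method):
        return False
    content_type = headers.get("Content-Type", "")
    return sec_filter_match(ct_pattern, content_type)


# Constructed sample requests (not taken from the thread's logs). The
# PROPFIND and OPTIONS shapes are typical of a WebDAV client; the rest
# exercise the ordinary form-post cases the rule was written for.
SAMPLE_REQUESTS = [
    ("PROPFIND", {"Content-Type": "text/xml", "Depth": "1"}),
    ("OPTIONS", {}),
    ("PUT", {"Content-Type": "application/octet-stream"}),
    ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),
    ("POST", {"Content-Type": "multipart/form-data; boundary=b1"}),
    ("POST", {"Content-Type": "text/html"}),
    ("GET", {"Content-Type": "text/html"}),
]


def compare_patterns(requests=SAMPLE_REQUESTS):
    """Return {(method, content_type): (denied_by_original, denied_by_revised)}."""
    results = {}
    for method, headers in requests:
        key = (method, headers.get("Content-Type", ""))
        results[key] = (
            content_type_rule_fires(method, headers, ORIGINAL_CT),
            content_type_rule_fires(method, headers, REVISED_CT),
        )
    return results


if __name__ == "__main__":
    for (method, ct), (orig, rev) in compare_patterns().items():
        print(f"{method:9} {ct or '<none>':40} "
              f"original={'deny' if orig else 'pass'} "
              f"revised={'deny' if rev else 'pass'}")
```

Two things the table makes visible that the regex alone does not: the revised pattern lets PROPFIND with text/xml and bodiless methods such as OPTIONS through, but a PUT with any other body type (a binary upload as application/octet-stream, say) is still denied by this rule, so a WebDAV client that writes files will need a further exception. The "^$" alternative also lets a POST with no Content-Type past this link; only the separate Content-Length rule still stands between such a request and the application.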
From: Ivan R. <iv...@we...> - 2005-12-03 18:16:42
Ann Hopkins wrote:
> I moved my webdav folder out of the general root directory structure in apache,
> and used "SecFilterInheritance Off", but "Mod_security" still blocks the
> request. I would appreciate any ideas. Thanks
The way you have Apache configured right now
Alias /tails/ "/<non-standard location>/tails/"
Alias "kicks in" only when you provide the / at the end of the
URI. But this is not happening:
> [Fri Dec 02 16:24:47 2005] [error] [client 192.168.254.XXX] mod_security: Access
> denied with code 403. Pattern match
> "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at
> HEADER("Content-Type") [hostname "www.example.com"] [uri "/tails"]
Without the / at the end Apache treats the request as one
for the root context. (You would be getting a 404 response if it
were not for ModSecurity.)
You can test my assumption by making a request to "/tails/" instead
of "/tails".
Changing the Alias line to:
Alias /tails "/<non-standard location>/tails"
should fix the problem.
--
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
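To make the Alias point concrete, here is a small model of how an Alias prefix is matched against the request URI and of which <Directory> container's SecFilterInheritance setting then governs the request. It is an added example, not Apache or ModSecurity code: the DocumentRoot and the /srv/webdav/tails path are assumed stand-ins for the "<non-standard location>" in the thread, and mod_alias's collapsing of repeated slashes is not modelled.

```python
# Added illustration of Alias prefix matching and of the container whose
# ModSecurity settings then apply. Paths below are assumed values.

DOCUMENT_ROOT = "/usr/local/apache/htdocs"   # assumed
TAILS_DIR = "/srv/webdav/tails"              # assumed stand-in for <non-standard location>

# <Directory TAILS_DIR> from httpd-dav.conf, reduced to the directives that matter here.
DIRECTORIES = {TAILS_DIR: {"SecFilterInheritance": "Off", "Dav": "On"}}

ORIGINAL_ALIASES = [("/tails/", TAILS_DIR + "/")]  # Alias /tails/ ".../tails/"
FIXED_ALIASES = [("/tails", TAILS_DIR)]            # Alias /tails  ".../tails"


def alias_matches(fake, uri):
    """Does 'Alias <fake> ...' apply to <uri>?  The alias has to match on a
    whole path segment: 'Alias /tails/' needs the trailing slash in the URI,
    while 'Alias /tails' matches '/tails' and '/tails/...' but not '/tailsfoo'."""
    if not uri.startswith(fake):
        return False
    if fake.endswith("/"):
        return True
    rest = uri[len(fake):]
    return rest == "" or rest.startswith("/")


def translate(uri, aliases, document_root=DOCUMENT_ROOT):
    """Map a URI to a filesystem path the way Apache does: the first matching
    Alias wins; otherwise the request is served relative to DocumentRoot."""
    for fake, real in aliases:
        if alias_matches(fake, uri):
            return real + uri[len(fake):]
    return document_root + uri


def inherited_rules_apply(fs_path, directories=DIRECTORIES):
    """Report whether the global SecFilter rules still apply to fs_path.
    The most specific <Directory> that covers the path and sets
    SecFilterInheritance decides; with no such container the rules are
    inherited, which is the default."""
    for dir_path, directives in sorted(directories.items(), key=lambda kv: -len(kv[0])):
        base = dir_path.rstrip("/")
        covered = fs_path == base or fs_path.startswith(base + "/")
        if covered and "SecFilterInheritance" in directives:
            return directives["SecFilterInheritance"] == "On"
    return True


def modsec_applies(uri, aliases):
    """True when a request for uri is still subject to the global rules,
    i.e. when it never reaches the container that switched them off."""
    return inherited_rules_apply(translate(uri, aliases))


if __name__ == "__main__":
    for label, aliases in (("original", ORIGINAL_ALIASES), ("fixed", FIXED_ALIASES)):
        for uri in ("/tails", "/tails/", "/tails/notes.txt", "/tailsfoo"):
            print(f"{label:8} {uri:18} -> {translate(uri, aliases):40} "
                  f"global rules {'apply' if modsec_applies(uri, aliases) else 'off'}")
```

With the original "Alias /tails/" a request for "/tails" falls through to DocumentRoot, where the global rules (and the Content-Type check) still apply, which is exactly the "[uri "/tails"]" line in the error log. Note also what "SecFilterInheritance Off" buys you: every inherited filter is dropped for that directory, so the WebDAV area ends up with no ModSecurity rules at all unless you add directory-specific ones.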
From: Ann H. <sea...@ha...> - 2005-12-03 18:36:46
I forgot to add that I was using Windows XP to connect using Webdav.
"/tails/" did not work. I also have to trick Windows XP into using basic
authentication, otherwise it fails miserably.

"http://www.example.com:80/tails" does work after changing the alias to
what you suggested. Weird that it worked before in pre-2.2.0, but I had a
lot of those quirks yesterday.

Thank you.