mod-security-users

[mod-security-users] Working with Reverse Proxy

[Chris S. <chr...@ex...>]

Hey Guys,

I'm trying to setup a reverse proxy that does some filtering as well.  I've 
got mod_security and mod_proxy loaded and configured.  mod_security is 
matching its filters (the deny message shows up in the log), but the proxy 
still passes the connection to the end server.  Is there any way to deny the 
proxying based off of what mod_security allows or denies?

We are using this setup in the DMZ, with a proxy going inbound, we'd prefer 
to deny the connection at the DMZ and not let it get any further.  Any help 
in this would be greatly appreciated.

--C 

Re: [mod-security-users] Working with Reverse Proxy

[Ivan R. <iva...@gm...>]

On 5/22/06, Chris Scott <chr...@ex...> wrote:
> Hey Guys,
>
> I'm trying to setup a reverse proxy that does some filtering as well.  I'=
ve
> got mod_security and mod_proxy loaded and configured.  mod_security is
> matching its filters (the deny message shows up in the log), but the prox=
y
> still passes the connection to the end server.  Is there any way to deny =
the
> proxying based off of what mod_security allows or denies?
>
> ...
>
> GET /error/HTTP_INTERNAL_SERVER_ERROR.html.var

  You have ErrorDocument configured on the same domain name.
  The original request is cancelled (and does not go through). In order
  to respond as configured Apache creates a new request but that
  request is proxied to the backend server.

  You can either respond with a very simple message:

  ErrorDocument 403 "Sorry can't allow you access today"

  or respond with an error document on a different domain (one that
  is not proxied:

  ErrorDocument 500 http://foo.example.com/cgi-bin/tester

  or create a proxy exclusion for a part of domain (e.g. /error/) and
  place your error documents there.

--=20
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall

Re: [mod-security-users] Working with Reverse Proxy

[Kai S. <mai...@co...>]

Ivan Ristic wrote on Mon, 22 May 2006 21:58:34 +0100:

> You can either respond with a very simple message:

Actually, if need be you can span that over several lines and thus 
transmit a "complete" error page. It's a bit difficult to handle, of 
course.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com