Thread: Re: [mod-security-users] Sending a request to different Backends based on SecRule
From: Christian F. <chr...@ti...> - 2014-02-28 08:01:55
Stefan,

here is a simple, working example:

    SecRule QUERY_STRING "backend-alt" "phase:1,id:1,setenv:backend-alt=1"

    ...

    <VirtualHost 127.0.0.1:80>

    ...

    RewriteCond %{ENV:backend-alt} ^1$
    RewriteRule ^/appl(.*) balancer://backend-alt/appl$1 [proxy,last]

    RewriteRule ^/appl(.*) balancer://backend/appl$1 [proxy,last]

    ProxyPassReverse /appl balancer://backend/appl
    ProxyPassReverse /appl balancer://backend-alt/appl

    ...

    <Proxy balancer://backend/appl>
    BalancerMember http://localhost:8000 route=backend

    ...

    </Proxy>

    <Proxy balancer://backend-alt/appl>
    BalancerMember http://localhost:9000 route=backend-alt

    ...

    </Proxy>

    </VirtualHost>

I have never looked at this from a performance perspective. But I can confirm it is a stable setup, which keeps the decision on the backend choice in ModSec and allows for a lot of flexibility.

Cheers,

Christian
From: Stefan B. <ml...@we...> - 2014-02-28 10:40:17
Thanks for the example. However I still have problems accessing the environment-variable. Here is some of my test-config:

    <VirtualHost *:443>
    RewriteEngine on
    RewriteLog /var/log/apache2/rewrite.log
    RewriteLogLevel 9

    # Some ssl-config

    # App-Whitelisting
    SecRule "REQUEST_URI" "^(/apps|/public)" "id:1,phase:1,log,setenv:tomcatBackend=1"
    RewriteCond %{ENV:tomcatBackend} ^1$
    RewriteRule /(.*) http://localhost:60001/$1 [proxy,last]

    # App-Load-Balancer
    </VirtualHost>

When requesting https://mywebsite.loc/public/logo , the actions of SecRule 1 are executed (modsec_debug.log):

    [/public/logo][2] Warning. Pattern match "^(/apps|/public)" at REQUEST_URI. ...
    [/public/logo][4] Rule returned 1.

But mod_rewrite does not have access to the set environment-variable (rewrite.log):

    (2) init rewrite engine with requested uri /public/logo
    (3) applying pattern '/(.*)' to uri '/public/logo'
    (4) RewriteCond: input='' pattern='^1$' => not-matched    <== Problem, no access to ENV:tomcatBackend
    (1) pass through /public/logo

BTW: I also tried setting the SecRule 1 in the server config context: Same behaviour.
Also: The RewriteRule on its own works fine.

What OS/ModSec/Apache-Versions are you running?

On 28.02.14 08:43, Christian Folini wrote:
> Stefan,
>
> here is a simple, working example:
>
> SecRule QUERY_STRING "backend-alt" "phase:1,id:1,setenv:backend-alt=1"
> [...]
> I have never looked at this from a performance perspective. But I can confirm
> it is a stable setup, which keeps the decision on the backend choice in
> ModSec and allows for a lot of flexibility.
>
> Cheers,
>
> Christian
From: Christian F. <chr...@ti...> - 2014-02-28 10:59:16
On Fri, February 28, 2014 11:40 am, Stefan Bernhardsgrütter wrote:
> Thanks for the example. However I still have problems accessing the
> environment-variable. Here is some of my test-config:

Bullocks. Here is my rewrite log with my previous example, env set in server context:

    127.0.0.1 - - [28/Feb/2014:11:49:08 +0100] [localhost/sid#86c8dd8][rid#a96024c8/initial] (2) init rewrite engine with requested uri /applx
    127.0.0.1 - - [28/Feb/2014:11:49:08 +0100] [localhost/sid#86c8dd8][rid#a96024c8/initial] (3) applying pattern '^/appl(.*)' to uri '/applx'
    127.0.0.1 - - [28/Feb/2014:11:49:08 +0100] [localhost/sid#86c8dd8][rid#a96024c8/initial] (4) RewriteCond: input='1' pattern='^1$' => matched
    127.0.0.1 - - [28/Feb/2014:11:49:08 +0100] [localhost/sid#86c8dd8][rid#a96024c8/initial] (2) rewrite '/applx' -> 'balancer://backend-alt/applx'
    127.0.0.1 - - [28/Feb/2014:11:49:08 +0100] [localhost/sid#86c8dd8][rid#a96024c8/initial] (2) forcing proxy-throughput with balancer://backend-alt/applx
    127.0.0.1 - - [28/Feb/2014:11:49:08 +0100] [localhost/sid#86c8dd8][rid#a96024c8/initial] (1) go-ahead with proxy request proxy:balancer://backend-alt/applx [OK]

    127.0.0.1 - - [28/Feb/2014:11:50:04 +0100] [localhost/sid#86c8dd8][rid#87866b0/initial] (2) init rewrite engine with requested uri /applx
    127.0.0.1 - - [28/Feb/2014:11:50:04 +0100] [localhost/sid#86c8dd8][rid#87866b0/initial] (3) applying pattern '^/appl(.*)' to uri '/applx'
    127.0.0.1 - - [28/Feb/2014:11:50:04 +0100] [localhost/sid#86c8dd8][rid#87866b0/initial] (4) RewriteCond: input='' pattern='^1$' => not-matched
    127.0.0.1 - - [28/Feb/2014:11:50:04 +0100] [localhost/sid#86c8dd8][rid#87866b0/initial] (3) applying pattern '^/appl(.*)' to uri '/applx'
    127.0.0.1 - - [28/Feb/2014:11:50:04 +0100] [localhost/sid#86c8dd8][rid#87866b0/initial] (2) rewrite '/applx' -> 'balancer://backend/applx'
    127.0.0.1 - - [28/Feb/2014:11:50:04 +0100] [localhost/sid#86c8dd8][rid#87866b0/initial] (2) forcing proxy-throughput with balancer://backend/applx
    127.0.0.1 - - [28/Feb/2014:11:50:04 +0100] [localhost/sid#86c8dd8][rid#87866b0/initial] (1) go-ahead with proxy request proxy:balancer://backend/applx [OK]

So the env variable is there in my context.

This was performed on a test machine ubuntu 12.10, self compiled apache 2.2.24, self compiled modsec 2.7.3.

One thing that springs to mind is the ModSec "--enable-request-early" compile option. Did you use that?

Sorry for being so brief, but I am quite busy and my time is running out.

Christian
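Reading a level-9 rewrite log by hand is error-prone when many requests interleave, so here is a small checker, added here and not from the thread, that groups mod_rewrite trace lines by request id and reports for each request what input the RewriteCond on the ENV variable saw and which balancer the request was proxied to. The sample lines are constructed from the two requests in Christian's log; the line format assumed is the Apache 2.2 RewriteLog format shown there.

```python
import re
from collections import OrderedDict

# Constructed sample: the two requests from the rewrite log above, one where the
# ModSecurity-set env variable was visible to mod_rewrite and one where it was not.
SAMPLE_LOG = """\
127.0.0.1 - - [28/Feb/2014:11:49:08 +0100] [localhost/sid#86c8dd8][rid#a96024c8/initial] (2) init rewrite engine with requested uri /applx
127.0.0.1 - - [28/Feb/2014:11:49:08 +0100] [localhost/sid#86c8dd8][rid#a96024c8/initial] (4) RewriteCond: input='1' pattern='^1$' => matched
127.0.0.1 - - [28/Feb/2014:11:49:08 +0100] [localhost/sid#86c8dd8][rid#a96024c8/initial] (1) go-ahead with proxy request proxy:balancer://backend-alt/applx [OK]
127.0.0.1 - - [28/Feb/2014:11:50:04 +0100] [localhost/sid#86c8dd8][rid#87866b0/initial] (2) init rewrite engine with requested uri /applx
127.0.0.1 - - [28/Feb/2014:11:50:04 +0100] [localhost/sid#86c8dd8][rid#87866b0/initial] (4) RewriteCond: input='' pattern='^1$' => not-matched
127.0.0.1 - - [28/Feb/2014:11:50:04 +0100] [localhost/sid#86c8dd8][rid#87866b0/initial] (1) go-ahead with proxy request proxy:balancer://backend/applx [OK]
"""

# Apache 2.2 RewriteLog line: ... [rid#<id>/initial] (<level>) <message>
LINE_RE = re.compile(r"\[rid#(?P<rid>[0-9a-f]+)/[^\]]*\] \((?P<level>\d)\) (?P<msg>.*)$")
COND_RE = re.compile(r"RewriteCond: input='(?P<input>[^']*)' pattern='(?P<pat>[^']*)' => (?P<result>matched|not-matched)")
URI_RE = re.compile(r"init rewrite engine with requested uri (?P<uri>\S+)")
PROXY_RE = re.compile(r"go-ahead with proxy request proxy:(?P<target>\S+)")

def summarize_rewrite_log(text):
    """Return {rid: {uri, cond_input, cond_result, target}} for every request seen."""
    requests = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a mod_rewrite trace line
        entry = requests.setdefault(m.group("rid"),
                                    {"uri": None, "cond_input": None, "cond_result": None, "target": None})
        msg = m.group("msg")
        u, c, p = URI_RE.match(msg), COND_RE.match(msg), PROXY_RE.match(msg)
        if u:
            entry["uri"] = u.group("uri")
        elif c:
            entry["cond_input"], entry["cond_result"] = c.group("input"), c.group("result")
        elif p:
            entry["target"] = p.group("target")
    return requests

def env_not_visible(requests):
    """Request ids whose RewriteCond saw an empty input: the setenv from the
    ModSecurity rule never reached mod_rewrite (Stefan's symptom above)."""
    return [rid for rid, e in requests.items()
            if e["cond_result"] == "not-matched" and e["cond_input"] == ""]

if __name__ == "__main__":
    reqs = summarize_rewrite_log(SAMPLE_LOG)
    for rid, e in reqs.items():
        print(rid, e["uri"], "ENV input=%r" % e["cond_input"], "->", e["target"])
    print("env not visible for:", env_not_visible(reqs))
```

Run it against a real rewrite.log to see at a glance which requests missed the ModSecurity variable; in this sample that is the second request only.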
From: Stefan B. <ml...@we...> - 2014-02-28 15:16:44
I use debian 7 which ships with modsec 2.6.6. After compiling modsec myself (debian testing uses apache 2.4), everything works as expected.

Thanks for the help

On 28.02.14 11:59, Christian Folini wrote:
> On Fri, February 28, 2014 11:40 am, Stefan Bernhardsgrütter wrote:
>> Thanks for the example. However I still have problems accessing the
>> environment-variable. Here is some of my test-config:
> Bullocks. Here is my rewrite log with my previous example, env set
> in server context:
>
> [...]
>
> So the env variable is there in my context.
>
> This was performed on a test machine
> ubuntu 12.10, self compiled apache 2.2.24, self compiled modsec 2.7.3.
>
> One thing that springs to mind is the ModSec "--enable-request-early"
> compile option. Did you use that?
>
> Sorry for being so brief, but I am quite busy and my time
> is running out.
>
> Christian
From: Christian F. <chr...@ti...> - 2014-02-28 19:55:58
On Fri, Feb 28, 2014 at 04:16:30PM +0100, Stefan Bernhardsgrütter wrote:
> I use debian 7 which ships with modsec 2.6.6. After compiling modsec
> myself (debian testing uses apache 2.4), everything works as
> expected.

Glad to hear that. You had me puzzled.

Greetings to Eastern Switzerland!

Christian

--
The greatest obstacle to being heroic is the doubt whether one may not be going to prove one's self a fool; the truest heroism is, to resist the doubt; and the profoundest wisdom, to know when it ought to be resisted, and when to be obeyed.
-- Nathaniel Hawthorne