Thread: Re: [mod-security-users] Sending a request to different Backends based on SecRule

Brought to you by: victorhora, zimmerletw

mod-security-users

Re: [mod-security-users] Sending a request to different Backends based on SecRule

From: Christian F. <chr...@ti...> - 2014-02-28 08:01:55

Stefan,

here is a simple, working example:

SecRule	QUERY_STRING	"backend-alt"	"phase:1,id:1,setenv:backend-alt=1"

...

<VirtualHost 127.0.0.1:80>

    ...

    RewriteCond %{ENV:backend-alt} ^1$
    RewriteRule ^/appl(.*) balancer://backend-alt/appl$1   [proxy,last]

    RewriteRule ^/appl(.*) balancer://backend/appl$1       [proxy,last]

    ProxyPassReverse /appl balancer://backend/appl
    ProxyPassReverse /appl balancer://backend-alt/appl

    ...

    <Proxy balancer://backend/appl>
        BalancerMember http://localhost:8000 route=backend

        ...

    </Proxy>

    <Proxy balancer://backend-alt/appl>
        BalancerMember http://localhost:9000 route=backend-alt

        ...

    </Proxy>

</VirtualHost>


I have never looked at this from a performance perspective. But I can confirm
it is a stable setup, which keeps the decision on the backend choice in
ModSec
and allows for a lot of flexibility.

Cheers,

Christian

Re: [mod-security-users] Sending a request to different Backends based on SecRule

From: Stefan B. <ml...@we...> - 2014-02-28 10:40:17

Thanks for the example. However I still have problems accessing the 
environment-variable. Here is some of my test-config:

<VirtualHost *:443>
   RewriteEngine on
   RewriteLog /var/log/apache2/rewrite.log
   RewriteLogLevel 9

   # Some ssl-config

   # App-Whitelisting
   SecRule "REQUEST_URI" "^(/apps|/public)" 
"id:1,phase:1,log,setenv:tomcatBackend=1"

   RewriteCond %{ENV:tomcatBackend} ^1$
   RewriteRule /(.*) http://localhost:60001/$1 [proxy,last] # 
App-Load-Balancer

</VirtualHost>

When requesting https://mywebsite.loc/public/logo , the actions of 
SecRule 1 are executed (modsec_debug.log):
[/public/logo][2] Warning. Pattern match "^(/apps|/public)" at 
REQUEST_URI. ...
[/public/logo][4] Rule returned 1.

But mod_rewrite does not have access to the set environment-variable: 
(rewrite.log):
(2) init rewrite engine with requested uri /public/logo
(3) applying pattern '/(.*)' to uri '/public/logo'
(4) RewriteCond: input='' pattern='^1$' => not-matched <== Problem, no 
access to ENV:tomcatBackend
(1) pass through /public/logo

BTW: I also tried setting the SecRule 1 in the server config - context: 
Same behaviour.

Also: The RewriteRule on its own works fine.

What OS/ModSec/Apache-Versions are you running?

Am 28.02.14 08:43, schrieb Christian Folini:
> Stefan,
>
> here is a simple, working example:
>
> SecRule	QUERY_STRING	"backend-alt"	"phase:1,id:1,setenv:backend-alt=1"
>
> ...
>
> <VirtualHost 127.0.0.1:80>
>
>      ...
>
>      RewriteCond %{ENV:backend-alt} ^1$
>      RewriteRule ^/appl(.*) balancer://backend-alt/appl$1   [proxy,last]
>
>      RewriteRule ^/appl(.*) balancer://backend/appl$1       [proxy,last]
>
>      ProxyPassReverse /appl balancer://backend/appl
>      ProxyPassReverse /appl balancer://backend-alt/appl
>
>      ...
>
>      <Proxy balancer://backend/appl>
>          BalancerMember http://localhost:8000 route=backend
>
>          ...
>
>      </Proxy>
>
>      <Proxy balancer://backend-alt/appl>
>          BalancerMember http://localhost:9000 route=backend-alt
>
>          ...
>
>      </Proxy>
>
> </VirtualHost>
>
>
> I have never looked at this from a performance perspective. But I can confirm
> it is a stable setup, which keeps the decision on the backend choice in
> ModSec
> and allows for a lot of flexibility.
>
> Cheers,
>
> Christian
>
>
>
> ------------------------------------------------------------------------------
> Flow-based real-time traffic analytics software. Cisco certified tool.
> Monitor traffic, SLAs, QoS, Medianet, WAAS etc. with NetFlow Analyzer
> Customize your own dashboards, set traffic alerts and generate reports.
> Network behavioral analysis & security monitoring. All-in-one tool.
> http://pubads.g.doubleclick.net/gampad/clk?id=126839071&iu=/4140/ostg.clktrk
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/

Re: [mod-security-users] Sending a request to different Backends based on SecRule

From: Christian F. <chr...@ti...> - 2014-02-28 10:59:16

On Fri, February 28, 2014 11:40 am, Stefan Bernhardsgrütter wrote:
> Thanks for the example. However I still have problems accessing the
> environment-variable. Here is some of my test-config:

Bullocks. Here is my rewrite log with my previous example, env set
in server context:

127.0.0.1 - - [28/Feb/2014:11:49:08 +0100]
[localhost/sid#86c8dd8][rid#a96024c8/initial] (2) init rewrite engine with
requested uri /applx
127.0.0.1 - - [28/Feb/2014:11:49:08 +0100]
[localhost/sid#86c8dd8][rid#a96024c8/initial] (3) applying pattern
'^/appl(.*)' to uri '/applx'
127.0.0.1 - - [28/Feb/2014:11:49:08 +0100]
[localhost/sid#86c8dd8][rid#a96024c8/initial] (4) RewriteCond: input='1'
pattern='^1$' => matched
127.0.0.1 - - [28/Feb/2014:11:49:08 +0100]
[localhost/sid#86c8dd8][rid#a96024c8/initial] (2) rewrite '/applx' ->
'balancer://backend-alt/applx'
127.0.0.1 - - [28/Feb/2014:11:49:08 +0100]
[localhost/sid#86c8dd8][rid#a96024c8/initial] (2) forcing proxy-throughput
with balancer://backend-alt/applx
127.0.0.1 - - [28/Feb/2014:11:49:08 +0100]
[localhost/sid#86c8dd8][rid#a96024c8/initial] (1) go-ahead with proxy
request proxy:balancer://backend-alt/applx [OK]

127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
[localhost/sid#86c8dd8][rid#87866b0/initial] (2) init rewrite engine with
requested uri /applx
127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
[localhost/sid#86c8dd8][rid#87866b0/initial] (3) applying pattern
'^/appl(.*)' to uri '/applx'
127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
[localhost/sid#86c8dd8][rid#87866b0/initial] (4) RewriteCond: input=''
pattern='^1$' => not-matched
127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
[localhost/sid#86c8dd8][rid#87866b0/initial] (3) applying pattern
'^/appl(.*)' to uri '/applx'
127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
[localhost/sid#86c8dd8][rid#87866b0/initial] (2) rewrite '/applx' ->
'balancer://backend/applx'
127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
[localhost/sid#86c8dd8][rid#87866b0/initial] (2) forcing proxy-throughput
with balancer://backend/applx
127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
[localhost/sid#86c8dd8][rid#87866b0/initial] (1) go-ahead with proxy
request proxy:balancer://backend/applx [OK]

So the env variable is there in my context.

This was performed on a test machine
ubuntu 12.10, self compiled apache 2.2.24, self compiled modsec 2.7.3.

One thing that springs to mind is the ModSec "--enable-request-early"
compile option. Did you use that?

Sorry for being so brief, but I am quite busy and my time
is running out.

Christian

Re: [mod-security-users] Sending a request to different Backends based on SecRule

From: Stefan B. <ml...@we...> - 2014-02-28 15:16:44

I use debian 7 which ships with modsec 2.6.6. After compiling modsec 
myself (debian testing uses apache 2.4), everything works as expected.

Thanks for the help

Am 28.02.14 11:59, schrieb Christian Folini:
> On Fri, February 28, 2014 11:40 am, Stefan Bernhardsgrütter wrote:
>> Thanks for the example. However I still have problems accessing the
>> environment-variable. Here is some of my test-config:
> Bullocks. Here is my rewrite log with my previous example, env set
> in server context:
>
> 127.0.0.1 - - [28/Feb/2014:11:49:08 +0100]
> [localhost/sid#86c8dd8][rid#a96024c8/initial] (2) init rewrite engine with
> requested uri /applx
> 127.0.0.1 - - [28/Feb/2014:11:49:08 +0100]
> [localhost/sid#86c8dd8][rid#a96024c8/initial] (3) applying pattern
> '^/appl(.*)' to uri '/applx'
> 127.0.0.1 - - [28/Feb/2014:11:49:08 +0100]
> [localhost/sid#86c8dd8][rid#a96024c8/initial] (4) RewriteCond: input='1'
> pattern='^1$' => matched
> 127.0.0.1 - - [28/Feb/2014:11:49:08 +0100]
> [localhost/sid#86c8dd8][rid#a96024c8/initial] (2) rewrite '/applx' ->
> 'balancer://backend-alt/applx'
> 127.0.0.1 - - [28/Feb/2014:11:49:08 +0100]
> [localhost/sid#86c8dd8][rid#a96024c8/initial] (2) forcing proxy-throughput
> with balancer://backend-alt/applx
> 127.0.0.1 - - [28/Feb/2014:11:49:08 +0100]
> [localhost/sid#86c8dd8][rid#a96024c8/initial] (1) go-ahead with proxy
> request proxy:balancer://backend-alt/applx [OK]
>
> 127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
> [localhost/sid#86c8dd8][rid#87866b0/initial] (2) init rewrite engine with
> requested uri /applx
> 127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
> [localhost/sid#86c8dd8][rid#87866b0/initial] (3) applying pattern
> '^/appl(.*)' to uri '/applx'
> 127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
> [localhost/sid#86c8dd8][rid#87866b0/initial] (4) RewriteCond: input=''
> pattern='^1$' => not-matched
> 127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
> [localhost/sid#86c8dd8][rid#87866b0/initial] (3) applying pattern
> '^/appl(.*)' to uri '/applx'
> 127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
> [localhost/sid#86c8dd8][rid#87866b0/initial] (2) rewrite '/applx' ->
> 'balancer://backend/applx'
> 127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
> [localhost/sid#86c8dd8][rid#87866b0/initial] (2) forcing proxy-throughput
> with balancer://backend/applx
> 127.0.0.1 - - [28/Feb/2014:11:50:04 +0100]
> [localhost/sid#86c8dd8][rid#87866b0/initial] (1) go-ahead with proxy
> request proxy:balancer://backend/applx [OK]
>
> So the env variable is there in my context.
>
> This was performed on a test machine
> ubuntu 12.10, self compiled apache 2.2.24, self compiled modsec 2.7.3.
>
> One thing that springs to mind is the ModSec "--enable-request-early"
> compile option. Did you use that?
>
> Sorry for being so brief, but I am quite busy and my time
> is running out.
>
> Christian
>
>
>

Re: [mod-security-users] Sending a request to different Backends based on SecRule

From: Christian F. <chr...@ti...> - 2014-02-28 19:55:58

On Fri, Feb 28, 2014 at 04:16:30PM +0100, Stefan Bernhardsgrütter wrote:
> I use debian 7 which ships with modsec 2.6.6. After compiling modsec
> myself (debian testing uses apache 2.4), everything works as
> expected.

Glad to hear that. You had me puzzled. Greetings to Eastern Switzerland!

Christian


-- 
The greatest obstacle to being heroic is the doubt whether one may not
be going to prove one's self a fool; the truest heroism is, to resist
the doubt; and the profoundest wisdom, to know when it ought to be
resisted, and when to be obeyed.
-- Nathaniel Hawthorne