Re: Apache ProxyPass and ModSecurity

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MMike Ballon at <-
 
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Mike Ballon
Date:  
To: Main PLUG discussion list
Subject: Re: Apache ProxyPass and ModSecurity
OK, unless anyone can prove me wrong I’m going to say this is not an issue
and that mod-sec is in fact working.

While I don’t know why the noindex error is proxy’d back to the web host,
that’s all that is sent and mod_sec is blocking everything else. I ran a
full Nesses web vuln test and while the noindex error was again passed
through, there were hundreds of subsequent blocks so mod_sec is working.



On Thu, Jun 4, 2015 at 4:04 PM, Mike Ballon <> wrote:

>
> Apache 2.2 running as a reverse-proxy with another Apache 2.2 host and
> then a DB on the end. This is an AWS setup so the design is basically;
> load-balancer, pair of reverse proxies, pair of web hosts, database on the
> backend.
>
> I'm using a basic user-agent test to ensure at least basic function of
> mod_sec and there is again, something that even 3 cups of coffee hasn't
> been able to figure out.
>
> curl -I -A "Nessus" http://www.ihaterabbits.com/
> Returns "HTTP 200"
>
> curl -I -A "Nessus" http://www.ihaterabbits.com/foobar
> Returns "HTTP 443"
>
> The reverse-proxy logs:
>
> access_log
> "HEAD / HTTP/1.1" 200 - "-" "Nessus"
> "HEAD /foobar/ HTTP/1.1" 403 - "-" "Nessus"
>
> error_log
> "ModSecurity: Access denied with code 403 bad_robots
> "ModSecurity: Access denied with code 403 bad_robots
>
> The web host logs:
>
> "GET /error/noindex.html HTTP/1.1" 200 3839
> [second curl there is no request sent to the web host]
>
> -- Why is there a request sent to the web host on the first curl when
> there is a deny from mod_sec? I tried removing the -Indexes for Options and
> that didn't change anything. It looks like it's proxying the error and not
> the request?
>
> vhost is as follows:
>
> <VirtualHost *:80>
> ProxyVia On
> <IfModule mod_security2.c>
> SecRuleEngine On
> </IfModule>
> ProxyPreserveHost On
> ServerName ihaterabbits.com
> ProxyPass / http://nameofloadbalancer/ retry=0
> ProxyPassReverse / http://nameofloadbalancer/
> </VirtualHost>
>
>
>
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss
This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-ot - Boric acid and weight loss?Installfest this Sat 10-4 *** CHANGE OF VENUE *** Gangplank in Chandler!->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)