Apache ProxyPass and ModSecurity
Mike Ballon
mike.ballon at gmail.com
Fri Jun 5 11:57:07 MST 2015
OK, unless anyone can prove me wrong I’m going to say this is not an issue
and that mod-sec is in fact working.

While I don’t know why the noindex error is proxy’d back to the web host,
that’s all that is sent and mod_sec is blocking everything else. I ran a
full Nessus web vuln test and while the noindex error was again passed
through, there were hundreds of subsequent blocks so mod_sec is working.

On Thu, Jun 4, 2015 at 4:04 PM, Mike Ballon <mike.ballon at gmail.com> wrote:
>
> Apache 2.2 running as a reverse-proxy with another Apache 2.2 host and
> then a DB on the end. This is an AWS setup so the design is basically:
> load-balancer, pair of reverse proxies, pair of web hosts, database on the
> backend.
>
> I'm using a basic user-agent test to ensure at least basic function of
> mod_sec and there is again, something that even 3 cups of coffee hasn't
> been able to figure out.
>
> curl -I -A "Nessus" http://www.ihaterabbits.com/
> Returns "HTTP 200"
>
> curl -I -A "Nessus" http://www.ihaterabbits.com/foobar
> Returns "HTTP 443"
>
> The reverse-proxy logs:
>
> access_log
> "HEAD / HTTP/1.1" 200 - "-" "Nessus"
> "HEAD /foobar/ HTTP/1.1" 403 - "-" "Nessus"
>
> error_log
> "ModSecurity: Access denied with code 403 bad_robots
> "ModSecurity: Access denied with code 403 bad_robots
>
> The web host logs:
>
> "GET /error/noindex.html HTTP/1.1" 200 3839
> [second curl there is no request sent to the web host]
>
> -- Why is there a request sent to the web host on the first curl when
> there is a deny from mod_sec? I tried removing the -Indexes for Options and
> that didn't change anything. It looks like it's proxying the error and not
> the request?
>
> vhost is as follows:
>
> <VirtualHost *:80>
> ProxyVia On
> <IfModule mod_security2.c>
> SecRuleEngine On
> </IfModule>
> ProxyPreserveHost On
> ServerName ihaterabbits.com
> ProxyPass / http://nameofloadbalancer/ retry=0
> ProxyPassReverse / http://nameofloadbalancer/
> </VirtualHost>
>
>
>
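
The check made by hand in this thread (does a request denied by ModSecurity on the reverse proxy still produce traffic on the web host?) can be automated by correlating the two logs. This is an added example, not part of the original posts: the log lines are constructed (timestamps, addresses and the second backend entry are invented), and both hosts are assumed to log in the same time zone with roughly synchronized clocks.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the excerpts quoted in the message.
PROXY_ERROR_LOG = """\
[Thu Jun 04 15:50:01 2015] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). [tag "bad_robots"] [uri "/"]
[Thu Jun 04 15:50:09 2015] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). [tag "bad_robots"] [uri "/foobar/"]
"""
BACKEND_ACCESS_LOG = """\
10.0.1.10 - - [04/Jun/2015:15:50:01 -0700] "GET /error/noindex.html HTTP/1.1" 200 3839
10.0.1.10 - - [04/Jun/2015:15:52:30 -0700] "GET /index.html HTTP/1.1" 200 512
"""

DENY_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] .*ModSecurity: Access denied'
                     r' with code \d{3}.*\[uri "(?P<uri>[^"]*)"\]')
ACCESS_RE = re.compile(r'^\S+ \S+ \S+ \[(?P<ts>[^\] ]+) [^\]]+\] '
                       r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3}')

def parse_denies(text):
    """Return (time, uri) for every ModSecurity deny in a proxy error_log."""
    found = (DENY_RE.match(line) for line in text.splitlines())
    return [(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["uri"])
            for m in found if m]

def parse_backend(text):
    """Return (time, method, path) for every request in a backend access_log."""
    found = (ACCESS_RE.match(line) for line in text.splitlines())
    # The UTC offset is dropped: both logs are assumed to use the same zone.
    return [(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"), m["method"], m["path"])
            for m in found if m]

def backend_hits_for_denies(denies, backend, window_s=2):
    """Pair each denied URI with backend requests seen within window_s seconds."""
    window = timedelta(seconds=window_s)
    return [(uri, [(meth, path) for t, meth, path in backend
                   if abs(t - when) <= window])
            for when, uri in denies]

if __name__ == "__main__":
    denies = parse_denies(PROXY_ERROR_LOG)
    backend = parse_backend(BACKEND_ACCESS_LOG)
    for uri, hits in backend_hits_for_denies(denies, backend):
        print(f"denied {uri!r}: backend saw {hits or 'nothing'}")
```

On the constructed input this reproduces what the message reports: the deny for `/` coincides with a backend fetch of `/error/noindex.html`, while the deny for `/foobar/` has no matching backend request.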