Posted to users@httpd.apache.org by Andrei <la...@gmail.com> on 2017/03/01 05:54:49 UTC

[users@httpd] Re: ModSecurity and custom headers

Is there a different list I should be asking this on?

On Mon, Feb 27, 2017 at 8:49 AM, Andrei <la...@gmail.com> wrote:

> Hi all,
>
> How can I add a custom header using the 'msg' value from a ModSecurity
> rule, for all rules triggered? I'm basically trying to track the ModSec
> block reason at an edge point (Varnish) based on Apache's response.
>
> For example, I would like:
>
> SecRule REQUEST_URI "/modsectest" "log,deny,status:406,phase:1,t:none,id:9084310,msg:'ModSec Log Test'"
>
> To add a 'X-ModSec-Block' response header with the value 'ModSec Log Test'
> in this case. I understand this might be better suited with setenv +
> mod_headers due to blocks being done at different phases, and found
> http://serverfault.com/questions/796088/modsecurity-creating-a-new-request-header-from-secrule
> which seems similar to this
> scenario, just that it's not quite working out for me. Any help is greatly
> appreciated!
>
> Andrei
>

Re: [users@httpd] Re: ModSecurity and custom headers

Posted by Andrei <la...@gmail.com>.
Thanks!

On Wed, Mar 1, 2017 at 3:36 AM, Luca Toscano <to...@gmail.com> wrote:

> Hi Andrei,
>
> 2017-03-01 6:54 GMT+01:00 Andrei <la...@gmail.com>:
>
>> Is there a different list I should be asking this on?
>>
>
> I would start from https://modsecurity.org/help.html (Mod Security is not
> part of the httpd release since it is a third party module).
>
> Hope that helps!
>
> Luca
>

Re: [users@httpd] Re: ModSecurity and custom headers

Posted by Andrei <la...@gmail.com>.
bump

On Sat, Mar 11, 2017 at 4:14 PM, Andrei <la...@gmail.com> wrote:

> I also tried for example:
>
> SecDefaultAction "phase:2,deny,log,status:406,setenv:'env_modsecblk=%{rule.msg}'"
> <If "'%{env_modsecblk}e' =~ /[a-zA-Z]/">
>   Header always set X-ModSec-Block %{env_modsecblk}e env=env_modsecblk
> </If>
>
> But that also fails with:
>
> AH00526: Syntax error on line 21 of /usr/local/apache/conf/modsec2.conf:
> Cannot parse condition clause: Variable 'env_modsecblk' does not exist
>
>
> On Sat, Mar 11, 2017 at 8:06 AM, Andrei <la...@gmail.com> wrote:
>
>> Hello again :)
>>
>> So I went to the modsec lists, figured out how to get the environment
>> variable set with the rule message by default for all rules, then push the
>> 'msg' to a custom X header from there. For example:
>>
>> SecDefaultAction "phase:2,deny,log,setenv:'env_msecblk=%{rule.msg}'"
>> Header always set X-ModSec-Block %{env_msecblk}e env=env_msecblk
>>
>> However, I soon found that empty X-ModSec-Block headers were being set,
>> due to the empty "env_msecblk" environment variable being set by
>> ModSecurity in cases where disruptive rules weren't triggered. Reading over
>> the header directive docs [1], I noticed that the header will be set only
>> if the environment variable exists, but doesn't check if it's empty. So I
>> then tried:
>>
>> Header always set X-ModSec-Block %{env_modsecblk}e "expr=%{env_modsecblk}e =~ m#[a-zA-Z]#"
>>
>> The above unfortunately failed with: Can't parse envclause/expression:
>> syntax error, unexpected T_ID: Variable 'env_modsecblk' does not exist
>>
>> To get around that, I took a "dirty" clean-up approach:
>>
>> Header always set X-ModSec-Block %{env_modsecblk}e env=env_modsecblk
>> <If "! %{HTTP:X-ModSec-Block} =~ /[a-zA-Z]/">
>>     Header always unset X-ModSec-Block
>> </If>
>>
>> So my question at this point is: how do I conditionally set the custom
>> "X-ModSec-Block" header to the value of the "env_modsecblk" environment
>> variable, if that variable exists, and isn't blank. Thanks again everyone :)
>>
>> 1 - http://httpd.apache.org/docs/current/mod/mod_headers.html#header
>>
>>
>>
>>
>> On Wed, Mar 1, 2017 at 3:36 AM, Luca Toscano <to...@gmail.com>
>> wrote:
>>
>>> Hi Andrei,
>>>
>>> 2017-03-01 6:54 GMT+01:00 Andrei <la...@gmail.com>:
>>>
>>>> Is there a different list I should be asking this on?
>>>>
>>>
>>> I would start from https://modsecurity.org/help.html (Mod Security is
>>> not part of the httpd release since it is a third party module).
>>>
>>> Hope that helps!
>>>
>>> Luca
>>>
>>
>>
>

Re: [users@httpd] Re: ModSecurity and custom headers

Posted by Andrei <la...@gmail.com>.
I also tried for example:

SecDefaultAction "phase:2,deny,log,status:406,setenv:'env_modsecblk=%{rule.msg}'"
<If "'%{env_modsecblk}e' =~ /[a-zA-Z]/">
  Header always set X-ModSec-Block %{env_modsecblk}e env=env_modsecblk
</If>

But that also fails with:

AH00526: Syntax error on line 21 of /usr/local/apache/conf/modsec2.conf:
Cannot parse condition clause: Variable 'env_modsecblk' does not exist


On Sat, Mar 11, 2017 at 8:06 AM, Andrei <la...@gmail.com> wrote:

> Hello again :)
>
> So I went to the modsec lists, figured out how to get the environment
> variable set with the rule message by default for all rules, then push the
> 'msg' to a custom X header from there. For example:
>
> SecDefaultAction "phase:2,deny,log,setenv:'env_msecblk=%{rule.msg}'"
> Header always set X-ModSec-Block %{env_msecblk}e env=env_msecblk
>
> However, I soon found that empty X-ModSec-Block headers were being set,
> due to the empty "env_msecblk" environment variable being set by
> ModSecurity in cases where disruptive rules weren't triggered. Reading over
> the header directive docs [1], I noticed that the header will be set only
> if the environment variable exists, but doesn't check if it's empty. So I
> then tried:
>
> Header always set X-ModSec-Block %{env_modsecblk}e "expr=%{env_modsecblk}e =~ m#[a-zA-Z]#"
>
> The above unfortunately failed with: Can't parse envclause/expression:
> syntax error, unexpected T_ID: Variable 'env_modsecblk' does not exist
>
> To get around that, I took a "dirty" clean-up approach:
>
> Header always set X-ModSec-Block %{env_modsecblk}e env=env_modsecblk
> <If "! %{HTTP:X-ModSec-Block} =~ /[a-zA-Z]/">
>     Header always unset X-ModSec-Block
> </If>
>
> So my question at this point is: how do I conditionally set the custom
> "X-ModSec-Block" header to the value of the "env_modsecblk" environment
> variable, if that variable exists, and isn't blank. Thanks again everyone :)
>
> 1 - http://httpd.apache.org/docs/current/mod/mod_headers.html#header
>
>
>
>
> On Wed, Mar 1, 2017 at 3:36 AM, Luca Toscano <to...@gmail.com>
> wrote:
>
>> Hi Andrei,
>>
>> 2017-03-01 6:54 GMT+01:00 Andrei <la...@gmail.com>:
>>
>>> Is there a different list I should be asking this on?
>>>
>>
>> I would start from https://modsecurity.org/help.html (Mod Security is
>> not part of the httpd release since it is a third party module).
>>
>> Hope that helps!
>>
>> Luca
>>
>
>
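
Both parse errors quoted in the message above come from using mod_headers' %{NAME}e format specifier inside an httpd expression. The following is an added example, not part of the thread and not from either project: one way to set the header only when the variable is non-empty, assuming httpd 2.4 with mod_headers and reusing the thread's variable name env_modsecblk and its SecDefaultAction line.

```apache
# Added example (not from the thread). Assumes httpd 2.4, mod_headers and
# ModSecurity 2.x; env_modsecblk is the variable name used in the thread.

# Taken from the thread: copy the matching rule's msg into a request
# environment variable for every rule that inherits the default action.
SecDefaultAction "phase:2,deny,log,status:406,setenv:'env_modsecblk=%{rule.msg}'"

# %{NAME}e is only valid in the header *value*. Inside expr= or <If>, the
# expression parser treats %{NAME} as a built-in variable, hence
# "Variable 'env_modsecblk' does not exist". In an expression, request
# environment variables are read through the reqenv function, and -n is
# true only for a non-empty string, so an empty variable sets no header.
Header always set X-ModSec-Block "%{env_modsecblk}e" "expr=-n %{reqenv:env_modsecblk}"

# Equivalent condition using the regex from the thread:
#   "expr=%{reqenv:env_modsecblk} =~ /[a-zA-Z]/"
#
# The condition is placed on the Header directive rather than in an <If>
# block because <If> conditions are resolved very early in request
# processing, before a phase:2 rule has had a chance to set the variable.
```

The header tells whoever receives the response which rule fired, so if it is only meant for tracking at the Varnish edge, remove it there before the response is delivered to the client.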

Re: [users@httpd] Re: ModSecurity and custom headers

Posted by Andrei <la...@gmail.com>.
Hello again :)

So I went to the modsec lists, figured out how to get the environment
variable set with the rule message by default for all rules, then push the
'msg' to a custom X header from there. For example:

SecDefaultAction "phase:2,deny,log,setenv:'env_msecblk=%{rule.msg}'"
Header always set X-ModSec-Block %{env_msecblk}e env=env_msecblk

However, I soon found that empty X-ModSec-Block headers were being set, due
to the empty "env_msecblk" environment variable being set by ModSecurity in
cases where disruptive rules weren't triggered. Reading over the header
directive docs [1], I noticed that the header will be set only if the
environment variable exists, but doesn't check if it's empty. So I then
tried:

Header always set X-ModSec-Block %{env_modsecblk}e "expr=%{env_modsecblk}e =~ m#[a-zA-Z]#"

The above unfortunately failed with: Can't parse envclause/expression:
syntax error, unexpected T_ID: Variable 'env_modsecblk' does not exist

To get around that, I took a "dirty" clean-up approach:

Header always set X-ModSec-Block %{env_modsecblk}e env=env_modsecblk
<If "! %{HTTP:X-ModSec-Block} =~ /[a-zA-Z]/">
    Header always unset X-ModSec-Block
</If>

So my question at this point is: how do I conditionally set the custom
"X-ModSec-Block" header to the value of the "env_modsecblk" environment
variable, if that variable exists, and isn't blank. Thanks again everyone :)

1 - http://httpd.apache.org/docs/current/mod/mod_headers.html#header




On Wed, Mar 1, 2017 at 3:36 AM, Luca Toscano <to...@gmail.com> wrote:

> Hi Andrei,
>
> 2017-03-01 6:54 GMT+01:00 Andrei <la...@gmail.com>:
>
>> Is there a different list I should be asking this on?
>>
>
> I would start from https://modsecurity.org/help.html (Mod Security is not
> part of the httpd release since it is a third party module).
>
> Hope that helps!
>
> Luca
>

Re: [users@httpd] Re: ModSecurity and custom headers

Posted by Luca Toscano <to...@gmail.com>.
Hi Andrei,

2017-03-01 6:54 GMT+01:00 Andrei <la...@gmail.com>:

> Is there a different list I should be asking this on?
>

I would start from https://modsecurity.org/help.html (Mod Security is not
part of the httpd release since it is a third party module).

Hope that helps!

Luca