Posted to users@httpd.apache.org by Merton Campbell Crockett <m....@roadrunner.com> on 2008/06/13 18:41:25 UTC
[users@httpd] Rejecting Invalid URL With a 503 Status
It's been a few years since I've done any extensive work with Apache
and could use some help with a server that I've inherited.
The Apache server is configured with a <VirtualHost> that is used to
support a single, web-based collaboration tool. The URLs used to
access the collaboration tool are in the following format.
https://host.domain.com/anonymous/...
https://host.domain.com/registered/...
https://host.domain.com/resources/...
The strings--anonymous, registered, and resources--have an associated
Alias that defines which <Location> container is to be used to access a
collaboration workspace. The anonymous string is only used for
registering a new user as a member of a collaboration workspace.
Looking at the Apache access log, it's clear that Apache is processing
a lot of requests from systems probing for vulnerabilities. Rather
than have Apache process the request, I would like to immediately
reject all requests with a 503, Service Unavailable, status.
Can this be done with a series of RewriteCond statements specifying
each of the permitted strings followed by a RewriteRule that rejects
the request and terminates processing? Is there a better way of
accomplishing this?
Merton Campbell Crockett
m.c.crockett@roadrunner.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Rejecting Invalid URL With a 503 Status
Posted by André Warnier <aw...@ice-sa.com>.
Merton Campbell Crockett wrote:
>
> On 13 Jun 2008, at 09:47:43, Joshua Slive wrote:
>
>> On Fri, Jun 13, 2008 at 12:41 PM, Merton Campbell Crockett
>> <m....@roadrunner.com> wrote:
>>
If I may add my grain of salt: often the issue is that such error
messages end up cluttering the logfile, consuming megabytes and making
it more time-consuming to find real errors that one should track down.
One case in point is the "GET /_vti_bin/.." stuff generated by some IE
clients. One knows what they are, one knows that they'll end up being
rejected, and one is tired of finding them all over. So one would
appreciate some nice and efficient way to reject them early on, and not
even having them logged.
And one knows that this might cause one some time in the future to
overlook some things one shouldn't.
Re: [users@httpd] Rejecting Invalid URL With a 503 Status
Posted by Nick Kew <ni...@webthing.com>.
On Fri, 13 Jun 2008 16:06:45 -0400
"Joshua Slive" <jo...@slive.ca> wrote:
> Otherwise, mod_rewrite could certainly be used. If you want the
> uber-powerful approach, mod_security can also do stuff like this.
Indeed, normal Allow/Deny is the correct and best way to do this.
mod_security is an alternative if you need things to happen early,
but if Allow/Deny is too late for you that probably points to a
problem in your application. mod_rewrite will work, but is the
least likely to be the best tool for the job.
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
Re: [users@httpd] Rejecting Invalid URL With a 503 Status
Posted by Joshua Slive <jo...@slive.ca>.
On Fri, Jun 13, 2008 at 3:40 PM, Merton Campbell Crockett
<m....@roadrunner.com> wrote:
> Basically, I'm tired of the bullshit. I don't want to spend my life filling
> out forms explaining to those that haven't a clue that their "vulnerability"
> is a false positive. I want to configure Apache to reject all requests that
> cannot possibly be supported by the collaboration tool.
Ok. Sounds like a tough life ;-)
Something as simple as this might work (although I haven't tested it):
<Location />
Order Deny,Allow
Deny from all
</Location>
<Location /letmein>
Order Deny,Allow
Allow from all
</Location>
This will get you 403 rather than 503.
Otherwise, mod_rewrite could certainly be used. If you want the
uber-powerful approach, mod_security can also do stuff like this.
Joshua.
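Joshua's default-deny pattern applied to the three prefixes from the original question, as an added example (this is not configuration from the thread or from the httpd project). It assumes the Apache 2.2 access-control syntax used in the thread, host.domain.com as the ServerName and HTTPS on port 443; the RewriteCond/RewriteRule pair is the 503 variant Merton asked about, and the SetEnvIf/CustomLog lines are one answer to André's log-clutter point that diverts the probe entries to their own file instead of dropping them.

```apache
# Added example, not part of the thread or of the httpd project.
# Apache 2.2 syntax (Order/Deny/Allow, mod_authz_host).  On Apache 2.4
# replace those three lines with "Require all denied" / "Require all granted".

<VirtualHost *:443>
    ServerName host.domain.com   # assumed name, taken from the question

    # 1. Deny everything by default.  The most specific matching <Location>
    #    wins, so only the prefixes opened below get through; anything else
    #    is answered with 403 at the access-check phase, as in Joshua's reply.
    <Location />
        Order Deny,Allow
        Deny from all
    </Location>

    # 2. Open exactly the prefixes the collaboration tool serves.  <Location
    #    /anonymous> matches /anonymous and /anonymous/..., but not
    #    /anonymousX, because Location matching is on whole path segments.
    <Location /anonymous>
        Order Deny,Allow
        Allow from all
    </Location>
    <Location /registered>
        Order Deny,Allow
        Allow from all
    </Location>
    <Location /resources>
        Order Deny,Allow
        Allow from all
    </Location>

    # 3. The 503 variant from the original question.  mod_rewrite runs during
    #    URI translation, before the access check and before Alias, so a
    #    probe such as GET /_vti_bin/... is rejected here and never reaches
    #    the tool.  For a non-3xx status in R= the substitution is ignored and
    #    rewriting stops, hence the "-" substitution.  The regex mirrors the
    #    Location semantics above: a permitted prefix followed by "/" or end.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/(anonymous|registered|resources)(/|$)
    RewriteRule .* - [R=503,L]

    # 4. Log hygiene (André's point): keep the probe noise out of the main
    #    access log, but write it to a separate file rather than discard it,
    #    so nothing is overlooked later.
    SetEnvIf Request_URI "^/(anonymous|registered|resources)(/|$)" legit
    CustomLog logs/host.domain.com-access_log combined env=legit
    CustomLog logs/host.domain.com-probes_log combined env=!legit
</VirtualHost>
```

With both layers active, an unknown path gets the 503 from step 3; if the RewriteRule is removed, step 1 still applies and the same request gets a 403 instead. Run `httpd -t` after editing and check both log files with a request inside and one outside the permitted prefixes before relying on it.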
Re: [users@httpd] Rejecting Invalid URL With a 503 Status
Posted by Merton Campbell Crockett <m....@roadrunner.com>.
On 13 Jun 2008, at 09:47:43, Joshua Slive wrote:
> On Fri, Jun 13, 2008 at 12:41 PM, Merton Campbell Crockett
> <m....@roadrunner.com> wrote:
>
>> Looking at the Apache access log, it's clear that Apache is processing a lot
>> of requests from systems probing for vulnerabilities. Rather than have
>> Apache process the request, I would like to immediately reject all requests
>> with a 503, Service Unavailable, status.
>
> Can I ask: Why? Apache has to process the request one way or the other
> in order to send back an error response. What's the difference if the
> error response is a 404 or a 503?
I don't really care whether the status returned is 404, 503, or some
other code as long as it does not require me to identify why the
request is being rejected.
Why? Most of the requests are rejected because the file doesn't
exist; however, Apache does perform some action on some requests
beyond determining whether or not the file exists. I do not want
Apache to perform these actions.
>> Can this be done with a series of RewriteCond statements specifying each of
>> the permitted strings followed by a RewriteRule that rejects the request and
>> terminates processing? Is there a better way of accomplishing this?
>
> Yes, you could do this with mod_rewrite, but I don't see the point.
Does your company or organization have a Security Operations Center
(SOC) that does nothing but scan for potential vulnerabilities? If
so, do they insist that you make changes to your Apache configuration
even though the "vulnerability" doesn't exist?
Basically, I'm tired of the bullshit. I don't want to spend my life
filling out forms explaining to those that haven't a clue that their
"vulnerability" is a false positive. I want to configure Apache to
reject all requests that cannot possibly be supported by the
collaboration tool.
Merton Campbell Crockett
m.c.crockett@roadrunner.com
Re: [users@httpd] Rejecting Invalid URL With a 503 Status
Posted by Joshua Slive <jo...@slive.ca>.
On Fri, Jun 13, 2008 at 12:41 PM, Merton Campbell Crockett
<m....@roadrunner.com> wrote:
> Looking at the Apache access log, it's clear that Apache is processing a lot
> of requests from systems probing for vulnerabilities. Rather than have
> Apache process the request, I would like to immediately reject all requests
> with a 503, Service Unavailable, status.
Can I ask: Why? Apache has to process the request one way or the other
in order to send back an error response. What's the difference if the
error response is a 404 or a 503?
>
> Can this be done with a series of RewriteCond statements specifying each of
> the permitted strings followed by a RewriteRule that rejects the request and
> terminates processing? Is there a better way of accomplishing this?
Yes, you could do this with mod_rewrite, but I don't see the point.