Posted to users@httpd.apache.org by Jignesh Badani <jb...@mmsa.com> on 2006/08/23 00:22:31 UTC
[users@httpd] mod_security general question...
We have been looking at implementing mod_security for quite some time now,
but it is not getting a green flag because the module is not part of the
Apache group offering (yet).
1. Is there a reason, this module is still not being bundled as part of
the Apache source ?
2. Has anybody implemented the same along with Netegrity (CA) Siteminder
Web Agent module and in production ? If so, does it add too much of an
overhead ?
Thanks
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- -
Jignesh Badani
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_security general question...
Posted by Joshua Slive <jo...@slive.ca>.
On 8/22/06, Jignesh Badani <jb...@mmsa.com> wrote:
> Thanks Nick, it makes sense. So can I assume that the Apache group is fine
> with its user base using 3rd party mod_security and that they do not plan
> to develop something similar ?
>
> The reason I am confused is I see Ryan Barnett as Team Lead for "Internet
> Security Apache Benchmark Project" and he talks/writes a lot about
> mod_security.
I think you are referring to the "Center for Internet Security Apache
Benchmark Project". Note that the Center for Internet Security is not
affiliated in any way with the Apache Software Foundation, the makers
of the Apache HTTP Server.
The developers of the Apache HTTP Server are, however, VERY happy to
have third parties develop and release modules for the server. The
one issue to consider with mod_security is that (unless you pay for
it) it is GPL licensed. Depending on who you ask, linking GPL and
Apache-licensed code may or may not be legal. If it is legal, the
result is almost surely GPL licensed. This isn't likely a problem for
an end-user of mod_security, but would be a big issue if you wanted to
redistribute Apache httpd with mod_security.
Joshua.
Re: [users@httpd] mod_security general question...
Posted by Jignesh Badani <jb...@mmsa.com>.
Thanks to Nick, Joshua & William for your responses. Keep up the good
work.
regards
-Jignesh
"William A. Rowe, Jr." <wr...@rowe-clan.net>
08/22/2006 07:58 PM
Please respond to
users@httpd.apache.org
To
users@httpd.apache.org
cc
Subject
Re: [users@httpd] mod_security general question...
Jignesh Badani wrote:
> Thanks Nick, it makes sense. So can I assume that the Apache group is fine
> with its user base using 3rd party mod_security
Why not? http://modules.apache.org/ - lots of modules - we have no problem
with users deploying any module which solves their requirements.
> and that they do not plan to develop something similar ?
I haven't seen anyone express interest in developing such features for
the core server, nor any feedback from mod_security developers asking
to become part of the core server.
As a general rule the httpd project doesn't seek out more features, devs
bring us offers of more features. Or they host them separately.
> The reason I am confused is I see Ryan Barnett as Team Lead for "Internet
> Security Apache Benchmark Project" and he talks/writes a lot about
> mod_security.
http://www.amazon.com/gp/product/0321321286/ref=sr_11_1/104-5102527-8430348?ie=UTF8
(newly minted, and the page includes a good bio for Ryan.)
Ryan comes from a network/systems security background, and has many valuable
observations, so none of this should come as a surprise. For that matter,
I never actually saw the mysterious Andrew Ford at the Apache http project
either, although he also writes a decent book :) Not everyone in the Apache
httpd server sphere actually participates in the project.
The "Internet Security Apache Benchmark Project" is not affiliated with the
Apache software foundation.
> On Tuesday 22 August 2006 23:22, Jignesh Badani wrote:
>> We have been looking at implementing mod_security for quite some time
>> now, but it is not getting a green flag because the module is not part
>> of the Apache group offering (yet).
Of course I trust you don't use PHP or any other third party project.
Apache is an extensible platform, ruling in your choices in or out based
on if they are "Apache Software Foundation" projects is silly. Looking
at the license, the cast of characters supporting the extension etc are
valuable measurements, of course.
Re: [users@httpd] mod_security general question...
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Jignesh Badani wrote:
> Thanks Nick, it makes sense. So can I assume that the Apache group is fine
> with its user base using 3rd party mod_security
Why not? http://modules.apache.org/ - lots of modules - we have no problem
with users deploying any module which solves their requirements.
> and that they do not plan to develop something similar ?
I haven't seen anyone express interest in developing such features for
the core server, nor any feedback from mod_security developers asking
to become part of the core server.
As a general rule the httpd project doesn't seek out more features, devs
bring us offers of more features. Or they host them separately.
> The reason I am confused is I see Ryan Barnett as Team Lead for "Internet
> Security Apache Benchmark Project" and he talks/writes a lot about
> mod_security.
http://www.amazon.com/gp/product/0321321286/ref=sr_11_1/104-5102527-8430348?ie=UTF8
(newly minted, and the page includes a good bio for Ryan.)
Ryan comes from a network/systems security background, and has many valuable
observations, so none of this should come as a surprise. For that matter,
I never actually saw the mysterious Andrew Ford at the Apache http project
either, although he also writes a decent book :) Not everyone in the Apache
httpd server sphere actually participates in the project.
The "Internet Security Apache Benchmark Project" is not affiliated with the
Apache software foundation.
> On Tuesday 22 August 2006 23:22, Jignesh Badani wrote:
>> We have been looking at implementing mod_security for quite some time
>> now, but it is not getting a green flag because the module is not part
>> of the Apache group offering (yet).
Of course I trust you don't use PHP or any other third party project.
Apache is an extensible platform, ruling in your choices in or out based
on if they are "Apache Software Foundation" projects is silly. Looking
at the license, the cast of characters supporting the extension etc are
valuable measurements, of course.
Re: [users@httpd] mod_security general question...
Posted by Jignesh Badani <jb...@mmsa.com>.
Thanks Nick, it makes sense. So can I assume that the Apache group is fine
with its user base using 3rd party mod_security and that they do not plan
to develop something similar ?
The reason I am confused is I see Ryan Barnett as Team Lead for "Internet
Security Apache Benchmark Project" and he talks/writes a lot about
mod_security.
regards
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- -
Jignesh Badani
Nick Kew <ni...@webthing.com>
08/22/2006 04:28 PM
Please respond to
users@httpd.apache.org
To
users@httpd.apache.org
cc
Subject
Re: [users@httpd] mod_security general question...
On Tuesday 22 August 2006 23:22, Jignesh Badani wrote:
> We have been looking at implementing mod_security for quite some time now,
> but it is not getting a green flag because the module is not part of the
> Apache group offering (yet).
>
> 1. Is there a reason, this module is still not being bundled as part of
> the Apache source ?
Its author is an independent developer, and appears happy to remain that way.
It's his work to distribute as he chooses. If you want it bundled with
Apache, get a package from a distributor - e.g. a Linux CDROM.
--
Nick Kew
Re: [users@httpd] mod_security general question...
Posted by Nick Kew <ni...@webthing.com>.
On Tuesday 22 August 2006 23:22, Jignesh Badani wrote:
> We have been looking at implementing mod_security for quite some time now,
> but it is not getting a green flag because the module is not part of the
> Apache group offering (yet).
>
> 1. Is there a reason, this module is still not being bundled as part of
> the Apache source ?
Its author is an independent developer, and appears happy to remain that way.
It's his work to distribute as he chooses. If you want it bundled with
Apache, get a package from a distributor - e.g. a Linux CDROM.
--
Nick Kew