mod_security question

Discussion in 'Apache Migration/Compatibility' started by ffeingol, Jul 31, 2007.

  1. ffeingol

    ffeingol New Member

    OK, we're running an Enterprise version of LSWS on a VPS with cPanel. We have mod_security set up. For now we have just 1 rule for testing:

    SecFilter "testit"

    .shtml pages are being proxied to Apache.

    If we browse http://www.mydomain.com/blah.shtml?testit then Apache blocks the request with a 406 (our error code set in the conf) and mod_security works properly. If we browse to http://www.mydomain.com/blah.php?testit LSWS serves up the page. I thought LSWS should be reading the mod_security rules and applying them?

    TIA,

    Frank
  2. mistwang

    mistwang LiteSpeed Staff

    How was this rule configured? In httpd.conf? Which section of httpd.conf? Or in the LiteSpeed web console?
    Can you please try the rule in another format?

    SecFilterSelective "ARGS" "testit"

    It should have the same effect as yours; I just want to make sure it is not a bug with the "SecFilter" directive.
  3. ffeingol

    ffeingol New Member

    Hello,

    Yes, it's in httpd.conf. It's configured in the "default" cPanel config (if you use mod_security installed via cPanel).

    Code:
    AddModule mod_security.c
    Include "/usr/local/apache/conf/modsec.conf"
    
    and then /usr/local/apache/conf/modsec.conf has:

    Code:
    <IfModule mod_security.c>
    SecFilterEngine On
    SecFilterCheckURLEncoding On
    SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/audit_log
    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 0
    SecFilterDefaultAction "deny,log,status:406"
    SecFilterSelective REMOTE_ADDR "^127.0.0.1$" nolog,allow
    Include "/usr/local/apache/conf/modsec.user.conf"
    </IfModule>
    
    and then finally modsec.user.conf

    Code:
    #SecFilter "testit"
    SecFilterSelective "ARGS" "testit"
    
    The results are the same for either form of the rule. The Apache proxy works, LSWS does not.

    Frank
  4. mistwang

    mistwang LiteSpeed Staff

    It turns out to be a bug parsing a query string with only one variable name; if there are other request variables or it has a value, it will be caught.

    The fix is in our 3.2.1 build. Can you download it and give it a try?
  5. ffeingol

    ffeingol New Member

    Where/how do I download 3.2.1? The download page looks like it only has 3.2.

    TIA,

    Frank
  6. mistwang

    mistwang LiteSpeed Staff

    Just change the version number to 3.2.1 in the download link.
  7. ffeingol

    ffeingol New Member

    Thanks much. That fixed the issue.

    Frank
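
The gap discussed in this thread (a rule on ARGS never seeing a parameter that is only a name, as in `?testit`) can be checked for in any filter by comparing argument parsers on the same inputs. The following is an added example, not part of the thread and not LiteSpeed's or mod_security's code: it uses Python's standard `parse_qsl`, whose default also drops value-less names, to show the same class of defect, and the function names and sample query strings are constructed for illustration. Unlike the LSWS bug described above, this lossy parser also misses the bare name when other variables are present.

```python
import re
from urllib.parse import parse_qsl


def args_lossy(query):
    """Default parse_qsl: pairs without a value are silently dropped."""
    return parse_qsl(query)


def args_complete(query):
    """Keep value-less names so a rule can still inspect them."""
    return parse_qsl(query, keep_blank_values=True)


def rule_matches(pattern, query, parser):
    """Emulate an ARGS-style rule: search every parsed name and value."""
    rx = re.compile(pattern)
    return any(rx.search(name) or rx.search(value)
               for name, value in parser(query))


# Constructed query strings, built around the thread's "testit" test rule.
CASES = ["testit", "testit=1", "a=1&testit", "a=1&b=testit", "a=1"]


def coverage(parser, pattern="testit"):
    """Map each sample query string to whether the rule fires."""
    return {q: rule_matches(pattern, q, parser) for q in CASES}


def gaps(pattern="testit"):
    """Queries the complete parser flags but the lossy parser lets through."""
    lossy = coverage(args_lossy, pattern)
    complete = coverage(args_complete, pattern)
    return [q for q in CASES if complete[q] and not lossy[q]]


if __name__ == "__main__":
    for q in CASES:
        print(f"{q!r:16} lossy={coverage(args_lossy)[q]!s:5} "
              f"complete={coverage(args_complete)[q]}")
    print("rule gaps:", gaps())
```
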
