Netgate Discussion Forum

Mod_Security+Apache+Proxy

pfSense Packages
3 Posts 2 Posters 6.4k Views
  • Idi
    last edited by Sep 18, 2012, 1:16 PM

    Hi

    I installed pfSense in a VM with three network adapters: LAN, WAN and DMZ.
    I publish a web site on port 8080 connected to the DMZ.
    The site must be accessible from the LAN and the Internet.
    I installed the "Proxy Server with mod_security" package and configured everything (the option "Enable mod_security protection" is activated).
    Publishing the site works, but the mod_security protection is not working.
    I added a custom rule like

    SecRule REQUEST_URI "admin-console" deny

    in the option "Proxy server settings / Custom mod_security rules", but accessing the site URL "http://xxxx.xxxxx.xxx/admin-console/login.seam?conversationId=17" is not blocked.
    I checked the httpd.conf file and the rule is written correctly.
    I also tried a URL like http://xxxx.xxxxx.xxx/etc/inetd.conf, which should be blocked by default by mod_security, but instead JBoss responds, which means that mod_security is bypassed.

    Why?

    Thanks,
    Idi

    • tlum
      last edited by Sep 19, 2012, 2:50 AM

      Are you sure that mod_security is in the path, and that you didn't just port map directly to the backend server, bypassing mod_security entirely? That's just a guess; you didn't give enough detail to know. Checking the mod_security log and /var/log/httpd-access.log, are you definitely seeing the traffic proxied? Maybe you've done that already, but you didn't say, so I have to ask just in case.

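The log check tlum suggests, turned into a script. This is an added example, not code from the thread or from the pfSense package: the access-log lines are constructed, and the verdict logic assumes ModSecurity's default deny status of 403, so a probe that appears with 403 was denied by mod_security, one that appears with another status was proxied but not denied, and one that never appears in the proxy's access log never reached Apache at all (the port-mapping-straight-to-backend case).

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format, as they would
# appear in /var/log/httpd-access.log on the pfSense proxy host.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [24/Sep/2012:16:40:01 +0200] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Sep/2012:16:40:07 +0200] "GET /admin-console/login.seam?conversationId=17 HTTP/1.1" 403 212 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Sep/2012:16:40:15 +0200] "GET /etc/inetd.conf HTTP/1.1" 200 0 "-" "curl/7.26.0"
"""

# Client, identd, user, timestamp, request line, status, size (referer/agent ignored).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_access_log(text):
    """Return one dict per parseable request line, with the query string split off."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["path"] = d["target"].split("?", 1)[0]
            entries.append(d)
    return entries

def classify_probes(entries, probe_paths):
    """Map each probe path to 'blocked', 'passed' or 'not_seen'.

    blocked  : the proxy answered 403, i.e. the SecRule deny fired
    passed   : the proxy saw the request but did not deny it (rule not loaded/matching)
    not_seen : the request never hit Apache, so traffic is bypassing the proxy
    """
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e["status"])
    verdict = {}
    for p in probe_paths:
        statuses = by_path.get(p)
        if not statuses:
            verdict[p] = "not_seen"
        elif any(s == 403 for s in statuses):
            verdict[p] = "blocked"
        else:
            verdict[p] = "passed"
    return verdict
```

Run it against the real /var/log/httpd-access.log after requesting the admin-console and /etc/inetd.conf URLs through the published address; "not_seen" for every probe means the NAT rule, not the Apache proxy, is serving the site.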
      • Idi
        last edited by Sep 24, 2012, 3:03 PM

        Thanks for the reply

        When I installed the package and restarted it, this error came out:

        …. "Proxy Server with mod_security" ... fetch: /usr/local/apachemodsecurity/rules/rules/default.conf: open (): No such file or directory

        I edited the file /usr/local/pkg/apache_mod_security.inc at line 114 and the error no longer comes out.

        When the server restarts, starting the module "Proxy Server with mod_security" returns the error
        (48) Address already in use: make_sock: could not bind to address 127.0.0.1:80
        no listening sockets available, shutting down
        This error comes out even if an IP different from 127.0.0.1 is defined.
        If the service is restarted manually from the dashboard, the service starts properly.

        I followed the instructions to add the two files accf_data.ko and accf_http.ko that I took from the pfsense.org site, and I modified the loader.conf file by adding the line accf_http_load = "YES"

        When I set some parameters in "mod_security + Apache + Proxy: Settings", the following error comes out in httpd-error.log:

        [Mon Sep 24 16:37:50 2012] [notice] Graceful restart requested, doing restart
        [Mon Sep 24 16:37:50 2012] [warn] (22) Invalid argument: Failed to enable the 'httpready' Accept Filter
        [Mon Sep 24 16:37:50 2012] [warn] (22) Invalid argument: Failed to enable the 'httpready' Accept Filter
        [Mon Sep 24 16:37:50 2012] [notice] Digest: generating secret for digest authentication …
        [Mon Sep 24 16:37:50 2012] [notice] Digest: done
        [Mon Sep 24 16:37:51 2012] [notice] Apache/2.2.22 (FreeBSD) mod_ssl/2.2.22 OpenSSL/0.9.8n configured - resuming normal operations

        The mod_security filter still does not filter, but I can access the site in the DMZ.
        Regarding mod_security not being in the path: if I do not set "mod_security + Apache + Proxy: Proxies Site", the site is not accessible.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.