Documentation for Mod_Security 0.3?



  • I've just inadvertently reinstalled mod_security 0.3 over 0.2 and it is completely different. Is there any documentation on it? I have not been able to figure out how to map the different host headers to all my different back end servers. It all used to be in the virtual host tab, but no more.

    This is a backup of the 0.2 config:

    <service>
        <name>apache_mod_security</name>
        <rcfile>apache_mod_security.sh</rcfile>
        <executable>httpd</executable>
    </service>
    <apachemodsecuritysettings>
        <config>
            <globalsiteadminemail>server.ops@MyInternal.net</globalsiteadminemail>
            <hostname>fw1.MyInternal.net</hostname>
            <globalbindtoipaddr>74.0.0.1</globalbindtoipaddr>
            <globalbindtoport>80</globalbindtoport>
            <mod_mem_cache>on</mod_mem_cache>
            <mod_mem_cache_size>100</mod_mem_cache_size>
            <mod_disk_cache></mod_disk_cache>
            <mod_disk_cache_size></mod_disk_cache_size>
            <secreadstatelimit></secreadstatelimit>
            <secrequestbodyinmemorylimit></secrequestbodyinmemorylimit>
            <secrequestbodylimit></secrequestbodylimit>
            <enablemodsecurity>on</enablemodsecurity>
            <secauditengine>On</secauditengine>
            <errordocument></errordocument>
            <modsecuritycustom>SecFilter phpMyAdmin</modsecuritycustom>
        </config>
    </apachemodsecuritysettings>
    <apachemodsecurity>
        <config>
            <sitename>MySite</sitename>
            <siteemail>server.ops@MyInternal.net</siteemail>
            <siteurl>HTTP</siteurl>
            <ipaddress></ipaddress>
            <port></port>
            <certificatefile></certificatefile>
            <certificatekeyfile></certificatekeyfile>
            <certificatechainfile></certificatechainfile>
            <preserveproxyhostname>on</preserveproxyhostname>
            <primarysitehostname>www.PublicSite.com</primarysitehostname>
            <row>
                <webserveripaddr>www.MyInternal.net</webserveripaddr>
                <additionalsitehostnames></additionalsitehostnames>
            </row>
        </config>
    </apachemodsecurity>

    What would the equivalent be in the new version?
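As an added illustration (not code from this thread or from the pfSense package), the script below reads the 0.2-style fields shown in the backup and emits the plain Apache reverse-proxy vhost they describe: bind address and port, ServerName from primarysitehostname, ServerAlias from additionalsitehostnames, ProxyPreserveHost from preserveproxyhostname and a straight ProxyPass to webserveripaddr with no mod_proxy_balancer. The field-to-directive mapping is my reading of the field names, not anything the package is documented to generate, and the constructed sample fills in an additionalsitehostnames value (empty in the posted backup) to exercise the alias path.

```python
# Added example (not from the thread or the pfSense package): render the Apache
# vhost implied by a 0.2-style apache_mod_security config fragment.
import xml.etree.ElementTree as ET

# Constructed sample, wrapped in one root element so it parses as a single document;
# additionalsitehostnames is filled in here (it was empty in the posted backup).
SAMPLE = """<pfsense>
<apachemodsecuritysettings><config>
  <globalbindtoipaddr>74.0.0.1</globalbindtoipaddr>
  <globalbindtoport>80</globalbindtoport>
  <enablemodsecurity>on</enablemodsecurity>
  <modsecuritycustom>SecFilter phpMyAdmin</modsecuritycustom>
</config></apachemodsecuritysettings>
<apachemodsecurity><config>
  <preserveproxyhostname>on</preserveproxyhostname>
  <primarysitehostname>www.PublicSite.com</primarysitehostname>
  <row>
    <webserveripaddr>www.MyInternal.net</webserveripaddr>
    <additionalsitehostnames>www2.PublicSite.com</additionalsitehostnames>
  </row>
</config></apachemodsecurity>
</pfsense>"""


def render_vhost(xml_text: str) -> str:
    """Return a <VirtualHost> block; the field-to-directive mapping is an assumption."""
    root = ET.fromstring(xml_text)
    glob = root.find("apachemodsecuritysettings/config")
    site = root.find("apachemodsecurity/config")
    bind = f"{glob.findtext('globalbindtoipaddr')}:{glob.findtext('globalbindtoport')}"
    backend = site.findtext("row/webserveripaddr")
    aliases = (site.findtext("row/additionalsitehostnames") or "").split()
    lines = [f"<VirtualHost {bind}>", f"    ServerName {site.findtext('primarysitehostname')}"]
    lines += [f"    ServerAlias {a}" for a in aliases]
    # preserveproxyhostname=on: forward the client's Host header unchanged so a
    # name-based backend serves the right site; off means the backend sees its own name.
    if site.findtext("preserveproxyhostname") == "on":
        lines.append("    ProxyPreserveHost On")
    lines += [f"    ProxyPass / http://{backend}/", f"    ProxyPassReverse / http://{backend}/"]
    if glob.findtext("enablemodsecurity") == "on":
        custom = glob.findtext("modsecuritycustom")
        if custom:
            lines.append(f"    {custom}")  # copied verbatim; SecFilter is ModSecurity 1.x syntax
    lines.append("</VirtualHost>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_vhost(SAMPLE))
```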



  • I finally got to the bottom of this.

    The version of Apache is hosed. In fact it's hosed through 2.4.2.

    https://issues.apache.org/bugzilla/show_bug.cgi?id=51489

    Maybe it's possible to update the package to use an Apache version that actually works? It's only been fixed for like a year and a half now. Or not force a balancer where no balancer is required, considering it's the balancer configuration that's broken but there is no way not to use it.



  • Does this mean the past 2 weeks I've been banging my head against the wall trying to track down all the includes has been for nothing? What is a smarter way to do this? DMZ another box that handles apache mod_security+proxy correctly? I'm a bit turned off by this whole situation. It does explain why not many people have documented using it.

    TL;DR Basically - mod_security package for pfSense is a waste of time?



  • Not wanting to piss on anyone's parade, but a reverse proxy should NOT be run on the same machine that gets all your traffic from point A to point B, that should be handled by a separate box.

    Anything that faces the public must get timely security updates. Quoting "It's only been fixed for like a year and a half now." and adding "imagine all the exploits that got through in that timeframe, and the exposure of your network to a compromised network gateway. My $deity, can you imagine the $upper_management's (employer's, spouse's) reaction when I tell $upper_management that their encrypted communications were not actually secure, but intercepted by a server in Nowhere Land because somebody got the access level needed to change our packet routing to his box, which intercepted and injected traffic in realtime (Not Saying Again) and caused said $upper_management's loss of money? I would jump off the building's highest ledge, but that's just me."

    Sorry to sound like I'm attacking you, but a network gateway is a network gateway. It takes packets from point A to point B, >maybe< perhaps even analyzing them if it has the ability and capacity to do so. In the case of a CARP cluster, even going as far as actually running an NTP server. A network gateway is NOT a file storage server, a host running various test VMs, a mail gateway, or a voip gateway.

    As I said, sorry to piss on anyone's parade. In summary, yes, please install a separate box to be your reverse proxy. Service separation isn't something that magically appeared yesterday. It was there long before the virtualization vendors came up and took every single box on the network, replacing them with a single box. I know, since I now run around undoing their mess. Know what to virtualize/combine and what not to.



  • … but a reverse proxy should NOT be run on the same machine that gets all your traffic from point A to point B, that should be handled by a separate box.

    That is a fairly absolute statement, and there are no absolutes in the business. There are plenty of cases where a reverse proxy absolutely SHOULD be run on the same machine that gets all your traffic from point A to point B.

    And considering that someone went to the trouble to create a package to do it in the first place…

