mod_security:允许没有请求正文的POST请求的规则 [英] mod_security: A rule to allow POST requests without a request body
问题描述
我已经安装了Apache 2.4和mod_security 2.9.1,并且可以使用一些非常基本的规则运行.
I have Apache 2.4 and mod_security 2.9.1 installed, and it is working, with some very basic rules.
我正在尝试发出包含一些标头信息但在请求正文中没有任何内容的POST请求(该请求是向受mod_security保护的API端点的,并且该端点需要POST,而没有请求正文).根据以下内容,不需要正文的POST是有效的:
I am trying to make a POST request that includes some header information, but doesn't have anything in the request body (the request is to an API endpoint which is being protected by mod_security, and that endpoint requires a POST without the request body). A POST that doesn't require a body is valid, per the following: Are PUT and POST requests required/expected to have a request body?
mod_security阻止了该请求,因为它似乎无法解析/格式化主体(可能是因为它不存在).
mod_security is blocking the request because it seems that it can't parse/format the body (likely because it doesn't exist).
如何修改规则以允许没有主体的POST,但如果主体存在则以其他方式正常工作.
How can I amend the rules to permit a POST without a body, but otherwise act as normal if the body does exist.
正在触发的特定规则是:
The specific rule that is being triggered is:
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:415,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
错误是:
[Fri Jul 08 10:32:32.901230 2016] [:error] [pid 7697] [client 10.0.2.2:57442] [client 10.0.2.2] ModSecurity: JSON parser error: parse error: premature EOF\n [hostname "example.com"] [uri "/api/v1/logout"] [unique_id "V377qH8AAQEAAB4RU6cAAAAD"]
[Fri Jul 08 10:32:32.901555 2016] [:error] [pid 7697] [client 10.0.2.2:57442] [client 10.0.2.2] ModSecurity: Access denied with code 415 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/modsecurity/modsecurity.conf"] [line "61"] [id "200002"] [msg "Failed to parse request body."] [data "JSON parser error: parse error: premature EOF\\x0a"] [severity "CRITICAL"] [hostname "example.com"] [uri "/api/v1/logout"] [unique_id "V377qH8AAQEAAB4RU6cAAAAD"]
或者,我是否应该不仅仅发送Content-Type HTTP标头以获取mod_security来解析正文(尽管我希望强制所有POST请求始终具有已定义的Content-Type)?
Or, should I simply not send a Content-Type HTTP header in order to get mod_security to parse the body (although I'd prefer to enforce that all POST requests always have a defined Content-Type)?
我已经详细说明了正在使用的完整 modsecurity.conf (这是一个基本示例,其中包含两个用于过滤Content-Type的附加规则.
I've made a gist of the full modsecurity.conf that is being used (which is a basic example with two extra rules for filtering Content-Types).
推荐答案
对于具有零主体长度的请求,您可以禁用主体访问:
You can disable body access for a request with zero body length:
SecRule REQUEST_BODY_LENGTH "@eq 0" "id:12345,phase:1,nolog,ctl:requestBodyAccess=off"
或者,如果您只想在特定的URL上执行此操作,请使用如下所示的链接规则:
Or if you only want to do this on a certain URL then use a chained rule like this:
SecRule REQUEST_URI /my/weird/api "phase:1,id:12346,nolog,chain"
SecRule REQUEST_BODY_LENGTH "@eq 0" "ctl:requestBodyAccess=off"
这篇关于mod_security:允许没有请求正文的POST请求的规则的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
