Keep ModSecurity Enabled With Symfony installation W/Cpanel & WHM


Question

This question is an extension of another here (Symfony framework install 406 Not Acceptable Error w/CPanel & WHM); please read my answer there to see how I solved the issue.

I was able to solve the issue I had with the 406 errors, but at a cost: I had to disable ModSecurity in WHM, which is a huge security vulnerability I'm sure. My question is how can I keep ModSecurity enabled and still have it work with the default Symfony installation so that I do not receive 406 errors anymore?

EDIT

ModSecurity Logs

Request: GET / Action Description: Access denied with code 406 (phase 4). Justification: Pattern match "^5\d{2}$" at RESPONSE_STATUS

Answer

Background

ModSecurity is a Web Application Firewall (or WAF). You can define rules to attempt to identify and block illegitimate requests. WAFs are not perfect though, and often generic rules are used that work in "most sites" but do sometimes block legitimate requests (known as false positives).

The first thing to understand is that no one will know what ModSecurity rules you have installed except you. ModSecurity does not come with any rules at all, though there are rules available to download, from free ones (like the OWASP CRS) to paid-for ones from the likes of Atomic, or you can write your own. So the first thing to explain to you is that no one will be able to tell you how to solve this problem, as it's likely to be specific to you depending on your installation. That said, we can guide you on the way to finding your own solution.

Running a WAF does give extra protection but does require a lot of maintenance. While I personally like it and can see the merit, most sites live without it to be honest, and it's rare (though not unheard of) that hackers make it in anyway if you keep your software up to date and don't install software that is a high target (WordPress for example). It's up to you whether to keep it, depending on how critical and security minded your website needs to be, but if you do want to use it then you will need to understand how it works to deal with issues like this.

Your problem

I am not familiar with Symfony, but from what I can understand, when ModSecurity is turned on your application fails and at least one ModSecurity rule fires. When ModSecurity is switched off it all works fine.

So first of all you need to find out ALL the rules that are stopping your application from working. You have given one rule, but I suspect that is not the only one blocking.

That rule is, as I discussed in the comments to your original question, a fairly standard rule in most rulesets to try to prevent information leakage. All web servers respond with a 3 digit status code for each request. The most well known is 404 or "page not found". The ones in the 500 range mean server error. So this rule says that if the server responds (RESPONSE_STATUS) with a pattern matching "^5\d{2}$" (i.e. 5XX, where X is a digit, so 0-9) then something has gone wrong, and ModSecurity steps in to prevent any error messages going back to the user and instead sends its own 406 error message.

ModSecurity has 5 phases:

  1. Rules that scan Request headers (REQUEST_HEADERS)
  2. Rules that scan Request body (REQUEST_BODY)
  3. Rules that scan Response headers (RESPONSE_HEADERS)
  4. Rules that scan Response body (RESPONSE_BODY)
  5. Rules that affect Logging (LOGGING)

This rule fires in phase 4, which is when the request is being sent back to the client. So at this stage something has already gone wrong for your application to have returned a 5XX status.

I suspect that another ModSecurity rule fired earlier (a phase 1 or phase 2 rule) which caused the error, and you have only shown the last rule that fired.

Before I could help you further with your problem I would need to know:


  • ALL 来自Apache错误日志的ModSecurity错误消息。

  • 另外,它将是有助于了解正在运行的ModSecurity的版本(应在启动时显示在Apache错误日志中)。

  • 了解正在运行的规则集也将很有帮助。它们是上面讨论的一些标准规范还是专门为您的网站编写的规范?大多数规则都有规则ID(实际上,这是从ModSecurity 2.7起是强制性的),因此感到惊讶的是,该规则未在您之前提供的错误日志代码段中列出。

  • ALL ModSecurity error messages from the Apache Error logs.
  • Additionally it would be helpful to know what version of ModSecurity you are running (this should be in the Apache error logs at start up).
  • It would also be helpful to know what ruleset you are running. Are they some of the standard ones discussed above, or ones that have been written especially for your site? Most rules have a rule id (in fact this is mandatory from ModSecurity 2.7 onwards) so surprised this is not listed in the error log snippet you gave earlier.

我或其他人可能可以帮助您指出正确的方向。

With that I, or someone else, might be able to help point you in the right direction.

How you can diagnose the problem yourself (and future ones!)

If I were you I would take the following steps to identify the problem:


  1. 读取所有Apache配置文件,并找出ModSecurity配置和规则的定义位置。 ModSecurity规则只是使用添加到标准Apache config中的ModSecurity语言进行的文本配置-通常包括定义规则的外部文件。了解这些规则的作用和含义。

  2. 在配置中找到 SecRuleEngine On行,并将其更改为 SecRuleEngine DetectionOnly,然后重新启动Apache。这将在日志文件中标记规则,但不会阻止尝试。然后执行您想做的事情,而不用执行任何激发规则。

  3. 还打开其他审核引擎,以捕获阻止的请求的完整详细信息( SecAuditEngine RelevantOnly)。 / li>
  4. 确定是否需要这些规则导致问题,然后从配置中将其注释掉,或者有一些方法可以对其进行调整以停止阻止合法请求。

  5. 调整完所有规则后,然后再次打开ModSecurity。

  1. Read all your Apache config filesand find out where the ModSecurity config and rules are defined. ModSecurity rules are just text config using the ModSecurity language added to standard Apache config - often by including external files were the rules are defined. Get to understand what those rules do and mean.
  2. Find the "SecRuleEngine On" line on your config and change this to "SecRuleEngine DetectionOnly" then restart Apache. This will flag rules in the log files but NOT block attempts. Then do what you want to do and take not of the rules that fire.
  3. Also turn on the additional Audit engine to capture full details of requests which block ("SecAuditEngine RelevantOnly").
  4. Decide if you need those rules tat are causing you problems, and then either comment them out of your config, or there are ways to tune them to stop blocking legitimate requests.
  5. Once all the rules are tuned, then turn ModSecurity on again.

The ModSecurity Reference Manual is a very useful resource to understand ModSecurity.

I can also recommend the ModSecurity Handbook for further reading. It was written by the original author of ModSecurity, and while it hasn't been updated since version 2.7 it's still a great intro.

Hope that helps,
Barry
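The following is an added example, not code from the question or the answer above. It supports step 2 of the procedure in the answer: once the engine is in DetectionOnly mode, every rule that would have blocked is written to the Apache error log as "ModSecurity: Warning." instead of "Access denied", so the log lists ALL the rules that fire, not just the last one. Lines belonging to one request share a [unique_id "..."] tag and appear in the order the rules fired, which is exactly the information the answer asks for (every message, the rule id, and the version line at start-up). The sample log, the rule ids (1000030, 1000049, 1000090), the file names, client addresses and unique ids are all constructed for this example and do not come from any real ruleset; the parser itself only relies on the standard mod_security2 error-log layout.

```python
"""Triage ModSecurity 2.x messages from an Apache error log.

Added example: parse every "ModSecurity:" line, group the fired rules per
request (unique_id) in firing order, and list the rules that fired before
the RESPONSE_STATUS (5xx) rule in the same request, as those are the ones
worth inspecting first.  The log below is CONSTRUCTED; ids, paths, client
addresses and unique ids are illustrative.  The last line shows the
blocking-mode ("Access denied") form so both layouts are handled.
"""
import re
from collections import OrderedDict

SAMPLE_ERROR_LOG = r"""
[Tue Apr 02 10:14:59 2013] [notice] ModSecurity for Apache/2.7.3 (http://www.modsecurity.org/) configured.
[Tue Apr 02 10:15:01 2013] [error] [client 203.0.113.9] ModSecurity: Warning. Pattern match "(?i:curl|wget)" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/modsec/example_35_bad_robots.conf"] [line "12"] [id "1000030"] [msg "Example scanner signature"] [severity "CRITICAL"] [hostname "example.test"] [uri "/"] [unique_id "Uk1A@b8AAAEAAEoAAAAB"]
[Tue Apr 02 10:15:01 2013] [error] [client 203.0.113.9] ModSecurity: Warning. Pattern match "^5\\d{2}$" at RESPONSE_STATUS. [file "/etc/apache2/modsec/example_50_outbound.conf"] [line "26"] [id "1000090"] [msg "The Application Returned a 500-Level Status Code"] [severity "ERROR"] [hostname "example.test"] [uri "/"] [unique_id "Uk1A@b8AAAEAAEoAAAAB"]
[Tue Apr 02 10:16:44 2013] [error] [client 203.0.113.9] ModSecurity: Warning. Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/modsec/example_49_inbound_blocking.conf"] [line "26"] [id "1000049"] [msg "Inbound Anomaly Score Exceeded"] [hostname "example.test"] [uri "/app_dev.php/_profiler"] [unique_id "Uk1B@b8AAAEAAEwAAAAC"]
[Tue Apr 02 10:16:44 2013] [error] [client 203.0.113.9] ModSecurity: Warning. Pattern match "^5\\d{2}$" at RESPONSE_STATUS. [file "/etc/apache2/modsec/example_50_outbound.conf"] [line "26"] [id "1000090"] [msg "The Application Returned a 500-Level Status Code"] [hostname "example.test"] [uri "/app_dev.php/_profiler"] [unique_id "Uk1B@b8AAAEAAEwAAAAC"]
[Tue Apr 02 10:17:30 2013] [error] [client 198.51.100.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?i:curl|wget)" at REQUEST_HEADERS:User-Agent. [file "/etc/apache2/modsec/example_35_bad_robots.conf"] [line "12"] [id "1000030"] [msg "Example scanner signature"] [hostname "example.test"] [uri "/robots.txt"] [unique_id "Uk1C@b8AAAEAAE4AAAAD"]
"""

# Version banner written at start-up (the answer asks for this).
VERSION_RE = re.compile(r"ModSecurity for Apache/(\S+)")
# "Access denied with code NNN (phase N)." carries the phase; "Warning." does not.
HEAD_RE = re.compile(
    r"\[client (?P<client>[^\]]+)\] ModSecurity: "
    r"(?:Access denied with code (?P<code>\d{3}) \(phase (?P<phase>\d)\)|(?P<warn>Warning))\. "
    r"(?P<reason>.+?)\. \[file "
)
# Bracketed tags such as [id "1000090"], [msg "..."], [uri "/"], [unique_id "..."].
TAG_RE = re.compile(r'\[(?P<key>\w+) "(?P<val>(?:[^"\\]|\\.)*)"\]')
# The variable the operator matched, e.g. RESPONSE_STATUS or REQUEST_HEADERS:User-Agent.
VAR_RE = re.compile(r" at (?P<var>[A-Z_]+(?::\S+)?)$")


def parse_error_log(text):
    """Return (modsecurity_version, events); one event dict per ModSecurity line."""
    version, events = None, []
    for line in text.splitlines():
        ver = VERSION_RE.search(line)
        if ver:
            version = ver.group(1)
            continue
        head = HEAD_RE.search(line)
        if not head:
            continue  # not a ModSecurity message
        tags = {key: val for key, val in TAG_RE.findall(line)}
        var = VAR_RE.search(head.group("reason"))
        events.append({
            "client": head.group("client"),
            "blocked": head.group("warn") is None,
            "code": int(head.group("code")) if head.group("code") else None,
            "phase": int(head.group("phase")) if head.group("phase") else None,
            "reason": head.group("reason"),
            "variable": var.group("var") if var else None,
            "id": tags.get("id"),  # rule id, mandatory from ModSecurity 2.7
            "msg": tags.get("msg"),
            "uri": tags.get("uri"),
            "unique_id": tags.get("unique_id"),
        })
    return version, events


def rules_per_request(events):
    """Rule ids in firing order for each request, keyed by unique_id."""
    per_req = OrderedDict()
    for ev in events:
        per_req.setdefault(ev["unique_id"], []).append(ev["id"])
    return per_req


def rules_before_outbound(events, outbound_var="RESPONSE_STATUS"):
    """Ids of rules that fired earlier in a request that ended with the
    RESPONSE_STATUS rule: {rule_id: [unique_id, ...]}."""
    per_req = OrderedDict()
    for ev in events:
        per_req.setdefault(ev["unique_id"], []).append(ev)
    candidates = OrderedDict()
    for uid, evs in per_req.items():
        for idx, ev in enumerate(evs):
            if ev["variable"] == outbound_var:
                for earlier in evs[:idx]:
                    candidates.setdefault(earlier["id"], []).append(uid)
                break
    return candidates


def count_by_rule(events):
    """(rule_id, count) pairs, most frequent first, then by id."""
    counts = {}
    for ev in events:
        counts[ev["id"]] = counts.get(ev["id"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def exclusion_snippet(rule_ids, location):
    """Apache config disabling the given rules for one path only, the
    narrowest form of step 4 (SecRuleRemoveById inside <Location>)."""
    lines = ['<Location "%s">' % location]
    lines += ["    SecRuleRemoveById %s" % rid for rid in sorted(rule_ids)]
    lines.append("</Location>")
    return "\n".join(lines)


if __name__ == "__main__":
    version, events = parse_error_log(SAMPLE_ERROR_LOG)
    print("ModSecurity version:", version)
    for uid, ids in rules_per_request(events).items():
        print(uid, "->", " -> ".join(ids))
    for rid, uids in rules_before_outbound(events).items():
        print("fired before the RESPONSE_STATUS rule: id", rid, "in", len(uids), "request(s)")
    print(exclusion_snippet(rules_before_outbound(events), "/app_dev.php"))
```

Point it at the real file with `parse_error_log(open("/usr/local/apache/logs/error_log").read())` (path assumed; use whatever your WHM build logs to). One caveat worth keeping in mind while reading the output: in DetectionOnly mode no rule takes a disruptive action, so if the RESPONSE_STATUS rule still fires there, the 5xx really did come from the application and its own log is the next place to look; the generated `SecRuleRemoveById` snippet is a starting point for step 4, to be applied only after each listed rule has been reviewed.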
