mod_security blocks only Internet Explorer


Problem description


I installed mod_security with an Apache server, and now it's blocking only IE7/8/9 browsers. (I can browse the web with Firefox/Chromium/etc.)

The logs say:

    Message: String match within "Proxy-Connection Lock-Token Content-Range Translate via if" at REQUEST_HEADERS_NAMES:Connection. [file "/etc/apache2/mod_security/modsecurity_crs_30_http_policy.conf"] [line "99"] [id "960038"] [msg "HTTP header is restricted by policy"] [data "Connection"] [severity "WARNING"] [tag "POLICY/HEADER_RESTRICTED"] [tag "POLICY/FILES_NOT_ALLOWED"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/12.1"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A7"] [tag "PCI/12.1"]
    Message: Access denied with code 403 (phase 2). [file "/etc/apache2/mod_security/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 20): Common SPAM/Email Harvester crawler"]
    Action: Intercepted (phase 2)
    Stopwatch: 1337888078594451 2694 (918 2353 -)
    Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.0.6.
    Server: Apache

And the rule id "960038" is:

    SecRule REQUEST_HEADERS_NAMES "@within %{tx.restricted_headers}" \
        "phase:2,t:none,pass,nolog,auditlog,msg:'HTTP header is restricted by policy',id:'960038',tag:'POLICY/HEADER_RESTRICTED',tag:'POLICY/FILES_NOT_ALLOWED',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',tag:'WASCTC/WASC-15',tag:'OWASP_TOP_10/A7',tag:'PCI/12.1',severity:'4',logdata:'%{matched_var}',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.policy_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-POLICY/HEADERS_RESTRICTED-%{matched_var_name}=%{matched_var}"

I have one main question and two others derived from the first:

  • How do I know what this rule makes?
    • Is it safe to ignore this rule?
    • Is there any way to modify the rule in order to allow IE to navigate the web?

Solution

  1. Answering your first question: ModSecurity provides us with very detailed documentation about the syntax of its rule language, and following is the link to its documentation: ModSecurity Rule Language

  2. TX is for user-defined variables. tx.restricted_headers defines your HTTP policy, like:

    SecAction "phase:1,t:none,nolog,pass,setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/'"

    For more detailed information, refer to this HTTP Policy: http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/modsecurity_crs_10_setup.conf.example

  3. The rule you have mentioned above is not blocking, but it is incrementing a numerical value maintained against suspicious header names, as mentioned in the HTTP policy I explained above.

  4. The rule that is blocking IE, as seen from the logs mentioned:

    Message: Access denied with code 403 (phase 2). [file "/etc/apache2/mod_security/modsecurity_crs_49_enforcement.conf"] [line "25"] [msg "Anomaly Score Exceeded (score 20): Common SPAM/Email Harvester crawler"]

You can modify the anomaly score threshold or can change your HTTP policy. The rule you have mentioned is correct and doesn't need to be commented. I hope you get my point.
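
The following is an added example, not part of the original question or answer and not ModSecurity or CRS code: a small triage script that parses the `@within` audit-log line quoted in the question and reports whether the flagged header is a whole policy entry or only a substring of one. The `within`, `triage` and `delimited_match` helpers are hypothetical names, and comparing a slash-wrapped header name against the slash-delimited policy from the answer is shown as one way to avoid substring-only hits.

```python
import re

# Audit-log line quoted in the question (file/line/tag fields trimmed for length).
LOG_LINE = ('Message: String match within "Proxy-Connection Lock-Token '
            'Content-Range Translate via if" at REQUEST_HEADERS_NAMES:Connection. '
            '[id "960038"] [msg "HTTP header is restricted by policy"] '
            '[data "Connection"] [severity "WARNING"]')

WITHIN_RE = re.compile(r'String match within "(?P<haystack>[^"]*)" at '
                       r'(?P<collection>[A-Z_]+):(?P<name>[^\s.]+)\.')
DATA_RE = re.compile(r'\[data "(?P<data>[^"]*)"\]')
ID_RE = re.compile(r'\[id "(?P<id>\d+)"\]')

# Policy string in the slash-delimited form shown in the answer.
DELIMITED_POLICY = "/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/"

def within(needle, haystack):
    """Model of @within: true when the inspected value occurs anywhere in the parameter."""
    return needle in haystack

def triage(line):
    """Classify an @within audit-log hit: whole policy entry, or substring of one."""
    m, d, i = WITHIN_RE.search(line), DATA_RE.search(line), ID_RE.search(line)
    if not (m and d and i):
        return None  # not an @within message in the expected shape
    haystack, needle = m.group("haystack"), d.group("data")
    entries = [e.strip("/") for e in haystack.split()]
    return {
        "rule_id": i.group("id"),
        "header": needle,
        "matched": within(needle, haystack),
        "exact_entry": needle in entries,
        "contained_in": [e for e in entries if needle in e and e != needle],
    }

def delimited_match(header, policy):
    """Hypothetical check: compare '/name/' to a '/a/ /b/' policy so only whole entries match."""
    return within("/" + header + "/", policy)

if __name__ == "__main__":
    print(triage(LOG_LINE))
    for h in ("Connection", "Range", "Proxy-Connection"):
        print(h, within(h, DELIMITED_POLICY), delimited_match(h, DELIMITED_POLICY))
```

For the logged request, `triage` reports that `Connection` is not a policy entry itself but is contained in `Proxy-Connection`, which is why the warning score was added for a header the policy does not list.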
