将mod_security设置为detectionOnly仅用于特定页面? [英] Set mod_security to detectionOnly for a specific page?

问题描述

如果整个网站的mod_security设置为ON，是否可以将特定页面设置为detection_only?

If mod_security is set to ON for the whole website, is there a way I can set specific pages to detection_only?

用例是该应用程序用于配置网站，并且CSS或js的使用非常普遍，但很可能使modsecurity抛出XSS规则异常.我只想在这些页面上检测那些异常，但不阻止它们.但是，在所有其他页面上，我希望阻止规则异常.

Use case is that the application is used to configure websites, and use of CSS or js is very common, but very likely to make modsecurity throw an XSS rule exception. I'd like to detect those exceptions but not block them, on those pages only. However on all other pages I want rule exceptions to block.

更多细节:该应用程序实际上是在另一台Windows服务器上运行的IIS应用程序，而mod_security在Linux服务器上的Apache中运行.haproxy将传入的请求定向到apache，而apache通过modsecurity接收请求；如果通过，则将其反向代理回haproxy，然后将其传递给IIS.

More gritty detail: The application is actually an IIS application running on another Windows server, while mod_security is running in Apache on a linux server. haproxy directs incoming requests to apache, and apache takes the request through modsecurity; if it passes, it reverse-proxies it back to haproxy, which then passes it to IIS.

== incoming request ==> haproxy ==> apache 
                                      v
                                    mod_security
                                      v
        IIS machine <== haproxy <== mod_proxy

_{(是的，有充分的理由使用haproxy.我们有数百个https证书，我们可以将haproxy指向一个充满它们的文件夹，然后它将根据SNI https请求选择正确的文件夹.还没找到其他可以做得到的东西.)}

因此，至少在我看来，apache上没有目录可以使用.htaccess文件.

So there's no directory on the apache side where a .htaccess file would make sense, at least to my tiny mind.

被视为DetectionOnly的路径将匹配主机 admin.mysite.com 和路径 ^/site/[a-zA-Z0-9-] +/Settings $

Paths to be treated as DetectionOnly would match the host admin.mysite.com and the path ^/site/[a-zA-Z0-9-]+/Settings$

推荐答案

类似的事情应该起作用(未经测试):

Something like this should work (untested):

SecRule REQUEST_HEADERS:Host "@streq admin.mysite.com" "phase:1,id:1234,chain"
    SecRule REQUEST_URI "^/site/[a-zA-Z0-9-]+/Settings$" "ctl:ruleEngine=DetectionOnly"

只需在其他任何规则之前添加该规则，并确保 id 是唯一的(我以1234为例).

Just add that rule before any of the others and make sure the id is unique (I've used 1234 as an example).

由于对ctl的更改仅适用于该请求，因此将为下一个请求重置规则引擎.

The rule engine will be reset for the next request as ctl changes are for this request only.

这篇关于将mod_security设置为detectionOnly仅用于特定页面?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！