httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reindl Harald <h.rei...@thelounge.net>
Subject Re: New SecRemoteAddrDefine (httpd-dev CCed)
Date Mon, 06 May 2013 13:02:45 GMT
thank you, this works exactly as expected with Apache 2.4 and
mod_remoteip / mod_security, how i tested is expplained at bottom

PLEASE revisit the mod_security 2.7.2 change
* Fixed mod_security displaying wrong ip address in error.log using apache 2.4 and mod_remoteip

this was obviously a wrong intented hack only affacted the logging
and without look at the source i guess you are logging "X-Forwarded-For"
in case it exists without respect mod_remoteip
_________________________________________________________________

SecRemoteAddrDefine is not needed beause with Apache 2.2 and mod_rpaf
this works all the time caused by a different handling inside Apache
and you need "mod_rpaf" there at least for the correct ip-address
in the accesslog to have useable webalizer-stats

even with Apache 2.2 mod_security should not re-invent the wheel
it's up to Apache to handle this correctly and it does if
correctly configured
_________________________________________________________________

and to answer Ryan Barnett's "What is preventing an attacker from forging
fake x-forwarded-for headers while still sending the requests through
a "trusted" proxy?" here the a snippet form the httpd-docs

http://httpd.apache.org/docs/current/mod/mod_remoteip.html#processing
> When multiple, comma delimited useragent IP addresses are listed in
> the header value, they are processed in Right-to-Left order. Processing
> halts when a given useragent IP address is not trusted to present the
> preceding IP address. The header field is updated to this remaining
> list of unconfirmed IP addresses, or if all IP addresses were trusted,
> this header is removed from the request altogether
_________________________________________________________________

testing to prove the correct working of the attached source from you

* UserAgent Switcher and my Firefox claims to be "Nessus"
* SecRule REMOTE_ADDR "^10\.0\.0\.99" "id:'102',phase:1,pass,nolog,ctl:ruleRemoveById=990002"
* 10.0.0.103 is the real IP of the Apache-Trafficserver
* with the configuration below i get no access denied as expected
* if i replace the "10.0.0.103" with "10.0.0.104" and restart httpd
  as expected i get access denied
* that's the state which i expected and demanded since january

<IfVersion >= 2.4>
 LoadModule             remoteip_module "modules/mod_remoteip.so"
 RemoteIPHeader         X-Forwarded-For
 RemoteIPInternalProxy  127.0.0.1 10.0.0.103
 RemoteIPProxiesHeader  X-Forwarded-For
</IfVersion>
_________________________________________________________________

Am 06.05.2013 14:30, schrieb Breno Silva:
> Let's try this patch.  Should work for Apache 2.4 + mod_remoteip  and Apache2.2 with
the SecDefineRemoteAddr
> 
> On Mon, May 6, 2013 at 9:19 AM, Reindl Harald <h.reindl@thelounge.net <mailto:h.reindl@thelounge.net>>
wrote:
> 
>     why do you refuse to understand that we do not need a new feature or at
>     it is NOT up to you to re-invent the wheel
> 
>     Apache 2.2 works with proxy and mod_rpaf does not need any change
>     in mod_security, mod_rpaf does the same as mod_remoteip in a different
>     way which is no longer the way to go with Apache >= 2.4
> 
>     if i use %a in log-configuration i have ALWAYS the desired behavior
>     with Apache 2.2 with and without proxy AND Apache 2.4 with and without
>     mod_remoteip as i am currently run Apache 2.2 with mod_rpaf which
>     everybody in context of load-balancers does and so you do not need to
>     care about this in mod_security because in Apache 2.2 %h contains the
>     correct address and in Apache 2.4 %a does the same
> 
>     until a few weeks ago nobody cared about this at all
> 
>     now if it is brought up by me that Apache 2.4 has BUILTIN support for
>     proxy-handling of the remote-addr simply respect this in case we are
>     running under Apache 2.4 and understand that it is the completly wrong
>     way you are going all the time starting with hacking the modsec-logging
> 
>     http://httpd.apache.org/docs/current/mod/mod_log_config.html
>     %a      Client IP address and port of the request.
>     %{c}a Underlying peer IP address and port of the connection (see the mod_remoteip
module)
> 
>     http://httpd.apache.org/docs/current/mod/mod_remoteip.html
>     http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipheader
>     http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipinternalproxy
>     http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipinternalproxylist
>     http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipproxiesheader
>     http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
>     http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxylist
> 
> 
>     Am 06.05.2013 14:07, schrieb Breno Silva:
>     > I cannot use mod_remoteip because it is only available to Apache 2.4. This feature
should be Apache version
>     > independent. Should work for Apache 2.0 and 2.2.
>     >
>     > Could you please send me the debug log and a pcap of this transaction. I want
to check where is the problem
>     because
>     > it is working here.
>     >
>     > Thanks
>     >
>     >
>     > On Mon, May 6, 2013 at 8:02 AM, Reindl Harald <h.reindl@thelounge.net <mailto:h.reindl@thelounge.net>
>     <mailto:h.reindl@thelounge.net <mailto:h.reindl@thelounge.net>>> wrote:
>     >
>     >     Hi
>     >
>     >     Am 06.05.2013 04:03, schrieb Breno Silva:
>     >     > Hello Reindl,
>     >     >
>     >     > I wrote a patch for SecRemoteAddrDefine. This is now:
>     >     > SecRemoteAddrDefine X-Forwarded-For /etc/modsecurity/trusted_ip.txt
>     >     >
>     >     > Then in trusted_ip.txt you can insert your ips one per line.
>     >     >
>     >     > Can you test and give me feedback ?
>     >     >
>     >     > Thanks
>     >     > Breno
>     >
>     >     syntax is accepted but does not work, see below
>     >     _________________________________________________
>     >
>     >     i still refuse to understand why here a dirty hack is done especially
>     >     because this changelog shows that there is another crude hack in case
>     >     of logging (i guess blow X-Forwarded-For in any case to the log) instead
>     >     handle it in the proper way PHP does for $_SERVER['REMOTE_ADDR']
>     >
>     >     you have to respect the Apache configuration and RemoteIPInternalProxy
>     >     why do you not look how PHP handles this in a correct way? from the
>     >     view of a clean software design this hack-attitude is completly wrong
>     >
>     >     if mod_remoteip take saction there is no longer a X_FORWARDED_FOR header
>     >     in $_SERVER at all and $_SERVER['REMOTE_ADDR'] contains the correct IP
>     >
>     >     * Fixed mod_security displaying wrong ip address in error.log using apache
2.4 and mod_remoteip
>     >     _________________________________________________
>     >
>     >     [Mon May 06 12:49:14.532293 2013] [:error] [pid 8816] [client 10.0.0.99]
ModSecurity: Access denied with
>     code 404
>     >     (phase 2). Matched phrase "nessus" at REQUEST_HEADERS:User-Agent. [file
>     >     "/etc/httpd/modsecurity.d/modsecurity_35_bad_robots.conf"] [line "3"] [id
"990002"] [msg "Bad Robot"]
>     [hostname
>     >     "proxy.test.rh"] [uri "/"] [unique_id "UYeKqgoAAGMAACJwT-oAAAAD"]
>     >     ______________________________________________________________
>     >
>     >     the proxy i am connected to is for sure 10.0.0.103 and both, my client IP
>     >     and the origin-server from the view of the proxy are 10.0.0.99, the logging
>     >     is correct but this rule should not be active for my IP
>     >
>     >     [root@rh:/etc/httpd/modsecurity.d]$ cat mod_security.conf | grep "ruleRemoveById=990002"
>     >      SecRule REMOTE_ADDR "^10\.0\.0\.99" "id:'102',phase:1,pass,nolog,ctl:ruleRemoveById=990002"
>     >
>     >     [root@rh:/etc/httpd/modsecurity.d]$ cat modsecurity_10_config.conf | grep
SecRemoteAddrDefine
>     >     SecRemoteAddrDefine         X-Forwarded-For /etc/httpd/modsecurity.d/modsecurity_10_mod_remoteip.conf
>     >
>     >     [root@rh:/etc/httpd/modsecurity.d]$ cat /etc/httpd/modsecurity.d/modsecurity_10_mod_remoteip.conf
>     >     127.0.0.1
>     >     10.0.0.4
>     >     10.0.0.103
>     >     91.118.73.4


Mime
View raw message