Subject: Re: New SecRemoteAddrDefine (httpd-dev CCed)
From: Breno Silva
To: Reindl Harald
Cc: Mailing-List mod_security, Mailing-List httpd-dev (dev@httpd.apache.org)
Date: Mon, 6 May 2013 10:11:24 -0300
In-Reply-To: <5187AB46.70401@thelounge.net>
References: <51878DD3.7000907@thelounge.net> <51879FDB.2050001@thelounge.net> <5187A9F5.6040700@thelounge.net> <5187AB46.70401@thelounge.net>

Yes.. but we cannot assume all users are doing it right :)
And to be honest I think many are not doing it.

Do you have a box without rpaf, or can you disable it, to test SecDefineRemoteAddr?

Also I will need this feature for the nginx/IIS module.

Thanks

On Mon, May 6, 2013 at 10:08 AM, Reindl Harald <h.reindl@thelounge.net> wrote:

> I do not think so
>
> anybody who is running his webserver behind a load-balancer
> without a solution like rpaf is obviously a fool, because any
> Apache error/access-log is useless, any Allow/Deny does not
> work as expected, and last but not least REMOTE_ADDR in CGI
> and PHP scripts is the address of the proxy, and God beware
> you have restrictions based on the client IP in your scripts
> and are not aware that you always have the same client IP
>
> On 06.05.2013 15:04, Breno Silva wrote:
> > Good. But I think we still need SecDefineRemoteAddr for Apache 2.2
> > without rpaf, right?
> >
> > On Mon, May 6, 2013 at 10:02 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
> >
> > > thank you, this works exactly as expected with Apache 2.4 and
> > > mod_remoteip / mod_security, how I tested is explained at the bottom
> > >
> > > PLEASE revisit the mod_security 2.7.2 change
> > > * Fixed mod_security displaying wrong ip address in error.log using apache 2.4 and mod_remoteip
> > >
> > > this was obviously a wrongly intended hack that only affected the logging,
> > > and without looking at the source I guess you are logging "X-Forwarded-For"
> > > in case it exists, without respecting mod_remoteip
> > > _________________________________________________________________
> > >
> > > SecRemoteAddrDefine is not needed because with Apache 2.2 and mod_rpaf
> > > this works all the time, caused by a different handling inside Apache,
> > > and you need "mod_rpaf" there at least for the correct ip-address
> > > in the accesslog to have usable webalizer-stats
> > >
> > > even with Apache 2.2 mod_security should not re-invent the wheel,
> > > it's up to Apache to handle this correctly and it does if
> > > correctly configured
> > > _________________________________________________________________
> > >
> > > and to answer Ryan Barnett's "What is preventing an attacker from forging
> > > fake x-forwarded-for headers while still sending the requests through
> > > a "trusted" proxy?" here is a snippet from the httpd-docs
> > >
> > > http://httpd.apache.org/docs/current/mod/mod_remoteip.html#processing
> > > > When multiple, comma delimited useragent IP addresses are listed in
> > > > the header value, they are processed in Right-to-Left order. Processing
> > > > halts when a given useragent IP address is not trusted to present the
> > > > preceding IP address. The header field is updated to this remaining
> > > > list of unconfirmed IP addresses, or if all IP addresses were trusted,
> > > > this header is removed from the request altogether
> > > _________________________________________________________________
> > >
> > > testing to prove the correct working of the attached source from you
> > >
> > > * UserAgent Switcher and my Firefox claims to be "Nessus"
> > > * SecRule REMOTE_ADDR "^10\.0\.0\.99" "id:'102',phase:1,pass,nolog,ctl:ruleRemoveById=990002"
> > > * 10.0.0.103 is the real IP of the Apache-Trafficserver
> > > * with the configuration below I get no access denied, as expected
> > > * if I replace the "10.0.0.103" with "10.0.0.104" and restart httpd,
> > >   as expected I get access denied
> > > * that's the state which I expected and demanded since January
> > >
> > > <IfVersion >= 2.4>
> > >  LoadModule             remoteip_module "modules/mod_remoteip.so"
> > >  RemoteIPHeader         X-Forwarded-For
> > >  RemoteIPInternalProxy  127.0.0.1 10.0.0.103
> > >  RemoteIPProxiesHeader  X-Forwarded-For
> > > </IfVersion>
> > > _________________________________________________________________
> > >
> > > On 06.05.2013 14:30, Breno Silva wrote:
> > > > Let's try this patch. Should work for Apache 2.4 + mod_remoteip and Apache 2.2 with the SecDefineRemoteAddr
> > > >
> > > > On Mon, May 6, 2013 at 9:19 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
> > > >
> > > > > why do you refuse to understand that we do not need a new feature or at
> > > > > it is NOT up to you to re-invent the wheel
> > > > >
> > > > > Apache 2.2 works with proxy and mod_rpaf and does not need any change
> > > > > in mod_security, mod_rpaf does the same as mod_remoteip in a different
> > > > > way, which is no longer the way to go with Apache >= 2.4
> > > > >
> > > > > if I use %a in the log-configuration I ALWAYS have the desired behavior
> > > > > with Apache 2.2 with and without proxy AND Apache 2.4 with and without
> > > > > mod_remoteip, as I am currently running Apache 2.2 with mod_rpaf, which
> > > > > everybody in the context of load-balancers does, and so you do not need to
> > > > > care about this in mod_security because in Apache 2.2 %h contains the
> > > > > correct address and in Apache 2.4 %a does the same
> > > > >
> > > > > until a few weeks ago nobody cared about this at all
> > > > >
> > > > > now if it is brought up by me that Apache 2.4 has BUILTIN support for
> > > > > proxy-handling of the remote-addr, simply respect this in case we are
> > > > > running under Apache 2.4 and understand that it is the completely wrong
> > > > > way you have been going all the time, starting with hacking the modsec-logging
> > > > >
> > > > > http://httpd.apache.org/docs/current/mod/mod_log_config.html
> > > > > %a      Client IP address and port of the request.
> > > > > %{c}a   Underlying peer IP address and port of the connection (see the mod_remoteip module)
> > > > >
> > > > > http://httpd.apache.org/docs/current/mod/mod_remoteip.html
> > > > > http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipheader
> > > > > http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipinternalproxy
> > > > > http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipinternalproxylist
> > > > > http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipproxiesheader
> > > > > http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
> > > > > http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxylist
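The right-to-left processing Reindl quotes from the mod_remoteip documentation is the whole answer to Ryan Barnett's forged-header question, so here it is as a runnable model. This is an added example for the archive, not code from the thread, from httpd or from mod_security: it follows the documented behaviour (walk X-Forwarded-For from the right, accept an address only while the hop that presented it is a configured proxy, stop at the first hop that is not), with Reindl's `RemoteIPInternalProxy 127.0.0.1 10.0.0.103` as the configuration. The scenario in which a client at 10.0.0.99 forges a `1.2.3.4` entry before the request passes the Traffic Server is constructed for illustration, and the way the `RemoteIPProxiesHeader` value is collected (every hop accepted as a proxy, in the order consumed) is a simplification assumed here, not a claim about httpd's exact rule.

```python
"""Model of mod_remoteip's documented right-to-left X-Forwarded-For handling.

Added example, not httpd or mod_security code. Behaviour follows
http://httpd.apache.org/docs/current/mod/mod_remoteip.html#processing
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple


def _networks(entries: Iterable[str]) -> list:
    # Directive arguments may be bare addresses or CIDR blocks.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def _is_intranet(ip) -> bool:
    # Address space a RemoteIPTrustedProxy (unlike an InternalProxy) may not
    # present as the client: RFC 1918, loopback, link-local and similar ranges.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def resolve_client_ip(peer: str, xff: Optional[str],
                      internal_proxies: Iterable[str] = (),
                      trusted_proxies: Iterable[str] = ()
                      ) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (useragent_ip, remaining_header, proxies_header).

    peer is the TCP peer of the connection (%{c}a in mod_log_config terms);
    xff is the value of the header named by RemoteIPHeader.
    remaining_header is what stays in that header (None when it is removed);
    proxies_header is the value for RemoteIPProxiesHeader (None if no hop
    was trusted).
    """
    internal = _networks(internal_proxies)
    trusted = _networks(trusted_proxies)
    current = ipaddress.ip_address(peer)
    remaining = [e.strip() for e in xff.split(",") if e.strip()] if xff else []
    confirmed: List[str] = []

    while remaining:
        if any(current in n for n in internal):
            hop_is_internal = True
        elif any(current in n for n in trusted):
            hop_is_internal = False
        else:
            break  # current hop is not a configured proxy: it is the client
        try:
            candidate = ipaddress.ip_address(remaining[-1])
        except ValueError:
            break  # unparseable entry: stop, leave it in the header
        if not hop_is_internal and _is_intranet(candidate):
            break  # a trusted (non-internal) proxy may not present intranet space
        remaining.pop()
        # Assumption/simplification: collect every hop accepted as a proxy,
        # in the order consumed, for the RemoteIPProxiesHeader value.
        confirmed.append(str(current))
        current = candidate

    return (str(current),
            ", ".join(remaining) if remaining else None,
            ", ".join(confirmed) if confirmed else None)


# Reindl's configuration: RemoteIPInternalProxy 127.0.0.1 10.0.0.103
INTERNAL = ("127.0.0.1", "10.0.0.103")

if __name__ == "__main__":
    # Constructed scenario: the client at 10.0.0.99 forges an entry, then the
    # Apache Traffic Server at 10.0.0.103 appends the real client address.
    forged = "1.2.3.4, 10.0.0.99"
    print(resolve_client_ip("10.0.0.103", forged, INTERNAL))
    # -> ('10.0.0.99', '1.2.3.4', '10.0.0.103'): the real client becomes the
    #    useragent IP, the forged entry stays in the header as unconfirmed.
    print(resolve_client_ip("10.0.0.104", forged, INTERNAL))
    # -> ('10.0.0.104', '1.2.3.4, 10.0.0.99', None): an unlisted peer is not
    #    a proxy, so the header is ignored (Reindl's "access denied" case).
```

Two points the thread argues about fall out directly: a forged entry to the left of the real client never becomes REMOTE_ADDR because the hop that presented it (the client itself) is not a listed proxy, and swapping 10.0.0.103 for 10.0.0.104 in the configuration makes the Traffic Server an untrusted peer, so the whole header is ignored and the request is attributed to 10.0.0.104, which is exactly why Reindl's REMOTE_ADDR rule stops matching.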