Good. But I think we still need SecDefineRemoteAddr for Apache 2.2 without
rpaf, right?


On Mon, May 6, 2013 at 10:02 AM, Reindl Harald <h.rei...@thelounge.net> wrote:

> thank you, this works exactly as expected with Apache 2.4 and
> mod_remoteip / mod_security, how i tested is explained at bottom
>
> PLEASE revisit the mod_security 2.7.2 change
> * Fixed mod_security displaying wrong ip address in error.log using apache
> 2.4 and mod_remoteip
>
> this was obviously a wrongly intended hack that only affected the logging
> and without looking at the source i guess you are logging "X-Forwarded-For"
> in case it exists without respecting mod_remoteip
> _________________________________________________________________
>
> SecRemoteAddrDefine is not needed because with Apache 2.2 and mod_rpaf
> this works all the time caused by a different handling inside Apache
> and you need "mod_rpaf" there at least for the correct ip-address
> in the accesslog to have usable webalizer-stats
>
> even with Apache 2.2 mod_security should not re-invent the wheel
> it's up to Apache to handle this correctly and it does if
> correctly configured
> _________________________________________________________________
>
> and to answer Ryan Barnett's "What is preventing an attacker from forging
> fake x-forwarded-for headers while still sending the requests through
> a "trusted" proxy?" here is a snippet from the httpd-docs
>
> http://httpd.apache.org/docs/current/mod/mod_remoteip.html#processing
> > When multiple, comma delimited useragent IP addresses are listed in
> > the header value, they are processed in Right-to-Left order. Processing
> > halts when a given useragent IP address is not trusted to present the
> > preceding IP address. The header field is updated to this remaining
> > list of unconfirmed IP addresses, or if all IP addresses were trusted,
> > this header is removed from the request altogether
> _________________________________________________________________
>
> testing to prove the correct working of the attached source from you
>
> * UserAgent Switcher and my Firefox claims to be "Nessus"
> * SecRule REMOTE_ADDR "^10\.0\.0\.99" "id:'102',phase:1,pass,nolog,ctl:ruleRemoveById=990002"
> * 10.0.0.103 is the real IP of the Apache-Trafficserver
> * with the configuration below i get no access denied as expected
> * if i replace the "10.0.0.103" with "10.0.0.104" and restart httpd
>   as expected i get access denied
> * that's the state which i expected and demanded since january
>
> <IfVersion >= 2.4>
>  LoadModule             remoteip_module "modules/mod_remoteip.so"
>  RemoteIPHeader         X-Forwarded-For
>  RemoteIPInternalProxy  127.0.0.1 10.0.0.103
>  RemoteIPProxiesHeader  X-Forwarded-For
> </IfVersion>
> _________________________________________________________________
>
> On 06.05.2013 14:30, Breno Silva wrote:
> > Let's try this patch.  Should work for Apache 2.4 + mod_remoteip  and Apache 2.2 with the SecDefineRemoteAddr
> >
> > On Mon, May 6, 2013 at 9:19 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
> >
> >     why do you refuse to understand that we do not need a new feature or at
> >     it is NOT up to you to re-invent the wheel
> >
> >     Apache 2.2 works with proxy and mod_rpaf does not need any change
> >     in mod_security, mod_rpaf does the same as mod_remoteip in a different
> >     way which is no longer the way to go with Apache >= 2.4
> >
> >     if i use %a in log-configuration i have ALWAYS the desired behavior
> >     with Apache 2.2 with and without proxy AND Apache 2.4 with and without
> >     mod_remoteip as i am currently run Apache 2.2 with mod_rpaf which
> >     everybody in context of load-balancers does and so you do not need to
> >     care about this in mod_security because in Apache 2.2 %h contains the
> >     correct address and in Apache 2.4 %a does the same
> >
> >     until a few weeks ago nobody cared about this at all
> >
> >     now if it is brought up by me that Apache 2.4 has BUILTIN support for
> >     proxy-handling of the remote-addr simply respect this in case we are
> >     running under Apache 2.4 and understand that it is the completely wrong
> >     way you are going all the time starting with hacking the modsec-logging
> >
> >     http://httpd.apache.org/docs/current/mod/mod_log_config.html
> >     %a      Client IP address and port of the request.
> >     %{c}a Underlying peer IP address and port of the connection (see the mod_remoteip module)
> >
> >     http://httpd.apache.org/docs/current/mod/mod_remoteip.html
> >     http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipheader
> >     http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipinternalproxy
> >     http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipinternalproxylist
> >     http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipproxiesheader
> >     http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxy
> >     http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteiptrustedproxylist
> >
> >
> >     On 06.05.2013 14:07, Breno Silva wrote:
> >     > I cannot use mod_remoteip because it is only available to Apache 2.4. This feature should be Apache version
> >     > independent. Should work for Apache 2.0 and 2.2.
> >     >
> >     > Could you please send me the debug log and a pcap of this transaction. I want to check where the problem is
> >     > because it is working here.
> >     >
> >     > Thanks
> >     >
> >     >
> >     > On Mon, May 6, 2013 at 8:02 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
> >     >
> >     >     Hi
> >     >
> >     >     On 06.05.2013 04:03, Breno Silva wrote:
> >     >     > Hello Reindl,
> >     >     >
> >     >     > I wrote a patch for SecRemoteAddrDefine. This is now:
> >     >     > SecRemoteAddrDefine X-Forwarded-For /etc/modsecurity/trusted_ip.txt
> >     >     >
> >     >     > Then in trusted_ip.txt you can insert your ips one per line.
> >     >     >
> >     >     > Can you test and give me feedback ?
> >     >     >
> >     >     > Thanks
> >     >     > Breno
> >     >
> >     >     syntax is accepted but does not work, see below
> >     >     _________________________________________________
> >     >
> >     >     i still refuse to understand why here a dirty hack is done especially
> >     >     because this changelog shows that there is another crude hack in case
> >     >     of logging (i guess blow X-Forwarded-For in any case to the log) instead
> >     >     of handling it in the proper way PHP does for $_SERVER['REMOTE_ADDR']
> >     >
> >     >     you have to respect the Apache configuration and RemoteIPInternalProxy
> >     >     why do you not look how PHP handles this in a correct way? from the
> >     >     view of a clean software design this hack-attitude is completely wrong
> >     >
> >     >     if mod_remoteip takes action there is no longer a X_FORWARDED_FOR header
> >     >     in $_SERVER at all and $_SERVER['REMOTE_ADDR'] contains the correct IP
> >     >
> >     >     * Fixed mod_security displaying wrong ip address in error.log using apache 2.4 and mod_remoteip
> >     >     _________________________________________________
> >     >
> >     >     [Mon May 06 12:49:14.532293 2013] [:error] [pid 8816] [client 10.0.0.99] ModSecurity: Access denied with code 404 (phase 2). Matched phrase "nessus" at REQUEST_HEADERS:User-Agent. [file "/etc/httpd/modsecurity.d/modsecurity_35_bad_robots.conf"] [line "3"] [id "990002"] [msg "Bad Robot"] [hostname "proxy.test.rh"] [uri "/"] [unique_id "UYeKqgoAAGMAACJwT-oAAAAD"]
> >     >     ______________________________________________________________
> >     >
> >     >     the proxy i am connected to is for sure 10.0.0.103 and both, my client IP
> >     >     and the origin-server from the view of the proxy are 10.0.0.99, the logging
> >     >     is correct but this rule should not be active for my IP
> >     >
> >     >     [root@rh:/etc/httpd/modsecurity.d]$ cat mod_security.conf | grep "ruleRemoveById=990002"
> >     >      SecRule REMOTE_ADDR "^10\.0\.0\.99" "id:'102',phase:1,pass,nolog,ctl:ruleRemoveById=990002"
> >     >
> >     >     [root@rh:/etc/httpd/modsecurity.d]$ cat modsecurity_10_config.conf | grep SecRemoteAddrDefine
> >     >     SecRemoteAddrDefine         X-Forwarded-For /etc/httpd/modsecurity.d/modsecurity_10_mod_remoteip.conf
> >     >
> >     >     [root@rh:/etc/httpd/modsecurity.d]$ cat /etc/httpd/modsecurity.d/modsecurity_10_mod_remoteip.conf
> >     >     127.0.0.1
> >     >     10.0.0.4
> >     >     10.0.0.103
> >     >     91.118.73.4
>
>
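As an added illustration, not part of this thread or of mod_remoteip's source, here is a small Python model of the right-to-left processing quoted above from the httpd docs, run against the test values from the thread (proxy 10.0.0.103, client 10.0.0.99, rule 102 exempting `^10\.0\.0\.99` from rule 990002). It assumes RemoteIPInternalProxy semantics (private addresses in the header are honoured) and that a malformed header entry halts processing; `INTERNAL_PROXIES` and `rule_990002_active` are constructed for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed to mirror the thread's setup: the Apache Traffic Server that
# forwards to httpd is 10.0.0.103 (RemoteIPInternalProxy 127.0.0.1 10.0.0.103).
INTERNAL_PROXIES = ["127.0.0.1", "10.0.0.103"]


def resolve_client_ip(peer_ip: str, xff: Optional[str],
                      internal_proxies: List[str]
                      ) -> Tuple[str, Optional[str], List[str]]:
    """Model of mod_remoteip's right-to-left evaluation of RemoteIPHeader.
    RemoteIPInternalProxy semantics are assumed (private addresses in the
    header are honoured). Returns (client_ip, remaining_header, proxy_chain):
      client_ip        the useragent address httpd exposes (%a / REMOTE_ADDR)
      remaining_header unconfirmed addresses left in X-Forwarded-For, or None
      proxy_chain      the trusted hops, i.e. what RemoteIPProxiesHeader records
    """
    trusted = {ipaddress.ip_address(p) for p in internal_proxies}
    client = ipaddress.ip_address(peer_ip)
    remaining = [a.strip() for a in (xff or "").split(",") if a.strip()]
    chain: List[str] = []
    # The rightmost address was appended by the current peer; only a trusted
    # peer is allowed to vouch for it. Stop at the first untrusted hop.
    while remaining and client in trusted:
        try:
            candidate = ipaddress.ip_address(remaining[-1])
        except ValueError:
            break  # assumption: a malformed entry halts processing and stays unconfirmed
        remaining.pop()
        chain.append(str(client))
        client = candidate
    return str(client), (", ".join(remaining) or None), chain


def rule_990002_active(client_ip: str) -> bool:
    """Constructed model of rule 102 from the thread: it removes the Bad Robot
    rule (990002) for clients whose REMOTE_ADDR matches, so 990002 stays active
    only for everyone else."""
    return re.match(r"^10\.0\.0\.99", client_ip) is None


if __name__ == "__main__":
    # Reindl's test: trusted proxy 10.0.0.103 appends his address 10.0.0.99.
    print(resolve_client_ip("10.0.0.103", "10.0.0.99", INTERNAL_PROXIES))
    # Proxy list naming 10.0.0.104 instead: the peer itself stays REMOTE_ADDR.
    print(resolve_client_ip("10.0.0.103", "10.0.0.99", ["127.0.0.1", "10.0.0.104"]))
    # Forged header sent through the trusted proxy, which appends the real peer.
    print(resolve_client_ip("10.0.0.103", "10.0.0.99, 203.0.113.7", INTERNAL_PROXIES))
```

The third case answers the forging question: the trusted proxy appends the true peer address on the right, processing stops at that untrusted hop, and the forged `10.0.0.99` is left behind as an unconfirmed header value rather than becoming REMOTE_ADDR.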
