Hi Andrew,

On Sat, Feb 27, 2010 at 03:15:25PM +1030, Andrew Commons wrote:
> Hi all,
>
> The ability to extend the option httpchk <version> argument string to dummy
> up a Host header is described as a 'trick' in the configuration
> documentation. I have found that the 'trick' can be extended to add
> User-Agent (HAProxy) and Accept (*/*) headers to keep ModSecurity quiet when
> checking an Apache server. This leads me to two questions:
>
> (1) To what level is this 'trick' supported? Is an haproxy update likely to
> kill it?

It's supported and is unlikely to break on future versions. It's a trick
because it happens due to the way the request is built, and it requires
that users have a bit of HTTP knowledge to use it.

> (2) Is there a better way of handling something like ModSecurity that
> doesn't like the request generated by haproxy because it doesn't look like
> it has come from a browser?

Right now I have no other solution!

> Note that in respect to question (2) I have messed around a bit with the
> ModSecurity configuration and made some progress but the use of the 'trick'
> was far simpler!

Recently the HTTP check was internally changed so that the code now supports
adding headers. So we could very well have some "http-check" statements to
add multiple headers, like this:

    http-check host www.mydomain.com

or:

    http-check header Host www.mydomain.com

or maybe:

    http-check add "Host: www.mydomain.com"

We could even add some POST DATA if required. This needs a bit of thinking
before implementing something, but I think we can do useful things now.

BTW, if we do that in 1.5 before reorganizing the checks, we'll even be able
to backport into 1.4-stable.

Regards,
Willy
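
A simplified model of why the 'trick' discussed above works, as an added example that is not part of the original message and not HAProxy's own code. It assumes the check request is the method, URI and version arguments joined on one line and followed by a blank line, so escaped `\r\n` sequences inside the version argument become extra header lines; the function names, the `/health` URI and the list of required headers are assumptions for illustration.

```python
# Constructed sample: the documented Host 'trick' extended with the two extra
# headers mentioned in the question. The URI and hostname are placeholders.
CONFIG_LINE = (r"option httpchk GET /health HTTP/1.1\r\nHost:\ www.mydomain.com"
               r"\r\nUser-Agent:\ HAProxy\r\nAccept:\ */*")

_ESCAPES = {"r": "\r", "n": "\n", "t": "\t"}  # any other escaped char is kept literally

def split_args(line):
    """Split a config line on unescaped whitespace, resolving backslash escapes."""
    args, cur, i = [], "", 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur += _ESCAPES.get(line[i + 1], line[i + 1])  # "\ " -> literal space
            i += 2
            continue
        if ch.isspace():
            if cur:
                args.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    if cur:
        args.append(cur)
    return args

def build_check_request(line):
    """Assumed model of the request sent to the server: request line + blank line."""
    args = split_args(line)
    if args[:2] != ["option", "httpchk"]:
        raise ValueError("not an 'option httpchk' line")
    rest = args[2:]
    if len(rest) <= 1:   # documented defaults: OPTIONS method, "/" URI, HTTP/1.0
        method, uri, version = "OPTIONS", (rest + ["/"])[0], "HTTP/1.0"
    else:
        method, uri, version = rest[0], rest[1], (rest + ["HTTP/1.0"])[2]
    return f"{method} {uri} {version}\r\n\r\n".encode("ascii")

def missing_headers(request, required=("host", "user-agent", "accept")):
    """Return the required header names absent from the request head."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    present = {l.split(":", 1)[0].strip().lower()
               for l in head.split("\r\n")[1:] if ":" in l}
    return [h for h in required if h not in present]

if __name__ == "__main__":
    req = build_check_request(CONFIG_LINE)
    print(req.decode("ascii"), "missing:", missing_headers(req))
```

Running it against a plain `option httpchk GET /health` line lists all three headers as missing, which is the kind of request the question describes ModSecurity objecting to.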