Hi Andrew,

On Sat, Feb 27, 2010 at 03:15:25PM +1030, Andrew Commons wrote:
> Hi all,
>
> The ability to extend the option httpchk <version> argument string to dummy
> up a Host header is described as a 'trick' in the configuration
> documentation. I have found that the 'trick' can be extended to add
> User-Agent (HAProxy) and Accept (*/*) headers to keep ModSecurity quiet when
> checking an Apache server. This leads me to two questions:
>
> (1) To what level is this 'trick' supported? Is an haproxy update likely to
> kill it?

It's supported and is unlikely to break on future versions. It's a trick
because it happens due to the way the request is built, and it requires
that users have a bit of HTTP knowledge to use it.

> (2) Is there a better way of handling something like ModSecurity that
> doesn't like the request generated by haproxy because it doesn't look like
> it has come from a browser?

Right now I have no other solution!

> Note that in respect to question (2) I have messed around a bit with the
> ModSecurity configuration and made some progress but the use of the 'trick'
> was far simpler!

Recently the HTTP check was internally changed so that the code now
supports adding headers. So we could very well have some "http-check"
statements to add multiple headers, like this:

    http-check host www.mydomain.com

or:

    http-check header Host www.mydomain.com

or maybe:

    http-check add "Host: www.mydomain.com"

We could even add some POST DATA if required. This needs a bit
of thinking before implementing something, but I think we can do
useful things now.

BTW, if we do that in 1.5 before reorganizing the checks, we'll
even be able to backport into 1.4-stable.

Regards,
Willy
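
Added example, not part of the original message and not HAProxy's own code: a small Python model of the 'trick' discussed above, showing what a backend behind ModSecurity receives for a plain `option httpchk` line versus one whose version argument carries Host, User-Agent and Accept headers. The URI `/health`, the HTTP version, the helper names and the way the request is assembled are assumptions made for illustration.

```python
import re

# Constructed haproxy.cfg lines; /health and HTTP/1.1 are sample values.
PLAIN = r"option httpchk GET /health HTTP/1.1"
TRICK = (r"option httpchk GET /health HTTP/1.1\r\nHost:\ www.mydomain.com"
         r"\r\nUser-Agent:\ HAProxy\r\nAccept:\ */*")

# Headers the thread mentions adding to the check.
EXPECTED = ("host", "user-agent", "accept")


def split_args(line):
    # Split on whitespace that is not backslash-escaped, then decode the
    # escapes used above: backslash-r, backslash-n and backslash-space.
    args = []
    for raw in re.split(r"(?<!\\)\s+", line.strip()):
        args.append(raw.replace("\\r", "\r").replace("\\n", "\n").replace("\\ ", " "))
    return args


def build_request(line):
    # Simplified model (assumption): method, URI and the version argument are
    # joined into the request line and a blank line ends the request, so any
    # CRLF-separated text after the version is sent as header lines.
    args = split_args(line)
    if args[:2] != ["option", "httpchk"] or len(args) != 5:
        raise ValueError("expected: option httpchk <method> <uri> <version>")
    method, uri, version = args[2:]
    return f"{method} {uri} {version}\r\n\r\n".encode("ascii")


def missing_headers(request):
    # Report which expected headers the backend (and its WAF) will not see.
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    names = {l.split(":", 1)[0].strip().lower()
             for l in head.split("\r\n")[1:] if ":" in l}
    return [h for h in EXPECTED if h not in names]


if __name__ == "__main__":
    for cfg in (PLAIN, TRICK):
        req = build_request(cfg)
        print(req.decode("ascii").rstrip())
        print("missing:", missing_headers(req) or "none", "\n")
```

Running the same header check against a capture of the real health-check request on the Apache side confirms whether the configured line produces the headers the WAF rules expect.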