From: Filipe Bernardo <filipe...@gmail.com>
Date: Tuesday, October 15, 2013 12:35 PM
To: "owasp-modsecurity-core-rule-set@lists.owasp.org" <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: [Owasp-modsecurity-core-rule-set] modsecurity 2.7.5 (STABLE) + nginx 1.4.1 - "Header changing rules not working"

Hi all,

First let me say that I think you are doing a great job with the modsecurity, and the owasp-crs rules.

I have a setup with nginx and modsecurity. I'm using the owasp-crs rules from the repository (git clone https://github.com/SpiderLabs/owasp-modsecurity-crs) and most rules work "out-of-the-box" with the apps I'm testing.

I've encountered a problem using the rules that try to alter the "headers". I think the problem is related to the "directives" "Header edit..." and "RequestHeader append..."

The "rule files" I've found that are causing me problems are the following:

- modsecurity_crs_49_header_tagging.conf
- modsecurity_crs_55_application_defects.conf

Modsecurity was compiled from source with --enable-standalone-module
And nginx was compiled from source with --add-module=/path/to/modsecurity

Can anyone help with this? Is there any module that I should compile on nginx to be able to "edit" the headers?

Thanks

Yeah, those rule files use the Apache mod_headers directives that won't work on other platforms (IIS, Nginx and Java). For Nginx, looks like you could use - http://wiki.nginx.org/HttpHeadersMoreModule

-Ryan
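
The reply above notes that rule files relying on Apache mod_headers directives will not work on nginx; which files in a rule directory are affected can be checked before deployment. The following shell function is an added example, not part of the original thread or of the CRS project: it lists each `.conf` file that contains active `Header` or `RequestHeader` directives. The function names and the sample rule content are constructed for illustration.

```shell
#!/bin/sh
# Added example: find rule files that depend on Apache mod_headers.

# Print "<file>:<count>" for every *.conf in directory $1 that holds at least
# one active (non-commented) Header or RequestHeader directive.
find_mod_headers_files() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # The directive name must be the first token on the line, so lines
        # starting with '#' (comments) and SecRule lines are not counted.
        # Apache directive names are case-insensitive, hence -i.
        n=$(grep -Eic '^[[:space:]]*(Request)?Header[[:space:]]' "$f" || true)
        if [ "$n" -gt 0 ]; then
            printf '%s:%s\n' "$(basename "$f")" "$n"
        fi
    done
    return 0
}

# Demo on constructed rule files (not copied from the CRS repository).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sample_header_rules.conf" <<'EOF'
SecRule RESPONSE_STATUS "@streq 200" "id:900001,phase:3,pass,nolog,setenv:demo_flag=1"
Header edit Set-Cookie "^(.*)$" "$1; HttpOnly" env=demo_flag
  RequestHeader append X-Demo-Events "%{demo_events}e" env=demo_events
# Header set X-Disabled "commented out, must not be counted"
EOF
    cat > "$tmp/sample_plain_rules.conf" <<'EOF'
SecRule ARGS "@contains test" "id:900002,phase:2,pass,nolog"
EOF
    find_mod_headers_files "$tmp"
    rm -rf "$tmp"
}

demo
```

Files reported by the function are the ones to exclude or replace with an nginx-side equivalent, such as the headers-more module linked in the reply.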