Hi all, I've ended up using apache insted of nginx. The nginx module that was mencioned (more_set_headers), from what i've tested doesn't have the same potencial has the mod_headers from Apache.
The nginx module can change http headers but i think it doesn't support regex. Thanks, Filipe On Tue, Oct 15, 2013 at 7:17 PM, Filipe Bernardo <filipe...@gmail.com>wrote: > Hi, Ryan > Thanks for your quick answer, i'm going to try to use that extra module, > and "replace" the directives on the rules with the nginx/module > "more_set_headers" > > (now, abusing your good will :) > From what i could find regarding that module, i didn't understand if it > supports regex.. Do you know? would it be only necessary replace the > "Header edit..." to "more_set_headers"? > > Do you know if is there anyone else using this module with this rules? > > Thanks > Filipe > > > > On Tue, Oct 15, 2013 at 6:19 PM, Ryan Barnett <rbarn...@trustwave.com>wrote: > >> From: Filipe Bernardo <filipe...@gmail.com> >> Date: Tuesday, October 15, 2013 12:35 PM >> To: "owasp-modsecurity-core-rule-set@lists.owasp.org" < >> owasp-modsecurity-core-rule-set@lists.owasp.org> >> Subject: [Owasp-modsecurity-core-rule-set] modsecurity 2.7.5 (STABLE) + >> nginx 1.4.1 - "Header changing rules not working" >> >> Hi all, >> First let me say that i think you are doing a great job with the >> modsecurity, and the owasp-crs rules. >> >> I have a setup with nginx and modsecurity, i'm using the owasp-crs rules >> from the repository (git clone >> https://github.com/SpiderLabs/owasp-modsecurity-crs) >> >> and most rules work "out-of-the-box" with the apps i'm testing >> >> >> i've encontered a problem using the rules that try to alter the >> "headers" i think the problem is related with the "directives" "Header >> edit..." and "RequestHeader append..." >> >> The "rule files" i've found that are causing me problems are the >> following: >> - modsecurity_crs_49_header_tagging.conf >> - modsecurity_crs_55_application_defects.conf >> >> Modsecurity was compiled from source with --enable-standalone-module >> And nginx was compiled from source with --add-module=/path/to/modsecurity >> >> Can anyone help with this? >> Is there any module that i should compile on nginx to be able to "edit" >> the headers? >> >> Thanks >> >> >> Yeah, those rule files use the Apache mod_headers directives that >> won't work on other platforms (IIS, Nginx and Java). >> >> For Nginx, looks like you could use - >> http://wiki.nginx.org/HttpHeadersMoreModule >> >> -Ryan >> >> ------------------------------ >> >> This transmission may contain information that is privileged, >> confidential, and/or exempt from disclosure under applicable law. If you >> are not the intended recipient, you are hereby notified that any >> disclosure, copying, distribution, or use of the information contained >> herein (including any reliance thereon) is strictly prohibited. If you >> received this transmission in error, please immediately contact the sender >> and destroy the material in its entirety, whether in electronic or hard >> copy format. >> > >
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
