Barry,

On Thu, Apr 28, 2016 at 08:19:33AM +0100, Barry Pollard wrote:
> While I agree the distinction at an Apache level is now meaningless
> (without changing compile options), there is still a usefulness at a
> ModSecurity level for ordering of rules (e.g. I want to whitelist
> after phase1 for example, primarily to reduce setting up of
> collections in phase 2 as much as possible as collections struggle
> with volume).

I agree, it still has its uses and there is the option for
--enable-request-early, which works nicely.

> Will open the request on github and guess I should
> finally make the effort to stop living in the past and bring myself up
> to speed on git and pull requests, so I can actually contribute rather
> than just observing :-) 

We will welcome you as a contributor with open arms.

> at me due to a weird issue I noticed.  To save anyone else repeating
> my struggles, the latest version of mod_http2 (1.5.1) changes the
> protocol logged from HTTP/2 to HTTP/2.0 so if you only have HTTP/2
> allowed in modsecurity_crs_10_setup.conf then requests that reach
> phase 2 will start blocking and if, like me, you whitelist "most"
> requests after phase 1 this might confuse you for a bit as to why only
> some are blocked!  Thanks, Barry

Thanks for pointing this out.

So the correct entry would be:

setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2.0', \

and the robust one:

setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0', \

Is that correct?

Ahoj,

Christian
> 
> > Date: Thu, 28 Apr 2016 08:34:07 +0200 From:
> > christian.fol...@netnea.com To: barry_poll...@hotmail.com CC:
> > owasp-modsecurity-core-rule-set@lists.owasp.org Subject: Re:
> > [Owasp-modsecurity-core-rule-set] Why are rules 960034, 960035 and
> > 960038 phase 2?
> > 
> > Hi Barry,
> > 
> > The distinction between phase:1 and phase:2 was blurred with the
> > moving of the phase:1 onto the same apache hook a few years back (in
> > order to make SecRule phase:1 work in Location blocks).
> > 
> > But for people compiling with --enable-request-early and thus having
> > a real phase:1 before the request body is received, for these people
> > moving rules into phase:1 when possible makes a lot of sense.
> > 
> > I support your request and suggest you open a github issue. A direct
> > pull request for the 3.0.0rc1 branch would be equally welcome.
> > 
> > In case: Did you check all the rules for phase:1 candidates or these
> > just the ones that jumped on you?
> > 
> > Ahoj,
> > 
> > Christian
> > 
> > -- Do not pray for an easy life.  Pray for the strength to endure a
> > difficult one.  -- Bruce Lee
>                                         
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
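
Added example, not part of the original messages or of the CRS project: a small Python check that reads the tx.allowed_http_versions value from a setup file and reports which protocol strings would be rejected. It assumes the protocol rule compares REQUEST_PROTOCOL using ModSecurity's @within operator (substring match against the list); the "old" line is constructed from Barry's description, and the function names are hypothetical.

```python
import re

# Constructed sample lines: "old" follows Barry's description (only HTTP/2
# listed); "correct" and "robust" are the two entries quoted in the thread.
SAMPLE_CONFIGS = {
    "old": "setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2', \\",
    "correct": "setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2.0', \\",
    "robust": "setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0', \\",
}

# Protocol strings logged by mod_http2 before and after 1.5.1, plus HTTP/1.1
# and one value that no list in the thread allows.
PROTOCOLS = ["HTTP/1.1", "HTTP/2", "HTTP/2.0", "HTTP/3.0"]

SETVAR_RE = re.compile(r"setvar:'?tx\.allowed_http_versions=([^',\"]+)")


def allowed_versions(conf_text):
    """Return the raw allow-list string from the config text, or None."""
    match = SETVAR_RE.search(conf_text)
    return match.group(1).strip() if match else None


def within(needle, haystack):
    """Assumed model of @within: the input must occur as a substring
    of the parameter string (not as a whole space-separated token)."""
    return needle in haystack


def blocked(conf_text, protocols=PROTOCOLS):
    """List the protocol strings the allow-list would reject."""
    allow = allowed_versions(conf_text)
    if allow is None:
        raise ValueError("tx.allowed_http_versions is not set in this config")
    return [p for p in protocols if not within(p, allow)]


if __name__ == "__main__":
    for name, conf in SAMPLE_CONFIGS.items():
        print(f"{name:8s} allow-list: {allowed_versions(conf)!r}")
        print(f"{'':8s} rejected:   {blocked(conf)}")
```

Under the substring assumption, the list ending in HTTP/2.0 also accepts a logged HTTP/2, so it covers both mod_http2 behaviours; a list ending in HTTP/2 alone rejects HTTP/2.0.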