Correct. Thanks, Barry
> On 28 Apr 2016, at 08:31, Christian Folini <christian.fol...@netnea.com> wrote:
>
> Barry,
>
>> On Thu, Apr 28, 2016 at 08:19:33AM +0100, Barry Pollard wrote:
>> While I agree the distinction at an Apache level is now meaningless
>> (without changing compile options), there is still a usefulness at a
>> ModSecurity level for ordering of rules (e.g. I want to whitelist
>> after phase1 for example, primarily to reduce setting up of
>> collections in phase 2 as much as possible as collections struggle
>> with volume).
>
> I agree, it still has its uses and there is the option for
> --enable-request-early, which works nicely.
>
>> Will open the request on github and guess I should
>> finally make the effort to stop living in the past and bring myself up
>> to speed on git and pull requests, so I can actually contribute rather
>> than just observing :-)
>
> We will welcome you as a contributor with open arms.
>
>> at me due to a weird issue I noticed. To save anyone else repeating
>> my struggles, the latest version of mod_http2 (1.5.1) changes the
>> protocol logged from HTTP/2 to HTTP/2.0 so if you only have HTTP/2
>> allowed in modsecurity_crs_10_setup.conf then requests that reach
>> phase 2 will start blocking and if, like me, you whitelist "most"
>> requests after phase 1 this might confuse you for a bit as to why only
>> some are blocked!
>>
>> Thanks,
>> Barry
>
> Thanks for pointing this out.
>
> So the correct entry would be:
>
> setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2.0', \
>
> and the robust one:
>
> setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0', \
>
> Is that correct?
>
> Ahoj,
>
> Christian
>>
>>> Date: Thu, 28 Apr 2016 08:34:07 +0200
>>> From: christian.fol...@netnea.com
>>> To: barry_poll...@hotmail.com
>>> CC: owasp-modsecurity-core-rule-set@lists.owasp.org
>>> Subject: Re: [Owasp-modsecurity-core-rule-set] Why are rules 960034, 960035 and 960038 phase 2?
>>>
>>> Hi Barry,
>>>
>>> The distinction between phase:1 and phase:2 was blurred with the
>>> moving of the phase:1 onto the same apache hook a few years back (in
>>> order to make SecRule phase:1 work in Location blocks).
>>>
>>> But for people compiling with --enable-request-early and thus having
>>> a real phase:1 before the request body is received, for these people
>>> moving rules into phase:1 when possible makes a lot of sense.
>>>
>>> I support your request and suggest you open a github issue. A direct
>>> pull request for the 3.0.0rc1 branch would be equally welcome.
>>>
>>> In case: Did you check all the rules for phase:1 candidates or are these
>>> just the ones that jumped on you?
>>>
>>> Ahoj,
>>>
>>> Christian
>>>
>>> --
>>> Do not pray for an easy life. Pray for the strength to endure a
>>> difficult one. -- Bruce Lee
>>
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
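
An added example, not part of the original thread or of the CRS: a Python check that counts the protocol strings seen in an access log and reports which ones a given tx.allowed_http_versions list leaves out, so the HTTP/2 versus HTTP/2.0 change shows up before requests start blocking. The log lines and the BEFORE list are constructed, and the whole-token comparison is an assumption about how the list is evaluated.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = '''\
192.0.2.10 - - [28/Apr/2016:08:01:02 +0100] "GET / HTTP/1.1" 200 512 "-" "curl/7.47"
192.0.2.11 - - [28/Apr/2016:08:01:03 +0100] "GET /app HTTP/2" 200 1024 "-" "Mozilla/5.0"
192.0.2.12 - - [28/Apr/2016:08:01:04 +0100] "POST /login HTTP/2.0" 403 199 "-" "Mozilla/5.0"
192.0.2.13 - - [28/Apr/2016:08:01:05 +0100] "GET /x HTTP/2.0" 403 199 "-" "Mozilla/5.0"
192.0.2.14 - - [28/Apr/2016:08:01:06 +0100] "-" 408 - "-" "-"
'''

# CORRECT and ROBUST are the two lists quoted in the thread. BEFORE is a
# constructed list matching the description "only have HTTP/2 allowed".
BEFORE = "HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2"
CORRECT = "HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2.0"
ROBUST = "HTTP/0.9 HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0"

# Matches the quoted request line and captures the protocol token.
REQUEST_LINE = re.compile(r'"[A-Z]+ \S+ (HTTP/\d+(?:\.\d+)?)"')


def logged_protocols(log_text):
    """Count protocol strings in request lines; also count unparsable lines."""
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if match:
            counts[match.group(1)] += 1
        elif line.strip():
            skipped += 1  # e.g. timeouts logged with "-" as the request
    return counts, skipped


def uncovered(allowed_http_versions, counts):
    """Return protocols seen in the log that are not literally in the list.

    Assumption: whole-token comparison, the strictest reading of the list.
    """
    allowed = set(allowed_http_versions.split())
    return {proto: n for proto, n in counts.items() if proto not in allowed}


if __name__ == "__main__":
    counts, skipped = logged_protocols(SAMPLE_LOG)
    for name, allowed in (("before", BEFORE), ("correct", CORRECT), ("robust", ROBUST)):
        print(name, uncovered(allowed, counts), "unparsed lines:", skipped)
```
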