> It looks to me that rule 920350, "Host header is a numeric IP address" 
> (REQUEST-20-PROTOCOL-ENFORCEMENT.conf) will cause a redirect loop when 
> combined with the default "modsecurity_crs_10_setup.conf" action.
> 
> SecDefaultAction 
> "phase:1,log,redirect:'http://%{request_headers.host}/',tag:'Host: 
> %{request_headers.host}'"
> SecDefaultAction 
> "phase:2,log,redirect:'http://%{request_headers.host}/',tag:'Host: 
> %{request_headers.host}'"
> 
> request_headers.host will always be the IP address, and the rule therefore 
> will keep firing.
> 
> 1. Is this the intended action even for this rule?
> 2. Is there a way to override the action for this (or any specific) rule?
> 
> It seems like this could really hammer a site unintentionally, especially if 
> you have a browser that isn't catching the redirect or some other script?

You make a very good point. It’s a bigger problem and not restricted to this 
rule though. I think the redirect loop will also happen if the client has been 
blocked due to a cookie. After all, the client will usually re-send the same 
cookie on the redirect to the homepage. And I think it will then redirect again 
and again. I’d have to check to make sure though.

Personally I am not a fan of doing this redirect in case of a block.

I can see how the redirect would be an interesting choice for some sites. An 
error page might scare the visitor too much. If they get thrown back to the 
homepage, that is still extremely frustrating, but they might re-try their 
request in some other way. On the other hand, it seems much better to configure 
a friendly error page and send the customer to a “report the problem, what did 
you do?” form, which will help iron out false positives much better.

I would prefer that the default would be to just serve an error 403, but 
leaving the redirect as a commented-out example.

What do others think?

-- 
Walter Hop | PGP key: https://lifeforms.nl/pgp

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

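Worked example of the override the original poster asked about, added here as an illustration and not taken from the thread or from the CRS project's own files. It places the quoted (looping) default action beside a non-redirecting one, adds a friendly 403 page, and overrides the action of a single rule. The directives are the stock ModSecurity 2.x ones (SecDefaultAction, SecRuleUpdateActionById, SecRuleRemoveById); the hostname, the error page path and the specific override chosen for 920350 are assumptions for illustration.

```apache
# --- The quoted (looping) default, for comparison ---
# Every block is answered with a redirect to http://<Host header>/.
# For rule 920350 the Host header is the numeric IP that triggered the
# rule, so the redirected request carries the same Host and trips the
# same rule again. The same holds for any rule keyed on something the
# client resends unchanged (a cookie, a User-Agent, ...).
#
# SecDefaultAction "phase:1,log,redirect:'http://%{request_headers.host}/'"
# SecDefaultAction "phase:2,log,redirect:'http://%{request_headers.host}/'"

# --- Corrected default: block with a terminal 403, no redirect ---
# The client receives a final response and nothing is re-requested,
# so a match cannot chain into a loop.
SecDefaultAction "phase:1,log,deny,status:403"
SecDefaultAction "phase:2,log,deny,status:403"

# --- Friendly error page (Apache side; path is an assumption) ---
# Served for every 403, ModSecurity blocks included. Keep it a static
# file and switch the engine off for its location so the request for
# the error page can never itself be blocked.
ErrorDocument 403 /errors/blocked.html
<Location "/errors/">
    SecRuleEngine Off
</Location>

# --- Per-rule override: must appear AFTER the Include of the rule files ---
# SecRuleUpdateActionById replaces the action list of one rule only
# (id and phase cannot be changed this way). Here 920350 is kept, but
# instead of the default 403 it redirects to a fixed hostname. Because
# the redirect target's Host header is a name, not an IP, 920350 does
# not match on the follow-up request and no loop occurs.
SecRuleUpdateActionById 920350 "log,redirect:'http://www.example.com/'"

# Alternatively, if the site is legitimately reached by IP address,
# drop the rule altogether rather than tuning its action:
# SecRuleRemoveById 920350
```

Note that the fixed-hostname redirect only breaks the loop for this particular rule; a rule that keys on a cookie or another resent header would still loop under any redirect-based action, which is why the default above is a plain deny.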