I would like to create a mod_security collection that is based on something other than the user's IP, Session ID, or username. Specifically, based on the REQUEST_URI. However, mod_security indicates that this is not possible. My question is whether there might be some workaround.
I tried the following, but couldn't get it to work:
SetEnvIf Request_URI "^\/([a-z0-9]+)\/" account="$1"
SecAction setsid:%{account},pass,nolog
SecAction "phase:2,pass,setvar:session.count=+1,nolog"
SecRule SESSION:COUNT "@gt 60" "phase:2,deny,status:503,skip:1,nolog"
SecAction "phase:5,deprecatevar:session.count=1/1,pass,nolog"
The above should extract the account name from the URL (line 1), and use that as the session id (line 2; this is what doesn't work). It then increases the request count on each request that includes that account name (line 3). If the count goes over 60 (line 4), a 503 error is returned. The count is decreased by 1 every 1 seconds (line 5).
0 Answers