I'm fixing default php-url-fopen filter to allow some GET query parameters which I'm using in my system (it's not publicly available, but I would still like to block unnecessary requests). The problem is that I got working regex for one name of parameter, but I can't get working regex for two parameters where second opiton is combined from two names. I'm using fail2ban 0.8.11 - here is working (fail)regex:
^<HOST> -.*"(GET|POST).*\?.*(?<!outer)\=http\:\/\/.* HTTP\/.*$
And here is the regex which doesn't work:
^<HOST> -.*"(GET|POST).*\?.*(?<!outer|type\=outer\&url)\=http\:\/\/.* HTTP\/.*$
When I try to start fail2ban service with non-working regex, I get this message:
ERROR NOK: ('Unable to compile regular expression \'^(?:::f{4,6}:)?(?P<host>[\\w\\-.^_]*\\w) -.*"(GET|POST).*\\?.*(?<!outer|type\\=outer\\&url)\\=http\\:\\/\\/.* HTTP\\/.*$\'',)
Any help would be appreciated.
The solution to my second regex is:
Both words/parameters in GET query must be separated and contained only in one negative lookbehind.