Yes Barry's questions

I made some changes to my config as per this suggestion:

SecAction \
    "id:901321,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    initcol:global=global,\
    initcol:ip=%{x-forwarded-for}_%{tx.ua_hash},\
    setvar:'tx.real_ip=%{x-forwarded-for}'"

But nothing seems to happen. I noticed that my apache error_log was using the default error log format and logging everything as 127.0.0.1.

So I changed my ErrorLogFormat to:

ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %{X-Forwarded-For}i] %M% ,\ referer\ %{Referer}i"

That made my logs better, but ModSecurity is still not doing any blocking. What's weird is that most of the ModSec logs in the apache error_log have an extra client IP section in them:

[Wed May..2019] [err] [pid X:tid X] [client XXX.XX.XX.XXX] [client 127.0.0.1] ModSecurity: Warning...

I have no idea where the extra [client 127.0.0.1] is coming from - I know it's definitely only doing this for ModSecurity logs in the error_log.

It seems like either ModSecurity is either constantly trying to block 127.0.0.1 or just not blocking anything..

So how can I get ModSecurity to block using the X-Forwarded-For header?

NOTE

1. I do have SecRuleEngine On set properly.
2. Versions: Apache 2.4, ModSecurity 2.9, OWASP 3

I am trying to disable rule 942100 (an SQLi rule) when certain values are present in the URI, but apache won't start so something is wrong.

My attempt (in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf):

SecRule ARGS "@rx (m[inax]{2}[_\w]+)\-{3}[ade]{1,2}sc" \
    "id:942100,\
    phase:2,\
    pass,\
    nolog,noauditlog,\
    ctl:ruleRemoveById=942100"

The idea is so that URI values such as "min_width---asc" and "max_height_or_width---desc" for example are not flagged by ModSec. I need to remove these false positives but it's not working.

I know it's possible to use wildcards for subdomain aliases like:

ServerAlias *.domain.com

But is it possible to use that for domains having a the same subdomain?

# like this
ServerAlias subdomain.*.com

I was wondering if anybody knew of any software (preferably free if possible) that monitors server traffic for spikes? Something that, say, might send out notifications via email or anything for that matter to let you know there's an unusually high volume of traffic at the moment.

Thanks!

I am trying to set some defaults in my.cnf and when I tried to check MySQL's current defaults I got an error!

• Using Zend Server CE 5.5
• on OSX 10.6.8

And here is the command and subsequent error:

$ mysql --print-defaults
/usr/local/zend/mysql/bin/mysql.client: unknown option '--print-defaults'

When I type --help it shows the --print-defaults as an option.

Am I doing something wrong? Has anyone else experienced this?

(Note: if this question belongs on Super User please let me know and don't downvote it -- unless it actually deserves one.)

Edit

I tried doing mysqld --print-defaults and as I reported it didn't work either. So I checked if it was running and this is what I got:

$ ps aux | grep mysqld
 5:36PM  0:00.01 grep mysqld
Mon02AM  2:24.61 /usr/local/zend/mysql/bin/mysqld 
                 --defaults-extra-file=/usr/local/zend/mysql/data/my.cnf 
                 --basedir=/usr/local/zend/mysql 
                 --datadir=/usr/local/zend/mysql/data 
                 --user=zend 
                 --log-error=/usr/local/zend/mysql/data/mycomputer.local.err 
                 --pid-file=/usr/local/zend/mysql/data/mycomputer.local.pid 
                 --socket=/usr/local/zend/mysql/tmp/mysql.sock --port=3306

I'm having a weird issue with trying to setup SSL (https) on Zend Server CE for OSX. Currently I am running Zend Server 5.5.

$ sudo zendctl.sh version
Password:
Zend Server version: 5.5.0

I created a self-signed certificate in the correct directory using this:

$ openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt \
> -days 365 -nodes

I already uncommented this out in my httpd.conf:

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

And I added this to my httpd-vhost.conf file:

NameVirtualHost *:80
NameVirtualHost *:443

And these are my vhost conf for the site (I'm trying to use one directory for both SSL and port 80 requests):

<VirtualHost *:80>
    DocumentRoot /usr/local/zend/apache2/htdocs/mydomain.com
    ServerName mydomain.local
    AllowEncodedSlashes On
</VirtualHost>

#this is the HTTPS version
<VirtualHost mydomain.local:443>
    DocumentRoot /usr/local/zend/apache2/htdocs/mydomain.com
    ServerName mydomain.local:443
    AllowEncodedSlashes On
</VirtualHost>

When I try to load the site in my browser (FF) using https://mydomain.local/ I get this:

The connection was interrupted The connection to mydomain.local was interrupted while the page was loading.

So I tried this with the openssl command:

$ openssl s_client -connect mydomain.local:443
CONNECTED(00000003)
20743:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/ssl/s23_clnt.c:607:

Additionally, I can get to the site by going to http://mydomain.local:443 but not https.

What does this error mean? Why can't I load my site with HTTPS?

I have a problem with an old project for which I have the following mod_rewrite conditions/rules:

RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]

But .phtml files are being rendered as plain text in the browser.

The problem is that I have some .phtml files within a public directory that are matching the first rewrite condition '-s' (is regular file, with size) and so they're not getting sent to index.php. In fact, the .phtml files are showing as plain text! I need to keep those files there so I can't set deny from all for that directory because it also contains some images and stuff.

I tried this:

RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
RewriteRule \.phtml$ index.php [NC,L]

But it didn't work because it already met the first rewrite condition, so the first rule got applied (to do nothing).

How can I get around that?