Home / user-71046

Hrvoje Špoljar's questions

Martin Hope
Hrvoje Špoljar
Asked: 2014-08-14 05:54:08 +0800 CST
  • 3

I'm trying to craft a rule which would match certain regex in POST requests.

Rule I have so far looks like;

SecRule REQUEST_FILENAME "form.php" \
  "id:'12345',chain,deny,status:406,log,msg:'foobar detected'"
SecRule REQUEST_METHOD "POST" chain
SecRule REQUEST_BODY "@rx (?i:(bad|words|to|be|blocked))"

Rule works when content type is not 'text/xml'

I'm testing with curl like

curl -vs http://domain.tld/form.php -d 'blocked'

However when I set 'Content-Type:text/xml'; rules fails to match; testing with

curl -vs http://domain.tld/form.php -H "Content-Type:text/xml" -d 'blocked'

There is additional rule which sets REQBODY_PROCESSOR to XML if content type 'text/xml' is found in headers. I'm interested to see how matching policy changes with different REQBODY_PROCESSOR because obviously when REQBODY_PROCESSOR is not XML (when Content-Type is ommited; rules match). I tried forcing other REQBODY_PROCESSOR options to get the rule chain working but without success.

mod-security
Martin Hope
Hrvoje Špoljar
Asked: 2011-07-07 15:14:28 +0800 CST
  • 7

I found this in my apache access logs 

access.log:555.555.555.555 - - [05/May/2011:12:12:21 -0400] "GET /somedir/ HTTP/1.1" 403 291 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"
access.log:555.555.555.555 - - [05/May/2011:12:12:29 -0400] "GET /somedir/ HTTP/1.1" 200 7629 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0"

So /somedir/ has .htaccess file which looks like 

Order Deny,Allow
Deny from all
Allow from 333.333.333.333
Allow from 444.444.444.444

htaccess was not modified within timeframe (8 seconds between 12:12:21 and 12:12:29

Any ideas how this is possible to hit 403 Forbidden and then 8 sec later 200 OK; I'm puzzled

apache-2.2 hacking .htaccess
Martin Hope
Hrvoje Špoljar
Asked: 2011-05-03 05:54:56 +0800 CST
  • 2

How to make nginx proxy php to fastcgi evenly on all cores.

Top shows usage of only 2 cores when I try to stress test configuration.

Cpu0  : 62.6%us, 14.9%sy,  0.0%ni, 18.5%id,  0.3%wa,  0.0%hi,  3.6%si,  0.0%st
Cpu1  : 57.1%us, 11.0%sy,  0.0%ni, 31.2%id,  0.0%wa,  0.0%hi,  0.7%si,  0.0%st
Cpu2  :  1.3%us,  0.7%sy,  0.0%ni, 97.0%id,  0.0%wa,  0.0%hi,  1.0%si,  0.0%st
Cpu3  :  2.0%us,  1.7%sy,  0.0%ni, 95.7%id,  0.0%wa,  0.0%hi,  0.7%si,  0.0%st

I got 

worker_processes  20;

Set in nginx.conf

Start fast cgi with 

spawn-fcgi -s /tmp/php.sock -f /usr/sbin/php -u nobody -g nogroup -U nobody -G nogroup -C 160 -P /var/run/spawn-fcgi.pid

And proxy block in nginx.conf that calls fast cgi is 

location ~ \.php$
{
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php.sock;
        fastcgi_param SCRIPT_FILENAME /var/www/$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_script_name;
}
fastcgi nginx