
List:       mod-security-users
Subject:    Re: [mod-security-users] question on how to deploy two modsecurity
From:       Yi Li <yi.li26 () gmail ! com>
Date:       2011-08-18 0:32:58
Message-ID: CAJWx_em7FqSp9qzmFQd=7+adrJ76w22qJ4hPar7OSORc9pXPuw () mail ! gmail ! com



Two instances of modsecurity on two instances of httpd actually work fine;
thanks for all your input.

2011/8/17 Brian Kroth <bpkroth@gmail.com>

> Igor Galić <i.galic@brainsware.org> 2011-08-17 00:02:
> 
> > ----- Original Message -----
> > > 
> > > I will appreciate it if someone could let me know whether this is a
> > > supported configuration with modsecurity; if not, will this
> > > configuration work?
> > > 
> > > details:
> > > 
> > > I have an Apache server, which runs 2 instances of httpd at the same
> > > time for some business reason.
> > > Each instance supports a website, and each instance of httpd has its
> > > own httpd.conf.
> > > Now I want to implement modsecurity rules for each of the two
> > > websites.
> > > I plan to install two instances of modsecurity, which will have two
> > > sets of rule files and modsecurity log files for each of the
> > > websites.
> > > The two modsecurity installs will have to share the modsecurity2.so
> > > file, as there is only one Apache/modules directory.
> > 
> > Yes, not only is this supported, it's also a common scenario for
> > ISPs small and big:
> > http://wiki.apache.org/httpd/ExtendingPrivilegeSeparation
> 
> Here's another spin on that technique that seems to play better with a lot
> of off-the-shelf PHP apps without too much fighting with Apache to preserve
> names/ports.
> 
> Most of them get a little squirrelly when they see that they're running on
> a non-standard port.
> 
> So that vhosts are running as their own user, but still on port 80/443, you
> can have each Apache instance bind to its own IPv6 address. With 2^64 per
> subnet to spare, you've got enough to burn :)
> 
> The frontends can happily proxy for IPv4 and/or IPv6 as well.
> 
> Unfortunately, I've found that Apache doesn't like to bind to link-local
> addresses, but you can easily provision yourself a unique site-local prefix
> even if you don't have global IPv6 addresses yet.
> 
> You could probably pull the same trick with RFC 1918 addresses as well.
> 
> Here's another module worth looking at in that scenario:
> http://stderr.net/apache/rpaf/
> 
> Brian
> 
> 
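As an added example (not Brian's or the ModSecurity project's own configuration), here is the layout Brian describes in httpd.conf form: one frontend proxying on the public address, and a per-site backend instance bound to its own unique-local IPv6 address, running as its own user with its own ModSecurity rules and logs while sharing the one mod_security2.so. The public address 203.0.113.10, the fd12:3456:789a:1::/64 prefix, hostnames, users and paths are constructed, and the mod_rpaf directive names assume the 0.6-era module from stderr.net.

```apache
# ---- Frontend instance: owns port 80 on the public address (203.0.113.10 is constructed)
Listen 203.0.113.10:80
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off                 # reverse proxy only, never an open forward proxy

<VirtualHost 203.0.113.10:80>
    ServerName site-a.example.com
    ProxyPreserveHost On          # backend vhost sees the original Host: header
    # mod_proxy appends the client address to X-Forwarded-For for the backend's mod_rpaf
    ProxyPass        / http://[fd12:3456:789a:1::a]:80/
    ProxyPassReverse / http://[fd12:3456:789a:1::a]:80/
</VirtualHost>
<VirtualHost 203.0.113.10:80>
    ServerName site-b.example.com
    ProxyPreserveHost On
    ProxyPass        / http://[fd12:3456:789a:1::b]:80/
    ProxyPassReverse / http://[fd12:3456:789a:1::b]:80/
</VirtualHost>

# ---- Backend instance A: /etc/httpd/site-a/httpd.conf, started with "httpd -f <this file>"
# Own unprivileged user, own pid and log files, own rule set; only the module binary is shared.
Listen [fd12:3456:789a:1::a]:80
User  site-a
Group site-a
PidFile  /var/run/httpd-site-a.pid
ErrorLog /var/log/httpd/site-a/error_log

LoadModule unique_id_module modules/mod_unique_id.so   # ModSecurity 2.x needs UNIQUE_ID
LoadModule security2_module modules/mod_security2.so   # same .so file as instance B
LoadModule rpaf_module      modules/mod_rpaf-2.0.so

SecRuleEngine On
SecAuditEngine RelevantOnly
SecAuditLog /var/log/httpd/site-a/modsec_audit.log     # per-site audit trail
SecDebugLog /var/log/httpd/site-a/modsec_debug.log
SecDebugLogLevel 0
Include /etc/httpd/site-a/modsecurity.d/*.conf         # this site's rules only

RPAFenable On
RPAFsethostname On
# Trust X-Forwarded-For only from the frontend. Since it runs on this host, its connections
# arrive from a local address (assumed here to be the backend's own); list exactly what the
# access_log shows, or anyone reaching the backend directly could forge the client address.
RPAFproxy_ips fd12:3456:789a:1::a

<VirtualHost [fd12:3456:789a:1::a]:80>
    ServerName site-a.example.com
    DocumentRoot /srv/site-a/htdocs
</VirtualHost>
```

Instance B is the same backend file with site-a replaced by site-b and ::a by ::b. Because each backend has its own User, a compromised PHP app on one site cannot read the other site's files, rules or audit log, and each site's ModSecurity audit log records the real client address rather than the frontend's.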






