List: mod-security-users
Subject: Re: [mod-security-users] Re: Variable that
From: Ehsan Mahdavi <ehsan.mahdavi () gmail ! com>
Date: 2022-04-15 13:24:08
Message-ID: CAC7V=mxkgYj_1Nja=LY8pxrFjk4SY0SXGdC006m=b3wcQm+Mgg () mail ! gmail ! com
Dear huiming, hi
Do you think that there is a variable in the config, or do you suggest editing
the source code?
On Fri, Apr 15, 2022 at 6:28 AM huiming via mod-security-users <
mod-security-users@lists.sourceforge.net> wrote:
>
>
> Seems the scheme can be obtained from ngx_http_request_s->schema
>
>
> ------------------ Original Message ------------------
> *From:* "huiming" <877509395@qq.com>;
> *Sent:* April 15, 2022 (Friday) 9:01 AM
> *To:* "mod-security-users"<mod-security-users@lists.sourceforge.net>;
> *Subject:* Re: [mod-security-users] Variable that holds scheme
>
> Seems https://github.com/SpiderLabs/ModSecurity-nginx does not copy the
> scheme from nginx to ModSecurity.
>
> So mod cannot get it.
>
>
> ------------------ Original Message ------------------
> *From:* "mod-security-users" <ehsan.mahdavi@gmail.com>;
> *Sent:* April 14, 2022 (Thursday) 4:37 PM
> *To:* "mod-security-users"<mod-security-users@lists.sourceforge.net>;
> *Subject:* Re: [mod-security-users] Variable that holds scheme
>
> Hi Andrew
>
> Yes, I am trying to answer the question, but not to treat them
> differently. I just need to log the scheme in the ModSecurity Audit log.
> I have tried different variables like REQUEST_URI
> <https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#REQUEST_URI>,
> REQUEST_URI_RAW
> <https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#REQUEST_URI_RAW>,
> etc. None of them contain the scheme!
>
>
> On Wed, Apr 13, 2022 at 3:38 PM Andrew Howe <andrew.howe@loadbalancer.org>
> wrote:
>
>> Hi Ehsan,
>>
>> > This question might look basic, but I could not find the variable that
>> holds or contains the (http|https) scheme.
>>
>> Where are you trying to pull the scheme from? The scheme isn't
>> typically* transmitted in an HTTP request.
>>
>> A URL will usually be broken up into an HTTP request line and a Host
>> header, which usually looks something like:
>>
>> GET /docs/ HTTP/2
>> Host: coreruleset.org
>>
>> No scheme/protocol.
>>
>> What are you trying to achieve? Are you trying to answer the question
>> "did this request come in as plain text HTTP or has TLS termination
>> been performed", and then treat the two cases differently?
>>
>> Thanks,
>> Andrew
>>
>>
>> *You may find request lines containing a full 'absolute URI' which
>> includes the scheme, for example with a proxy server.
>> --
>>
>> Andrew Howe
>> Loadbalancer.org Ltd.
>> www.loadbalancer.org
>> +1 888 867 9504 / +44 (0)330 380 1064
>>
>>
>> _______________________________________________
>> mod-security-users mailing list
>> mod-security-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
>>
>
>
> --
> regards
> Ehsan Mahdavi
> Computer Engineering Ph.D.
--
regards
Ehsan Mahdavi
Computer Engineering Ph.D.
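
Added example, not part of any message in this thread: a small Python sketch of the point made in the quoted reply about request lines. It classifies the request-target, shows that a scheme appears only in absolute-form, and treats that value as client-supplied. `conn_is_tls` and all function names are hypothetical; they are not ModSecurity or nginx identifiers.

```python
import re
from typing import NamedTuple, Optional

# scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), followed here by "://"
_ABSOLUTE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")

class Target(NamedTuple):
    form: str               # "origin", "absolute", "authority" or "asterisk"
    scheme: Optional[str]   # present only when the client sent absolute-form

def classify_request_line(line: str) -> Target:
    """Classify the request-target of an HTTP request line."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {line!r}")
    method, target, _version = parts
    if target == "*":
        return Target("asterisk", None)       # e.g. OPTIONS * HTTP/1.1
    if method == "CONNECT":
        return Target("authority", None)      # host:port, no scheme
    match = _ABSOLUTE.match(target)
    if match:
        return Target("absolute", match.group(1).lower())
    if target.startswith("/"):
        return Target("origin", None)         # the usual case: path only
    raise ValueError(f"unrecognised request-target: {target!r}")

def scheme_for_log(line: str, conn_is_tls: bool) -> dict:
    """Build a log record. conn_is_tls is a hypothetical flag supplied by
    whatever terminated the connection; it is not a ModSecurity variable."""
    target = classify_request_line(line)
    actual = "https" if conn_is_tls else "http"
    return {
        "form": target.form,
        "scheme": actual,             # derived from the connection
        "claimed": target.scheme,     # sent by the client, untrusted
        "mismatch": target.scheme is not None and target.scheme != actual,
    }

# Constructed sample request lines; the first is the one quoted in the thread.
SAMPLES = [
    ("GET /docs/ HTTP/2", True),
    ("GET http://coreruleset.org/docs/ HTTP/1.1", True),
    ("OPTIONS * HTTP/1.1", False),
]

if __name__ == "__main__":
    for line, tls in SAMPLES:
        print(line, "->", scheme_for_log(line, tls))
```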