List:       mod-security-users
Subject:    Re: [mod-security-users] Variable that holds scheme
From:       Ehsan Mahdavi <ehsan.mahdavi () gmail ! com>
Date:       2022-04-16 5:55:59
Message-ID: CAC7V=mxFz5cMhOhcc4+TH5Tw1W8jqNSCg1+KWv4rov0j_z955w () mail ! gmail ! com

Hi Arlen,
The HSTS is not always there (even while using https). Forcing it will
impose restrictions on the problem. Using it means forcing https, which
might not always be desirable.
The REQUEST_URI_RAW, as I've mentioned in previous emails, doesn't do the
job. I've tried that and it's not guaranteed to always contain http(s).

On Fri, Apr 15, 2022 at 11:02 PM Arlen Walker <public@arachnidae.com> wrote:

> Just a couple of thoughts:
>
> You could try looking for the request header for HSTS
> (Strict-Transport-Security). Won't catch all browsers, but if you use it on
> your server it'll catch most of them. (And why wouldn't you use it?)
>
> Doesn't REQUEST_URI_RAW work for this? I thought it gave the full URI as a
> text string.
>
>
> Have fun,
> Arlen
>
> On Apr 14, 2022, at 3:12 AM, Ehsan Mahdavi <ehsan.mahdavi@gmail.com>
> wrote:
>
> 
> Hi Ervin,
>
> The env.ssl_cipher or something like that sounds good, if it works in Nginx.
> I'll try that and get back to you.
>
> On Wed, Apr 13, 2022 at 3:51 PM Ervin Hegedüs <airween@gmail.com> wrote:
>
>> Hi there,
>>
>> On Wed, Apr 13, 2022 at 12:04:39PM +0100, Andrew Howe wrote:
>> >
>> > What are you trying to achieve? Are you trying to answer the question
>> > "did this request come in as plain text HTTP or has TLS termination
>> > been performed", and then treat the two cases differently?
>>
>> maybe (the official poster) should try the ENV variable:
>>
>> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#ENV
>>
>> See the example:
>>
>> # Reading an environment variable from other Apache module (mod_ssl)
>> SecRule TX:ANOMALY_SCORE "@gt 0" "phase:5,id:16,msg:'%{env.ssl_cipher}'"
>>
>>
>> and the comment below:
>>
>> Note : Use setenv to set environment variables to be accessed by Apache.
>>
>>
>> As far as I know, ENV works in libmodsecurity too, but I have no idea
>> how it can be set through Nginx (if that is the server).
>>
> _______________________________________________
> mod-security-users mailing list
> mod-security-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>


-- 
                        regards
                  Ehsan Mahdavi
         Computer Engineering Ph.D.
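
The point about REQUEST_URI_RAW above, as an added example that is not part of the original message or of ModSecurity: a scheme appears on the HTTP/1.1 request line only when the client sends an absolute-form request-target, so a variable derived from the request line cannot report http versus https for ordinary origin-form requests. The request lines and the function names (`classify_target`, `scheme_from_request_line`) are constructed for illustration; even when a scheme is present it is client-supplied text, not evidence of how the connection was transported.

```python
# Added example: classify the request-target of an HTTP/1.1 request line
# (RFC 9112, section 3.2) and report a scheme only when the client sent one.
from urllib.parse import urlsplit

# Constructed sample request lines (not taken from the thread).
SAMPLES = [
    "GET /index.php?p=X HTTP/1.1",                        # origin-form
    "GET http://www.example.com/index.php?p=X HTTP/1.1",  # absolute-form
    "GET https://www.example.com/ HTTP/1.1",              # absolute-form
    "CONNECT www.example.com:443 HTTP/1.1",               # authority-form
    "OPTIONS * HTTP/1.1",                                 # asterisk-form
]


def classify_target(request_line):
    """Return (form, scheme); scheme is None unless the target is absolute-form."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    if target == "*":
        return ("asterisk-form", None)
    if target.startswith("/"):
        # The common case: path and query only, no scheme or host.
        return ("origin-form", None)
    if method == "CONNECT":
        # host:port only; still no scheme on the request line.
        return ("authority-form", None)
    split = urlsplit(target)
    if split.scheme and split.netloc:
        # The scheme here is whatever the client typed, not the transport used.
        return ("absolute-form", split.scheme.lower())
    raise ValueError("unrecognised request-target")


def scheme_from_request_line(request_line):
    """Scheme as written by the client, or None when the request line has none."""
    return classify_target(request_line)[1]


if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", classify_target(line))
```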





