I have a directory/site setup like this on my Apache/2.2.19 (Win32) server using mod_security + core ruleset/2.2.1:
/website1/login.php
/website2/login.php
/website3/login.php
/websiteN/login.php
In my modsecurity_crs_10_config.conf I have:
setvar:'tx.brute_force_protected_urls=login.php'
The problem is that it won't work unless I type in the full path for each of the login.php pages, like so:
setvar:'tx.brute_force_protected_urls=/website1/login.php /website2/login.php andSoOn'
I have tried other ways with RegEx to work around it (e.g. /(.*)/login.php) but I can't seem to get it.
So the question is basically: how do you enforce BFP on all pages called login.php on the server?
Thanks.
Best Answer
Try this:
If it doesn't work, I suggest enabling debug to see what the logs say.
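
Added example, not part of the original question or answer: a Python model of why the short value fails, assuming the CRS brute-force rules compare REQUEST_FILENAME to tx.brute_force_protected_urls with the @within operator (an assumption about the rule file; check your copy). The function names and sample paths are constructed; the last two functions show that substring matching on the basename over-matches and that an exact-entry comparison does not.

```python
import posixpath

# Constructed sample values, modelled on the layout in the question.
PROTECTED_SHORT = "login.php"
PROTECTED_FULL = "/website1/login.php /website2/login.php"


def within(needle: str, haystack: str) -> bool:
    """Model of @within: true when the inspected value (needle)
    occurs anywhere inside the operator parameter (haystack)."""
    return needle in haystack


def gated_by_filename(path: str, protected: str) -> bool:
    """Assumed CRS behaviour: REQUEST_FILENAME is tested with @within.
    The full path must itself be a substring of the protected list."""
    return within(path, protected)


def gated_by_basename(path: str, protected: str) -> bool:
    """Same operator, but inspecting the file part only
    (what ModSecurity exposes as REQUEST_BASENAME)."""
    return within(posixpath.basename(path), protected)


def gated_exact(path: str, protected: str) -> bool:
    """Stricter model: the basename must equal one whole
    whitespace-separated entry of the protected list."""
    return posixpath.basename(path) in protected.split()


def compare(paths, protected):
    """Return {path: (filename_within, basename_within, basename_exact)}."""
    return {
        p: (gated_by_filename(p, protected),
            gated_by_basename(p, protected),
            gated_exact(p, protected))
        for p in paths
    }


if __name__ == "__main__":
    sample = ["/website1/login.php", "/website3/login.php", "/website3/in.php"]
    for path, flags in compare(sample, PROTECTED_SHORT).items():
        print(path, flags)
```

In this model "/website1/login.php" is not a substring of "login.php", which matches the behaviour described in the question, while a file named in.php would be treated as protected by the substring test on the basename.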