How to configure the simplest useful default-deny rule set for mod_security?
I want to configure mod_security to allow only very specific queries to a single directory:
In short: I use Apache as a reverse proxy for directory /web_app/, in this directory will be a single PHP file named get.php. I want to pass to this script only queries that match the following regular expression:
get\.php\?ver=1&id=[a-f\d]{16,16}&v=[-.a-z\d\ ]{1,20}
In other words, queries with three fields only: id, ver and v. Where first is a digit 1, the second a 16 digit hexadecimal and the third is a string at most 20 characters long with letters, numbers, dots, hyphens and space.
It has to deny or remove from queries anything but POST and GET values, that is: file uploads, cookies, all non-essential headers, values other than the 3 specified, etc…
I don't want to change the way any other directories work, just /web_app/. Filtering out wrong UTF or URL escaping/encoding is not a problem, so enabling mod_security shouldn't be a problem in itself.
Best Answer
For filtering the arguments, there is a much simpler way than using regular expressions on the whole URI:
Will match on any argument NOT in the list only under /web_app. You could find good examples in the mod_security documentation: http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/09-examples.html
All other parameters could be found there also.
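
An added example, not part of the original answer, of a default-deny rule set for the three parameters in the question, scoped to /web_app/ only. It assumes ModSecurity 2.x syntax (the documentation linked above is for 1.9.3, which uses different directives) and that mod_headers is loaded; the rule ids 10001-10010 are constructed.

```apache
# Added example: default-deny for /web_app/get.php (ModSecurity 2.x assumed).
# Rule ids are constructed placeholders; pick ids from your own range.
<Location "/web_app/">
    SecRuleEngine On
    # Parse request bodies so POST arguments and uploads are visible to the rules.
    SecRequestBodyAccess On

    # Only GET and POST are accepted.
    SecRule REQUEST_METHOD "!@rx ^(?:GET|POST)$" \
        "id:10001,phase:2,deny,status:403,log,msg:'Method not allowed'"

    # Only get.php may be requested in this directory.
    SecRule REQUEST_FILENAME "!@rx ^/web_app/get\.php$" \
        "id:10002,phase:2,deny,status:403,log,msg:'Unexpected path'"

    # Reject any argument whose name is not on the allow-list.
    SecRule ARGS_NAMES "!@rx ^(?:ver|id|v)$" \
        "id:10003,phase:2,deny,status:403,log,msg:'Unexpected argument name'"

    # Each allowed argument must be present exactly once
    # (this also blocks duplicated parameters).
    SecRule &ARGS:ver "!@eq 1" \
        "id:10004,phase:2,deny,status:403,log,msg:'ver missing or repeated'"
    SecRule &ARGS:id "!@eq 1" \
        "id:10005,phase:2,deny,status:403,log,msg:'id missing or repeated'"
    SecRule &ARGS:v "!@eq 1" \
        "id:10006,phase:2,deny,status:403,log,msg:'v missing or repeated'"

    # Value formats, taken from the regular expression in the question.
    SecRule ARGS:ver "!@rx ^1$" \
        "id:10007,phase:2,deny,status:403,log,msg:'Bad ver value'"
    SecRule ARGS:id "!@rx ^[a-f\d]{16}$" \
        "id:10008,phase:2,deny,status:403,log,msg:'Bad id value'"
    SecRule ARGS:v "!@rx ^[-.a-z\d ]{1,20}$" \
        "id:10009,phase:2,deny,status:403,log,msg:'Bad v value'"

    # No file uploads.
    SecRule &FILES "!@eq 0" \
        "id:10010,phase:2,deny,status:403,log,msg:'File upload not allowed'"

    # Strip cookies before the request is proxied (mod_headers).
    RequestHeader unset Cookie
</Location>
```

Running with `SecRuleEngine DetectionOnly` first and reviewing the audit log shows which legitimate requests would be blocked before the rules are enforced.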