Security – Apache2 mod_security simple default deny rules for specific directory

Tags: apache-2.2, mod-security, Security, web-application-firewall

How to configure the simplest useful default-deny rule set for mod_security?

I want to configure mod_security to allow only very specific queries to single directory:

In short: I use Apache as a reverse proxy for the directory /web_app/; in this directory there will be a single PHP file named get.php. I want to pass to this script only queries that match the following regular expression:

get\.php\?ver=1&id=[a-f\d]{16,16}&v=[-.a-z\d\ ]{1,20}

In other words, queries with three fields only: id, ver and v, where the first is the digit 1, the second a 16-digit hexadecimal and the third a string at most 20 characters long consisting of letters, numbers, dots, hyphens and spaces.
It has to deny or remove from queries anything but POST and GET values, that is: file uploads, cookies, all non-essential headers, values other than the 3 specified, etc…

I don't want to change the way any other directories work, just /web_app/. Filtering out wrong UTF or URL escaping/encoding is not a problem, so enabling mod_security shouldn't be a problem in itself.

Best Answer

For filtering the arguments, there is a much simpler way than using regular expressions on the whole URI:

<Location /web_app>
  # Deny any argument whose name is not one of the three expected ones
  SecFilterSelective ARG_NAMES "!^(id|ver|v)$"
  # Each value must match its whole pattern; the closing $ stops a longer
  # value that merely starts with a valid prefix from slipping through
  SecFilterSelective ARG_ver   "!^1$"
  SecFilterSelective ARG_id    "!^[a-f\d]{16,16}$"
  SecFilterSelective ARG_v     "!^[-\.a-z\d\ ]{1,20}$"

  # Here the same for the request type
  SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST)$"
</Location>

This will match any argument NOT in the list, and only under /web_app.

You could find good examples in the mod_security documentation: http://www.modsecurity.org/documentation/modsecurity-apache/1.9.3/html-multipage/09-examples.html

All other parameters can be found there as well.
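To check a rule set like the one above before deploying it, the following added example (not part of the answer or of mod_security) mirrors the `!`-negated SecFilterSelective semantics in Python and runs constructed requests through both the posted patterns and the same patterns without a closing `$`, which shows why the anchor matters for ARG_id and ARG_v. The request samples and the `check_request` helper are constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed mirror of the answer's rules: a leading "!" means the rule
# fires (denies) when the pattern does NOT match, as in mod_security 1.x.
RULES_ANCHORED = {
    "ARG_NAMES": r"!^(id|ver|v)$",
    "ARG_ver": r"!^1$",
    "ARG_id": r"!^[a-f\d]{16,16}$",
    "ARG_v": r"!^[-\.a-z\d\ ]{1,20}$",
    "REQUEST_METHOD": r"!^(GET|HEAD|POST)$",
}
# The same rules with ARG_id and ARG_v left open at the end.
RULES_UNANCHORED = {**RULES_ANCHORED,
                    "ARG_id": r"!^[a-f\d]{16,16}",
                    "ARG_v": r"!^[-\.a-z\d\ ]{1,20}"}

def _rule_fires(pattern, value):
    """True when the rule denies the value (search semantics, like PCRE)."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    matched = re.search(regex, value) is not None
    return matched != negate

def check_request(method, uri, rules):
    """Return the names of the rules that fire; [] means the request passes."""
    parts = urlsplit(uri)
    if not parts.path.startswith("/web_app"):
        return []  # rules are scoped to <Location /web_app>
    fired = []
    if _rule_fires(rules["REQUEST_METHOD"], method):
        fired.append("REQUEST_METHOD")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if _rule_fires(rules["ARG_NAMES"], name):
            fired.append(f"ARG_NAMES:{name}")
        pattern = rules.get(f"ARG_{name}")
        if pattern and _rule_fires(pattern, value):
            fired.append(f"ARG_{name}")
    return fired

if __name__ == "__main__":
    # Constructed sample: an 18-digit id passes the unanchored rule set
    long_id = "/web_app/get.php?ver=1&id=0123456789abcdef00&v=x"
    print("anchored  :", check_request("GET", long_id, RULES_ANCHORED))
    print("unanchored:", check_request("GET", long_id, RULES_UNANCHORED))
```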
