我有一个启用了 modsecurity 的网站,但当我403 Forbidden
尝试通过网站访问服务器上的 PDF 文档时,却收到错误。有没有办法将 pdf 文件列入白名单,以允许通过网站提供服务,或者有没有可能的配置选项?
--9a349c55-A--
[14/Aug/2013:10:05:57 --0400] UguOxX8AAQEAAD22d8AAAACN 192.168.1.108 52929 192.168.1.125 80
--9a349c55-B--
GET /pdf/sample.pdf HTTP/1.1
Host: www.example.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Accept: */*
Referer: http://www.example.com/pdf/sample.pdf
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: __utma=143856170.1892623529.1376158518.1376158518.1376158518.1; __utmz=143856170.1376158518.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.834637782.1376487927.1376487927.1376487927.1; __utmb=1.4.10.1376487927; __utmc=1; __utmz=1.1376487927.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Range: bytes=0-32767
--9a349c55-F--
HTTP/1.1 403 Forbidden
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 247
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--9a349c55-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /pdf/sample.pdf
on this server.</p>
</body></html>
--9a349c55-H--
Message: Access denied with code 403 (phase 2). String match "bytes=0-" at REQUEST_HEADERS:Range. [file "/etc/apache2/modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "248"] [id "958291"] [rev "2.2.5"] [msg "Range: field exists and begins with 0."] [data "bytes=0-32767"] [severity "NOTICE"] [tag "RULE_MATURITY/5"] [tag "RULE_ACCURACY/7"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-958291"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "http://www.bad-behavior.ioerror.us/documentation/how-it-works/"]
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1376489157340781 711 (- - -)
Stopwatch2: 1376489157340781 711; combined=247, p1=176, p2=30, p3=0, p4=0, p5=40, sr=31, sw=1, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.5; OWASP_CRS/2.2.5.
Server: Apache
--9a349c55-Z--
答案1
使用 REQUEST_URI 和正则表达式构建规则,并将其放置在配置文件中的适当位置,例如
SecRule REQUEST_URI ".*\.pdf$" phase:1,allow
在这里解释安全的方法并不容易,这取决于您的架构和现在配置 modsecurity 的方式。
答案2
看起来请求被规则 958291 阻止了,该规则假定没有合法的浏览器会将“Range”标头设置为以“0-”开头(我认为这显然是错误的假设 - Firefox 在下载任何大文件时都会这样做 - 但这是另一个话题)。
我建议不要盲目地允许任何 PDF 请求通过而不进行进一步的安全检查(如上面的 GioMac 所建议的那样),而是关闭针对 PDF 的特定规则:
SecRule REQUEST_URI ".*\.pdf\?$" "phase:1,id:1001,nolog,t:urlDecode,t:lowercase,t:normalizePath,ctl:ruleRemoveById=958291"
您还可以对您的网站可能可供下载的 MP4、WEBM 和其他大型二进制文件执行相同的操作:
SecRule REQUEST_URI ".*\.(mp4|webm|pdf)\?$" "phase:1,id:1001,nolog,t:urlDecode,t:lowercase,t:normalizePath,ctl:ruleRemoveById=958291"