这是我第一次遇到这样的问题。我有一个使用 的 apache2 后面的 java 应用程序设置mod_ajp on 8009
。我注意到我无法获取客户端的 IP,因此我创建了另一个虚拟主机文件并切换到mod_jk
。然后我使用 禁用了虚拟主机mod_ajp
。所以我的mod_jk
一直运行良好,直到我开始从粉丝俱乐部我已经应用了notpad2.blogpost.com 我仍然很好。今天早上,我看到了 modsecu_audit.log 文件中的日志:
Action: Intercepted (phase 1)
Stopwatch: 1394809780952048 3090 (- - -)
Stopwatch2: 1394809780952048 3090; combined=812, p1=492, p2=0, p3=0, p4=0, p5=253, sr=143, sw=67, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.3 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.
Server: Apache
WebApp-Info: "default" "C35A8A3AB916218E923E5A8E6A73595B" ""
--81b0e75f-Z--
在虚拟主机 error.log 上,我有以下错误
[Thu Mar 13 11:18:43 2014] [error] [client xxx.xxx.xxx.xxx] client denied by server configuration:
[Thu Mar 13 11:18:44 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). String match "HTTP/1.1" at REQUEST_PROTOCOL. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "220"] [id "960020"] [rev "2.2.5"] [msg "Pragma Header requires Cache-Control Header for HTTP/1.1 requests."] [severity "NOTICE"] [tag "RULE_MATURITY/5"] [tag "RULE_ACCURACY/7"] [tag "https://www.owasp.org/index.php/ModSecurity_CRS_RuleID-960020"] [tag "PROTOCOL_VIOLATION/INVALID_HREQ"] [tag "http://www.bad-behavior.ioerror.us/documentation/how-it-works/"] [hostname "mysite.com"] [uri "/"] [unique_id "UyGUFAqzjt0AADfWBbEAAAAA"]
[Thu Mar 13 11:23:52 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 2). Operator EQ matched 0 at REQUEST_HEADERS. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "47"] [id "960015"] [rev "2.2.5"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [hostname "mysite.com"] [uri "/"] [unique_id "UyGVSAqzjt0AADfWBbIAAAAH"]
在主 apache error.log 上我有:
[Fri Mar 14 15:07:11 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash"
required. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data
Changed - IP Address Mismatch."] [hostname "mysite.com"] [uri "/"] [unique_id "UyMbH8QokBEAAH5mFvgAAAAB"]
[Fri Mar 14 15:09:35 2014] [notice] SIGUSR1 received. Doing graceful restart
[Fri Mar 14 15:09:36 2014] [notice] Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1 mod_jk/1.2.32 configured -- resuming normal operations
[Fri Mar 14 15:09:40 2014] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Access denied with code 403 (phase 1). Match of "streq %{SESSION.IP_HASH}" against "TX:ip_hash"
required. [file "/etc/modsecurity/owasp-crs/activated_rules/modsecurity_crs_16_session_hijacking.conf"] [line "35"] [id "981059"] [msg "Warning - Sticky SessionID Data
Changed - IP Address Mismatch."] [hostname "mysite.com"] [uri "/"] [unique_id "UyMbtMQokBEAAH7dJ3sAAACB"
我已经禁用了 modsecurity,但它现在显示默认索引页“它有效”。我甚至重新激活了已知有效的虚拟主机,mod_ajp
但它们似乎都不再有效了。
我知道页面被阻止了等等,但我不明白为什么反向代理会停止工作。
问题 1这是一个已知问题还是错误配置?
问题2我如何恢复虚拟主机?快速修复方法是删除 modsecurity(尽管我没有看到相关性)。
欢迎提出任何建议。谢谢
答案1
MOD 安全在请求实际到达 Apache 逻辑之前就开始起作用,因此反向代理有可能无法工作。在遇到类似情况时,我所做的就是分析错误消息显示的内容
因此,对于第一个错误,您可以做的是检查此文件
activated_rules/modsecurity_crs_20_protocol_violations.conf"]
和 ID
[id "960020"}
并检查规则实际在做什么,您可以编辑它以匹配您的请求,因此不会导致它被阻止。立即修复是删除此规则(您可以将其删除或进行配置以使其被接受
如果您需要帮助来了解 CRS,请告诉我