~ubuntu-branches/ubuntu/natty/libapache-mod-security/natty-updates

Viewing changes to httpd.conf.example-full

Committer: Bazaar Package Importer
Author(s): Alberto Gonzalez Iniesta
Date: 2005-04-10 12:28:03 UTC
mfrom: (1.1.1 upstream)
Revision ID: james.westby@ubuntu.com-20050410122803-nm4vr14v0qf3i297

Tags: 1.8.7-1

http://bugs.debian.org/285365

http://bugs.debian.org/304195

http://bugs.debian.org/304196

http://bugs.debian.org/304445

* New upstream release. (Closes: #285365)
* Fixes several security issues, thus the urgency.
* Set proper permissions on test suite scripts (Closes: #304195)
* Corrected minor typo in README.Debian (Closes: #304196)
* debian/control: Reworded packages descriptions to be more useful.
(Closes: #304445)

Show diffs side-by-side

added added

removed removed

httpd.conf.example-full

# Turn the filtering engine On or Off

SecFilterEngine On

# Make sure that URL encoding is valid

SecFilterCheckURLEncoding On

# Only allow bytes from this range

SecFilterForceByteRange 32 126

# The audit engine works independently and

# can be turned On of Off on the per-server or

# on the per-directory basis. "On" will log everything,

# "DynamicOrRelevant" will log dynamic requests or violations,

# and "RelevantOnly" will only log policy violations

SecAuditEngine RelevantOnly

# The name of the audit log file

SecAuditLog /var/log/apache/audit.log

SecFilterDebugLog /var/log/apache/modsec_debug.log

SecFilterDebugLevel 0

# Should mod_security inspect POST payloads

SecFilterScanPOST On

# Action to take by default

SecFilterDefaultAction "deny,log,status:500"

# Redirect user on filter match

SecFilter xxx redirect:http://127.0.0.1

# Execute the external script on filter match

SecFilter yyy log,exec:/usr/share/mod-security/report-attack.pl

# Simple filter

SecFilter 111

# Only check the QUERY_STRING variable

SecFilterSelective QUERY_STRING 222

# Only check the body of the POST request

SecFilterSelective POST_PAYLOAD 333

# Only check arguments (will work for GET and POST)

SecFilterSelective ARGS 444

# Test filter

SecFilter "/cgi-bin/modsec-test.pl/keyword"

# Another test filter, will be denied with 404 but not logged

# action supplied as a parameter overrides the default action

SecFilter 999 "deny,nolog,status:500"

# Prevent OS specific keywords

SecFilter /etc/passwd

# Prevent path traversal (..) attacks

SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags

SecFilter "<[[:space:]]*script"

# Prevent XSS atacks (HTML/Javascript injection)

SecFilter "<(.|\n)+>"

# Very crude filters to prevent SQL injection attacks

SecFilter "delete[[:space:]]+from"

SecFilter "insert[[:space:]]+into"

SecFilter "select.+from"

# Require HTTP_USER_AGENT and HTTP_HOST headers

SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Forbid file upload

SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data

# Only watch argument p1

SecFilterSelective "ARG_p1" 555

# Watch all arguments except p1

SecFilterSelective "ARGS|!ARG_p2" 666

# Only allow our own test utility to send requests (or Mozilla)

SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)"

# Do not allow variables with this name

SecFilterSelective ARGS_NAMES 777

# Do now allow this variable value (names are ok)

SecFilterSelective ARGS_VALUES 888

# Test for a POST variable parsing bug, see test #41

SecFilterSelective ARG_p2 AAA

# Stop spamming through FormMail

# note the exclamation mark at the beginning

100

# of the filter - only requests that match this regex will

101

# be allowed

102

103

SecFilterSelective "ARG_recipient" "!@webkreator.com$"

104

</Location>

105

106

# when allowing upload, only allow images

107

# note that this is not foolproof, a determined attacker

108

# could get around this

109

110

SecFilterInheritance Off

111

SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)"

112

</Location>

113

114

</IfModule>

Older »