Log in

No account? Create an account

Previous Web | Next Web

Apache's mod_security is a pain in the bum!!!

I'm sure (actually, I'm not, see below...) its potentially useful on a production box, but I don't have a production, I have a devel box, and its peeing me off no end!!!

It won't even allow me to set Options Indexes and for mod_autoindex to then do its job... it blocks the output with a 403 Forbidden... The audit log then states that the reason for blocking is because its a Unix directory index.... now, if I didn't want the indexes to be shown, I wouldn't have them specified in the master Apache config now would I??

It also blocked some of the mod_rewrite documentation from the Apache manual (specifically the Rewrite Guide and Advanced Guide files)... This time audit shows that these files are apparently leaking PHP source....... so if you wanted to actually show PHP source (say you want to do "this code gives this output... type tutorials"), its quite likely to block that... I mean, the Rewrite guides aren't even PHP and they're getting blocked!!! (although its probably something to do with having PCRE-type RegExs in the pages....))

So I would say that there is a reasonably possibility that mod_security could block legitimate content on a production system.

So I've disabled it... its just too much of a pain!

(BTW, this is on a Fedora 8 using a slightly tweaked out-of-the-box Apache config... the stuff Fedora enable is still generally turned on, the tweaking is more to do with creating VirtualHosts for development purposes... as I said, this is a devel box... it shouldn't need a tied-down-tight secure setup... and I suspect that if you left Fedora's config as-supplied, and with mod_security turned on, you don't have a very secure system... and you'll have insane amounts of log files for mod_security as well, because it logs every access of a text-type file (ie, text/plain is logged as well as text/html)... and in some detail... like, it appears to log the request, the response header that was sent, the response content that either was or would have been sent to the client if mod_security let it, and a message from mod_security to say why it blocked something.... just in 24 hours with only me accessing the webserver, and not very often at that (and probably for only about 8 hours of that 24), I've got about 100k of log file... I dread to think how big it would get and how fast on a public-accessible box.....!)