-rw-r--r-- | sca-cpp/trunk/modules/http/Makefile.am | 2 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/http-test | 1 | ||||
-rw-r--r-- | sca-cpp/trunk/modules/http/http.hpp | 30 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/httpd-test | 1 | ||||
-rw-r--r-- | sca-cpp/trunk/modules/http/httpd.hpp | 10 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/mod-security-audit-conf | 44 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/mod-security-conf | 21 | ||||
-rwxr-xr-x | sca-cpp/trunk/modules/http/proxy-test | 1 |
8 files changed, 73 insertions, 37 deletions
diff --git a/sca-cpp/trunk/modules/http/Makefile.am b/sca-cpp/trunk/modules/http/Makefile.am
index 161279a73f..4fd7cc0818 100644
--- a/sca-cpp/trunk/modules/http/Makefile.am
+++ b/sca-cpp/trunk/modules/http/Makefile.am
@@ -76,7 +76,7 @@ if WANT_MODSECURITY
 modsecurity.prefix: $(top_builddir)/config.status
 echo ${MODSECURITY_PREFIX} >modsecurity.prefix
-dist_modsecurity_SCRIPTS = mod-security-conf
+dist_modsecurity_SCRIPTS = mod-security-conf mod-security-audit-conf
 modsecurity_DATA = modsecurity.prefix
 modsecuritydir = $(prefix)/modules/http
diff --git a/sca-cpp/trunk/modules/http/http-test b/sca-cpp/trunk/modules/http/http-test
index 73cfe700a6..956b13a516 100755
--- a/sca-cpp/trunk/modules/http/http-test
+++ b/sca-cpp/trunk/modules/http/http-test
@@ -18,6 +18,7 @@
 # under the License.
 # Setup
+rm -rf tmp
 ./httpd-conf tmp localhost 8090 htdocs
 ./httpd-event-conf tmp
 ./httpd-start tmp
diff --git a/sca-cpp/trunk/modules/http/http.hpp b/sca-cpp/trunk/modules/http/http.hpp
index eb7a8d506f..e8c88f8a83 100644
--- a/sca-cpp/trunk/modules/http/http.hpp
+++ b/sca-cpp/trunk/modules/http/http.hpp
@@ -371,7 +371,7 @@ template<typename R> const failable<list<R> > apply(const list<list<string> >& h
 // Setup the CURL session
 const failable<CURL*> fch = setup(url, cs);
 if (!hasContent(fch))
- return mkfailure<list<R>>(reason(fch));
+ return mkfailure<list<R>>(fch);
 CURL* ch = content(fch);
 // Set the request headers
@@ -440,19 +440,19 @@ const failable<value> evalExpr(const value& expr, const string& url, const CURLS
 js::JSContext cx;
 const failable<list<string> > jsreq = json::jsonRequest(1, car<value>(expr), cdr<value>(expr), cx);
 if (!hasContent(jsreq))
- return mkfailure<value>(reason(jsreq));
+ return mkfailure<value>(jsreq);
 // POST it to the URL
 const list<string> h = mklist<string>("Content-Type: application/json-rpc");
 const failable<list<list<string> > > res = apply<list<string> >(mklist<list<string> >(h, content(jsreq)), rcons<string>, list<string>(), url, "POST", cs);
 if (!hasContent(res))
- return mkfailure<value>(reason(res));
+ return mkfailure<value>(res);
 // Parse and return JSON-RPC result
 const failable<value> rval = json::jsonResultValue(cadr<list<string> >(content(res)), cx);
 debug(rval, "http::evalExpr::result");
 if (!hasContent(rval))
- return mkfailure<value>(reason(rval));
+ return mkfailure<value>(rval);
 return content(rval);
 }
@@ -513,7 +513,7 @@ const failable<value> getcontent(const string& url, const CURLSession& cs) {
 // Get the contents of the resource at the given URL
 const failable<list<list<string> > > res = get<list<string>>(rcons<string>, list<string>(), url, cs);
 if (!hasContent(res))
- return mkfailure<value>(reason(res));
+ return mkfailure<value>(res);
 const list<string> ls(reverse(cadr(content(res))));
 // Return the content as a list of values
@@ -597,7 +597,7 @@ const failable<value> get(const string& url, const CURLSession& cs) {
 // Get the contents of the resource at the given URL
 const failable<list<list<string> > > res = get<list<string> >(rcons<string>, list<string>(), url, cs);
 if (!hasContent(res))
- return mkfailure<value>(reason(res));
+ return mkfailure<value>(res);
 // Parse the returned content
 return responseValue(content(res));
@@ -608,7 +608,7 @@ const failable<value> get(const string& url, const CURLSession& cs) {
 */
 const failable<list<list<string> > > writeRequest(const failable<list<string> >& ls, const string& ct) {
 if (!hasContent(ls))
- return mkfailure<list<list<string> > >(reason(ls));
+ return mkfailure<list<list<string> > >(ls);
 const list<list<string> > req = mklist<list<string> >(mklist<string>(string("Content-Type: ") + ct), content(ls));
 debug(req, "http::writeRequest::req");
 return req;
@@ -695,13 +695,13 @@ const failable<value> post(const value& val, const string& url, const CURLSessio
 // Convert value to a content request
 const failable<list<list<string> > > req = contentRequest(val, url);
 if (!hasContent(req))
- return mkfailure<value>(reason(req));
+ return mkfailure<value>(req);
 debug(content(req), "http::post::input");
 // POST it to the URL
 const failable<list<list<string> > > res = apply<list<string>>(content(req), rcons<string>, list<string>(), url, "POST", cs);
 if (!hasContent(res))
- return mkfailure<value>(reason(res));
+ return mkfailure<value>(res);
 // Return the new entry id from the HTTP location header, if any
 const string loc = location(car(content(res)));
@@ -724,13 +724,13 @@ const failable<value> put(const value& val, const string& url, const CURLSession
 // Convert value to a content request
 const failable<list<list<string> > > req = contentRequest(val, url);
 if (!hasContent(req))
- return mkfailure<value>(reason(req));
+ return mkfailure<value>(req);
 debug(content(req), "http::put::input");
 // PUT it to the URL
 const failable<list<list<string> > > res = apply<list<string> >(content(req), rcons<string>, list<string>(), url, "PUT", cs);
 if (!hasContent(res))
- return mkfailure<value>(reason(res));
+ return mkfailure<value>(res);
 debug(true, "http::put::result");
 return value(true);
@@ -745,13 +745,13 @@ const failable<value> patch(const value& val, const string& url, const CURLSessi
 // Convert value to a content request
 const failable<list<list<string> > > req = contentRequest(val, url);
 if (!hasContent(req))
- return mkfailure<value>(reason(req));
+ return mkfailure<value>(req);
 debug(content(req), "http::patch::input");
 // PATCH it to the URL
 const failable<list<list<string> > > res = apply<list<string> >(content(req), rcons<string>, list<string>(), url, "PATCH", cs);
 if (!hasContent(res))
- return mkfailure<value>(reason(res));
+ return mkfailure<value>(res);
 debug(true, "http::patch::result");
 return value(true);
@@ -766,7 +766,7 @@ const failable<value, string> del(const string& url, const CURLSession& cs) {
 const list<list<string> > req = mklist(list<string>(), list<string>());
 const failable<list<list<string> > > res = apply<list<string> >(req, rcons<string>, list<string>(), url, "DELETE", cs);
 if (!hasContent(res))
- return mkfailure<value>(reason(res));
+ return mkfailure<value>(res);
 debug(true, "http::delete::result");
 return value(true);
@@ -805,7 +805,7 @@ const failable<bool> connect(const string& url, CURLSession& cs) {
 // Setup the CURL session
 const failable<CURL*> fch = setup(url, cs);
 if (!hasContent(fch))
- return mkfailure<bool>(reason(fch));
+ return mkfailure<bool>(fch);
 CURL* ch = content(fch);
 // Connect
diff --git a/sca-cpp/trunk/modules/http/httpd-test b/sca-cpp/trunk/modules/http/httpd-test
index 2b151d0e12..ab6ab5ad41 100755
--- a/sca-cpp/trunk/modules/http/httpd-test
+++ b/sca-cpp/trunk/modules/http/httpd-test
@@ -22,6 +22,7 @@ here=`echo "import os; print os.path.realpath('$0')" | python`; here=`dirname $h
 curl_prefix=`cat $here/../http/curl.prefix`
 # Setup
+rm -rf tmp
 ./httpd-conf tmp localhost 8090 htdocs
 ./httpd-event-conf tmp
 ./httpd-start tmp
diff --git a/sca-cpp/trunk/modules/http/httpd.hpp b/sca-cpp/trunk/modules/http/httpd.hpp
index 718ed6e52b..7147e8839c 100644
--- a/sca-cpp/trunk/modules/http/httpd.hpp
+++ b/sca-cpp/trunk/modules/http/httpd.hpp
@@ -402,7 +402,7 @@ const list<string> read(request_rec* r) {
 */
 const failable<int> writeResult(const failable<list<string> >& ls, const string& ct, request_rec* r) {
 if (!hasContent(ls))
- return mkfailure<int>(reason(ls));
+ return mkfailure<int>(ls);
 ostringstream os;
 write(content(ls), os);
 const string ob(str(os));
@@ -437,8 +437,10 @@ const failable<int> writeResult(const failable<list<string> >& ls, const string&
 */
 const int reportStatus(const failable<int>& rc) {
 debug(rc, "httpd::reportStatus::rc");
- if (!hasContent(rc))
- return HTTP_INTERNAL_SERVER_ERROR;
+ if (!hasContent(rc)) {
+ const int r = rcode(rc);
+ return r == -1 ? HTTP_INTERNAL_SERVER_ERROR : r;
+ }
 return content(rc);
 }
@@ -725,7 +727,7 @@ const bool debugRequest(request_rec* r, const string& msg) {
 return true;
 }
-#define debug_httpdRequest(r, msg) if (debug_islogging()) httpd::debugRequest(r, msg)
+#define debug_httpdRequest(r, msg) do { if (debug_islogging()) httpd::debugRequest(r, msg); } while(0)
 #else
diff --git a/sca-cpp/trunk/modules/http/mod-security-audit-conf b/sca-cpp/trunk/modules/http/mod-security-audit-conf
new file mode 100755
index 0000000000..5914bd1df4
--- /dev/null
+++ b/sca-cpp/trunk/modules/http/mod-security-audit-conf
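Review bot: In the -437 hunk, reportStatus now hands rcode(rc) straight to httpd as the response status whenever it is not -1, so a failure whose code is 0, some other negative value, or a non-HTTP code carried up from a lower layer (the http.hpp hunks now pass the whole failable to mkfailure, so presumably the CURL layer's codes can reach here) would be emitted as a bogus status. Where rcode values originate is not visible in this hunk; if they are not guaranteed to be HTTP statuses, clamp to the valid range instead of special-casing -1: `const int r = rcode(rc);` / `return (r < 100 || r > 599) ? HTTP_INTERNAL_SERVER_ERROR : r;`. A one-line comment on the `if (!hasContent(rc))` branch stating that rcode is expected to hold an HTTP status, with -1 meaning none was set, would make the sentinel self-explaining.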
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Generate a minimal mod-security audit configuration.
+here=`echo "import os; print os.path.realpath('$0')" | python`; here=`dirname $here`
+mkdir -p $1
+root=`echo "import os; print os.path.realpath('$1')" | python`
+
+mkdir -p $root/tmp
+
+cat >>$root/conf/mod-security.conf <<EOF
+# Generated by: mod-security-audit-conf $*
+# Enable mod-security audit log
+SecAuditEngine RelevantOnly
+SecAuditLogRelevantStatus "^(?:5|4(?!04))"
+SecAuditLogParts ABIJDEFHKZ
+SecAuditLogType Serial
+Include conf/mod-security-audit-log.conf
+
+EOF
+
+# Configure audit logging
+cat >$root/conf/mod-security-audit-log.conf <<EOF
+# Generated by: mod-security-audit-conf $*
+SecAuditLog $root/logs/secaudit_log
+
+EOF
+
diff --git a/sca-cpp/trunk/modules/http/mod-security-conf b/sca-cpp/trunk/modules/http/mod-security-conf
index fdc4d8e24d..4d978a01cb 100755
--- a/sca-cpp/trunk/modules/http/mod-security-conf
+++ b/sca-cpp/trunk/modules/http/mod-security-conf
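Review bot: The `cat >>$root/conf/mod-security.conf` append is not idempotent and silently tolerates a missing base config: running the script twice against the same directory duplicates the SecAudit* directives and the Include, and if mod-security-conf has not been run first, `>>` creates a mod-security.conf that contains only the audit section. A guard before the append, `[ -f $root/conf/mod-security.conf ] || { echo "mod-security-audit-conf: run mod-security-conf first" >&2; exit 1; }`, makes the required ordering explicit (the new `rm -rf tmp` in the test scripts masks the duplication in tests but not for other callers). The script creates $root/tmp, which mod-security-conf already points SecTmpDir/SecDataDir at, but not $root/logs where SecAuditLog writes; presumably httpd-conf creates it, worth confirming. Since SecAuditLogParts ABIJDEFHKZ includes request bodies (I) and response bodies (E), secaudit_log can capture credentials and other data submitted to the server, so a comment on that line noting the log must stay readable by the httpd user only would record the trade-off.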
@@ -81,8 +81,8 @@ IH %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
 SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" "phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"
 # Avoid a potential RegEx DoS condition
-SecPcreMatchLimit 10000
-SecPcreMatchLimitRecursion 10000
+SecPcreMatchLimit 50000
+SecPcreMatchLimitRecursion 50000
 SecRule TX:/^MSC_/ "!@streq 0" "phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
 # Detect slow DoS attacks
@@ -100,13 +100,6 @@ SecResponseBodyLimitAction ProcessPartial
 SecTmpDir $root/tmp/
 SecDataDir $root/tmp/
-# Enable mod-security audit log
-SecAuditEngine RelevantOnly
-SecAuditLogRelevantStatus "^(?:5|4(?!04))"
-SecAuditLogParts ABIJDEFHKZ
-SecAuditLogType Serial
-Include conf/mod-security-log.conf
-
 # Use & as application/x-www-form-urlencoded parameter separator
 SecArgumentSeparator &
@@ -120,8 +113,8 @@ setvar:tx.critical_anomaly_score=5, \
 setvar:tx.error_anomaly_score=4, \
 setvar:tx.warning_anomaly_score=3, \
 setvar:tx.notice_anomaly_score=2"
-SecAction "phase:1,id:'981208',t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=5"
-SecAction "phase:1,id:'981209',t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=4"
+SecAction "phase:1,id:'981208',t:none,nolog,pass,setvar:tx.inbound_anomaly_score_level=10"
+SecAction "phase:1,id:'981209',t:none,nolog,pass,setvar:tx.outbound_anomaly_score_level=8"
 # Paranoid mode
 SecAction "phase:1,id:'981210',t:none,nolog,pass,setvar:tx.paranoid_mode=0"
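Review bot: Raising SecPcreMatchLimit and SecPcreMatchLimitRecursion from 10000 to 50000 in the -81 hunk sits directly under `# Avoid a potential RegEx DoS condition` and multiplies the per-regex CPU ceiling by five, so the comment no longer explains why the larger value is still acceptable. If the bump was made because legitimate large requests were tripping the limit (the `SecRule TX:/^MSC_/` line two below turns an MSC_PCRE_LIMITS_EXCEEDED flag into a deny), record that, e.g. `# Avoid a potential RegEx DoS condition; 50000 is high enough that legitimate large requests do not raise MSC_PCRE_LIMITS_EXCEEDED`. Whether 50000 was measured against the rule set or chosen ad hoc is not visible here.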
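Review bot: In the -120 hunk, doubling tx.inbound_anomaly_score_level from 5 to 10 and tx.outbound_anomaly_score_level from 4 to 8 changes blocking semantics, not just a number: with tx.critical_anomaly_score=5 and tx.error_anomaly_score=4 visible in the hunk's context, a single critical-severity rule match no longer blocks an inbound request on its own, and a lone critical or error match no longer blocks a response. That may be the intended fix for false positives, but it relaxes the WAF and nothing in the diff records why; a comment above the two SecAction lines, e.g. `# Block only when at least two critical-severity rules match (anomaly score >= 10)`, would make the decision reviewable later.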
@@ -186,12 +179,6 @@ Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_25_cc_known.conf
 Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_42_comment_spam.conf
 Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
 Include ${modsecurity_prefix}/optional_rules/modsecurity_crs_55_application_defects.conf
-EOF
-
-# Configure audit logging
-cat >$root/conf/mod-security-log.conf <<EOF
-# Generated by: mod-security-conf $*
-SecAuditLog $root/logs/modsec_audit_log
 EOF
diff --git a/sca-cpp/trunk/modules/http/proxy-test b/sca-cpp/trunk/modules/http/proxy-test
index 9f3d248fdf..0333dd280b 100755
--- a/sca-cpp/trunk/modules/http/proxy-test
+++ b/sca-cpp/trunk/modules/http/proxy-test
@@ -18,6 +18,7 @@
 # under the License.
 # Setup
+rm -rf tmp
 ./httpd-conf tmp localhost 8091/8090 htdocs
 ./httpd-event-conf tmp
 ./httpd-start tmp |