[Resolved] litespeed + modsecurity rules

Status
Not open for further replies.
#1
Hi,
I need help: how can I use litespeed + modsec rules from an apache config file? Here are my steps:
- install lite speed 4.2.15 Std Linux (x86) on CentOS release 5.10 (Final) using install.sh
- configuration->server->general:
- Load Apache Configuration -> yes
- Auto Reload On Changes -> (deprecated) Yes
- Apache Configuration File -> /usr/local/lsws/conf/my.conf
- Actions -> Graceful Restart
- /usr/local/lsws/bin/lswsctrl reload
- /usr/local/lsws/bin/lswsctrl restart
- /usr/local/lsws/bin/lswsctrl stop
- /usr/local/lsws/bin/lswsctrl start

here is apache config my.conf:
Code:
<IfModule mod_security2.c>

SecRuleEngine DetectionOnly

SecDebugLog /opt/modsecurity/var/log/debug.log
SecDebugLogLevel 3


SecAuditEngine RelevantOnly
SecAuditLogParts ABCDEFHKZ

# Use a single file for logging.
SecAuditLogType Serial
SecAuditLog /opt/modsecurity/var/log/audit.log

SecDefaultAction phase:2,log,deny,status:501

SecRule ARGS:aaa "@rx aaa" "phase:2,log,deny,status:501"

</IfModule>
The rule has to block any request to the server with the param "aaa=aaa".

litespeed config from /usr/local/lsws/conf/http_config.xml and my.conf attached.

Thanks in advance.
 


NiteWave

Administrator
#2
- Apache Configuration File -> /usr/local/lsws/conf/my.conf
Hi, your apache configuration file should be a complete one.
A default installation of CentOS 5.10 will install apache, whose configuration is at /etc/httpd/conf/httpd.conf

You can add mod_security rules to the existing /etc/httpd/conf/httpd.conf, which is a complete apache configuration file, then start to test.
 
#3
Should apache be installed with litespeed? Is it necessary? And what are the necessary directives from httpd.conf for litespeed? Could you enumerate them?

Thanks in advance.
 

NiteWave

Administrator
#4
In theory, you don't have to install apache; just keeping apache's configuration file is fine.
But in practice, you'd better install apache, and it's easy on CentOS.
If apache starts up normally, then that means apache's httpd.conf is error free.
Then you can have litespeed read apache's configuration file.
In other words, if an httpd.conf is invalid or has errors in it, apache can't start up and litespeed won't either.

litespeed supports most apache directives and mod_security directives.
 
#5
So, I tried to use the default http config, and everything works fine. But I encountered a strange behavior of litespeed. I use the rule above; it should block all requests with the query "?aaa=aaa". Here are the steps that I did:

First case:
- restart litespeed
- index.html?aaa=aaa => 501 ERROR (works well)
- index.html => 200 OK
- index.html?aaa=aaa => 200 OK (why ?? it should be blocked ??)
Second case:
- restart litespeed
- index.html => 200 OK
- index.html?aaa=aaa => 200 OK (why ?? it should be blocked ??)

It looks like wrong caching behavior. Any ideas?
Thanks in advance.
 


NiteWave

Administrator
#8
well, your posted results clearly show the difference between apache and litespeed.

just check your lsws error log, lsws 4.2.12 is running. Can you upgrade to the latest 4.2.16?
Either via web admin:
Actions -> Version Manager -> 4.2.16 Force Reinstall
or on the command line:
# /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.16

Then run the same tests under 4.2.16.
It's possible it's been fixed in the latest version.
 

NiteWave

Administrator
#10
OK. But I just recalled ... can you use index.php instead of index.html to do the tests?

since index.html is a static file, like aaa.jpg, the query string won't be used by web server, so it's ok to ignore it for better performance.
 

NiteWave

Administrator
#14
Thanks for the testing. So apache will apply rules to static files and litespeed won't by default. Since usually most of the requests are static files, litespeed's way may have much better performance and is quite reasonable.
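
Added example (not part of the thread and not LiteSpeed's own code): a check that replays the request sequence from post #5 against a static and a dynamic URL and labels whether the ARGS:aaa rule is enforced on each. The host, port and file names are assumptions, and it assumes SecRuleEngine On, since DetectionOnly logs matches without denying.

```python
"""Check whether a ModSecurity deny rule is enforced on static and dynamic URLs."""
import urllib.error
import urllib.request

BLOCK_STATUS = 501   # status set by the thread's rule (deny,status:501)
TRIGGER = "aaa=aaa"  # query string that the thread's SecRule ARGS:aaa matches


def http_status(url, timeout=5):
    """Return the HTTP status code for a GET, including 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(base, paths, fetch=http_status):
    """For each path request: trigger, clean, trigger (as in post #5).

    Returns {path: [status, status, status]}.
    """
    results = {}
    for path in paths:
        url = base.rstrip("/") + "/" + path.lstrip("/")
        hit = url + "?" + TRIGGER
        results[path] = [fetch(hit), fetch(url), fetch(hit)]
    return results


def classify(statuses, block=BLOCK_STATUS):
    """Label one path's [trigger, clean, trigger] statuses."""
    first, clean, second = statuses
    if clean == block:
        return "clean-request-blocked"  # the block status is not caused by the rule
    if first == block and second == block:
        return "enforced"
    if first == block or second == block:
        return "inconsistent"           # blocked once, passed once (first case, post #5)
    return "not-enforced"               # rule never applied to this path


def report(base, paths, fetch=http_status):
    """Return {path: verdict} for every probed path."""
    return {p: classify(s) for p, s in probe(base, paths, fetch).items()}


if __name__ == "__main__":
    # Assumed lab host and file names; point this at your own test server.
    verdicts = report("http://127.0.0.1:8088", ["index.html", "index.php"])
    for path, verdict in verdicts.items():
        print(f"{path}: {verdict}")
```

Any path reported as "inconsistent" or "not-enforced" is one where the rule cannot be relied on; run it against both servers to see the static-file difference described in post #14.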
 