Should <VirtualHost> work with LiteSpeed?

#1
Hi,

I have this rule in modsec2.user.conf meant to log POST payload for a specific domain.com:

<VirtualHost domain.com>
SecRule REQUEST_METHOD "POST" "phase:2,log,id:22222223"
</VirtualHost>

But it's not logging anything. Does LiteSpeed support VirtualHost?

Thanks!
 
#3
Hi,

I looked it up in modsec_audit.log but it's missing part "C". Look:

--281e42a8-A--
[13/Oct/2015:15:52:26 +0300] - 54.147.159.154 33082 xxx.yyy.zzz.ttt:80 80
--281e42a8-B--
POST / HTTP/1.1
Host: domain.com
Content-Length: 27
User-Agent: runscope/0.1
Accept: */*
Accept-Encoding: gzip, deflate

--281e42a8-F--

--281e42a8-H--
Message: Detected , [Rule: 'REQUEST_METHOD' 'POST'] [id "22222224"] [severity "WARNING"] [MatchedString "POST"]
--281e42a8-Z--

This is the entire log for that post request.
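A check for the situation in the post above, added here as an example and not part of the original thread: it parses the audit log layout shown (boundary lines of the form `--id-PART--`) and reports entries that lack a configured part, flagging those whose request headers declare a body. The function names, the constructed sample, and the default part list "ABCFHZ" (the value quoted in a later post of this thread) are assumptions of the example.

```python
import re

# Boundary line as seen in the quoted log: --<hex transaction id>-<part letter>--
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

def parse_entries(text):
    """Return {txid: {part_letter: [lines]}} for each transaction in the log text."""
    entries, current = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            txid, part = m.groups()
            current = entries.setdefault(txid, {}).setdefault(part, [])
        elif current is not None:
            current.append(line)
    return entries

def declared_body_length(parts):
    """Content-Length from part B (request headers), or 0 if absent or invalid."""
    for line in parts.get("B", []):
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length" and value.strip().isdigit():
            return int(value.strip())
    return 0

def audit_gaps(text, configured="ABCFHZ"):
    """List (txid, missing_parts, body_declared) for entries lacking configured parts."""
    findings = []
    for txid, parts in parse_entries(text).items():
        missing = [p for p in configured if p not in parts]
        if missing:
            findings.append((txid, "".join(missing), declared_body_length(parts) > 0))
    return findings

# Constructed sample modelled on the entry quoted in the post; addresses are placeholders.
SAMPLE = """--281e42a8-A--
[13/Oct/2015:15:52:26 +0300] - 192.0.2.10 33082 192.0.2.20 80
--281e42a8-B--
POST / HTTP/1.1
Host: domain.com
Content-Length: 27

--281e42a8-F--

--281e42a8-H--
Message: Detected , [Rule: 'REQUEST_METHOD' 'POST'] [id "22222224"]
--281e42a8-Z--
"""

if __name__ == "__main__":
    for txid, missing, body in audit_gaps(SAMPLE):
        print(f"{txid}: missing parts {missing}; request body declared: {body}")
```

An entry that is missing part C while part B declares a non-zero Content-Length is the case described in the post: a body was sent but not recorded.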
 
#5
Great, thanks. It seems to work.

What about <VirtualHost>? Can I use it to limit POST payload loading to only a single Host on a shared server? Or can you suggest some other way to limit POST payload logging to a specific vhost?

Thanks!
 
#7
I don't want to change the config at vhost level. I just want to restrict a rule to a certain vhost.

I tried this in modsec2.user.conf but it doesn't trigger (it doesn't log anything):

SecAuditLogParts "ABCFHZ"
...
<VirtualHost domain.com>
SecRule REQUEST_METHOD "POST" "id:22222224,phase:2,ctl:auditEngine=On,log,auditlog,pass"
</VirtualHost>

If I remove <VirtualHost> tag/endtag it works as expected.

What am I doing wrong?
 
#11
Well, I located the per-vhost include file:

Include "/usr/local/apache/conf/userdata/std/2/account/*.conf"

So I included in /usr/local/apache/conf/userdata/std/2/account/modsec.conf (the file was already there) the line:

SecRule REQUEST_METHOD "POST" "id:22222224,phase:2,ctl:auditEngine=On,log,auditlog,pass"

But no joy. It doesn't trigger.
 