Seeking advice: using the Apache module mod_security together with SVN

Posted 2006-3-23 14:28:25
After I enabled mod_security, svn got blocked. Can mod_security be made to support request methods other than GET and POST?

I searched the web for a long time and only found one post from someone with the same unsolved problem.

subversion and mod_security

From: Miguel Bañón <mbagnon_at_asimelec.es>
Date: 2005-03-09 10:38:17 CET

I am trying to use subversion with apache hardened with mod_security.
The default rule set of mod_security blocks svn commits, does anybody
have a working rule set?

Cheers.
Posted 2006-3-24 08:50:23
What does an SVN request look like? Capture one and post it here.

This should work:

<Location /svn/Respo>
    SecFilterEngine Off
</Location>

Original poster | Posted 2006-3-24 09:16:27
On Windows the client reports:
error svn request failed on "/...directory name"
error svn 403: .....    (the error is a 403)

My configuration in the conf file:
LoadModule security_module    modules/mod_security.so
<IfModule mod_security.c>
    # Enable ModSecurity
    SecFilterEngine DynamicOnly

    # Reject requests with status 403
    SecFilterDefaultAction "deny,log,status:403"

    # Some sane defaults
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckUnicodeEncoding Off

    # Accept almost all byte values
    SecFilterForceByteRange 1 255
    # Only record the interesting stuff
    SecAuditEngine RelevantOnly
    # Uncomment below to record responses with unusual statuses
    # SecAuditLogRelevantStatus ^5
    SecAuditLog logs/modsec_audit.log

    # You normally won't need debug logging
    SecFilterDebugLevel 0
    SecFilterDebugLog logs/modsec_debug.log

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

    # Do not accept GET or HEAD requests with bodies
    SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Length "!^$"
    # Require Content-Length to be provided with
    # every POST request
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Length "^$"

    # Don't accept transfer encodings we know we don't handle
    SecFilterSelective HTTP_Transfer-Encoding "!^$"
</IfModule>

Later I tried your approach too, and it still didn't work...

Original poster | Posted 2006-3-24 09:18:13
How can mod_security be configured to filter OPTIONS requests??

Because on Windows it is always an OPTIONS error:
error option svn request failed on "/...directory name"
error option svn 403: ..... (the error is a 403)

Original poster | Posted 2006-3-24 10:27:16
I have captured the modsec_audit.log entry:
==81c1ec03==============================
Request: svn.xxx.com 219.x.x.x - xx.xx.com [24/Mar/2006:10:06:43 +0800] "OPTIONS /xxx.xxx.com/lib HTTP/1.1" 403 307 "-" "SVN/1.3.0 (r17949) neon/0.25.4" E5IT3tIzB2oAAEGb6PgAAAAM "-"
Handler: dav-handler
----------------------------------------
OPTIONS /xxx.com/lib HTTP/1.1
Host: svn.xxx.com
User-Agent: SVN/1.3.0 (r17949) neon/0.25.4
Keep-Alive:
Connection: TE, Keep-Alive
TE: trailers
Content-Length: 104
Content-Type: text/xml
Accept-Encoding: gzip, gzip
Authorization: Basic aG1zLnJkLmlrYW5nLmNvbTpobXM=
mod_security-action: 403
mod_security-message: Access denied with code 403. Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type")
104
<?xml version="1.0" encoding="utf-8"?><D:options xmlns="DAV:"><D:activity-collection-set/></D:options>

HTTP/1.1 403 Forbidden
Content-Length: 307
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--81c1ec03--
modsec_debug.log

[root@www logs]# cat modsec_debug.log |grep svn
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83ba298][/xxx.xxx.com/lib][2] Logging phase starting
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83ba298][/xxx.xxx.com/lib][3] Audit log: Set to RelevantOnly - ignoring a non-relevant request
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][2] Detection phase starting (request 83a5db0): "OPTIONS /xxx.xxx.com/lib HTTP/1.1"
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][4] Normalised REQUEST_URI: "/xxx.xxx.com/lib"
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][2] Parsing arguments...
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][3] Content-Type is "text/xml"
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][5] read_post_payload: read 104 bytes
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][4] Time #1: 2659 usec
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][2] Checking signature "!^(GET|HEAD)$" at REQUEST_METHOD
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][4] Checking against "OPTIONS"
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][3] Warning (chained rule). Pattern match "!^(GET|HEAD)$" at REQUEST_METHOD
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][2] Checking signature "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER(Content-Type)
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][4] Checking against "text/xml"
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][1] Access denied with code 403. Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type")
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][4] Time #2: 2952 usec
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][4] sec_filter_in: start: inputmode=0, readtype=0, nBytes=8192
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][4] sec_filter_in: Sent 104 bytes (104 total)
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][4] sec_filter_in: Sent EOS bucket
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][2] Logging phase starting
[24/Mar/2006:10:06:43 +0800] [svn.xx.com/sid#812e508][rid#83a5db0][/xxx.xxx.com/lib][2] sec_audit_logger_serial: start

Posted 2006-3-24 12:22:30
Is that path correct? This method was posted on the mod_security mailing list, and the person said it worked... You didn't put svn at the root directory, did you?

Original poster | Posted 2006-3-24 12:50:15
The path has already been changed to the correct installation directory.... Sigh~~

Original poster | Posted 2006-3-24 14:59:36
It works! It works~~

Commenting out the code below fixed it; so it was because of the header after all:

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"

Posted 2006-3-25 05:57:42
Oh. But that reduces mod_security's effectiveness quite a lot... :)
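The rule the original poster commented out denies any non-GET/HEAD request whose Content-Type is not a form encoding, which is exactly why the SVN client's OPTIONS request with a text/xml body got a 403, and the reply above points out that deleting the rule weakens mod_security. The Python below is an added example, not code from this thread or from mod_security: it re-implements the chained-rule check on a constructed copy of that request, compares the original pattern with a narrowed one that additionally admits text/xml (an assumption, not something the thread proposes), and parses the audit log's "Request:" line so denied SVN client requests can be picked out of the log.

```python
import re

# Constructed copy of the OPTIONS request from the poster's modsec_audit.log entry.
SVN_OPTIONS_REQUEST = {"REQUEST_METHOD": "OPTIONS", "HTTP_Content-Type": "text/xml"}

# The poster's chained rule as (variable, pattern) pairs. A rule matches when its
# pattern is found, or with a leading "!" when it is not; the chain (default
# action: deny with status 403) fires only if every rule in it matches.
ORIGINAL_CHAIN = [
    ("REQUEST_METHOD", r"!^(GET|HEAD)$"),
    ("HTTP_Content-Type", r"!(^application/x-www-form-urlencoded$|^multipart/form-data;)"),
]

# Narrowed variant (an assumption, not from the thread): also accept the text/xml
# bodies that WebDAV/SVN clients send, instead of deleting the whole rule.
NARROWED_CHAIN = [
    ("REQUEST_METHOD", r"!^(GET|HEAD)$"),
    ("HTTP_Content-Type",
     r"!(^application/x-www-form-urlencoded$|^multipart/form-data;|^text/xml)"),
]

def rule_matches(value, pattern):
    """Evaluate one SecFilterSelective pattern, honouring the leading '!'."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    return (re.search(regex, value) is not None) != negate

def chain_denies(request, chain):
    """True when every rule in the chain matches, i.e. the request would get a 403."""
    return all(rule_matches(request.get(var, ""), pat) for var, pat in chain)

# Constructed line in the shape of the "Request:" line of an audit-log record.
AUDIT_REQUEST_LINE = (
    'Request: svn.example.test 192.0.2.10 - - [24/Mar/2006:10:06:43 +0800] '
    '"OPTIONS /repo/lib HTTP/1.1" 403 307 "-" "SVN/1.3.0 (r17949) neon/0.25.4" '
    'CONSTRUCTED-UNIQUE-ID "-"'
)
_REQ_RE = re.compile(r'"(\S+) (\S+) HTTP/[\d.]+" (\d{3}) \d+ "[^"]*" "([^"]*)"')

def parse_audit_request_line(line):
    """Extract method, URI, status and User-Agent from an audit 'Request:' line."""
    m = _REQ_RE.search(line)
    if not m:
        return None
    return {"method": m.group(1), "uri": m.group(2),
            "status": int(m.group(3)), "user_agent": m.group(4)}
```

Filtering parsed lines on status 403 and a User-Agent starting with "SVN/" finds the thread's symptom in an audit log without reading every record by hand.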

Original poster | Posted 2006-3-27 09:19:49
I'm looking into restricting access to individual IPs; combining that with this should achieve the goal.